Kaspersky: New Stan Ghouls Attack on Organizations in Russia and the CIS

Kaspersky has revealed details of a new campaign by the Stan Ghouls group, which attacked financial institutions, industrial enterprises, and IT companies in the CIS in late 2025. The attackers used updated infrastructure, including new malicious domains, and showed interest in Internet of Things (IoT) systems.

The Stan Ghouls group has been known since 2023 for attacks on financial organizations and on industrial and IT companies. Its hallmarks include the use of unique malicious loaders written in Java and a large-scale infrastructure that is periodically modified.

The attacks begin with phishing emails carrying malicious PDF attachments. The PDFs may contain links to a malicious loader, which downloads the legitimate NetSupport software that is then used to manage the infected device. Previously, the group's main tool was the STRRAT Trojan, also known as Strigoi Master.

According to Alexey Shulmin, a cybersecurity expert at Kaspersky, more than 60 targets have been attacked in total, which indicates the group's significant resources.