#Ukraine Denys Prokopenko on the role of #Russia #GRU general Alexeev shot today in Moscow:

Lieutenant General Vladimir Alekseyev, First Deputy Chief of the GRU of the Russian General Staff, who was shot in Moscow this morning, was the senior Russian representative at the negotiations in Mariupol in May 2022, during the withdrawal of the Mariupol garrison from Azovstal.

Alekseyev pledged that Russia would comply with the Geneva Convention on the treatment of prisoners of war and personally guaranteed humane conditions of detention for our captured servicemen. His signature appears on the relevant document, signed in Mariupol at that time. For our part, we demonstrated humanity and handed over to Alekseyev three Russian prisoners of war who had received medical treatment and were provided with food and water.

The word of an officer, a native of Vinnytsia Oblast, and a traitor to his homeland, proved to be worthless. The systematic torture of captured Azov fighters, the denial of medical care, and starvation are clear proof of this.

Prokopenko didn’t mention it but the most hideous war crime committed by Russians agains the Mariupol prisoners was Olenivka massacre:

en.wikipedia.org/wiki/Olenivka…

Nothing surprising here - the infamous “word of Russian officer” has been proven to be not worth a shit like forever. #Poland has an especially bitter lesson here from 1945 when 16 leaders of the Polish Underground who fought Nazi invasion 1939-1945 were invited for talks to Moscow under “security guarantees”… and then arrested and charged with… “Nazi collaboration”.

en.wikipedia.org/wiki/Trial_of…

An interesting dynamics of #Trump vs #Poland relations which are part of the broader degradation of Trump vs Europe and Trump vs #NATO relations. A recent CBOS study indicated a significant drop of Poles “considering today’s USA a reliable ally” - from 73% in 2021 to merely 29.0% in 2026.

This was likely caused by the long stream of Trump’s statements openly dismissive and offensive towards Europe and NATO, continued accusations of EU being “dictatorship”, “EU censorship”, “splitting EU” (happily boosted by Musk and Russians) and openly threatening with change of regime in the EU in the US National Security Strategy (!) which kind of mirrored similar goals set for EU by Russia and Belarus. Then there were the surreal threats towards #Denmark and #Greenland.

This nonsense has further escalated in the last few weeks, when Trump first publicly stated that “NATO wasn’t there when we needed it”, which was promptly corrected by NATO member reminding how many soldiers each of the lost when US invoked Article 5 in 2001 following WTC attacks. To which Trump even more dismissively replied that that “yeah they were there but just stayed behind, far from the front line” (quoting from memory) etc etc.

The new show started with Trump’s equally surreal and narcissistic campaign to get himself awarded the Nobel Peace Prize and his personal project Board of Peace which resembles more a multi-level marketing scheme than any actual political body. Many politicians commented on these events critically, but in Poland the latest row started with the Chair of Polish Parliament Włodzimierz Czarzasty commenting publicly that Trump does not deserve any Nobel Prize:

President Trump is destabilising the situation in these organisations by representing a policy of force and pursuing a transactional policy through the use of force. This is a violation of policies, values and, in many cases, international law. Customs policy, a different interpretation of history, e.g. regarding the participation of Polish soldiers in missions, the instrumental treatment of other territories, as in the case of Greenland.

His full statement can be read here[^1] and in general there’s nothing offensive there, Czarzasty just stated facts and quoted Trump. What was surprising was the reaction of Tom Rose, the new US ambassador to Poland, who completely lost it and declared on X that “US is breaking any contacts with Czarzasty” because he “insulted President”. As a reminder, Czarzasty’s statement was literally collection of quotes from Trump which made it even more absurd, because he seemed to imply that quoting Trump was insulting to him. And yes, it indeed kind of is, but Trump’s rants are his own and nobody’s else.

Most Polish politicians were rather surprised by this course of action, especially when Rose decided to discipline the Prime Minister Tusk for saying that “diplomats should respect each other rather than patronize”, which clearly alluded to Rose’s rather aggressive comments. Rose replied the following:

Dear Mr. Prime Minister — I’m assuming your thoughtful and well-articulated message was sent to me by mistake, because surely you intended it for the Speaker of the Sejm, Włodzimierz Czarzasty, who’s despicable, disrespectful and insulting comments about President Trump were so potentially damaging to your government.

Oh and yes, today you’ve got Trump video with dancing apes with Harris & Obama faces, so good luck to Rose with defending that.

[^1]: sejm.gov.pl/Sejm10.nsf/komunik…

Gimmick Sunglasses Become Easy Custom Helmet Visor

[GizmoThrill] shows off a design for an absolutely gorgeous, high-fidelity replica of the main character’s helmet from the video game Satisfactory. But the best part is the technique used to create the visor: just design around a cheap set of full-face “sunglasses” to completely avoid having to mold your own custom faceplate.

One of the most challenging parts of any custom helmet build is how to make a high-quality visor or faceplate. Most folks heat up a sheet of plastic and form it carefully around a mold, but [GizmoThrill] approached the problem from the other direction. After spotting a full-face sun visor online, they decided to design the helmet around the readily-accessible visor instead of the other way around.

The first thing to do with the visor is cover it with painter’s tape and 3D scan it. Once that’s done, the 3D model of the visor allows the rest of the helmet to be designed around it. In the case of the Satisfactory helmet, the design of the visor is a perfect match for the game’s helmet, but one could easily be designing their own custom headgear with this technique.
The hexagon grid pattern? It’s actually a clear vinyl sticker and doesn’t obstruct vision at all. Another clever touch.
With the helmet 3D printed, [GizmoThrill] heads to the bandsaw to cut away any excess from the visor, and secure it in place. That’s all there is to it! Sure, you don’t have full control over the visor’s actual shape, but it sure beats the tons and tons of sanding involved otherwise.

There’s a video tour of the whole process that shows off a number of other design features we really like. For example, metal mesh in the cheek areas and in front of the mouth means a fan can circulate air easily, so the one doesn’t fog up the inside of the visor with one’s very first breath. The mesh itself is concealed with some greebles mounted on top. You can see all those details up close in the video, embedded just below.

The helmet design is thanks to [Punished Props] and we’ve seen their work before. This trick for turning affordable and somewhat gimmicky sunglasses into something truly time-saving is definitely worth keeping in mind.

youtube.com/embed/9zncjfnF110?…

hackaday.com/2026/02/05/gimmic…

Tech policy is now industrial policy

WELCOM BACK TO THE FREE MONTHLY EDITION of Digital Politics.I'm Mark Scott, and will be in Amsterdam and Brussels during the week of Feb 16, and then back in Brussels the week of Feb 23. If you're around for coffee, drop me a line here.

Also, apologies to those of you who are struggling to access the web version of this newsletter. There are ongoing technical difficulties linked with Ghost's back-end infrastructure. I'm working to resolve this asap.

— What defines digital policymaking is fundamentally shifting from a focus on online issues to those that directly affect the offline world.

— American lawmakers are again debating if Europe's online safety rules threaten the First Amendment. What is actually going on here?

— The world's semiconductor market remains highly concentrated within East Asia.

Let's get started:

THE END OF TECH POLICY AS WE KNOW IT

FOR YEARS, YOU COULD DIVIDE DIGITAL POLICYMAKING into three main camps. There was antitrust, privacy and platform governance. Some would argue that artificial intelligence deserves its own bucket. But, for me, AI fitted neatly into one of the three existing dogmas that underpinned decades of governance efforts linked to the online world.

That era is now over.

It's not that antitrust, privacy and platform governance, as topics, are either "solved" or relegated to the trash heap of history. If anything, these policymaking topics are now more pressing, in 2026, than at any other time in history. Yet it is time for those of us enmeshed in this world to acknowledge what has been on a slow burn for at least the last decade. Now, tech policy is as much an industrial policy issue — with all the political ramifications that come with that — as it is something that merely affects (and I say this with a pinch of salt) people and their interactions with some of the largest companies on earth.

By industrial policy issue, I mean the offline-online nexus of topics that encompass everything from the climate change problems and employment issues connected to data centres to the high politics of semiconductor subsidies and global tariffs imposed on electric vehicles. These topics significantly expand from the "antitrust, privacy and platform governance" cocoon that many of us, including myself, have lived in as the world has woken up to the fact that what happens online inevitably has consequences for the offline world.

There are many reasons for this shift.

In part, policymakers are fickle beasts, and the rise of semiconductors, large language models and "digital sovereignty" has allowed many to expand their interests from often wonky digital policy topics to those that have a more direct effect on the world around them.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in January:
— Why the decline of US tech leadership, the rise of China as an internet governor, the growth of AI slop around elections, and the implications of child online safety rules will define 2026. More here.
— Europe wants to revamp its digital rules. Its citizens aren't so sure; Washington's departure from more than 60 international organizations shows how US officials are tactically engaging with global digital issues; Who dominates the world of data centers. More here.
— The transatlantic digital relationship has gone from bad to worse; Everything you need to know about India's AI Impact Summit; How many teenagers' social media accounts have been removed in Australia. More here.
— After Greenland-Gate, Europe is taking the gloves off when it comes to digital sovereignty; ByteDance's sale of its US TikTok unit doesn't solve any of the underlying problems; Teenagers are more open to smartphone bans than you might think. More here.

It's also true that many of the global efforts to update antitrust, privacy and platform governance rules — from the United States and European Union to Brazil and South Africa — have only had middling success. Some of that is down to policymaking being, well, hard. But the increasing geopolitical consequences (see the next section on the EU-US platform spat) of these decisions have often made actual legislating hard. Even those who have passed laws (looking at you, Brussels) must live with the reality that not all of their revamped digital rulebook has been the success that many had first hoped for.

National leaders have similarly embraced this "industrialization" of tech policy with open arms.

Being seen to open a new semiconductor foundry or data center is just better retail politics, in the short term, compared to the hard yakka required to pass child safety rules or unpick the oligopoly of a small number of Silicon Valley giants. It's not that some (but not all) lawmakers want to do those things. But it's an easier lift to return to political form via tax incentives and other subsidies to entice foreign firms to set up locally than to build complex coalitions to update national data protection regulation that few people actually understand.

I don't mean to denigrate this shift. The world is seeking economic growth — often powered by artificial intelligence. Politicians and policymakers face hard trade-offs between updating national economies to meet these new demands and supporting the more traditional digital wonkery which has defined the last 12 years of my career.

It's also true you can have both tech-driven industrial policy and digital policy that focuses on antitrust, privacy and platform governance. But what is becoming clear in 2026 is that many policymakers are shifting toward the former and away from the latter. That will require a recalibration for many (again, including myself) who feel more comfortable discussing the inner workings of ex ante digital competition reforms than how best to construct a federated system of data centres with the least energy footprint possible.

It's a mind-shift from almost exclusively focusing on the online world — often with offline consequences — to acknowledging that tech-focused industrial policy includes a greater number of traditional "analogue" policy areas than many of us have been used to dealing with.

That includes a heavy dose of trade policy as the world hurtles toward a zero-sum, mercantilist viewpoint where re-shoring, export controls and subsidies tied to foreign direct investment are as important as whether social media companies are held accountable for what is posted within their global networks.

It also includes a mishmash of policymaking specialisms that combines digital policy with labor policy with climate change policy with public health policy with a myriad of other policy areas which all intersect in this expanded form of tech-related industrial policy. Such coalitions are hard to create. Everyone believes their subject area is the most important and, routinely, experts speak past each other in jargon that no one outside of these communities understands.

None of this should take focus away from the ongoing problems associated with antitrust, privacy and platform governance. If Digital Politics can be read as anything, it's an indictment that within those three areas, there is still a lot of work to do.

But we should not remain siloed into what is comfortable and overlook what is happening around us. National leaders — mostly spurred on by the AI hype — are wedded to this blending of tech and industrial policy in the name of economic growth. That will have knock-on consequences beyond the digital realm, especially as the global labor force tries to navigate the complexities of the current techno-enabled geopolitical uncertainty.

Just like in last week's newsletteron the more muscular approach to digital sovereignty, within Europe, after the Greenland crisis, I do not yet have solutions to much of the complexity outlined above. It's going to be hard. But pretending that tech policy has not morphed into something more offline, more industrial and more multi-disciplinary would be a mistake.

It's time for many of us to evolve to meet this new challenge.

Chart of the Week

NOT ALL SEMICONDUCTORS ARE CREATED equally. But in terms of total production, three regions — East Asia, the US and the EU — represented more than 90 percent of the collective global annual production, based on figures from 2024, the last full-year available.

Even that geographical breakdown doesn't tell the full story.

East Asia, as a region, produces roughly three-fourths of the world's microchips. Within that, Taiwan manufactures 60 percent of total global semiconductor production — a figure that rises to 90 percent for the most advanced chips.
Source: Technology in Global Affairs

THE US TO EUROPE'S ONLINE SAFETY RULES: I JUST CAN'T QUIT YOU

YOU HAVE TO HAND IT TO CONGRESS. They may not be able to pass any digital rules (with maybe the exception of ByteDance's TikTok US offloading), but they sure like a hearing about how Europe is censoring Americans online. On Feb 4, the House of Representatives' Judiciary Committee will hold its second hearing entitled "Europe's Threat to American Speech and Innovation: Part II." Watch along here at 10am ET / 4pm CET / 3pm UK. You can read a report Republican lawmakers published to outline their arguments here.

The hearing follows a similar meeting, in September, which included British politician Nigel Farage comparing the United Kingdom to North Korea — because of the country's online safety regime, known as the Online Safety Act (editor's note: the UK is not like North Korea.) David Kaye, a University of California professor who gave evidence at the invitation of the Democrats, suggested it was the US, not Europe, that was undermining free speech.

Some US politicians and influencers' aversion to European online safety rules are well known. Accusations include subverting Americans' free speech rights; forcing platforms to crack down on legal speech online; and working with outside researchers to demote most right-wing social media users due to an alleged woke agenda. For more on what this looks like on the ground, check out my dispatch from 2023.

First things first: Europe's online safety rules are not about quelling free speech rights. Both the EU's Digital Services Act and UK's Online Safety Act enshrine protections for free speech into each separate legislation. (Disclaimer: I sit on an independent committee at Ofcom, the British regulator which oversees the country's rules, and anything I say here is in a personal capacity.) At their roots, these online safety regimes are exercises in transparency which are aimed at holding social media companies to their word on how they implement internal terms of service.

If these companies don't follow mostly internal procedures — or, in the case of X, flagrantly disregard basic transparency requirements — then they will be held responsible for those actions. Such regulatory oversight is standard in sectors from financial services to pharmaceuticals. X is appealing its fine under the EU's Digital Services Act.

Many European officials believe they can win over American critics by explaining the basics of how these regimes operate. If only we can make them understand the inner workings of mandatory risk assessment and audit requirements, goes the theory, then they will realize that no one wants to harm free speech.

That framing misses the point.

If this was about the specifics of these online safety rules, then it would be obvious — based on the actual reading of the documents (here and here) — that censorship is not at the heart of this legislation. Or, if you don't want to scroll through those pages, read this from the European rules:

"Providers of intermediary services shallact in a diligent, objective and proportionate manner in applying and enforcing the restrictions referred to in paragraph 1, with due regard to the rights and legitimate interests of all parties involved, including the fundamental rights of the recipients of the service, such as the freedom of expression, freedom and pluralism of the media, and other fundamental rights and freedoms as enshrined in the Charter." (Emphasis in bold is my own)

But if you read these American criticisms as part of a decades-old attempt to hobble Europe from regulating US tech firms — in everything from antitrust, privacy and platform governance (see above section) — then these latest attacks on the Old World's online safety rules start to make sense.

Sign up for Digital Politics

Thanks for getting this far. Enjoyed what you've read? Why not receive weekly updates on how the worlds of technology and politics are colliding like never before. The first two weeks of any paid subscription are free.

Subscribe
Email sent! Check your inbox to complete your signup.

No spam. Unsubscribe anytime.

It's not specifically about which article within the UK's Online Safety Act is alleged to silence Americans within the US (note: there are none.) Instead, it's part of an ongoing effort — albeit one on steroids — that includes many US politicians and policymakers pushing back against European concerns that American tech giants may not be playing fairly when operating on the other side of the Atlantic.

That goes for everything from Silicon Valley's alleged weaponization of EU privacy rules to cement their dominance to ongoing claims that American social media companies are not transparent about what often polarising posts show up in Europeans' feeds.

It's notable that in the Feb 4 hearing in Washington, another topic under discussion is how the EU's Digital Markets Act and other corporate transparency rules "target American companies and hurt innovation." It's hard to square how criticism aimed at Europe's online safety rules should go hand in hand with complaints about the Continent's digital competition rules. Unless, that is, you view these discussions as part of the wider — and decades-old — pushback from Washington against Brussels' (and, to a lesser degree London's) attempt to hold some of the US' largest firms to account.

None of that excuses the ongoing attacks aimed at destroying the EU and UK's online safety rules — all in the name of protecting American free speech. Such rhetoric from some in the US has arguably made the European online information space more dangerous and harmful, in part due to companies' willingness to pull back on their online safety protocols to align with such American criticism.

What I'm reading

— A tech entrepreneur set up a Reddit-style social media that only AI agents could post to. Humans are relegated to just watching along. Check it out here.

— The European Commission open two proceedings into Google's obligations under the Digital MarketS Act. More here.

— The Netherlands is moving toward ditching US tech services for those created either domestically or within the EU. More here.

— Maldita, the Spanish fact-checker, found more than 500 TikTok accounts that produced AI-generated videos of alleged political protests in violation of its commitments under the EU's online safety regime. More here.

— The Irish regulator in charge of the EU's Digital Services Act published guidance on how independent researchers could apply for access to private data held within social media companies. More here.

digitalpolitics.co/newsletter0…

Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT

Introduction

Stan Ghouls (also known as Bloody Wolf) is an cybercriminal group that has been launching targeted attacks against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attackers primarily have their sights set on the manufacturing, finance, and IT sectors. Their campaigns are meticulously prepared and tailored to specific victims, featuring a signature toolkit of custom Java-based malware loaders and a sprawling infrastructure with resources dedicated to specific campaigns.

We continuously track Stan Ghouls’ activity, providing our clients with intel on their tactics, techniques, procedures, and latest campaigns. In this post, we share the results of our most recent deep dive into a campaign targeting Uzbekistan, where we identified roughly 50 victims. About 10 devices in Russia were also hit, with a handful of others scattered across Kazakhstan, Turkey, Serbia, and Belarus (though those last three were likely just collateral damage).

During our investigation, we spotted shifts in the attackers’ infrastructure – specifically, a batch of new domains. We also uncovered evidence suggesting that Stan Ghouls may have added IoT-focused malware to their arsenal.

Technical details

Threat evolution

Stan Ghouls relies on phishing emails packed with malicious PDF attachments as their initial entry point. Historically, the group’s weapon of choice was the remote access Trojan (RAT) STRRAT, also known as Strigoi Master. Last year, however, they switched strategies, opting to misuse legitimate software, NetSupport, to maintain control over infected machines.

Given Stan Ghouls’ targeting of financial institutions, we believe their primary motive is financial gain. That said, their heavy use of RATs may also hint at cyberespionage.

Like any other organized cybercrime groups, Stan Ghouls frequently refreshes its infrastructure. To track their campaigns effectively, you have to continuously analyze their activity.

Initial infection vector

As we’ve mentioned, Stan Ghouls’ primary – and currently only – delivery method is spear phishing. Specifically, they favor emails loaded with malicious PDF attachments. This has been backed up by research from several of our industry peers (1, 2, 3). Interestingly, the attackers prefer to use local languages rather than opting for international mainstays like Russian or English. Below is an example of an email spotted in a previous campaign targeting users in Kyrgyzstan.

Example of a phishing email from a previous Stan Ghouls campaign

The email is written in Kyrgyz and translates to: “The service has contacted you. Materials for review are attached. Sincerely”.

The attachment was a malicious PDF file titled “Постановление_Районный_суд_Кчрм_3566_28-01-25_OL4_scan.pdf” (the title, written in Russian, posed it as an order of district court).

During the most recent campaign, which primarily targeted victims in Uzbekistan, the attackers deployed spear-phishing emails written in Uzbek:

Example of a spear-phishing email from the latest campaign

The email text can be translated as follows:
[redacted] AKMALZHON IBROHIMOVICH

You will receive a court notice. Application for retrial. The case is under review by the district court. Judicial Service.

Mustaqillik Street, 147 Uraboshi Village, Quva District.
The attachment, named E-SUD_705306256_ljro_varaqasi.pdf (MD5: 7556e2f5a8f7d7531f28508f718cb83d), is a standard one-page decoy PDF:

The embedded decoy document

Notice that the attackers claim that the “case materials” (which are actually the malicious loader) can only be opened using the Java Runtime Environment.

They even helpfully provide a link for the victim to download and install it from the official website.

The malicious loader

The decoy document contains identical text in both Russian and Uzbek, featuring two links that point to the malicious loader:

• Uzbek link (“- Ish materiallari 09.12.2025 y”): hxxps://mysoliq-uz[.]com/api/v2/documents/financial/Q4-2025/audited/consolidated/with-notes/financials/reports/annual/2025/tashkent/statistical-statements/
• Russian link (“- Материалы дела 09.12.2025 г.”): hxxps://my-xb[.]com/api/v2/documents/financial/Q4-2025/audited/consolidated/with-notes/financials/reports/annual/2025/tashkent/statistical-statements/

Both links lead to the exact same JAR file (MD5: 95db93454ec1d581311c832122d21b20).

It’s worth noting that these attackers are constantly updating their infrastructure, registering new domains for every new campaign. In the relatively short history of this threat, we’ve already mapped out over 35 domains tied to Stan Ghouls.

The malicious loader handles three main tasks:

1. Displaying a fake error message to trick the user into thinking the application can’t run. The message in the screenshot translates to: “This application cannot be run in your OS. Please use another device.”
   
   Fake error message
2. Checking that the number of previous RAT installation attempts is less than three. If the limit is reached, the loader terminates and throws the following error: “Urinishlar chegarasidan oshildi. Boshqa kompyuterni tekshiring.” This translates to: “Attempt limit reached. Try another computer.”
   
   The limitCheck procedure for verifying the number of RAT download attempts
3. Downloading a remote management utility from a malicious domain and saving it to the victim’s machine. Stan Ghouls loaders typically contain a list of several domains and will iterate through them until they find one that’s live.
   
   The performanceResourceUpdate procedure for downloading the remote management utility

The loader fetches the following files, which make up the components of the NetSupport RAT: PCICHEK.DLL, client32.exe, advpack.dll, msvcr100.dll, remcmdstub.exe, ir50_qcx.dll, client32.ini, AudioCapture.dll, kbdlk41a.dll, KBDSF.DLL, tcctl32.dll, HTCTL32.DLL, kbdibm02.DLL, kbd101c.DLL, kbd106n.dll, ir50_32.dll, nskbfltr.inf, NSM.lic, pcicapi.dll, PCICL32.dll, qwave.dll. This list is hardcoded in the malicious loader’s body. To ensure the download was successful, it checks for the presence of the client32.exe executable. If the file is found, the loader generates a NetSupport launch script (run.bat), drops it into the folder with the other files, and executes it:

The createBatAndRun procedure for creating and executing the run.bat file, which then launches the NetSupport RAT

The loader also ensures NetSupport persistence by adding it to startup using the following three methods:

1. It creates an autorun script named SoliqUZ_Run.bat and drops it into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup):
   
   The generateAutorunScript procedure for creating the batch file and placing it in the Startup folder
2. It adds the run.bat file to the registry’s autorun key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malicious_key_name).
   
   The registryStartupAdd procedure for adding the RAT launch script to the registry autorun key
3. It creates a scheduled task to trigger run.bat using the following command:
   schtasks Create /TN "[malicious_task_name]" /TR "[path_to_run.bat]" /SC ONLOGON /RL LIMITED /F /RU "[%USERNAME%]"
   
   The installStartupTask procedure for creating a scheduled task to launch the NetSupport RAT (via run.bat)

Once the NetSupport RAT is downloaded, installed, and executed, the attackers gain total control over the victim’s machine. While we don’t have enough telemetry to say with 100% certainty what they do once they’re in, the heavy focus on finance-related organizations suggests that the group is primarily after its victims’ money. That said, we can’t rule out cyberespionage either.

Malicious utilities for targeting IoT infrastructure

Previous Stan Ghouls attacks targeting organizations in Kyrgyzstan, as documented by Group-IB researchers, featured a NetSupport RAT configuration file client32.ini with the MD5 hash cb9c28a4c6657ae5ea810020cb214ff0. While reports mention the Kyrgyzstan campaign kicked off in June 2025, Kaspersky solutions first flagged this exact config file on May 16, 2025. At that time, it contained the following NetSupport RAT command-and-control server info:
...

[HTTP]CMPI=60
GatewayAddress=hgame33[.]com:443
GSK=FN:L?ADAFI:F?BCPGD;N>IAO9J>J@N
Port=443
SecondaryGateway=ravinads[.]com:443
SecondaryPort=443
At the time of our January 2026 investigation, our telemetry showed that the domain specified in that config, hgame33[.]com, was also hosting the following files:

• hxxp://www.hgame33[.]com/00101010101001/morte.spc
• hxxp://hgame33[.]com/00101010101001/debug
• hxxp://www.hgame33[.]com/00101010101001/morte.x86
• hxxp://www.hgame33[.]com/00101010101001/morte.mpsl
• hxxp://www.hgame33[.]com/00101010101001/morte.arm7
• hxxp://www.hgame33[.]com/00101010101001/morte.sh4
• hxxp://hgame33[.]com/00101010101001/morte.arm
• hxxp://hgame33[.]com/00101010101001/morte.i686
• hxxp://hgame33[.]com/00101010101001/morte.arc
• hxxp://hgame33[.]com/00101010101001/morte.arm5
• hxxp://hgame33[.]com/00101010101001/morte.arm6
• hxxp://www.hgame33[.]com/00101010101001/morte.m68k
• hxxp://www.hgame33[.]com/00101010101001/morte.ppc
• hxxp://www.hgame33[.]com/00101010101001/morte.x86_64
• hxxp://hgame33[.]com/00101010101001/morte.mips

All of these files belong to the infamous IoT malware named Mirai. Since they are sitting on a server tied to the Stan Ghouls’ campaign targeting Kyrgyzstan, we can hypothesize – with a low degree of confidence – that the group has expanded its toolkit to include IoT-based threats. However, it’s also possible it simply shared its infrastructure with other threat actors who were the ones actually wielding Mirai. This theory is backed up by the fact that the domain’s registration info was last updated on July 4, 2025, at 11:46:11 – well after Stan Ghouls’ activity in May and June.

Attribution

We attribute this campaign to the Stan Ghouls (Bloody Wolf) group with a high degree of confidence, based on the following similarities to the attackers’ previous campaigns:

1. Substantial code overlaps were found within the malicious loaders. For example:
   
   Code snippet from sample 1acd4592a4eb0c66642cc7b07213e9c9584c6140210779fbc9ebb76a90738d5e, the loader from the Group-IB report

   
   Code snippet from sample 95db93454ec1d581311c832122d21b20, the NetSupport loader described here

2. Decoy documents in both campaigns look identical.
   
   Decoy document 5d840b741d1061d51d9786f8009c37038c395c129bee608616740141f3b202bb from the campaign reported by Group-IB

   
   Decoy document 106911ba54f7e5e609c702504e69c89a used in the campaign described here

3. In both current and past campaigns, the attackers utilized loaders written in Java. Given that Java has fallen out of fashion with malicious loader authors in recent years, it serves as a distinct fingerprint for Stan Ghouls.

Victims

We identified approximately 50 victims of this campaign in Uzbekistan, alongside 10 in Russia and a handful of others in Kazakhstan, Turkey, Serbia, and Belarus (we suspect the infections in these last three countries were accidental). Nearly all phishing emails and decoy files in this campaign were written in Uzbek, which aligns with the group’s track record of leveraging the native languages of their target countries.

Most of the victims are tied to industrial manufacturing, finance, and IT. Furthermore, we observed infection attempts on devices within government organizations, logistics companies, medical facilities, and educational institutions.

It is worth noting that over 60 victims is quite a high headcount for a sophisticated campaign. This suggests the attackers have enough resources to maintain manual remote control over dozens of infected devices simultaneously.

Takeaways

In this post, we’ve broken down the recent campaign by the Stan Ghouls group. The attackers set their sights on organizations in industrial manufacturing, IT, and finance, primarily located in Uzbekistan. However, the ripple effect also reached Russia, Kazakhstan, and a few, likely accidental, victims elsewhere.

With over 60 targets hit, this is a remarkably high volume for a sophisticated targeted campaign. It points to the significant resources these actors are willing to pour into their operations. Interestingly, despite this, the group sticks to a familiar toolkit including the legitimate NetSupport remote management utility and their signature custom Java-based loader. The only thing they seem to keep updating is their infrastructure. For this specific campaign, they employed two new domains to house their malicious loader and one new domain dedicated to hosting NetSupport RAT files.

One curious discovery was the presence of Mirai files on a domain linked to the group’s previous campaigns. This might suggest Stan Ghouls are branching out into IoT malware, though it’s still too early to call it with total certainty.

We’re keeping a close watch on Stan Ghouls and will continue to keep our customers in the loop regarding the group’s latest moves. Kaspersky products provide robust protection against this threat at every stage of the attack lifecycle.

Indicators of compromise

* Additional IoCs and a YARA rule for detecting Stan Ghouls activity are available to customers of our Threat Intelligence Reporting service. For more details, contact us at crimewareintel@kaspersky.com.

PDF decoys

B4FF4AA3EBA9409F9F1A5210C95DC5C3
AF9321DDB4BEF0C3CD1FF3C7C786F0E2
056B75FE0D230E6FF53AC508E0F93CCB
DB84FEBFD85F1469C28B4ED70AC6A638
649C7CACDD545E30D015EDB9FCAB3A0C
BE0C87A83267F1CE13B3F75C78EAC295
78CB3ABD00A1975BEBEDA852B2450873
51703911DC437D4E3910CE7F866C970E
FA53B0FCEF08F8FF3FFDDFEE7F1F4F1A
79D0EEAFB30AA2BD4C261A51104F6ACC
8DA8F0339D17E2466B3D73236D18B835
299A7E3D6118AD91A9B6D37F94AC685B
62AFACC37B71D564D75A58FC161900C3
047A600E3AFBF4286175BADD4D88F131
ED0CCADA1FE1E13EF78553A48260D932
C363CD87178FD660C25CDD8D978685F6
61FF22BA4C3DF7AE4A936FCFDEB020EA
B51D9EDC1DC8B6200F260589A4300009
923557554730247D37E782DB3BEA365D
60C34AD7E1F183A973FB8EE29DC454E8
0CC80A24841401529EC9C6A845609775
0CE06C962E07E63D780E5C2777A661FC

Malicious loaders

1b740b17e53c4daeed45148bfbee4f14
3f99fed688c51977b122789a094fec2e
8b0bbe7dc960f7185c330baa3d9b214c
95db93454ec1d581311c832122d21b20
646a680856f837254e6e361857458e17
8064f7ac9a5aa845ded6a1100a1d5752
d0cf8946acd3d12df1e8ae4bb34f1a6e
db796d87acb7d980264fdcf5e94757f0
e3cb4dafa1fb596e1e34e4b139be1b05
e0023eb058b0c82585a7340b6ed4cc06
0bf01810201004dcc484b3396607a483
4C4FA06BD840405FBEC34FE49D759E8D
A539A07891A339479C596BABE3060EA6
b13f7ccbedfb71b0211c14afe0815b36
f14275f8f420afd0f9a62f3992860d68
3f41091afd6256701dd70ac20c1c79fe
5c4a57e2e40049f8e8a6a74aa8085c80
7e8feb501885eff246d4cb43c468b411
8aa104e64b00b049264dc1b01412e6d9
8c63818261735ddff2fe98b3ae23bf7d

Malicious domains

mysoliq-uz[.]com
my-xb[.]com
xarid-uz[.]com
ach-uz[.]com
soliq-uz[.]com
minjust-kg[.]com
esf-kg[.]com
taxnotice-kg[.]com
notice-kg[.]com
proauditkg[.]com
kgauditcheck[.]com
servicedoc-kg[.]com
auditnotice-kg[.]com
tax-kg[.]com
rouming-uz[.]com
audit-kg[.]com
kyrgyzstanreview[.]com
salyk-notofocations[.]com

securelist.com/stan-ghouls-in-…

DIY Macropad Rocks a Haptic Feedback Wheel

Macropads can be as simple as a few buttons hooked up to a microcontroller to do the USB HID dance and talk to a PC. However, you can go a lot further, too. [CNCDan] demonstrates this well with his sleek macropad build, which throws haptic feedback into the mix.

The build features six programmable macro buttons, which are situated either on side of a 128×64 OLED display. This setup allows the OLED screen to show icons that explain the functionality of each button. There’s also a nice large rotary knob, surrounded by 20 addressable WS2811 LEDs for visual feedback. Underneath the knob lives an an encoder, as well as a brushless motor typically used in gimbal builds, which is driven by a TMC6300 motor driver board. Everything is laced up to a Waveshare RP2040 Plus devboard which runs the show. It’s responsible for controlling the motors, reading the knob and switches, and speaking USB to the PC that it’s plugged into.

It’s a compact device that nonetheless should prove to be a good productivity booster on the bench. We’ve featured [CNCDan’s] work before, too, such as this nifty DIY VR headset.

youtube.com/embed/bNUKRJQjuvQ?…

hackaday.com/2026/02/05/diy-ma…