Bloody Wolf, a notorious threat actor, has shifted its tactics by replacing malware with the legitimate remote administration tool NetSupport. The group has expanded its targets to include organizations in both Kazakhstan and Russia, compromising over 400 systems. Their attack method involves phishing emails with PDF attachments containing links to malicious JAR files. These files download and install NetSupport components, enabling full system access. The campaign exploits the prevalence of remote work and the increased use of remote administration software. The attackers' use of legitimate tools makes detection more challenging for conventional defenses. The report provides detailed technical information about the attack process and indicators of compromise.