A sophisticated cyber threat actor, identified as Cavalry Werewolf, has been actively targeting Russian public sector entities, deploying advanced malware strains such as FoalShell and StallionRAT. This group exhibits significant overlaps with other known clusters, including YoroTrooper, SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris, indicating a complex and interconnected threat landscape.
Initial Access via Phishing Campaigns
Between May and August 2025, Cavalry Werewolf orchestrated a series of targeted phishing attacks. These campaigns involved sending deceptive emails that masqueraded as official communications from Kyrgyz government officials. The primary targets were Russian state agencies, along with enterprises in the energy, mining, and manufacturing sectors. In certain instances, the attackers compromised legitimate email accounts associated with Kyrgyzstan’s regulatory authority to enhance the credibility of their phishing attempts.
Deployment of FoalShell and StallionRAT
The phishing emails contained RAR archive attachments designed to deliver two primary malware payloads:
– FoalShell: This lightweight reverse shell exists in Go, C++, and C# variants. It lets the attackers execute arbitrary commands on the infected system through the command prompt (cmd.exe), giving them unauthorized control and a path to data exfiltration.
– StallionRAT: Written in Go, PowerShell, and Python variants, StallionRAT provides a versatile platform for executing commands, loading additional malicious files, and exfiltrating data. Notably, it uses a Telegram bot for command-and-control (C2), supporting commands such as:
  – `/list`: Retrieves a list of compromised hosts connected to the C2 server.
  – `/go [DeviceID] [command]`: Executes specified commands on the targeted device.
  – `/upload [DeviceID]`: Uploads files to the victim’s device.
Additionally, the attackers deployed tools like ReverseSocks5Agent and ReverseSocks5, and executed commands to gather comprehensive device information, further enhancing their control over compromised systems.
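A defender-side detection for the Telegram-bot C2 channel described above, as an added example that is not from the original report: it scans constructed proxy/EDR network log lines (assumed to record full URLs, for instance from a TLS-inspecting proxy) and alerts when a process outside an allowlist repeatedly polls a Telegram Bot API endpoint. The endpoint shape follows the public Bot API; the log layout, host, process and bot names, and the allowlist are assumptions.

```python
import re
from collections import Counter

# Bot-API call shape (api.telegram.org/bot<id>:<secret>/<method>) follows the public Telegram Bot API.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)")
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")

# Sanctioned bot clients (assumed; tune per environment). Any other process polling a bot is suspect.
ALLOWED_PROCS = {"ops-alertbot.exe"}

def parse_line(line):
    """Split one log line into fields and pull out the bot id / API method, if any."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    api = BOT_API_RE.search(rec["url"])
    rec["bot_id"] = api.group("bot_id") if api else None
    rec["method"] = api.group("method") if api else None
    return rec

def find_bot_c2(lines, min_polls=3):
    """One alert per (host, process, bot_id) where a non-allowlisted process polls getUpdates
    at least min_polls times; sendMessage/sendDocument counts show results/files going back out."""
    polls, sends = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["bot_id"] or rec["proc"].lower() in ALLOWED_PROCS:
            continue
        key = (rec["host"], rec["proc"], rec["bot_id"])
        if rec["method"] == "getUpdates":
            polls[key] += 1
        elif rec["method"] in ("sendMessage", "sendDocument"):
            sends[key] += 1
    return [{"host": h, "process": p, "bot_id": b, "polls": n, "sends": sends[(h, p, b)]}
            for (h, p, b), n in polls.items() if n >= min_polls]

# Constructed sample: WS-07 polls a bot from an unknown binary, WS-12 runs the sanctioned bot.
SAMPLE_LOG = """\
2025-07-14T09:00:01Z host=WS-07 proc=update.exe url=https://api.telegram.org/bot123456789:AAExampleToken/getUpdates?offset=1
2025-07-14T09:00:06Z host=WS-07 proc=update.exe url=https://api.telegram.org/bot123456789:AAExampleToken/getUpdates?offset=2
2025-07-14T09:00:11Z host=WS-07 proc=update.exe url=https://api.telegram.org/bot123456789:AAExampleToken/getUpdates?offset=3
2025-07-14T09:00:12Z host=WS-07 proc=update.exe url=https://api.telegram.org/bot123456789:AAExampleToken/sendDocument
2025-07-14T09:00:15Z host=WS-12 proc=ops-alertbot.exe url=https://api.telegram.org/bot555:AASanctioned/getUpdates
2025-07-14T09:00:20Z host=WS-12 proc=ops-alertbot.exe url=https://api.telegram.org/bot555:AASanctioned/getUpdates
2025-07-14T09:00:30Z host=WS-03 proc=chrome.exe url=https://web.telegram.org/
"""
```

Running `find_bot_c2(SAMPLE_LOG.splitlines())` yields a single alert for WS-07 / update.exe with three polls and one outbound send, while the sanctioned bot and the ordinary web client produce nothing.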
Connections to Other Threat Actors
Cavalry Werewolf’s operations bear significant similarities to those of the Tomiris group, suggesting potential ties to Kazakhstan-based threat actors. Microsoft previously attributed the Tomiris backdoor to a Kazakhstan-affiliated entity known as Storm-0473. This connection underscores the possibility of regional collaboration or shared objectives among these groups.
Furthermore, the use of filenames in both English and Arabic indicates that Cavalry Werewolf’s targeting may extend beyond Russian entities, potentially encompassing a broader range of victims.
Implications and Recommendations
The activities of Cavalry Werewolf highlight the evolving nature of cyber threats facing Russian organizations. The group’s ability to employ sophisticated malware and leverage legitimate communication channels for phishing underscores the need for heightened vigilance.
To mitigate such threats, organizations should:
– Enhance Email Security: Implement advanced email filtering solutions to detect and block phishing attempts.
– Conduct Regular Training: Educate employees on recognizing phishing emails and the importance of not interacting with suspicious attachments or links.
– Implement Multi-Factor Authentication (MFA): Strengthen access controls to prevent unauthorized access, even if credentials are compromised.
– Monitor Network Activity: Utilize intrusion detection systems to identify unusual network behavior indicative of malware activity.
– Keep Systems Updated: Regularly apply security patches to operating systems and software to close vulnerabilities that could be exploited by attackers.
By adopting these measures, organizations can bolster their defenses against sophisticated threat actors like Cavalry Werewolf and reduce the risk of successful cyber intrusions.