Cavalry Werewolf APT Group Targets Multiple Industries with FoalShell and StallionRAT

Between May and August 2025, a sophisticated cyber threat campaign emerged, targeting Russia’s public sector and critical industries. The group behind these attacks, known as Cavalry Werewolf—also referred to as YoroTrooper and Silent Lynx—has been actively deploying custom-built malware through highly targeted phishing operations that exploit trusted governmental relationships.

Targeted Sectors and Attack Methods

The campaign primarily focuses on organizations within the energy, mining, and manufacturing sectors. The attackers employ spear-phishing emails disguised as official correspondence from legitimate Kyrgyz government entities, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications. These emails carry RAR archives whose filenames mimic genuine official documents, such as "three-month results of joint operations" or "shortlist of employees to receive bonuses". Inside these archives is either the FoalShell reverse shell or the StallionRAT remote access trojan.

Evidence suggests that the attackers may have successfully breached real official email accounts to enhance their operational credibility, blurring the line between impersonation and actual compromise. Analysts have identified that the malicious archives are typically downloaded to the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, presenting a key detection opportunity for security teams monitoring Outlook cache activity.

Technical Sophistication and Multi-Language Malware

The sophistication of this campaign extends beyond social engineering tactics, incorporating multi-language malware implementations that demonstrate the group’s technical versatility and commitment to operational security. The threat actors have developed variants of their malware in C#, C++, Go, PowerShell, and Python, each designed to evade detection through different mechanisms while maintaining core command-and-control functionality.

Desktop artifacts discovered during analysis indicate the group is preparing to expand beyond Russian targets, with files in the Tajik language suggesting interest in Tajikistan and Arabic-named documents pointing toward potential Middle Eastern reconnaissance. The discovery of AsyncRAT installer files further highlights the group’s evolving toolkit and ambitious operational scope.

FoalShell: Multi-Language Backdoor Architecture

FoalShell represents a lightweight but effective reverse shell implementation designed to grant attackers command-line access through cmd.exe on compromised systems. The malware’s architecture varies across programming languages, with the C# version establishing straightforward TCP connections to command-and-control servers while maintaining stealth through hidden window styles.

The core functionality operates through a continuous loop that receives commands, executes them via cmd.exe, and returns both standard and error output to the C2 infrastructure located at IP address 188.127.225.191 on port 443.

The C++ variant employs more sophisticated evasion techniques through a shellcode-loading mechanism. An obfuscated FoalShell shellcode is embedded in the executable's resources under the name output_bin; the loader extracts it and runs it from memory allocated with read/write/execute (RWX) permissions via VirtualAlloc. The shellcode then deobfuscates the main reverse-shell payload before connecting to the C2 server at 109.172.85.63.
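The two detection opportunities the article names, RAR lures landing in the Outlook attachment cache and outbound connections to the FoalShell C2 addresses, can be turned into a small triage rule. The code below is an added example, not part of the original report or any vendor tooling; it assumes endpoint telemetry has been normalised into one key=value line per event (constructed sample lines are embedded), and the indicator values are only those quoted above.

```python
import re
from typing import Dict, List

# Indicators taken from the article: the Outlook cache path where the RAR
# lures are written, and the two FoalShell C2 addresses. Path is lowercased
# because the matcher lowercases the event path before comparing.
OUTLOOK_CACHE = "\\microsoft\\windows\\inetcache\\content.outlook\\"
FOALSHELL_C2 = {"188.127.225.191", "109.172.85.63"}
ARCHIVE_EXT = (".rar",)

# Constructed sample events (assumption: Sysmon-style file-create and
# network-connect records normalised to "key=value" pairs on one line).
SAMPLE_EVENTS = r"""
type=FileCreate image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE target=C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\results_three_months.rar
type=FileCreate image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE target=C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\agenda.docx
type=NetworkConnect image=C:\Users\alice\AppData\Local\Temp\results.exe dst=188.127.225.191 dport=443
type=NetworkConnect image=C:\Program Files\Mozilla Firefox\firefox.exe dst=93.184.216.34 dport=443
type=NetworkConnect image=C:\Users\alice\Downloads\loader.exe dst=109.172.85.63 dport=443
"""

# A value runs until the next " key=" token or end of line, so Windows paths
# containing spaces survive parsing.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the article's indicator names that this event matches."""
    hits: List[str] = []
    if event.get("type") == "FileCreate":
        target = event.get("target", "").lower()
        if OUTLOOK_CACHE in target and target.endswith(ARCHIVE_EXT):
            hits.append("archive-in-outlook-cache")
    elif event.get("type") == "NetworkConnect":
        if event.get("dst") in FOALSHELL_C2:
            hits.append("foalshell-c2")
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line and keep matching events with their reasons."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append({**event, "reasons": ",".join(reasons)})
    return findings
```

Running scan(SAMPLE_EVENTS) flags the RAR in the Content.Outlook cache and the two C2 connections while leaving the .docx and the ordinary browser traffic alone.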

StallionRAT: Advanced Remote Access Trojan

StallionRAT is a more potent component in the attackers’ arsenal, featuring a modular design and utilizing Telegram-based command-and-control (C2) infrastructure. This remote access trojan allows for extensive control over compromised systems, including file manipulation, process management, and data exfiltration. Its modular nature enables the attackers to update and expand its capabilities as needed, making it a versatile tool for prolonged cyber espionage activities.

Implications and Recommendations

The Cavalry Werewolf group’s activities underscore the evolving landscape of cyber threats, where attackers employ sophisticated social engineering tactics combined with technically advanced malware to infiltrate critical sectors. Organizations within the targeted industries should enhance their cybersecurity measures by:

1. Employee Training: Educate staff on recognizing phishing attempts, especially those mimicking official correspondence.

2. Email Security: Implement advanced email filtering solutions to detect and block malicious attachments and links.

3. Endpoint Detection and Response (EDR): Deploy EDR solutions capable of identifying and mitigating multi-language malware variants.

4. Network Monitoring: Monitor network traffic for unusual patterns, particularly connections to known C2 servers.

5. Regular Updates: Keep all systems and software up to date to minimize vulnerabilities that could be exploited by such malware.

By adopting a comprehensive cybersecurity strategy that includes these measures, organizations can better defend against the sophisticated tactics employed by groups like Cavalry Werewolf.