Cavalry Werewolf APT Group Targets Multiple Industries with FoalShell and StallionRAT Malware

Between May and August 2025, a targeted campaign against Russia's public sector and critical industries was observed. The group behind it, tracked as Cavalry Werewolf and also referred to as YoroTrooper and Silent Lynx, delivered custom-built malware through spear-phishing that trades on the trust placed in official government correspondence.

Targeted Sectors and Attack Methods

The campaign primarily focuses on organizations in the energy, mining, and manufacturing sectors. The attackers send spear-phishing emails disguised as official correspondence from legitimate Kyrgyz government entities, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications. The emails carry RAR archives whose filenames mimic genuine official documents, such as "three-month results of joint operations" or "shortlist of employees to receive bonuses". Inside each archive is either the FoalShell reverse shell or the StallionRAT remote access trojan.

Evidence suggests the attackers may have compromised genuine official mailboxes rather than merely spoofing them, which blurs the line between impersonation and actual compromise: mail sent from a real account passes sender-authentication checks such as SPF and DKIM, so those controls cannot be relied on to catch it. Analysts found that the malicious archives typically land in %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook, the directory Outlook uses for attachments opened directly from a message. An archive, and especially an executable, running from that path is therefore a strong sign that a user opened an email attachment in place, which gives security teams a narrow and low-noise detection point.

Technical Sophistication and Malware Variants

The campaign's sophistication extends beyond social engineering. The group maintains implementations of its malware in C#, C++, Go, PowerShell, and Python. The variants share the same command-and-control behaviour but differ in how they are built and how they reach the C2 server, so a signature written for one build does not carry over to the next.

Desktop artifacts discovered during analysis indicate the group is preparing to expand beyond Russian targets, with files in the Tajik language suggesting interest in Tajikistan and Arabic-named documents pointing toward potential Middle Eastern reconnaissance. The discovery of AsyncRAT installer files further highlights the group’s evolving toolkit and ambitious operational scope.

FoalShell: Multi-Language Backdoor Architecture

FoalShell represents a lightweight but effective reverse shell implementation designed to grant attackers command-line access through cmd.exe on compromised systems. The malware’s architecture varies across programming languages:

– C# Version: Opens a plain TCP connection to the command-and-control server at 188.127.225.191 on port 443 and launches cmd.exe with a hidden window style so nothing is shown to the user. Its main loop receives a command, runs it through cmd.exe, and sends both standard output and standard error back to the C2 server.

– C++ Variant: Adds a shellcode-loading stage. An obfuscated FoalShell shellcode is embedded in the executable's resources under the name output_bin; the loader extracts it, allocates memory with VirtualAlloc as PAGE_EXECUTE_READWRITE (read, write and execute), copies the shellcode in and runs it. That first stage deobfuscates the actual reverse-shell code before it connects to the C2 server at 109.172.85.63. Both the RWX allocation and the unusual resource name are useful hunting points.

– Go Implementation: Uses Go's own runtime networking rather than the Windows networking APIs to connect to the C2 server at 62.113.114.209 on port 443, and starts cmd.exe with the HideWindow process attribute (syscall.SysProcAttr in Go) set to 1, i.e. true, so no console window appears.

Maintaining several implementations lets the attackers pick the build that best fits a target's environment and security tooling, and it leaves traditional signature-based detection chasing each variant in turn. What stays constant across all of them is the behaviour: a process launched from a user-writable path that spawns cmd.exe and holds an outbound connection on port 443, which is what behavioural detections should key on.
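The Outlook-cache observation above and the cmd.exe behaviour shared by every FoalShell variant can be combined into one hunt over endpoint telemetry. The script below is an added example written for this page, not code from the original report or from the malware's authors. It reads Sysmon-style file-create and process-create events; the sample events, the user name, the WinRAR extraction folder under %TEMP% and the process names are constructed assumptions, not indicators from the report.

```python
"""Hunting the Cavalry Werewolf delivery chain in endpoint telemetry.

Added example, not code from the original report. It walks Sysmon-style
file-create and process-create events and flags three linked behaviours:
  1. an archive written under Content.Outlook (the Outlook attachment cache),
  2. an executable started from that cache or from a user-writable temp
     directory such as an archiver's extraction folder,
  3. cmd.exe spawned by such an executable, which is how FoalShell runs
     the commands it receives.
The sample events below are constructed; the extraction path and the
process names are assumptions, not indicators from the report.
"""
import re
from dataclasses import dataclass

OUTLOOK_CACHE = re.compile(
    r"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\.Outlook\\", re.I)
USER_TEMP = "\\appdata\\local\\temp\\"
ARCHIVE_EXT = (".rar", ".zip", ".7z")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".ps1")


@dataclass
class Event:
    kind: str          # "file_create" (Sysmon 11) or "process_create" (Sysmon 1)
    pid: int
    ppid: int = 0
    image: str = ""    # image of the acting / new process
    target: str = ""   # created file path (file_create only)


# Constructed sample telemetry: Outlook writes an attachment to its cache,
# WinRAR opens it, the dropped binary runs from the temp extraction folder
# and spawns cmd.exe. A notepad launch is included as benign noise.
SAMPLE = [
    Event("file_create", 4100,
          image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          target=r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\Results_Q3.rar"),
    Event("process_create", 5200, 4100, image=r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event("process_create", 5300, 5200,
          image=r"C:\Users\user\AppData\Local\Temp\Rar$EXa5200.1234\Results_Q3.exe"),
    Event("process_create", 5400, 5300, image=r"C:\Windows\System32\cmd.exe"),
    Event("process_create", 6000, 4100, image=r"C:\Windows\System32\notepad.exe"),
]


def hunt(events):
    """Return (rule, pid, path) tuples for events matching the chain."""
    findings = []
    dropped = set()   # pids of binaries launched from the cache or temp
    for ev in events:
        if ev.kind == "file_create":
            if OUTLOOK_CACHE.search(ev.target) and ev.target.lower().endswith(ARCHIVE_EXT):
                findings.append(("archive_in_outlook_cache", ev.pid, ev.target))
        elif ev.kind == "process_create":
            img = ev.image.lower()
            from_cache = bool(OUTLOOK_CACHE.search(ev.image)) or USER_TEMP in img
            if from_cache and img.endswith(EXEC_EXT):
                dropped.add(ev.pid)
                findings.append(("exec_from_user_cache", ev.pid, ev.image))
            elif img.endswith("\\cmd.exe") and ev.ppid in dropped:
                # FoalShell runs each received command through cmd.exe, so the
                # shell's parent is the dropped binary, not explorer.exe.
                findings.append(("cmd_spawned_by_dropped_binary", ev.pid, ev.image))
    return findings


if __name__ == "__main__":
    for rule, pid, path in hunt(SAMPLE):
        print(f"{rule:32} pid={pid} {path}")
```

The three rules are deliberately chained: the cmd.exe rule only fires for a parent that was itself flagged as running from the cache or a temp folder, which keeps ordinary interactive shells out of the results. On a real estate the same logic maps directly onto a SIEM query over Sysmon event IDs 11 and 1.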

StallionRAT: Advanced Remote Access Trojan

In addition to FoalShell, Cavalry Werewolf deploys StallionRAT, the more capable component of its arsenal. StallionRAT has a modular design and uses Telegram as its command-and-control channel, which gives the operators a flexible and resilient link that rides on a legitimate, widely used service. Through it the attackers can run an extensive set of commands on compromised hosts, including data exfiltration, extending their control over infected networks. Because the traffic terminates at Telegram's own infrastructure, blocklists of attacker IP addresses do not apply; the detection question becomes which processes on a host have any business talking to Telegram at all.
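The FoalShell C2 addresses and port listed above and the Telegram channel used by StallionRAT call for different network checks, and the script below, an added example written for this page rather than code from the report, runs both over a set of flow records. The flows, the benign hosts and the process names are constructed. Two further assumptions are labelled in the code: that the FoalShell sessions on port 443 are not TLS-wrapped, which follows from the report's description of a plain TCP socket, and that StallionRAT reaches Telegram through the Bot API host api.telegram.org, which the report does not state.

```python
"""Network-side checks for the FoalShell and StallionRAT C2 patterns.

Added example, not code from the original report. It runs three rules over
constructed flow records (the flows, the benign hosts and the process names
are all assumptions):
  1. destination matches a C2 address the report lists for FoalShell,
  2. a session on port 443 whose first client payload is not a TLS
     ClientHello: the C# and Go FoalShell variants open a plain TCP socket to
     443 and exchange shell I/O on it (assumption: no TLS wrapping), so the
     port alone does not make the traffic look like HTTPS,
  3. a process other than a browser or the Telegram client talking to
     api.telegram.org, the Telegram Bot API host (assumption: StallionRAT's
     Telegram C2 goes through the Bot API; the report only says Telegram).
"""
import ipaddress
from dataclasses import dataclass

FOALSHELL_C2 = {ipaddress.ip_address(a) for a in
                ("188.127.225.191", "109.172.85.63", "62.113.114.209")}
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


@dataclass
class Flow:
    dst: str
    dport: int
    first_client_bytes: bytes   # b"" if the server spoke first
    sni: str = ""               # TLS server_name, when present
    process: str = ""           # owning process from endpoint telemetry


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte
    length, then handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


# Constructed flows: one benign HTTPS session, a FoalShell C# session that
# starts by sending a cmd.exe banner in clear, a Telegram Bot API poll from a
# dropped binary, and a FoalShell Go session where the server spoke first.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03",
         sni="www.example.com", process="chrome.exe"),
    Flow("188.127.225.191", 443, b"Microsoft Windows [Version 10.0.19045]\r\n",
         process="Results_Q3.exe"),
    Flow("203.0.113.20", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03",
         sni="api.telegram.org", process="report.exe"),
    Flow("62.113.114.209", 443, b"", process="Results_Q3.exe"),
]


def inspect(flows):
    """Return (rule, dst, process) tuples for every matching rule."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f.dst) in FOALSHELL_C2:
            alerts.append(("known_foalshell_c2", f.dst, f.process))
        # A real TLS client always speaks first with a ClientHello, so an
        # empty client payload on 443 is as suspicious as a cleartext one.
        if f.dport == 443 and not is_tls_client_hello(f.first_client_bytes):
            alerts.append(("non_tls_on_443", f.dst, f.process))
        if f.sni.lower() == "api.telegram.org" and f.process.lower() not in EXPECTED_TELEGRAM_CLIENTS:
            alerts.append(("telegram_bot_api_unexpected_process", f.dst, f.process))
    return alerts


if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

The IP rule covers only the infrastructure already known; the other two survive an infrastructure change, because a raw shell on 443 still cannot produce a ClientHello and a RAT still has to reach Telegram from a process that should never need it. The Telegram rule depends on having a process attribution for the flow, which a plain network sensor lacks; pair it with endpoint telemetry or a proxy that logs the originating process.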

Implications and Recommendations

The Cavalry Werewolf activity shows how attackers pair convincing social engineering with solid tradecraft to reach critical sectors. Organizations in the targeted industries should tighten email filtering for archive attachments, particularly RAR files that contain executables, run regular security awareness training built around lures that imitate official correspondence, and watch outbound traffic for the patterns described above.

Security teams should look for the concrete indicators this campaign leaves behind: archives and executables under the Outlook cache directory, cmd.exe spawned by processes running from that directory or from wherever the archive was extracted, plain TCP sessions on port 443 to the C2 addresses listed above, and Telegram traffic from processes that have no reason to generate it. Acting on such indicators proactively, rather than waiting for a signature for the next language variant, is the best defence against this kind of persistent threat actor.