Using FoalShell and StallionRAT, a New “Cavalry Werewolf” Attack Targets Russian Agencies
Using FoalShell and StallionRAT, a New “Cavalry Werewolf” Attack Targets Russian Agencies
A threat actor reported to have similarities to the hacker collective YoroTrooper has been seen using malware families like FoalShell and StallionRAT to attack the Russian public sector.
Under the alias Cavalry Werewolf, cybersecurity provider BI.ZONE is monitoring the behavior. Additionally, it is evaluated to share similarities with clusters that are monitored as Tomiris, Comrade Saiga, Silent Lynx, SturgeonPhisher, and ShadowSilk.
“To gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials,” claimed BI.ZONE. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”
Group-IB disclosed in August 2025 that ShadowSilk had launched operations against Central Asian and Asia-Pacific (APAC) government organizations using remote access trojans and reverse proxy tools that were originally built in Python and later transferred to PowerShell.
Cavalry Werewolf’s connections to Tomiris are noteworthy, in part because they support the theory that it is a threat actor with ties to Kazakhstan. Microsoft linked the Tomiris backdoor to a threat actor based in Kazakhstan identified as Storm-0473 in a report published towards the end of last year.
The most recent phishing campaigns, which were detected between May and August 2025, use phony email addresses to distribute RAR archives that contain FoalShell or StallionRAT by posing as Kyrgyz government officials.
According to reports, the threat actor sent the messages in at least one instance by breaking into a valid email account linked to the regulatory body of the Kyrgyz Republic.In versions of Go, C++, and C#, FoalShell is a lightweight reverse shell that enables operators to use cmd.exe to execute arbitrary commands.
This is also true of StallionRAT, which is written in Go, PowerShell, and Python and allows the attackers to load more files, run arbitrary commands, and use a Telegram bot to exfiltrate data that has been gathered.The following are a few instructions that the bot supports:
- /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server.
- /go [DeviceID] [command], to execute the given command using Invoke-Expression.
- /upload [DeviceID], to upload a file to the victim’s device.
Tools such as ReverseSocks5Agent and ReverseSocks5, together with commands to collect device information, are also run on the infected hosts.
According to the Russian cybersecurity provider, it also discovered several filenames in Arabic and English, indicating that Cavalry Werewolf’s targeting may be more extensive than previously thought.
“Cavalry Werewolf is actively experimenting with expanding its arsenal,” stated BI.ZONE. “This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks.”
At least 500 Russian companies were compromised, the majority of which were in the finance, entertainment, education, and commerce sectors, according to the company’s disclosure of an analysis of publications made on Telegram channels or underground forums over the past year by hacktivists and financially motivated attackers.
“In 86% of cases, attackers published data stolen from compromised public‑facing web applications,” it stated. “The attackers installed gs-netcat on the compromised server to guarantee continuous access after they were able to access the public web application. The attackers would occasionally load extra web shells. Additionally, they extracted data from databases using reputable programs like Adminer, phpMiniAdmin, and mysqldump.
About the Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
Read More:
SBI Crypto Breached by North Korean Hackers and ₹175 Crore was Stolen in the Digital Heist
About Author
English