A threat actor that’s known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT.
Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It’s also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris.
“In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials,” BI.ZONE said. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”
In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell.
Cavalry Werewolf’s ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it’s a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473.
The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT.
In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic’s regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe.
StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot. Some of the commands supported by the bot include –
- /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server
- /go [DeviceID] [command], to execute the given command using Invoke-Expression
- /upload [DeviceID], to upload a file to the victim’s device
Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information.
The Russian cybersecurity vendor said it also uncovered various filenames in English and Arabic, suggesting that the targeting focus of Cavalry Werewolf may be broader in scope than previously assumed.
“Cavalry Werewolf is actively experimenting with expanding its arsenal,” BI.ZONE said. “This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
