Full Report
A threat actor that's known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT. Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga,
Analysis Summary
# Threat Actor: Cavalry Werewolf
## Attribution & Identity
**Primary Moniker:** Cavalry Werewolf (tracked by BI.ZONE)
**Associated Groups/Clusters:** Shares overlaps with YoroTrooper. Assessed to have commonalities with SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. Ties to Tomiris suggest potential affiliation with a Kazakhstan-based threat actor (Storm-0473).
**Motivation Context:** The actor's activity overlaps in general with that of financially motivated attackers and hacktivists, but the specific motivation for this campaign (targeting the Russian public sector) is not explicitly stated; espionage or disruption is implied by the choice of targets.
## Activity Summary
Cavalry Werewolf has been observed targeting the Russian public sector between May and August 2025. The initial access technique involved targeted phishing emails disguised as official correspondence from Kyrgyz government officials. In one instance, the actor compromised a legitimate email address associated with the Kyrgyz Republic's regulatory authority to send the malicious emails. The campaigns distribute RAR archives containing the FoalShell or StallionRAT malware.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing via email impersonating Kyrgyz government officials.
- **Delivery:** Distribution of RAR archives containing malware payloads.
- **Execution/Command & Control (C2):** Use of FoalShell (lightweight reverse shell in Go, C++, C#) to run arbitrary commands via `cmd.exe`. Use of StallionRAT (written in Go, PowerShell, and Python) for command execution, file loading, and data exfiltration via a Telegram bot.
- **Post-Exploitation:** Execution of tools like `ReverseSocks5Agent` and `ReverseSocks5`. Gathering device information.
- **MITRE ATT&CK IDs (inferred from the described capabilities):** T1566.001 (Phishing: Spearphishing Attachment), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1071.001 (Application Layer Protocol: Web Protocols, used by the Telegram bot C2 channel).
## Targeting
**Sectors:** Russian public sector, energy enterprises, mining enterprises, and manufacturing enterprises.
**Geography:** Primarily targeting Russia. Initial access vectors involved impersonating officials from the Kyrgyz Republic.
**Victims:** Russian state agencies, energy, mining, and manufacturing enterprises.
## Tools & Infrastructure
**Malware Families Used:**
* **FoalShell:** Lightweight reverse shell (Go, C++, C# versions).
* **StallionRAT:** Remote Access Trojan (Go, PowerShell, Python) utilizing a Telegram bot for C2 commands (`/list`, `/go [DeviceID] [command]`, `/upload [DeviceID]`).
* **Auxiliary Tools:** `ReverseSocks5Agent` and `ReverseSocks5`.
**Infrastructure:** Communication utilizes a Telegram bot for C2 operations.
## Implications
Cavalry Werewolf appears to be an evolving, state-affiliated or closely aligned actor (given Tomiris linkage) leveraging geopolitical tensions (impersonating Kyrgyz officials to target Russia). Their use of multiple languages (English and Arabic filenames noted) suggests a potentially broader targeting scope than immediately evident. Their active experimentation with the arsenal signifies a dynamic threat actor requiring flexible detection capabilities.
## Mitigations
- Enhance scrutiny and technical validation of emails originating from diplomatic or governmental sources, especially those related to Central Asian correspondence.
- Implement network monitoring to detect C2 traffic that rides on popular services such as Telegram, whether used to fetch operator instructions or to exfiltrate data.
- Maintain up-to-date signatures for FoalShell and StallionRAT across endpoint security solutions.
- Harden endpoints against script-based execution mechanisms often employed by RATs written in PowerShell and Go.
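The network-monitoring mitigation above can be made concrete with a small detector, added here as an illustration and not part of the original report or of BI.ZONE's tooling. It scans proxy logs for Telegram Bot API calls (the API embeds the bot token in the URL path as `/bot<id>:<secret>/<method>`) and rates each host by whether it both polls for commands (`getUpdates`) and sends output or files back (`sendMessage`, `sendDocument`), the loop a bot-driven implant such as StallionRAT needs. The log format and the sample lines are constructed assumptions; the token secret is matched but never stored, so the output can be shared without leaking it.

```python
import re
from collections import defaultdict

# Telegram Bot API requests embed the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
POLL = {"getUpdates"}                   # implant fetches operator commands
EXFIL = {"sendMessage", "sendDocument"}  # implant returns output / uploads files

# Constructed proxy log lines in a hypothetical "ts host method url status" format.
SAMPLE_LOG = """\
2025-06-03T09:01:02Z ws-017 GET https://api.telegram.org/bot7001234567:AAFexample-not-real/getUpdates?timeout=30 200
2025-06-03T09:01:33Z ws-017 GET https://api.telegram.org/bot7001234567:AAFexample-not-real/getUpdates?timeout=30 200
2025-06-03T09:02:04Z ws-017 POST https://api.telegram.org/bot7001234567:AAFexample-not-real/sendDocument 200
2025-06-03T09:05:10Z ws-003 GET https://web.telegram.org/a/ 200
2025-06-03T09:06:00Z ws-009 POST https://api.telegram.org/bot7009876543:AAGother-not-real/sendMessage 200
"""


def parse_line(line):
    """Return (host, bot_id, method) for a Bot API request, else None."""
    fields = line.split()
    if len(fields) < 5 or not (m := BOT_API_RE.match(fields[3])):
        return None  # malformed line, or e.g. the messenger web UI (not the Bot API)
    return fields[1], m.group(1), m.group(2)


def find_bot_c2(log_text):
    """Per host: bot ids seen (token secret never stored), poll count and a verdict."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "methods": defaultdict(int)})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            host, bot_id, method = parsed
            per_host[host]["bot_ids"].add(bot_id)
            per_host[host]["methods"][method] += 1
    verdicts = {}
    for host, info in per_host.items():
        seen = set(info["methods"])
        if seen & POLL and seen & EXFIL:
            level = "high"    # command polling plus upload/reply: full C2 loop
        elif seen & POLL:
            level = "medium"  # polling for commands only
        else:
            level = "low"     # one-way sends; could be a legitimate alerting bot
        verdicts[host] = {"level": level, "bot_ids": sorted(info["bot_ids"]),
                          "polls": info["methods"]["getUpdates"]}
    return verdicts
```

On the sample, `ws-017` is rated high (two polls plus a document upload), `ws-009` low, and `ws-003` is not reported at all because the messenger web UI is not the Bot API.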