Between May and August 2025, the advanced persistent threat group Cavalry Werewolf, also tracked as YoroTrooper and Silent Lynx, orchestrated a sophisticated cyberattack campaign targeting Russia’s public sector and critical infrastructure.
The campaign focused on energy, mining, and manufacturing industries, deploying custom-built multi-language malware families through highly targeted spear-phishing operations disguised as official government correspondence.
The threat actors leveraged fake email addresses impersonating legitimate Kyrgyz government entities, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications.
Security researchers discovered evidence suggesting the attackers may have compromised actual official email accounts, significantly increasing the authenticity and success rate of their phishing attempts.
The malicious emails contained RAR archives with filenames mimicking genuine official documents, such as quarterly operations reports and employee bonus lists, designed to exploit victim trust and urgency.
Multi-Language Malware Arsenal: FoalShell and StallionRAT
Cavalry Werewolf deployed two primary malware families in this campaign. FoalShell, a lightweight reverse shell, grants attackers command-line access to compromised systems via cmd.exe.
The malware demonstrates exceptional versatility with implementations in C#, C++, and Go programming languages.
The C# variant establishes connections to command-and-control infrastructure at 188.127.225.191 on port 443, executing a continuous loop to receive commands and return output while maintaining stealth through hidden window styles.
The C++ version utilizes shellcode loaders embedded in executable resources to evade static analysis, connecting to 109.172.85.63. The Go implementation connects to 62.113.114.209 on port 443, forcing cmd.exe processes to run in hidden window states.
StallionRAT, the second malware family, represents a sophisticated remote access trojan available in Go, PowerShell, and Python variants.
Its distinctive feature involves using Telegram bots as command-and-control channels, enabling attackers to execute arbitrary commands, manage files, and exfiltrate sensitive data.
In observed attacks, C++ launchers executed PowerShell instances with Base64-encoded commands to bypass security monitoring.
The PowerShell implementation supports three key commands: listing compromised devices, executing commands on specific hosts using Invoke-Expression, and uploading files to C:\Users\Public\Libraries.
Post-compromise activities revealed the group’s focus on establishing persistence through registry modifications in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and deploying SOCKS5 proxying tools like ReverseSocks5Agent to tunnel traffic through infrastructure at 96.9.125.168:443 and 78.128.112.209:10443.
Network reconnaissance commands including ipconfig, netstat, and whoami were systematically executed to map victim environments.
Desktop artifacts indicate Cavalry Werewolf may be expanding operations beyond Russia, with files discovered in Tajik and Arabic languages suggesting potential targeting of Tajikistan and Middle Eastern organizations.
Security teams should implement enhanced email verification procedures, monitor for PowerShell encoded commands, detect suspicious cmd.exe relationships, and flag connections to identified command-and-control infrastructure to defend against this evolving threat.
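The detection guidance above can be turned into concrete rules. The script below is an added example written for this page, not code from the original report or from the researchers who analysed the campaign: it runs over constructed, Sysmon-style JSON-lines telemetry and flags Base64-encoded PowerShell commands (decoding the UTF-16LE payload and checking it for Invoke-Expression), cmd.exe launched from an unusual parent, the ipconfig/netstat/whoami reconnaissance commands, connections to the command-and-control addresses named in this article, Run-key persistence, file drops under C:\Users\Public\Libraries, and the FoalShell SHA-256 hashes from the IOC section. The event format and field names, the sample events, and the list of "normal" cmd.exe parents are assumptions; map the field names to whatever your EDR or SIEM emits.

```python
"""Detection rules for the Cavalry Werewolf tradecraft described in the article.
Added example; the JSON-lines event format and field names are assumptions."""
import base64
import json
import re

# Command-and-control addresses reported in the article (FoalShell, ReverseSocks5Agent).
C2_ADDRESSES = {"188.127.225.191", "109.172.85.63", "62.113.114.209",
                "96.9.125.168", "78.128.112.209"}
# FoalShell SHA-256 hashes from the article's IOC section.
FOALSHELL_SHA256 = {
    "c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59",
    "1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98",
    "a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52",
    "cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554",
}
RECON_COMMANDS = {"ipconfig", "netstat", "whoami"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
DROP_DIR = r"c:\users\public\libraries"
# Parents from which cmd.exe is normally started interactively (heuristic assumption).
BENIGN_CMD_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe")
# -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 blob.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev):
    """Return a list of (rule, detail) findings for one parsed event."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("cmdline", "")
        if ev.get("sha256", "").lower() in FOALSHELL_SHA256:
            findings.append(("foalshell_hash", ev["sha256"]))
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("powershell_encoded_command", decoded))
                if re.search(r"(?i)\b(invoke-expression|iex)\b", decoded):
                    findings.append(("powershell_iex_in_payload", decoded))
            if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
                findings.append(("powershell_hidden_window", cmd))
        if image.endswith("cmd.exe"):
            if not parent.endswith(BENIGN_CMD_PARENTS):
                findings.append(("cmd_unusual_parent", parent))
            recon = RECON_COMMANDS & set(re.findall(r"[a-z]+", cmd.lower()))
            if recon:
                findings.append(("recon_command", ",".join(sorted(recon))))
    elif kind == "network":
        ip = ev.get("dest_ip", "")
        if ip in C2_ADDRESSES:
            findings.append(("c2_connection", f"{ip}:{ev.get('dest_port', '')}"))
    elif kind == "registry":
        if ev.get("key", "").lower().startswith(RUN_KEY):
            findings.append(("run_key_persistence", ev.get("value_name", "")))
    elif kind == "file":
        if ev.get("path", "").lower().startswith(DROP_DIR):
            findings.append(("public_libraries_drop", ev["path"]))
    return findings


def detect(lines):
    """Parse JSON-lines telemetry; return (line_no, rule, detail) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the sweep
        hits.extend((n, rule, detail) for rule, detail in analyse_event(ev))
    return hits


# Constructed sample telemetry (file names, value names and the benign lines are made up).
_ENCODED = base64.b64encode("Invoke-Expression $payload".encode("utf-16-le")).decode()
SAMPLE_LINES = [
    json.dumps({"type": "process", "image": r"C:\Users\Public\report.exe", "parent_image": r"C:\Windows\explorer.exe",
                "sha256": "c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59"}),
    json.dumps({"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Public\report.exe",
                "cmdline": "cmd.exe /c whoami && ipconfig /all"}),
    json.dumps({"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Users\Public\launcher.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"}),
    json.dumps({"type": "network", "image": r"C:\Users\Public\report.exe", "dest_ip": "188.127.225.191", "dest_port": 443}),
    json.dumps({"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater"}),
    json.dumps({"type": "file", "path": r"C:\Users\Public\Libraries\agent.exe"}),
    json.dumps({"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "cmd.exe /c dir"}),  # benign: interactive parent, no recon
    json.dumps({"type": "network", "dest_ip": "93.184.216.34", "dest_port": 443}),  # benign destination
]

if __name__ == "__main__":
    for line_no, rule, detail in detect(SAMPLE_LINES):
        print(f"line {line_no}: {rule} -> {detail}")
```

The encoded-command rule decodes the payload before inspecting it, because the attacker's Base64 blob hides the Invoke-Expression string from naive keyword matching; the cmd.exe rule keys on the parent process rather than on the command line, which is what catches a reverse shell spawning cmd.exe from an unknown executable. Tune BENIGN_CMD_PARENTS to your environment before deploying, since build tools and scripting hosts legitimately spawn cmd.exe.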
Indicators of Compromise (IOCs)
FoalShell Malware
SHA-256:
c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59
1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98
a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52
cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554