- A threat actor called Cavalry Werewolf has targeted Russian public sector entities with Malware.
- They use phishing emails impersonating Kyrgyz government officials to distribute FoalShell and StallionRAT malware.
- The group has links to other Hacker clusters and may be affiliated with Kazakhstan.
- StallionRAT uses a Telegram bot for commands like file upload and data exfiltration.
- Analysis found at least 500 Russian companies compromised in the past year, mainly via public web applications.
A threat group known as Cavalry Werewolf has targeted Russian state agencies and enterprises in sectors like energy and mining with malware attacks from May to August 2025. The attackers used phishing emails disguised as official messages from Kyrgyz government officials to send malicious RAR archives containing FoalShell and StallionRAT malware.
Cybersecurity firm BI.ZONE said the attackers impersonated Kyrgyzstan government employees and in one case used a compromised legitimate email address linked to the Kyrgyz Republic’s regulatory authority. FoalShell is a lightweight reverse shell available in Go, C++, and C# versions that lets attackers run commands on infected systems via cmd.exe.
StallionRAT, also written in Go, PowerShell, and Python, allows operators to execute commands, upload files, and steal data using a Telegram bot interface. Commands include listing compromised hosts, running commands remotely, and uploading files. The attackers also deployed tools named ReverseSocks5Agent and ReverseSocks5 to gather device information.
BI.ZONE tracks Cavalry Werewolf as related to other clusters like SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. The link to Tomiris supports the idea that the group may be Kazakhstan-affiliated. Earlier, Group-IB reported ShadowSilk attacks against government targets in Central Asia and Asia-Pacific using reverse proxy tools and remote access trojans written in Python and PowerShell.
The malware files carried English and Arabic filenames, suggesting a broader target range. BI.ZONE noted, “Cavalry Werewolf is actively experimenting with expanding its arsenal.” The firm emphasized the need to quickly identify new tools to defend against these evolving attacks.
Separately, BI.ZONE analyzed Hacking activity on Telegram and underground forums over the past year, finding at least 500 Russian companies compromised. Most victims were in commerce, finance, education, and entertainment sectors. In 86% of cases, attackers exploited public-facing web applications to gain access. They then installed tools like gs-netcat for persistent access and used legitimate database management utilities to extract data.
For more details, see the original BI.ZONE report and the related analysis on hacked Russian companies Russia-and-cis/”>here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Cathie Wood Buys Baidu, Alibaba; Exits BREA in Ark Portfolio Shift
- Brokerages Stand by Tesla Despite Sharp Drop, See Long-Term Upside
- Hedera Launches Agent Kit for AI-Driven Blockchain Workflows
- Bitcoin Rallies 10% as Wallet Holders Shift to Accumulation Mode
- Coinbase Stock Surges on Bitcoin Loans, UBI Pilot, Regulatory Gains
