A cyberespionage group tracked as Cavalry Werewolf posed as Kyrgyz government officials in targeted phishing against Russian government agencies and key industries, including manufacturing, mining, and energy, between May and August 2025. The campaign delivered custom malware, FoalShell and StallionRAT, which provided remote access, data theft, and persistence, and relied on an unusual command-and-control channel: Telegram bots. The actor is possibly Kazakhstan-affiliated and appears to be broadening its geographical focus; it has been linked to known clusters such as YoroTrooper and Tomiris. Separately, web application attacks compromised more than 500 Russian companies, pointing to a wider and growing threat to the region's public and private sector infrastructure.
Cavalry Werewolf is a recently identified threat actor that uses spoofed or compromised Kyrgyz government email accounts to deliver RAR archives carrying its malware. The campaign uses FoalShell, a reverse shell compiled in Go, C++, and C# variants, and StallionRAT, a remote access trojan with Go, PowerShell, and Python implementations that uses Telegram for command and control. These tools support remote command execution and data exfiltration, persist through Run key registry entries and files placed in unusual folders, and evade detection with obfuscated PowerShell. The details of the campaign are discussed below.
Delivery and Infection Chain:
Cavalry Werewolf obtains initial access primarily through targeted spear-phishing. Emails impersonating Kyrgyz government officials (some sent from compromised Kyrgyz mailboxes) carry weaponized RAR attachments that unpack FoalShell or StallionRAT. In addition, the attackers compromise public-facing web applications (web shells, gs-netcat) and use legitimate administration tools (Adminer, mysqldump) to extend their footholds. The infection chain, as described in this report, runs: a spear-phishing email from a spoofed or compromised Kyrgyz government sender carries a RAR attachment; the archive unpacks FoalShell or StallionRAT, which is launched on the host; the implant persists through a Run key entry and files placed in unusual folders; it then connects back, FoalShell as a reverse shell and StallionRAT over Telegram, with ReverseSocks5 agents added for tunnelling, lateral movement, and exfiltration.
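The mail-layer check a defender would want for this delivery pattern is shown below as an added example; it is not code from the original report or from the actor's tooling. It triages an already-parsed summary of an inbound message (sender, Authentication-Results, and the member listing of any attached archive, as a mail gateway would expose them) and distinguishes a spoofed government sender, which fails SPF/DKIM/DMARC, from a compromised government mailbox, which passes. The government domain suffix .gov.kg, the sample addresses, and the attachment listings are assumptions constructed for illustration.

```python
"""Triage inbound mail for the Cavalry Werewolf delivery pattern: a spoofed or
compromised Kyrgyz government sender plus a RAR attachment that unpacks an
executable payload.  Input is a parsed summary of the message as a mail gateway
would hand it over; the sample messages below are constructed for illustration."""

import re
from dataclasses import dataclass, field

# Assumption: impersonated senders use the Kyrgyz government domain suffix.
IMPERSONATED_SUFFIXES = (".gov.kg",)
# Archive members that execute on Windows when a user opens them.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta")
ARCHIVE_EXTS = (".rar",)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", re.I)


@dataclass
class Message:
    sender: str                  # RFC 5322 From header
    auth_results: str            # Authentication-Results header added by our MX
    attachments: dict[str, list[str]] = field(default_factory=dict)  # name -> archive member listing


def sender_domain(addr: str) -> str:
    """Extract the domain of the From address, tolerating display names."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def triage(msg: Message) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    payload_archives = []
    for name, members in msg.attachments.items():
        if name.lower().endswith(ARCHIVE_EXTS):
            hits = [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)]
            if hits:
                payload_archives.append(name)
                findings.append(f"archive {name} unpacks executable content: {', '.join(hits)}")
    domain = sender_domain(msg.sender)
    # A government sender only matters when it arrives with an executable payload;
    # whether authentication fails tells spoofing apart from a compromised mailbox.
    if domain.endswith(IMPERSONATED_SUFFIXES) and payload_archives:
        if AUTH_FAIL.search(msg.auth_results):
            findings.append(f"{domain} sender fails SPF/DKIM/DMARC: spoofed government identity")
        else:
            findings.append(f"{domain} sender passes authentication: likely compromised government mailbox")
    return findings


# Constructed sample messages (addresses and file names are placeholders).
SAMPLES = {
    "spoofed": Message(
        sender='"Ministry Official" <official@example.gov.kg>',
        auth_results="mx.example.net; spf=fail smtp.mailfrom=example.gov.kg; dkim=none",
        attachments={"decree_2025.rar": ["decree_2025.pdf", "decree_2025.exe"]},
    ),
    "compromised": Message(
        sender="official@example.gov.kg",
        auth_results="mx.example.net; spf=pass smtp.mailfrom=example.gov.kg; dkim=pass; dmarc=pass",
        attachments={"agreement.rar": ["agreement.pdf.lnk"]},
    ),
    "benign": Message(
        sender="official@example.gov.kg",
        auth_results="mx.example.net; spf=pass smtp.mailfrom=example.gov.kg; dkim=pass; dmarc=pass",
        attachments={"agenda.rar": ["agenda.pdf"]},
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, triage(msg))
```

The two government-sender branches deserve different responses: a spoofed sender is blocked at the gateway, while a compromised mailbox that passes authentication should be reported to the owning organization, since the same account will keep delivering.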
Technical Capabilities
Cavalry Werewolf demonstrates polished operational tradecraft: targeted social engineering using spoofed identities and compromised legitimate mailboxes, the ability to run targeted espionage alongside opportunistic web application campaigns, rapid cross-platform tooling adoption (porting code between Go, C++, C#, Python, and PowerShell), and a flexible C2 design that combines a commodity service (Telegram) with anonymizing proxies (SOCKS5). The group uses legitimate administrative utilities (Adminer, phpMiniAdmin, mysqldump) for data extraction, and lightweight implants and web shells (including gs-netcat) to maintain long-term footholds, indicating planned, multi-stage intrusions with a tolerance for slow, stealthy operations.
FoalShell is a compact reverse shell family compiled in Go, C++, and C# variants. It has a small footprint suited to reconnaissance, ports easily across Windows environments, and gives dependable remote command execution via cmd.exe; it is built for quick interactive control and script invocation rather than for moving large volumes of data. StallionRAT is a modular RAT implemented in Go, PowerShell, and Python that uses Telegram for C2, both to receive commands and to transfer data. Its bot commands upload files (/upload), execute arbitrary commands through Invoke-Expression (/go), and enumerate infected hosts (/list). It is also used alongside ReverseSocks5 agents to build covert tunnels for lateral movement and exfiltration. Together, the two tools provide both immediate interactive control and sustained, feature-rich operations, and their layered obfuscation and persistence mechanisms complicate standard detection and takedown efforts.
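The host-side behaviours described above (cmd.exe spawned by an implant in an unusual folder, Invoke-Expression driven by obfuscated or encoded PowerShell, Run key persistence pointing into user-writable directories, and Telegram Bot API traffic from a process that is not a messenger) translate into hunt rules. The following added example, not code from the report or from the malware, runs such rules over constructed Sysmon-style events (Event ID 1 process creation, 13 registry value set, 3 network connection) normalised to dicts. The event contents, paths, and the list of "unusual" directories are assumptions; api.telegram.org is the public Telegram Bot API endpoint.

```python
"""Hunt rules for StallionRAT/FoalShell tradecraft over Sysmon-style events.
The events below are constructed for illustration; field names follow Sysmon."""

import base64
import re

TELEGRAM_API = "api.telegram.org"  # Telegram Bot API endpoint used by bot-based C2
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Assumption: directories where a legitimate autostart binary or cmd.exe parent is unusual.
UNUSUAL_DIRS = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
OBFUSCATION_FLAGS = re.compile(r"-(e|enc|encodedcommand|nop|noprofile|w(indowstyle)?\s+hidden)\b", re.I)
ENC_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MESSENGERS = re.compile(r"\\(chrome|firefox|msedge|opera|brave|telegram)\.exe$", re.I)


def effective_script(cmd: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; decode it so an
    Invoke-Expression hidden inside the blob is visible to the rule."""
    m = ENC_ARG.search(cmd)
    if not m:
        return cmd
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the campaign's TTPs."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            img, cmd, parent = ev["Image"].lower(), ev["CommandLine"], ev.get("ParentImage", "")
            if img.endswith("powershell.exe") and OBFUSCATION_FLAGS.search(cmd) and IEX.search(effective_script(cmd)):
                hits.append(("obfuscated_powershell_iex", cmd))
            if img.endswith(r"\cmd.exe") and UNUSUAL_DIRS.search(parent):
                hits.append(("cmd_spawned_from_unusual_dir", parent))
        elif eid == 13:
            if RUN_KEY.search(ev["TargetObject"]) and UNUSUAL_DIRS.search(ev["Details"]):
                hits.append(("run_key_persistence_unusual_path", ev["Details"]))
        elif eid == 3:
            if ev.get("DestinationHostname", "").lower() == TELEGRAM_API and not MESSENGERS.search(ev["Image"]):
                hits.append(("telegram_bot_api_from_non_messenger", ev["Image"]))
    return hits


# Constructed encoded command: what StallionRAT's /go would run on the host.
SAMPLE_ENC = base64.b64encode("IEX (Get-Content $env:TEMP\\s.ps1)".encode("utf-16-le")).decode()
IMPLANT = r"C:\Users\user\AppData\Roaming\svc\host.exe"  # constructed implant path

EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": IMPLANT, "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": IMPLANT,
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": IMPLANT},
    {"EventID": 3, "Image": IMPLANT, "DestinationHostname": TELEGRAM_API, "DestinationPort": 443},
    # Benign look-alikes that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "DestinationHostname": TELEGRAM_API, "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, evidence in hunt(EVENTS):
        print(rule, "->", evidence)
```

The decode step matters: a rule that only greps the raw command line for Invoke-Expression misses the -EncodedCommand variant entirely. Correlating the four rule hits on the same process image, as the sample does, is what turns individual weak signals into a confident detection.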
Attribution and Evolution
The group is actively experimenting with multi-language malware, commodity web shells, and hybrid C2 (consumer platforms + proxy chains), indicating a shift from opportunistic compromises toward more deliberate, scalable espionage operations. Telemetry and tooling overlap link Cavalry Werewolf to clusters tracked as YoroTrooper, Tomiris (Microsoft’s Storm-0473 lineage), ShadowSilk, and others, suggesting a regional nexus—possibly Kazakhstan-affiliated—with evolving capabilities.
Active Campaign and Geographic Spread
Between May and August 2025, activity targeted Russian state agencies and critical infrastructure sectors (energy, mining, manufacturing). However, English and Arabic filenames, together with incidents reported in Russia, Tajikistan, and the Middle East, indicate a broader operational footprint. Related reports also highlight widespread web application compromises across Russian organizations, underscoring that the campaign has both targeted and opportunistic elements.
Conclusion:
Cavalry Werewolf is an adaptive espionage threat actor that uses targeted phishing, mailbox compromise, custom cross-platform shells, and web-attack techniques. Defenders should treat incidents as persistent, multi-stage intrusions that require coordinated detection (email, endpoint, network, and application layers), rapid containment, and cross-organizational intelligence sharing to limit damage and prevent re-compromise.
The actor's use of proxying, resilient persistence, and encrypted consumer C2 channels makes detection and remediation more difficult. A successful intrusion carries high impact: extensive espionage and data theft (sensitive government and industrial documents, database exfiltration), covert long-term access for follow-on operations, potential operational disruption through lateral movement or sabotage, and significant reputational, regulatory, and supply-chain risk to affected organizations.