Cavalry Werewolf Campaign Targets Russian Public Sector with FoalShell and StallionRAT
Summary
A threat actor known as Cavalry Werewolf, with ties to several other groups, has been targeting Russian public sector entities, energy, mining, and manufacturing enterprises. The attacks involve phishing emails impersonating Kyrgyz government officials to deliver FoalShell and StallionRAT malware. The campaign, observed between May and August 2025, uses sophisticated malware written in multiple programming languages to execute arbitrary commands, exfiltrate data, and maintain persistence. The threat actor's broader targeting scope is indicated by filenames in English and Arabic. The attacks highlight the evolving tactics of the group, which is actively expanding its arsenal and experimenting with new tools.
Timeline
- 03.10.2025 13:30 · 1 article
  Cavalry Werewolf Campaign Targets Russian Public Sector with FoalShell and StallionRAT
  Between May and August 2025, the threat actor Cavalry Werewolf targeted Russian public sector entities, energy, mining, and manufacturing enterprises. The attacks involved phishing emails impersonating Kyrgyz government officials to deliver FoalShell and StallionRAT malware. The malware, written in multiple programming languages, enables arbitrary command execution, data exfiltration, and persistence. The threat actor's broader targeting scope is indicated by filenames in English and Arabic.
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
Information Snippets
- Cavalry Werewolf is a threat actor with overlaps with YoroTrooper and several other clusters.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- The group targets Russian state agencies, energy, mining, and manufacturing enterprises.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- Initial access is gained through targeted phishing emails disguised as official correspondence from Kyrgyz government officials.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- Malware families used include FoalShell and StallionRAT, written in Go, C++, C#, PowerShell, and Python.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- FoalShell is a lightweight reverse shell that allows running arbitrary commands using cmd.exe.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- StallionRAT enables executing arbitrary commands, loading additional files, and exfiltrating data using a Telegram bot.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- The campaign involves tools like ReverseSocks5Agent and ReverseSocks5, and commands to gather device information.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- The threat actor's broader targeting scope is indicated by filenames in English and Arabic.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30
- Cavalry Werewolf is actively experimenting with expanding its arsenal, highlighting the need for quick insights into the tools used.
  First reported: 03.10.2025 13:30 (1 source, 1 article)
  - New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30