FoalShell and StallionRAT RAR-delivery activity
Malware Activity
Summary
A phishing-delivered malware operation is spreading FoalShell and StallionRAT, enabling remote command execution and data exfiltration on compromised hosts. The activity targeted Russian state agencies and related energy, mining, and manufacturing organizations, increasing the risk of follow-on intrusion and data theft. The malware was delivered through RAR archives attached to emails impersonating Kyrgyz government officials between May and August 2025.
Related Happenings
FAUX#ELEVATE phishing campaign targeting French-speaking corporate environments
Campaign
First: 24.03.2026 18:35
Last: 24.03.2026 18:35
Sources 1
About this happening:
The **FAUX#ELEVATE** phishing campaign is actively targeting **French-speaking corporate environments** with **fake resume/CV lures** that deliver malware for **credential theft**...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware
Campaign
First: 24.01.2026 13:09
Last: 24.01.2026 13:09
Sources 1
About this happening:
A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...
PurpleBravo Contagious Interview campaign
Campaign
First: 21.01.2026 19:17
Last: 21.01.2026 19:17
Sources 1
About this happening:
The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.
Timeline
- 03.10.2025 13:30 · 2 articles
BI.ZONE reports Cavalry Werewolf phishing campaign against Russian public sector
Initial Disclosure: BI.ZONE says Cavalry Werewolf targeted Russian state agencies and related energy, mining, and manufacturing enterprises with targeted phishing emails impersonating Kyrgyz government officials, delivering RAR archives that installed FoalShell or StallionRAT. The activity was observed between May and August 2025, and at least one message was sent from a compromised email address associated with the Kyrgyz Republic's regulatory authority. BI.ZONE also assessed overlaps with YoroTrooper-linked activity and related clusters including SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris.
Sources:
- New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT — thehackernews.com — 03.10.2025 13:30