From May to August 2025, an advanced persistent threat group known as Cavalry Werewolf—also tracked as YoroTrooper and Silent Lynx—executed a sophisticated attack campaign targeting Russia’s public sector and vital industries such as energy, mining, and manufacturing.
The coordinated offensive leveraged trusted relationships for highly targeted spear-phishing and deployed a custom multi-language malware arsenal, marking Cavalry Werewolf as one of this year’s most adaptable and dangerous APT outfits.
Cavalry Werewolf’s initial compromise hinged primarily on spear-phishing emails that masqueraded as official communication from Kyrgyz governmental agencies.
Attackers crafted fake addresses—sometimes even hijacking genuine official accounts—from ministries such as the Ministry of Economy and Commerce or the Ministry of Transport and Communications.
By blurring the lines between impersonation and direct compromise, the group maximized credibility.
Typical phishing lures included RAR archives disguised as legitimate documents, such as “three-month results of joint operations” or “shortlist of employees to receive bonuses.”
Inside the archives, victims found either FoalShell—a reverse shell backdoor—or StallionRAT, a remote access trojan. These malware families are central to Cavalry Werewolf’s tactics for gaining long-term control.
In the C++ variant, the embedded resource is read, memory is allocated with RWE (read, write, execute) permissions using VirtualAlloc, and the shellcode is executed.


A crucial detection tip for defenders: monitor the creation of archives with document-like names within the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, a well-known repository for files downloaded through Microsoft Outlook.
FoalShell and StallionRAT
FoalShell: Versatility by Design
FoalShell is a compact reverse shell, with variants written in C#, C++, and Go. Its core goal is to provide attackers with reliable command-line access on infected hosts via a hidden cmd.exe process.


- C# Version: Implements a persistent loop connecting to the command-and-control (C2) server at 188.127.225.191:443, redirecting command and output streams while running command prompts in hidden windows.
- C++ Variant: Uses a shellcode loader obfuscated inside resources. The code loads and executes shellcode, which connects to C2 at 109.172.85.63 and launches a concealed command prompt for attacker interaction.
- Go Implementation: Connects to C2 at 62.113.114.209:443, again running cmd.exe invisibly, leveraging Go’s networking stack for flexibility.
Threat hunting guidance: Watch for suspicious cmd.exe instances spawned by processes in temp directories or with unusual parentage, as well as processes executing multiple system discovery routines in quick succession.
StallionRAT: Telegram-Controlled Espionage
StallionRAT is a feature-rich Remote Access Trojan implemented in Go, PowerShell, and Python, with a unique flair: It leverages Telegram bots for command and control, bypassing many conventional network defenses.
- PowerShell Variant: Deployed using a C++ dropper, it executes Base64-encoded commands to obfuscate malicious intent from security software.
- Operations: StallionRAT parses Telegram messages to list compromised hosts, execute arbitrary commands per device, and transfer files—often hiding payloads in C:\Users\Public\Libraries.
Persistence is achieved via registry Run keys, while post-compromise operations include deploying tools such as ReverseSocks5Agent (SOCKS5 proxying) to tunnel external traffic, with observed C2 connections at 96.9.125.168:443 and 78.128.112.209:10443. Reconnaissance techniques included commands like ipconfig, netstat, whoami, and net user /dom.
Defenders should correlate the use of the -EncodedCommand parameter in PowerShell, monitor C:\Users\Public\Libraries for newly dropped binaries, and watch for suspicious registry persistence.
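The Content.Outlook archive tip given earlier and the three correlation points just listed (-EncodedCommand, drops into C:\Users\Public\Libraries, Run-key persistence) can be checked with one small rule set. The Python below is an added example, not code from the article or from any vendor: it evaluates constructed Sysmon-style FileCreate, RegistryValueSet and ProcessCreate events against the paths and registry key the article names, and decodes the UTF-16LE base64 payload behind -EncodedCommand so the analyst sees the plaintext. The "document-like" keyword list, the file extensions, the rule names and the sample events are assumptions.

```python
"""Host-telemetry rules for the Cavalry Werewolf tradecraft described above.

Added example, not code from the article.  Scores constructed Sysmon-style
events against the paths, registry key and PowerShell switch the article names.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Locations named in the article, lower-cased for case-insensitive matching.
OUTLOOK_CACHE = r"\microsoft\windows\inetcache\content.outlook"
PUBLIC_LIBRARIES = r"c:\users\public\libraries"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

ARCHIVE_EXT = (".rar", ".zip", ".7z")            # assumption: RAR is what the article saw
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".py")  # StallionRAT ships as PowerShell/Python/Go
# "Document-like" archive names: the lures posed as reports and bonus lists.
# Assumed English keywords; real lure names would be localized.
DOC_WORDS = re.compile(r"(result|report|list|bonus|employee|operation)", re.I)
ENCODED_SWITCH = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (or its short forms), else None.
    PowerShell expects base64 of the UTF-16LE script, so decode in two steps."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event triggers; an empty list means nothing fired."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "FileCreate":
        path = event["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if OUTLOOK_CACHE in path and name.endswith(ARCHIVE_EXT) and DOC_WORDS.search(name):
            hits.append("outlook_cache_document_archive")
        if path.startswith(PUBLIC_LIBRARIES) and name.endswith(EXECUTABLE_EXT):
            hits.append("public_libraries_drop")
    elif kind == "RegistryValueSet":
        if RUN_KEY in event["key"].lower():
            hits.append("run_key_persistence")
            if PUBLIC_LIBRARIES in event["value"].lower():
                hits.append("run_key_points_to_public_libraries")
    elif kind == "ProcessCreate":
        if "powershell" in event["image"].lower():
            script = decode_encoded_command(event["cmdline"])
            if script is not None:
                hits.append("powershell_encoded_command")
                event["decoded"] = script  # keep the plaintext for the analyst
    return hits


def _b64_utf16(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: paths mirror the article, everything else is made up.
_OUTLOOK = r"C:\Users\ivanov\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34"
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": _OUTLOOK + r"\three-month_results.rar"},
    {"type": "FileCreate", "path": _OUTLOOK + r"\invoice.pdf"},
    {"type": "FileCreate", "path": r"C:\Users\Public\Libraries\svc.exe"},
    {"type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\Libraries\svc.exe"},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _b64_utf16("whoami /all")},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to the rules it fired, keeping only events that fired one."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], hits, SAMPLE_EVENTS[i].get("decoded", ""))
```

The Run-key rule is split in two on purpose: any new Run value is worth a look, but one whose data points into C:\Users\Public\Libraries ties the persistence to the drop location the article reports, which is the correlation the text asks for.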
Indicators reveal a possible expansion of targeting beyond Russian-speaking entities. Files in Tajik and desktop artifacts in Arabic suggest active reconnaissance or test attacks toward Tajikistan and parts of the Middle East. Additionally, traces of AsyncRAT point toward ongoing toolset diversification.
Defense and Recommendations
Cavalry Werewolf’s campaign exemplifies the expanding technical and operational sophistication of modern APTs.
Their adept use of multi-language custom malware, Telegram-based C2, and trust-abusing spear-phishing presents a formidable challenge for defenders.
- Enforce strict verification of unexpected or unofficial correspondence.
- Train personnel to check email headers deeply, not just display names.
- Deploy advanced EDR/XDR monitoring for encoded PowerShell, abnormal cmd.exe hierarchies, and registry Run key manipulations.
- Flag known proxy tools and monitor lateral movement indicators, especially involving C2 addresses and system reconnaissance tools.
- FoalShell C2s: 188.127.225.191:443, 109.172.85.63, 62.113.114.209:443
- StallionRAT/Proxy: 96.9.125.168:443, 78.128.112.209:10443
- Key paths: %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook, C:\Users\Public\Libraries
- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Staying vigilant against such multi-vector threats is essential as Cavalry Werewolf adapts and expands its assaults.