    New “Cavalry Werewolf” Attack Hits Russian Agencies with FoalShell and StallionRAT

By Techurz, October 4, 2025 (3 min read)
Oct 03, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

    A threat actor that’s known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT.

    Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It’s also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris.

    “In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials,” BI.ZONE said. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”

    In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell.

    Cavalry Werewolf’s ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it’s a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473.

    The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT.

    In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic’s regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe.

    StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot. Some of the commands supported by the bot include –

    • /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server
    • /go [DeviceID] [command], to execute the given command using Invoke-Expression
    • /upload [DeviceID], to upload a file to the victim’s device

    Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information.

    The Russian cybersecurity vendor said it also uncovered various filenames in English and Arabic, suggesting that the targeting focus of Cavalry Werewolf may be broader in scope than previously assumed.

    “Cavalry Werewolf is actively experimenting with expanding its arsenal,” BI.ZONE said. “This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks.”

The disclosure comes as the company also reported that an analysis of publications on Telegram channels and underground forums by both financially motivated attackers and hacktivists over the past year has identified compromises of at least 500 companies in Russia, most of them in the commerce, finance, education, and entertainment sectors.

    “In 86% of cases attackers published data stolen from compromised public‑facing web applications,” it noted. “After gaining access to the public web application, the attackers installed gs‑netcat on the compromised server to ensure persistent access. Sometimes, the attackers would load additional web shells. They also used legitimate tools such as Adminer, phpMiniAdmin, and mysqldump to extract data from databases.”
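The two behaviours the report describes, a PowerShell-based agent that runs operator commands through Invoke-Expression and talks to a Telegram bot, and post-compromise use of gs-netcat, Adminer, phpMiniAdmin, and mysqldump on a breached web server, can both be surfaced from ordinary endpoint and web-server telemetry. The script below is an added detection example, not code from BI.ZONE or from this article: the event schema, the rule names, the service-account list, and the sample events are all constructed for illustration, and the rules key only on the tool names and behaviours the article itself mentions.

```python
"""Detection sketch for the indicators named in the article (added example).

Scans constructed process-creation, network-connection and HTTP-access events for:
  - a scripting host running Invoke-Expression (how StallionRAT's /go command executes)
  - a scripting host connecting to api.telegram.org (Telegram bot used as C2)
  - gs-netcat being executed (persistent access on a compromised web server)
  - a web-server service account spawning a shell or mysqldump
  - Adminer / phpMiniAdmin being requested from the web root (DB extraction tooling)
The Event fields, account names and rule names are assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (creation), "network" (outbound) or "http" (access log)
    user: str            # account the process runs as / web-server worker account
    image: str           # full path of the executable
    cmdline: str = ""    # command line (process events)
    dest: str = ""       # destination hostname (network events)
    path: str = ""       # requested URL path (http events)


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "python3"}
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "iis apppool\\defaultapppool"}
SHELLS_AND_DUMPERS = {"sh", "bash", "cmd.exe", "powershell.exe", "mysqldump"}
WEB_ADMIN_TOOLS = ("adminer", "phpminiadmin")
IEX_RE = re.compile(r"\biex\b|invoke-expression")


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the list of rule names the event triggers (empty if benign)."""
    findings: list[str] = []
    img = basename(ev.image)
    cmd = ev.cmdline.lower()
    user = ev.user.lower()
    if ev.kind == "process":
        if img in SCRIPT_HOSTS and IEX_RE.search(cmd):
            findings.append("script_host_invoke_expression")
        if "gs-netcat" in img or "gs-netcat" in cmd:
            findings.append("gs_netcat_execution")
        if user in WEB_SERVICE_ACCOUNTS and img in SHELLS_AND_DUMPERS:
            findings.append("web_service_account_spawned_shell_or_dump")
    elif ev.kind == "network":
        if ev.dest.lower() == "api.telegram.org" and img in SCRIPT_HOSTS:
            findings.append("telegram_bot_api_from_script_host")
    elif ev.kind == "http":
        if any(tool in basename(ev.path) for tool in WEB_ADMIN_TOOLS):
            findings.append("db_admin_tool_on_webserver")
    return findings


def scan(events):
    """Return (list of (event, findings) with hits, Counter of rule names)."""
    hits = [(ev, f) for ev in events if (f := classify(ev))]
    summary = Counter(name for _, f in hits for name in f)
    return hits, summary


# Constructed sample telemetry: five suspicious events followed by two benign ones.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", "CORP\\user1", PS, cmdline='powershell.exe -NoProfile -Command "Invoke-Expression $c"'),
    Event("network", "CORP\\user1", PS, dest="api.telegram.org"),
    Event("process", "www-data", "/usr/bin/mysqldump", cmdline="mysqldump --all-databases"),
    Event("process", "www-data", "/tmp/gs-netcat", cmdline="/tmp/gs-netcat"),
    Event("http", "www-data", "/usr/sbin/apache2", path="/uploads/adminer.php"),
    Event("process", "CORP\\admin", PS, cmdline="powershell.exe -File C:\\scripts\\backup.ps1"),
    Event("network", "CORP\\user2", "C:\\Program Files\\Google\\Chrome\\chrome.exe", dest="web.telegram.org"),
]

if __name__ == "__main__":
    hits, summary = scan(SAMPLE_EVENTS)
    for ev, findings in hits:
        print(f"{ev.kind:8} {ev.user:28} {basename(ev.image):16} -> {', '.join(findings)}")
    print(dict(summary))
```

The rules are deliberately narrow so that routine administration (a scheduled PowerShell script, a browser visiting Telegram) does not fire; in practice the service-account and scripting-host sets would be taken from the environment's own inventory, and the `telegram_bot_api_from_script_host` and `script_host_invoke_expression` hits for the same user would be correlated into a single alert rather than reported separately.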
