Werewolf raids Russia's public sector with trusted relationship attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malware, including FoalShell reverse shells and StallionRAT, controlled via Telegram. The group impersonated or compromised real email accounts from Kyrgyz agencies. Their arsenal includes various versions of FoalShell (Go, C++, C#) and StallionRAT (Go, PowerShell, Python). The attackers executed commands for system reconnaissance, file uploads, and SOCKS5 proxying. Evidence suggests potential expansion to targets in Tajikistan and Middle Eastern countries.
OPENCTI LABELS:
rat,phishing,russia,telegram,asyncrat,government,reverse shell,mining,manufacturing,kyrgyzstan,energy,foalshell,stallionrat
AI COMMENTARY:
1. In recent months, security researchers have uncovered a sophisticated threat campaign targeting Russia's public sector, revealing a pattern of trusted relationship attacks that exploit the credibility of government entities. This article examines the operation and techniques of Cavalry Werewolf, a malicious actor group that leveraged phishing and custom malware to infiltrate state agencies and critical infrastructure in energy, mining, and manufacturing. By understanding the anatomy of this campaign, organizations can better prepare their defenses against similar incursions.
2. The group known as Cavalry Werewolf distinguished itself by masquerading as Kyrgyz government officials to gain initial access, effectively weaponizing the implicit trust between state entities. From May to August 2025, the attackers impersonated or outright compromised legitimate email accounts from Kyrgyzstan, delivering targeted phishing messages to employees within Russian state agencies. This level of social engineering underscores the importance of verifying email origins and adopting stringent identity authentication protocols.
3. Initial access was achieved through spear phishing campaigns crafted to evade conventional email security filters. Recipients received carefully tailored messages purportedly from national trade or regulatory bodies in Kyrgyzstan. By clicking on malicious attachments or links, users unwittingly downloaded loaders that served as beachheads for deeper compromise. The emphasis on credential theft and lateral movement highlights the danger posed by phishing-based intrusion techniques.
4. Upon successful infiltration, Cavalry Werewolf deployed a multi-language malware arsenal featuring FoalShell and StallionRAT variants. FoalShell reverse shells, written in Go, C++ and C#, provided persistent remote access, while StallionRAT, available in Go, PowerShell and Python editions, enabled comprehensive reconnaissance and data exfiltration. Both tools communicated with command-and-control (C2) servers via Telegram, showing the group's preference for popular messaging platforms as covert C2 channels.
5. The attackers executed a sequence of commands to enumerate system configurations, harvest credentials, and transfer files. They used SOCKS5 proxying capabilities to mask their footprint and facilitate further pivoting across internal networks. Evidence also indicates the use of AsyncRAT-style RAT features for process hollowing and in-memory execution, demonstrating an advanced approach to maintaining stealth and persistence.
6. The implications of this campaign extend far beyond individual agency breaches. By targeting critical sectors such as energy, mining and manufacturing, adversaries like Cavalry Werewolf threaten national stability and economic security. Disruptions to industrial control systems or unauthorized data disclosure in these industries can have cascading effects, emphasizing the need for robust threat intelligence and incident response frameworks within government and private enterprises alike.
7. Indicators suggest that the group has aspirations to expand its operations to neighboring regions, including Tajikistan and multiple Middle Eastern countries. This geographic shift could signal a broader regional focus or the exploitation of emerging geopolitical tensions. Continuous monitoring of network traffic for unusual Telegram activity, FoalShell reverse shell signatures and anomalies related to StallionRAT deployments is critical for early detection of new intrusion attempts.
8. Defending against such sophisticated incursions requires a combination of technical and procedural safeguards. Implementing multi-factor authentication, enhancing email filtering with domain-based message authentication (DMARC), restricting PowerShell execution policies and deploying network segmentation can limit the impact of phishing and RAT deployments. Regular threat intelligence updates and cross-border collaboration among government cyber defense teams will bolster resilience against trusted relationship attacks. By learning from the Cavalry Werewolf operation, organizations can harden their defenses and stay one step ahead of evolving threat actors.
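Paragraphs 7 and 8 call for monitoring unusual Telegram activity; as an added detection example (not code from the report or from the researchers behind it), the script below flags proxy-log clients that run a Telegram Bot API poll-and-respond loop, the pattern a Telegram-controlled implant needs, and notes which implant runtime the User-Agent suggests. The log format, the Bot API use by the malware, the runtime User-Agent mapping and the sample lines are all assumptions constructed here; TOKEN_PLACEHOLDER stands in for a bot token.

```python
"""Flag proxy-log clients whose Telegram traffic looks like a Bot API command loop.
Constructed example, not from the report. Assumes log lines of the form
  timestamp client_ip method url user_agent
and an implant that polls api.telegram.org/bot<token>/getUpdates for operator commands
and answers via sendMessage/sendDocument; a notification-only bot never polls."""
import re
from collections import defaultdict

BOT_API = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")
POLL, SEND = "getUpdates", {"sendMessage", "sendDocument"}
# Runtime-default User-Agents for the languages the report names (assumes no UA spoofing).
RUNTIME_UA = {"Go-http-client": "Go", "python-requests": "Python",
              "Python-urllib": "Python", "WindowsPowerShell": "PowerShell"}

def runtime_hint(ua):
    """Map a User-Agent to the implant runtime it suggests, or None."""
    return next((lang for key, lang in RUNTIME_UA.items() if key in ua), None)

def parse_line(line):
    """Split one log line into its five fields; None if malformed."""
    parts = line.split(maxsplit=4)
    return dict(zip(("ts", "client", "method", "url", "ua"), parts)) if len(parts) == 5 else None

def find_bot_c2(lines, min_polls=2):
    """Return {client_ip: finding} for clients that both poll and send via the Bot API."""
    stats = defaultdict(lambda: {"polls": 0, "methods": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        m = BOT_API.match(rec["url"]) if rec else None
        if not m:
            continue  # malformed, or not a Bot API call (e.g. web.telegram.org)
        s = stats[rec["client"]]
        s["methods"].add(m.group("method"))
        s["uas"].add(rec["ua"])
        s["polls"] += m.group("method") == POLL
    findings = {}
    for client, s in stats.items():
        if s["polls"] >= min_polls and s["methods"] & SEND:  # command loop, not a notifier
            findings[client] = {"polls": s["polls"], "methods": sorted(s["methods"]),
                                "runtime": sorted({runtime_hint(u) for u in s["uas"]} - {None})}
    return findings

# Constructed sample: one beaconing host, one browser user, one notification-only bot.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.20.1.15 GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates?offset=1 Go-http-client/1.1
2025-06-02T09:14:33Z 10.20.1.15 GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates?offset=2 Go-http-client/1.1
2025-06-02T09:14:35Z 10.20.1.15 POST https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage Go-http-client/1.1
2025-06-02T09:16:10Z 10.20.1.15 POST https://api.telegram.org/botTOKEN_PLACEHOLDER/sendDocument Go-http-client/1.1
2025-06-02T09:16:40Z 10.20.1.40 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0)
2025-06-02T09:17:00Z 10.20.1.52 POST https://api.telegram.org/botTOKEN_PLACEHOLDER2/sendMessage python-requests/2.31
"""
```

Running `find_bot_c2(SAMPLE_LOG.splitlines())` reports only 10.20.1.15: the browser session never touches the Bot API and the notification bot only sends, so neither trips the poll-and-send rule.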