Werewolf raids Russia's public sector with trusted relationship attacks
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malware, including FoalShell reverse shells and StallionRAT, controlled via Telegram. The group impersonated or compromised real email accounts from Kyrgyz agencies. Their arsenal includes various versions of FoalShell (Go, C++, C#) and StallionRAT (Go, PowerShell, Python). The attackers executed commands for system reconnaissance, file uploads, and SOCKS5 proxying. Evidence suggests potential expansion to targets in Tajikistan and Middle Eastern countries.
OPENCTI LABELS:
stallionrat,kyrgyzstan,russia,energy,mining,asyncrat,phishing,reverse shell,rat,telegram,government,foalshell,manufacturing
AI COMMENTARY:
1. Introduction: In the summer of 2025, Cavalry Werewolf, an advanced threat actor group, launched a sophisticated operation targeting Russia’s public sector and critical industries. Under the guise of trusted government correspondence from Kyrgyzstan, the attackers exploited the authority of real Kyrgyz government email accounts to lower recipients' suspicion and gain initial access. The primary targets included state agencies and enterprises within the energy, mining, and manufacturing sectors, underscoring the strategic importance of these industries in Russia’s economy.
2. Attack Vector and Initial Compromise: The campaign hinged on highly tailored phishing emails that appeared to originate from Kyrgyz government officials. By leveraging compromised or impersonated addresses, the adversaries bypassed traditional defenses and tricked recipients into opening malicious attachments or clicking on weaponized links. Once a foothold was established through spear-phishing, the operators deployed custom reverse shell malware to maintain persistence and pivot through internal networks.
3. Malware Arsenal: Cavalry Werewolf’s toolkit featured multiple versions of FoalShell reverse shells developed in Go, C++, and C#, along with StallionRAT implants written in Go, PowerShell, and Python. These variants enabled the threat actors to execute reconnaissance commands, upload and download files, and proxy traffic over SOCKS5. The group also experimented with AsyncRAT as a secondary remote access tool, further diversifying their capabilities and making signature-based detection more challenging.
4. Command and Control via Telegram: In a notable twist, the attackers established command and control channels hosted on Telegram, eschewing more conventional infrastructures. This approach allowed rapid, encrypted communications between infected hosts and the adversary’s controllers, while complicating efforts by defenders to trace or block network traffic effectively. The use of Telegram also highlights a growing trend among threat actors to exploit mainstream messaging platforms for covert operations.
5. Operational Impact and Expansion: During the May to August 2025 window, the operation disrupted workflows in several Russian energy and mining firms, resulting in data exfiltration and intermittent service degradation. Analysts have observed signs that Cavalry Werewolf is poised to expand its campaign to neighboring Tajikistan and select Middle Eastern countries, signaling a broader geopolitical objective. Organizations in critical sectors are urged to enhance phishing defenses, monitor for unusual reverse shell connections, and validate email communications from government domains to mitigate the evolving threat posed by this RAT-enabled campaign.
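As an added illustration of the Telegram C2 and monitoring points above (this is not code from the report or from OpenCTI), the script below scans proxy logs for hosts calling the Telegram Bot API with a non-browser user-agent and groups them by bot id. The log lines are constructed, and the user-agent heuristic (default Go, PowerShell and Python HTTP client strings, matching the runtimes the report lists for StallionRAT) is an assumption, not an indicator from the report.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the report): "<timestamp> <host> <user-agent> <url>".
SAMPLE_LOG = """\
2025-06-03T09:12:01Z ws-017 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 https://web.telegram.org/a/
2025-06-03T09:12:05Z ws-042 Go-http-client/1.1 https://api.telegram.org/bot7312345678:AAEXAMPLETOKEN/getUpdates
2025-06-03T09:12:35Z ws-042 Go-http-client/1.1 https://api.telegram.org/bot7312345678:AAEXAMPLETOKEN/getUpdates
2025-06-03T09:13:05Z ws-042 Go-http-client/1.1 https://api.telegram.org/bot7312345678:AAEXAMPLETOKEN/sendDocument
2025-06-03T09:14:00Z ws-088 Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041 https://api.telegram.org/bot7312345678:AAEXAMPLETOKEN/getUpdates
2025-06-03T09:15:00Z ws-101 python-requests/2.31.0 https://api.telegram.org/bot9988776655:AAANOTHERTOKEN/sendMessage
2025-06-03T09:16:00Z ws-017 Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 https://example.com/
"""

# Telegram Bot API URLs embed the bot id and token: /bot<id>:<token>/<method>.
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):([\w-]+)/(\w+)")
# Assumed heuristic: default user-agents of the Go, PowerShell and Python HTTP stacks;
# a browser never sends these, so Bot API traffic carrying them is worth triage.
NON_BROWSER_UA = re.compile(r"Go-http-client|python-requests|PowerShell", re.I)
LINE = re.compile(r"^(\S+) (\S+) (.+?) (https?://\S+)$")


def find_bot_api_c2(log_text):
    """Return {host: finding} for hosts calling the Telegram Bot API with a non-browser
    user-agent. Ordinary web.telegram.org browsing is ignored, and only the numeric bot id
    is recorded, never the token."""
    findings = defaultdict(lambda: {"calls": 0, "methods": set(), "bot_ids": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _ts, host, ua, url = m.groups()
        api = BOT_API.match(url)
        if not api or not NON_BROWSER_UA.search(ua):
            continue
        bot_id, _token, method = api.groups()
        f = findings[host]
        f["calls"] += 1
        f["methods"].add(method)   # getUpdates = polling for tasks, sendDocument = upload
        f["bot_ids"].add(bot_id)
    return dict(findings)


def shared_bots(findings):
    """Bot ids seen from more than one host: one operator tasking several implants."""
    hosts_by_bot = defaultdict(set)
    for host, f in findings.items():
        for bot_id in f["bot_ids"]:
            hosts_by_bot[bot_id].add(host)
    return {b: h for b, h in hosts_by_bot.items() if len(h) > 1}
```

Feed it your own proxy or DNS-plus-TLS-SNI export in the same four-column shape; hosts sharing a bot id are the first pivot for scoping an intrusion.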