
Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. "In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials," BI.ZONE said. "The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises."

Cavalry Werewolf's ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it's a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473. The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT.

In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic's regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe. StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and
BI.ZONE tracks the actor as Cavalry Werewolf and assesses overlaps with YoroTrooper and clusters such as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris. Targeted phishing emails impersonating Kyrgyz government officials delivered RAR archives containing FoalShell or StallionRAT. The campaigns, observed between May and August 2025, targeted Russian state agencies as well as energy, mining, and manufacturing enterprises. In at least one case the messages were sent from a compromised email address belonging to a Kyrgyz Republic regulatory authority. FoalShell is a lightweight reverse shell, with Go, C++, and C# versions, that runs operator commands through cmd.exe. StallionRAT, written in Go, PowerShell, and Python, executes arbitrary commands and loads additional files. The ties to Tomiris support the assessment that this is a Kazakhstan-affiliated actor.
Read at The Hacker News