Cavalry Werewolf hacker group attacks Russian state institutions

Nov. 7, 2025, 10:05 a.m.

Description

A Russian government organization was targeted by the Cavalry Werewolf hacker group, aiming to collect confidential information and network data. The attack began with phishing emails containing malware disguised as documents. The group utilized various tools including backdoors, trojans, and modified legitimate programs. They employed open-source software, reverse-shell backdoors, and Telegram API for control. The attackers focused on information gathering, network configuration, and establishing persistence in compromised systems. Their tactics included using Windows built-in tools, modifying the registry, and exploiting public directories for malware deployment. The group's sophisticated approach and diverse toolset highlight the evolving threat landscape for government institutions.

External References

https://news.drweb.com/show/?i=15078&lng=en&c=5
https://otx.alienvault.com/pulse/690db6c3db213f06f2b53533
Tags
phishing
data theft
backdoors
network infiltration
russian government
reverse-shell
open-source tools
2025-11-07
trojan.packed2.49708
telegram api
backdoor.shellnet.2
backdoor.reverseshell.10
backdoor.tunnel.41
trojan.inject5.57968
bat.downloader.1138
trojan.siggen31.54011
backdoor.shellnet.1
trojan.filespynet.5
backdoor.reverseproxy.1
backdoor.rshell.169
backdoor.siggen2.5463
trojan.packed2.49862

Date

  • Created: Nov. 7, 2025, 9:07 a.m.
  • Published: Nov. 7, 2025, 9:07 a.m.
  • Modified: Nov. 7, 2025, 10:05 a.m.

Indicators

  • fbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685
  • e695eafb035d9a54bf6b22bc27dbaad4c02cb4cd3011952e0ca77eb78e7c688c
  • d59577c808e5fc0c67cfaf17fb64cd92c2ed4cb3b6c6bd7110836c8b4b856170
  • cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06
  • af3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283
  • ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d
  • a3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6
  • 7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf
  • 6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252
  • 537c632851ba7bda9927062c592ec70eeafa3b089cafee539e5baff0d2e49e6f
  • 4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288
  • 484ab26ddb26d551147f293c8f4d9188a59c007d48a318933fd1171d10e6dd23
  • 3820a65ea7d478ffdcebf25a0413025e5d4a098024039d66e75e8cf14267ec2a
  • 22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab
  • 19bd1cee3800defcb8ca40e0187a160c1243a1c282084f9bd1e5c979b4729431
  • 148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda
  • 056e34ad8ed1e219fb29e04b8c17d72b6f2fbe4bc9d7c8e82f4a8a3249462cbc
  • 89.22.161.133
  • 78.128.112.209
  • 77.232.42.107
  • 64.95.11.202
  • 185.173.37.67
  • 168.100.10.73
  • 96.9.125.168
  • 94.198.52.210
  • 188.127.231.136
  • sss.qwadx.com
Download all indicators here!

Attack Patterns

  • Trojan.Packed2.49862
  • BackDoor.ReverseProxy.1
  • Trojan.Inject5.57968
  • BackDoor.ShellNET.2
  • BackDoor.RShell.169
  • BackDoor.ReverseShell.10
  • BackDoor.Siggen2.5463
  • Trojan.Siggen31.54011
  • Trojan.Packed2.49708
  • BAT.DownLoader.1138
  • Trojan.FileSpyNET.5
  • BackDoor.Tunnel.41
  • BackDoor.ShellNET.1
  • Cavalry Werewolf

Additional Informations

  • Government
  • Russian Federation