Werewolf raids Russia's public sector with trusted relationship attacks

Oct. 2, 2025, 1:15 p.m.

Description

Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers gained initial access through targeted phishing emails in which they posed as Kyrgyz government officials, either impersonating or using compromised real email accounts belonging to Kyrgyz agencies. They deployed custom malware, including FoalShell reverse shells and StallionRAT, the latter controlled via Telegram. Their arsenal includes several versions of FoalShell (Go, C++, C#) and StallionRAT (Go, PowerShell, Python). Once inside, the attackers executed commands for system reconnaissance, file uploads, and SOCKS5 proxying. Evidence suggests potential expansion to targets in Tajikistan and Middle Eastern countries.

Date

  • Created: Oct. 2, 2025, 9:42 a.m.
  • Published: Oct. 2, 2025, 9:42 a.m.
  • Modified: Oct. 2, 2025, 1:15 p.m.

Attack Patterns

  • StallionRAT
  • FoalShell
  • AsyncRAT
  • Cavalry Werewolf

Additional Information

  • Energy
  • Government
  • Manufacturing
  • Kyrgyzstan
  • Tajikistan
  • Russian Federation