
⚠️ Introduction
Cavalry Werewolf — a covert threat actor linked to multiple regional clusters — has surfaced as an aggressive cyber campaign aimed at Russian government bodies and critical industries. This rewritten, expanded article synthesizes the original reporting, clarifies technical details, and adds strategic analysis and forward-looking predictions. Read on for a clear, human-style breakdown of how phishing, lightweight backdoors and Telegram-based exfiltration have been combined to give operators effective, low-friction control over breached networks.
📝 Summary
Security researchers observing activity attributed to a cluster they call Cavalry Werewolf report targeted phishing operations that impersonate Kyrgyz government officials to deliver RAR archives containing two primary malware families: FoalShell and StallionRAT. BI.ZONE labels the cluster Cavalry Werewolf and notes overlaps with several tracked groups including YoroTrooper, SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris — the latter linked in past reporting to a Kazakhstan-associated actor (Storm-0473). Between May and August 2025, the attackers sent tailored emails to Russian state agencies and enterprises in energy, mining and manufacturing, sometimes using compromised legitimate Kyrgyz government addresses to increase credibility. FoalShell functions as a lightweight reverse shell implemented in languages such as Go, C++ and C, enabling arbitrary command execution via cmd.exe. StallionRAT, written in Go, PowerShell and Python, offers a Telegram-bot based exfiltration and command framework; operators can enumerate compromised hosts, run commands with Invoke-Expression-like behavior, and upload files — all orchestrated through bot commands such as /list, /go and /upload. Post-compromise tooling also includes SOCKS5 reverse agents, device-fingerprint collectors, and common lateral-movement and persistence tactics. BI.ZONE observed English and Arabic filenames in samples, suggesting a potentially broader targeting remit than previously assumed. The vendor warns that Cavalry Werewolf is iterating on its toolkit and expanding capabilities, highlighting the need for rapid intelligence to keep detection and mitigation effective. Separate reporting from Group-IB in August 2025 tied ShadowSilk activity to government targets across Central Asia and APAC using reverse proxies and RATs initially developed in Python and later ported to PowerShell. 
BI.ZONE’s telemetry and investigation of underground chatter further point to a wave of compromises across Russian organizations over the past year — at least 500 companies — with attackers frequently exploiting public-facing web apps, installing lightweight persistent access tools like gs-netcat, and abusing legitimate admin utilities (Adminer, phpMiniAdmin, mysqldump) to extract databases. The overall picture is of a nimble, regionally focused offensive cluster that blends social engineering, multi-language tooling, commodity web-shell tactics and creative exfiltration channels to maintain stealth and operational tempo.
🕵️ What Undercode Says:
Cavalry Werewolf appears to be a modular, opportunistic cluster that prioritizes human-centric initial access and low-profile persistence. The heavy reliance on convincing spear-phishing — impersonating Kyrgyz officials and even using compromised Kyrgyz regulatory email accounts — shows investment in reconnaissance and persona-building: operators are willing to seed trust to bypass perimeter scrutiny. FoalShell’s presence in compiled languages (Go, C++, C) signals a goal of cross-platform compatibility and a low detection footprint; compiled reverse shells often evade script-only defenses and make static detection harder.

StallionRAT’s Telegram-bot exfiltration is particularly telling: it uses a consumer-grade platform for C2 that blends in with normal traffic and avoids the custom C2 infrastructure that defenders more readily block. The bot command set (enumeration, remote execution, upload) turns Telegram into a rudimentary but effective remote management plane, simplifying operations and requiring minimal bespoke infrastructure. The simultaneous use of ReverseSocks5Agent/ReverseSocks5 and common administrative tools implies a layered approach: lightweight backdoors provide the initial foothold; legitimate tools and tunnels are then abused for reconnaissance, lateral movement and data extraction.

The cluster’s overlaps with groups such as ShadowSilk and Tomiris (itself linked to Storm-0473) suggest shared tooling, shared tradecraft, or perhaps shared operators, which is common in an ecosystem where code reuse and vendor-like toolsets are rife. The English and Arabic file names widen the profile: either the operators repurpose tooling across different campaigns or they are building multi-regional targeting capability, possibly working with freelance affiliates who adapt payloads for local languages. From a defensive standpoint, the attacks exploit predictable weak points: exposed public web apps, default or accessible admin tools, and human trust.
The underground reporting of 500 compromised Russian companies, with initial access commonly via public-facing application vulnerabilities and subsequent use of gs-netcat and web shells, reinforces that many breaches begin with basic web app flaws and then escalate via tried-and-tested tooling. Organizations that lack rapid telemetry on external-facing app anomalies, or that do not strictly monitor outbound connections (including encrypted or tunneled traffic), are particularly at risk. Operationally, the use of small-footprint reverse-shell backdoors means incident responders must focus on behavior-based detection (process spawning, unusual cmd.exe or PowerShell invocations, unexpected remote connections over non-standard ports) rather than purely signature-based defenses. The convergence of nation-affiliated hypotheses (Kazakhstan links via Tomiris/Storm-0473) with financially motivated leak-posting in underground forums complicates attribution: some actors pursue geopolitical aims while others monetize access, and tool-sharing blurs the lines.

For blue teams, priorities should be phishing-resistant authentication (MFA with phishing-resistant keys where possible), strict egress filtering (Telegram and other consumer API endpoints should be monitored and controlled), robust web-application hygiene (WAFs, regular patching, least-privilege database access), and rapid triage playbooks that assume quick data exfiltration following web app compromise. In the threat-hunting domain, searching for artifacts left by Go-compiled reverse shells, unexplained scheduled tasks, injected PowerShell code, and anomalies in database dump activity will deliver early wins. Incident handlers should also map supply-chain-like vectors — compromised third-party or government email accounts — as part of the blast-radius assessment, because trusted third-party impersonation was a factor in at least one observed instance.
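The behavior-based hunting priorities above can be expressed as a few concrete rules over endpoint and proxy telemetry. The following is an added example written for this article, not tooling from BI.ZONE or Group-IB; the event schema, the Telegram bot tokens, host names and process names are all constructed, and the allowlist of hosts that legitimately run Telegram bots is an assumption a team would replace with its own inventory.

```python
import re

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# StallionRAT-style C2 polls for operator commands and pushes files back, so
# any non-allowlisted host talking to the Bot API is worth a look.
BOT_API = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/(\w+)")
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BENIGN_SHELL_PARENTS = {"explorer.exe", "services.exe", "winlogon.exe"}
INLINE_IEX = re.compile(r"invoke-expression|\biex\b", re.I)
DUMP_TOOLS = {"mysqldump", "mysqldump.exe"}
BOT_ALLOWLIST = {"monitoring-01"}  # assumed: hosts known to run legitimate bots

def hunt(events):
    """Return (rule, host, detail) tuples for events that match a hunting rule."""
    findings = []
    for e in events:
        host = e["host"]
        if e["type"] == "net":
            m = BOT_API.match(e["url"])
            if m and host not in BOT_ALLOWLIST:
                method = m.group(1)
                rule = "telegram_bot_exfil" if method.lower() in EXFIL_METHODS else "telegram_bot_c2"
                findings.append((rule, host, f"{e['proc']} -> {method}"))
        elif e["type"] == "proc":
            image, parent = e["image"].lower(), e["parent"].lower()
            cmd = e.get("cmdline", "")
            # A compiled implant (FoalShell-like) spawning cmd.exe has no GUI parent.
            if image in SHELLS and parent not in BENIGN_SHELL_PARENTS:
                findings.append(("shell_from_unexpected_parent", host, f"{parent} -> {image}"))
            if image in SHELLS and INLINE_IEX.search(cmd):
                findings.append(("inline_invoke_expression", host, cmd))
            # Database dumps outside an approved change window (Adminer/mysqldump abuse).
            if image in DUMP_TOOLS and not e.get("change_window", False):
                findings.append(("db_dump_outside_window", host, cmd))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not observed data
    {"type": "net", "host": "ws-14", "proc": "svchost.exe",
     "url": "https://api.telegram.org/bot123456:AAExampleToken_abc/getUpdates"},
    {"type": "net", "host": "ws-14", "proc": "svchost.exe",
     "url": "https://api.telegram.org/bot123456:AAExampleToken_abc/sendDocument"},
    {"type": "net", "host": "monitoring-01", "proc": "python.exe",
     "url": "https://api.telegram.org/bot777:AAAlertBot_xyz/sendMessage"},
    {"type": "proc", "host": "ws-14", "image": "cmd.exe", "parent": "updater.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "proc", "host": "ws-14", "image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe"},
    {"type": "proc", "host": "ws-14", "image": "powershell.exe", "parent": "updater.exe",
     "cmdline": "powershell.exe -c Invoke-Expression $payload"},
    {"type": "proc", "host": "db-02", "image": "mysqldump.exe", "parent": "cmd.exe",
     "cmdline": "mysqldump.exe --all-databases"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields six findings: the bot poll and the document upload from ws-14, two shells spawned by the unknown parent, the inline Invoke-Expression, and the unscheduled dump on db-02, while the allowlisted monitoring host and the explorer-launched cmd.exe are left alone.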
Finally, information-sharing across regional CERTs and intelligence vendors is crucial: the attackers’ speed of tool evolution means static indicators degrade quickly, and only coordinated telemetry and TTP sharing will keep enterprise detection tuned to the cluster’s iterative changes.
✅ Fact Checker Results
Cavalry Werewolf’s use of FoalShell and StallionRAT is consistent with BI.ZONE’s public findings; the Telegram-based exfiltration behavior described matches multiple technical reports. ✅
Attribution to Kazakhstan-linked Tomiris / Storm-0473 remains a credible hypothesis but is not definitive — overlaps in tooling can be caused by code reuse and third-party tooling markets. ❌ (not conclusive)
Group-IB and BI.ZONE reporting together support the claim of widespread compromises via public-facing web apps and use of gs-netcat and Adminer-like tools for extraction. ✅
🔮 Prediction
Expect Cavalry Werewolf and affiliated clusters to further diversify their toolset and delivery chains, blending compiled implants with script-based loaders and expanding use of benign cloud and messaging platforms for C2 and exfiltration. 🔮📈
Over the next months, defenders will see more Telegram- and cloud-API-driven controls used as covert channels; organizations that do not monitor API usage or DNS/HTTPS egress will remain vulnerable. 🔮⚠️
In response, we predict a rise in targeted detection rules for Go-compiled reverse shells, increased egress filtering policies in enterprise networks, and more coordinated regional intel-sharing among CERTs to counter rapid TTP evolution. 🔮🤝
References:
Reported By: thehackernews.com