The threat actor known as Cavalry Werewolf has been observed ramping up its operations between May and August 2025, targeting Russian state agencies as well as energy, mining, and manufacturing enterprises across the region. According to BI.ZONE Threat Intelligence, the group relies heavily on custom-built malware, including FoalShell reverse shells and StallionRAT remote access trojans, controlled through Telegram bots.
Initial access is achieved primarily through targeted phishing. The report notes: “In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials.”
The campaigns impersonated agencies such as the Ministry of Economy and Commerce and the Ministry of Transport and Communications, delivering malicious RAR archives carrying FoalShell or StallionRAT payloads.

In some cases, Cavalry Werewolf went further, compromising real email accounts for use in future campaigns. As BI.ZONE emphasizes: “Attackers can not only impersonate officials but also actually compromise their email accounts for phishing.”
The group’s FoalShell malware comes in multiple implementations—C#, C++, and Go.
- FoalShell C#: A .NET-based reverse shell that starts cmd.exe and relays its standard input and output over the reverse-shell connection. The report explains: “The attacker gains access to the command line on the victim’s remote device and can execute any command. The cmd.exe window runs in hidden mode.”
- FoalShell C++: A launcher that injects obfuscated shellcode into memory. “The resource contents are copied to the allocated memory and the shellcode is executed, which deobfuscates the main reverse shellcode and transfers control to it.”
- FoalShell Go: A lightweight variant that “establishes a connection with a remote control server and provides the attackers with hidden access to the command line of the victim’s computer.”
Across variants, FoalShell was distributed with decoy filenames mimicking government documents, such as employee incentive orders, meeting protocols, and memos.
The StallionRAT family, written in Go, PowerShell, and Python, enables attackers to maintain persistent control. BI.ZONE describes: “StallionRAT allows attackers to execute arbitrary commands, load additional files, and exfiltrate collected data. The cluster uses a Telegram bot as their C2 server.”
Once executed, StallionRAT assigns a DeviceID to each infected host and maintains continuous communication with its operators via Telegram. Commands include listing compromised hosts, executing arbitrary code, uploading files, and setting up SOCKS5 proxies for tunneling.
BI.ZONE researchers observed attackers running reconnaissance commands such as whoami, ipconfig, and netstat, as well as installing persistence mechanisms via registry keys.
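The behaviours above (a hidden cmd.exe child running a whoami/ipconfig/netstat sequence, C2 over the Telegram Bot API, and registry-based persistence) can be hunted for in endpoint telemetry. The script below is an added example for this article, not code from BI.ZONE or from the malware; it runs three rules over a constructed set of Sysmon-style process-create and network-connect events. Assumptions not in the report: that StallionRAT's Telegram bot traffic reaches api.telegram.org over HTTPS (true of any Bot API client), that a CurrentVersion\Run value is the persistence key (the report only says "registry keys"), the browser allowlist, and the sample event data itself.

```python
"""Hunt rules for the tradecraft described in the article, run over constructed
Sysmon-style events. Findings are returned, not printed, so they can be asserted on."""
from collections import defaultdict

RECON_COMMANDS = {"whoami.exe", "ipconfig.exe", "netstat.exe"}  # named in the report
TELEGRAM_API_HOST = "api.telegram.org"  # Bot API endpoint (assumption: RAT uses HTTPS to it)
ALLOWED_TELEGRAM_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: benign
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RUN_KEY_MARKER = "currentversion\\run"  # assumption: Run key used for persistence

# Constructed sample telemetry, not real logs. WS01 is infected, WS02 is benign noise.
EVENTS = [
    {"t": 0, "host": "WS01", "type": "process", "pid": 400, "ppid": 380,  # decoy "incentive order"
     "image": r"C:\Users\ivanov\AppData\Local\Temp\Prikaz_o_premirovanii.exe", "cmdline": "Prikaz_o_premirovanii.exe"},
    {"t": 1, "host": "WS01", "type": "process", "pid": 410, "ppid": 400,  # hidden cmd.exe child
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"t": 5, "host": "WS01", "type": "process", "pid": 420, "ppid": 410,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"t": 9, "host": "WS01", "type": "process", "pid": 421, "ppid": 410,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"t": 14, "host": "WS01", "type": "process", "pid": 422, "ppid": 410,
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"t": 16, "host": "WS01", "type": "process", "pid": 423, "ppid": 410,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\ivanov\AppData\Roaming\upd.exe"},
    {"t": 20, "host": "WS01", "type": "network", "pid": 400,
     "image": r"C:\Users\ivanov\AppData\Local\Temp\Prikaz_o_premirovanii.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"t": 30, "host": "WS02", "type": "network", "pid": 900,  # browser on the Bot API: allowed
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"t": 40, "host": "WS02", "type": "process", "pid": 950, "ppid": 940,  # lone whoami: below threshold
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def telegram_c2_suspects(events):
    """Rule 1: connections to the Telegram Bot API from anything that is not an allowed browser."""
    return [(e["host"], e["pid"], e["image"]) for e in events
            if e["type"] == "network" and e["dest_host"].lower() == TELEGRAM_API_HOST
            and basename(e["image"]) not in ALLOWED_TELEGRAM_IMAGES]


def recon_bursts(events, window_sec=120, min_distinct=2):
    """Rule 2: one parent (the shell) running >= min_distinct distinct recon commands within window_sec.
    Returns (host, parent_pid, sorted tuple of command names)."""
    by_parent = defaultdict(list)
    for e in events:
        if e["type"] == "process" and basename(e["image"]) in RECON_COMMANDS:
            by_parent[(e["host"], e["ppid"])].append(e)
    bursts = []
    for (host, ppid), procs in by_parent.items():
        procs.sort(key=lambda p: p["t"])
        for i, start in enumerate(procs):  # sliding window anchored at each recon event
            seen = {basename(p["image"]) for p in procs[i:] if p["t"] - start["t"] <= window_sec}
            if len(seen) >= min_distinct:
                bursts.append((host, ppid, tuple(sorted(seen))))
                break
    return bursts


def run_key_persistence(events):
    """Rule 3: reg.exe writing under CurrentVersion\\Run (assumed persistence location)."""
    return [(e["host"], e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process" and basename(e["image"]) == "reg.exe"
            and RUN_KEY_MARKER in e["cmdline"].lower()]


def hunt(events):
    """Run all rules; for recon bursts, resolve the shell's launcher and note if it ran from a user-writable path."""
    idx = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    findings = [{"rule": "telegram-bot-api-non-browser", "host": h, "pid": p, "image": img}
                for h, p, img in telegram_c2_suspects(events)]
    for host, shell_pid, cmds in recon_bursts(events):
        shell = idx.get((host, shell_pid))
        launcher = idx.get((host, shell["ppid"])) if shell else None
        in_user_path = bool(launcher) and any(m in launcher["image"].lower() for m in USER_WRITABLE_MARKERS)
        findings.append({"rule": "recon-burst", "host": host, "shell_pid": shell_pid, "commands": cmds,
                         "launcher": launcher["image"] if launcher else None, "launcher_in_user_path": in_user_path})
    findings += [{"rule": "run-key-persistence", "host": h, "pid": p, "cmdline": c}
                 for h, p, c in run_key_persistence(events)]
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
```

The recon rule deliberately keys on the parent PID rather than on a single command: whoami alone is routine admin noise (WS02 above), whereas several distinct recon tools from one hidden cmd.exe whose launcher lives under a user profile matches the FoalShell pattern. In a real SIEM the same logic maps onto Sysmon event IDs 1 and 3 (and 22 for DNS), and the launcher path check is where the RAR-extracted decoy executable stands out.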
While most campaigns focused on Russian entities, BI.ZONE uncovered evidence that Cavalry Werewolf is expanding its scope. The report highlights: “The investigation revealed … a file in the Tajik language … which may be evident of the attackers also targeting Tajikistan.”
Additionally, Arabic-language file names were found on attacker systems, suggesting potential operations targeting the Middle East.