Between May and August 2025, a technically advanced threat campaign targeted Russia’s public sector and several critical industries, primarily energy, mining, and manufacturing. Analysts attribute the operations to the group known as Cavalry Werewolf, also tracked as YoroTrooper and Silent Lynx. The attackers used highly tailored phishing lures that abused trusted government relationships to deliver custom malware aimed at maintaining persistent access and executing remote commands.
Campaign overview, social engineering and targeting
The attackers sent spear-phishing emails crafted to appear as official communications from Kyrgyz government offices, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications. Attachments were delivered as RAR archives, with filenames chosen to resemble legitimate documents, for example, “three-month results of joint operations” or “shortlist of employees to receive bonuses”, increasing the chances of a user opening the file. There is evidence that the adversary blurred impersonation with real compromise, likely by using or having previously compromised authentic government email accounts to improve credibility.
A notable forensic indicator, useful for defenders, is that the malicious archives are often saved to the Outlook cache, typically under %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook, which gives security teams a detection point for monitoring Outlook cache activity.
Malware families and multi-language development, FoalShell and StallionRAT
The campaign relied mainly on two malware families, FoalShell and StallionRAT, plus additional tools such as AsyncRAT installers, showing the group is expanding and refining its toolkit. What stands out is the multi-language approach, with variants written in C#, C++, Go, PowerShell, and Python, enabling flexible deployment depending on target environments and defensive controls.
FoalShell, a lightweight reverse shell architecture
FoalShell functions as a compact reverse shell that grants remote command-line access through cmd.exe. Different language implementations use distinct techniques to remain stealthy:
- The C# version establishes a simple TCP connection to a command-and-control server, running cmd.exe in hidden window mode and relaying standard and error output back to the attacker. One observed C2 IP was 188.127.225.191 on port 443.
- The C++ build uses embedded, obfuscated shellcode stored in the executable's resources under a label such as “output_bin”. At runtime, the resource is extracted, deobfuscated, and executed in memory allocated with read, write and execute (RWX) permissions, for example via VirtualAlloc; the payload then connects to a C2 such as 109.172.85.63. A representative sequence from the C++ analysis shows the executable resolving the C2 address, creating a connected socket, and launching cmd.exe with its standard handles redirected to the socket.
- The Go variant implements a custom networking stack and forces cmd.exe to run with hidden windows, connecting to a C2 such as 62.113.114.209 on port 443.
These language-specific builds increase the operational flexibility of the actors, making detection by signature-based products more difficult.
StallionRAT and other remote access components
StallionRAT operates as a full-featured remote access trojan, tailored to provide persistence, remote administration, and data exfiltration. The presence of AsyncRAT installer files in discovered infrastructure suggests the group mixes bespoke tooling with off-the-shelf RATs to diversify capabilities and complicate attribution.
Technical artifacts, indicators and detection opportunities
- Common download location, useful for detection: %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook; monitor for unexpected RAR or executable files stored in that cache.
- Network indicators, examples observed: 188.127.225.191:443, 109.172.85.63:443, 62.113.114.209:443. Monitor DNS and outbound TLS streams to these endpoints, and on the endpoint look for unusual client processes forcing cmd.exe or other shells to run hidden.
- Runtime techniques include shellcode unpacking in memory, redirected stdin/stdout/stderr to sockets, and hidden process windows. Endpoint detection should include memory inspection, behavioral monitoring of CreateProcess calls that spawn cmd.exe with redirected handles, and checks for VirtualAlloc with RWX permissions.
The code-like excerpt from the analysis, showing the socket connection to the C2 address and the launch of cmd.exe, demonstrates how the executable redirected standard I/O to the socket and then created a cmd.exe process, enabling remote command execution.
Geopolitical scope and expansion signs
Desktop artifacts and recovered documents indicate the group is not limiting operations to Russian targets. Files in the Tajik language suggest interest in Tajikistan, and Arabic-named documents point toward reconnaissance in Middle Eastern countries. This geographic breadth, together with the multi-language malware builds, indicates an intent to scale operations across multiple regions and industries.
Mitigation recommendations, prioritized actions for defenders
- Monitor Outlook cache paths, especially %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook, for newly written RAR or executable files; quarantine and analyze anything suspicious.
- Deploy behavioral EDR rules to flag processes that spawn cmd.exe with redirected standard handles, hidden window attributes, or use RWX memory allocations, for example VirtualAlloc with executable permissions.
- Harden email gateways with attachment scanning and block high-risk archive types by default, implement strong DMARC, DKIM, SPF policies, and multi-factor authentication on government accounts.
- Monitor the network: block or inspect outbound traffic to suspicious IPs and unusual TLS endpoints, and apply egress filtering and proxying with decryption where lawful and feasible.
- Conduct user awareness training focused on convincing spear-phishing techniques that mimic government correspondence.
- Keep an inventory of legitimate intergovernmental contacts, establish secure channels for sensitive documents, and verify unexpected messages through alternate channels.
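The detection points listed under "Technical artifacts" and the first two mitigation items above can be combined into one rule set. The following Python is an added example, not code from the original report: it runs those rules over constructed endpoint telemetry (the event shape and field names are assumptions; the C2 addresses and cache path come from the report, the 0x40 protection and SW_HIDE values are Win32 constants).

```python
import re

# C2 addresses and cache path are from the report; field names are assumptions.
C2_IPS = {"188.127.225.191", "109.172.85.63", "62.113.114.209"}
OUTLOOK_CACHE = re.compile(r"\\INetCache\\Content\.Outlook\\", re.IGNORECASE)
SUSPICIOUS_EXT = (".rar", ".exe")
PAGE_EXECUTE_READWRITE = 0x40   # RWX allocation, e.g. VirtualAlloc(..., 0x40)
SW_HIDE = 0                     # hidden window via STARTF_USESHOWWINDOW

def alerts_for(event: dict) -> list:
    """Return (rule, detail) tuples raised by one telemetry event."""
    kind, out = event.get("type"), []
    if kind == "file_write":
        path = event.get("path", "")
        if OUTLOOK_CACHE.search(path) and path.lower().endswith(SUSPICIOUS_EXT):
            out.append(("outlook_cache_drop", path))
    elif kind == "process_create" and event.get("image", "").lower().endswith("\\cmd.exe"):
        hidden = event.get("show_window") == SW_HIDE
        redirected = event.get("stdio_handle_type") == "socket"
        if hidden or redirected:   # cmd.exe with hidden window or socket-backed stdio
            out.append(("hidden_or_redirected_cmd", event.get("parent_image")))
    elif kind == "net_connect" and event.get("dst_ip") in C2_IPS:
        out.append(("known_c2", f"{event['dst_ip']}:{event.get('dst_port')}"))
    elif kind == "mem_alloc" and event.get("protect") == PAGE_EXECUTE_READWRITE:
        out.append(("rwx_alloc", event.get("image")))
    return out

def scan(events) -> list:
    """Run every rule over a stream of events and collect all alerts in order."""
    return [a for ev in events for a in alerts_for(ev)]

# Constructed sample telemetry: four suspicious events interleaved with four benign ones.
CACHE = r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD"
SAMPLE_EVENTS = [
    {"type": "file_write", "path": CACHE + r"\results.rar"},
    {"type": "file_write", "path": CACHE + r"\agenda.docx"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\Downloads\results.exe",
     "show_window": SW_HIDE, "stdio_handle_type": "socket"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "show_window": 1, "stdio_handle_type": "console"},
    {"type": "net_connect", "dst_ip": "188.127.225.191", "dst_port": 443},
    {"type": "net_connect", "dst_ip": "1.1.1.1", "dst_port": 443},
    {"type": "mem_alloc", "protect": 0x40, "image": r"C:\Users\u\Downloads\results.exe"},
    {"type": "mem_alloc", "protect": 0x04, "image": r"C:\Windows\System32\notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts, one per rule, while the benign events produce none; in production the same rules would consume Sysmon or EDR events rather than the inline dictionaries.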