New research from BI.ZONE Threat Intelligence tracked Cavalry Werewolf activity between May and August 2025. The group primarily targeted Russian state agencies, along with enterprises in the energy, mining, and manufacturing sectors. These adversaries impersonate government officials and deploy custom-built malware to carry out their operations. To gain initial access, Cavalry Werewolf sent spear-phishing emails disguised as official correspondence from Kyrgyz government officials. Each email contained a RAR archive that deployed either FoalShell, a reverse shell, or StallionRAT, a remote access trojan controlled via Telegram, allowing the attackers to maintain stealthy command-and-control over compromised systems.
“Adversaries often send phishing emails impersonating major or well‑known organizations or referencing them for credibility,” BI.ZONE said in a post. “The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them. It is important to remember that the brands cannot be liable for the actions of criminals and associated damage.”
In their targeted phishing campaigns against Russian organizations, Cavalry Werewolf impersonated employees from Kyrgyz government agencies, using fake email addresses to make the messages appear legitimate. The attackers specifically posed as staff from the Ministry of Economy and Commerce, the Ministry of Culture, Information, Sports and Youth Policy, and the Ministry of Transport and Communications.
“In one of the phishing mailings, the attackers used a real email address found on the website of the Kyrgyz Republic’s regulatory authority,” according to the post. “It is likely that the attackers had compromised this address earlier to use in future attacks.”
FoalShell is a simple reverse shell used by Cavalry Werewolf, with variants written in Go, C++, and C#. FoalShell allows attackers to execute arbitrary commands through the cmd.exe command-line interpreter on a compromised host. StallionRAT is a family of remote access trojans written in Go, PowerShell, and Python, also used by Cavalry Werewolf. StallionRAT allows attackers to execute arbitrary commands, load additional files, and exfiltrate collected data. The cluster uses a Telegram bot as its C2 server.
The researchers mention that phishing still ranks first among the attack vectors: adversaries rely on the recipient’s carelessness to distribute malware via email.
BI.ZONE detailed that in this campaign, the attackers employed a launcher written in C++ to run an instance of the StallionRAT malware in PowerShell. The launcher executes PowerShell with a Base64-encoded command. Execution of this PowerShell command launches StallionRAT, which is controlled via Telegram.
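The two behaviours described above, a reverse shell that drives cmd.exe and a launcher that starts PowerShell with a Base64-encoded command reaching a Telegram bot, leave recognisable traces in process-creation telemetry. The following detection helper is an added example, not code from BI.ZONE or from the malware; it assumes process records have been mapped to dicts with `parent`, `image` and `cmdline` keys (as one would do from Sysmon event ID 1 or Windows event 4688), and the sample records and the encoded script inside them are constructed for illustration, with a placeholder in place of any bot token.

```python
"""Flag PowerShell started with an encoded command, decode it, and check the
decoded script for Telegram Bot API use; also flag cmd.exe/powershell.exe
spawned by a parent living in a user-writable directory.
Added example; sample data below is constructed, not telemetry from the report."""
import base64
import binascii
import re

# Constructed stand-in for an encoded stage script. The real StallionRAT script
# body is not reproduced here; this only illustrates the shape a detector sees.
_STAGE_SCRIPT = (
    "$token = '<BOT_TOKEN_PLACEHOLDER>';"
    "$r = Invoke-RestMethod \"https://api.telegram.org/bot$token/getUpdates\""
)
# powershell.exe -EncodedCommand expects Base64 over UTF-16LE text.
_ENCODED = base64.b64encode(_STAGE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed process-creation records
    {"parent": r"C:\Users\user\Downloads\launcher.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _ENCODED},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\doc.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Accepted spellings of the -EncodedCommand switch, followed by a Base64 token.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)
# Parent images under paths an ordinary user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return a finding dict for one process record; 'reasons' is empty if benign."""
    reasons = []
    image = ev["image"].lower()
    decoded = None
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded_powershell")
            if TELEGRAM_RE.search(decoded):
                reasons.append("telegram_bot_api")
    if image.endswith(("cmd.exe", "powershell.exe")) and USER_WRITABLE_RE.search(ev["parent"]):
        reasons.append("shell_spawned_from_user_writable_path")
    return {"image": ev["image"], "parent": ev["parent"],
            "reasons": reasons, "decoded": decoded}


def analyze_events(events):
    """Return findings for every record that triggered at least one reason."""
    return [f for f in (analyze_event(e) for e in events) if f["reasons"]]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["image"], finding["reasons"])
```

The encoded-command check decodes before matching, because the Telegram URL is invisible in the raw command line; the parent-path check catches the FoalShell case, where the cmd.exe child is ordinary and only its parent is unusual. Both heuristics produce false positives in environments with legitimate encoded-command automation, so tune the allow-list on the parent image rather than loosening the decode step.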
The investigation also revealed additional information related to Cavalry Werewolf preparing for attacks and testing malicious programs.
In the first case, the discovered files indicate preparations for an attack against Russian companies, and also include a file in the Tajik language, which may be evidence that the attackers are targeting Tajikistan as well. In addition, there is reason to believe that, beyond the identified malware, the attackers may have used other tools, such as AsyncRAT.
“In the second case, besides the files named in English, we found files named in Arabic,” the post added. “This suggests that the attackers might be targeting countries in the Middle East. Thus, the span of Cavalry Werewolf attacks is quite broad and not limited to Russia, other CIS countries, and regions where their malicious activity has been recorded.”
Organizations can strengthen email security by using dedicated filtering and threat detection services that block unwanted messages and protect communications. Upon deployment, such systems typically activate multiple layers of protection against spam, phishing, spoofing, mail server vulnerabilities, and malware. Filtering combines statistical, signature-based, linguistic, content, heuristic, and machine-vision analysis. Machine learning models classify emails by content and continuously refine their accuracy, ensuring that malicious emails are blocked while legitimate messages are delivered without delay.
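The campaign described earlier combined three signals a mail filter can act on: a display name borrowed from a government body, a sender whose envelope path does not match the visible From domain or fails SPF, and a RAR archive attachment. The triage routine below is an added example, not part of the article or of any vendor's filtering product; it uses Python's standard `email` package, and the two messages it inspects are constructed for illustration with placeholder domains (the ministry name is one the report says was impersonated, but the addresses are invented).

```python
"""Triage an inbound message for spoofing and archive-attachment indicators.
Added example using only the standard library; sample messages are constructed."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Magic bytes for RAR 4.x and RAR 5 archives, so a renamed .rar is still caught.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
GOV_KEYWORDS = ("ministry", "government", "department", "agency")


def build_message(from_hdr, return_path, auth_results, attachment_name, attachment_bytes):
    """Construct a multipart message with one attachment (test fixture builder)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "recipient@target.example"
    msg["Subject"] = "Official letter"
    msg["Return-Path"] = return_path
    msg["Authentication-Results"] = auth_results
    msg.set_content("Please review the attached letter.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed spear-phishing lookalike: government display name, mismatched
# envelope domain, SPF failure, RAR attachment.
PHISH_SAMPLE = build_message(
    "Ministry of Transport and Communications <press@ministry-kg.example>",
    "<bounce@bulk-sender.example>",
    "mx.target.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none",
    "letter.rar", RAR_MAGICS[1] + b"\x00" * 16)

# Constructed legitimate message: aligned domains, SPF and DKIM pass, PDF.
CLEAN_SAMPLE = build_message(
    "Accounts Payable <ap@partner.example>",
    "<ap@partner.example>",
    "mx.target.example; spf=pass smtp.mailfrom=partner.example; dkim=pass",
    "invoice.pdf", b"%PDF-1.7\n" + b"\x00" * 16)


def _domain(addr_header):
    _, addr = email.utils.parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes):
    """Return a list of indicator names found in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    display_name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append("return_path_domain_mismatch")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("spf_fail")
    if "dkim=pass" not in auth:
        findings.append("no_dkim_pass")
    if any(k in display_name.lower() for k in GOV_KEYWORDS):
        findings.append("government_display_name")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".rar") or data.startswith(RAR_MAGICS):
            findings.append("archive_attachment:" + name)
    return findings


def should_quarantine(findings):
    """Quarantine when an archive rides on a message whose sender is not authenticated."""
    has_archive = any(f.startswith("archive_attachment:") for f in findings)
    unauthenticated = "spf_fail" in findings or "return_path_domain_mismatch" in findings
    return has_archive and unauthenticated


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        f = triage(raw)
        print(label, f, "quarantine" if should_quarantine(f) else "deliver")
```

Checking the archive's magic bytes as well as its extension matters because an attacker controls the filename but not the container's header; checking Return-Path and Authentication-Results together matters because a correctly registered lookalike domain can pass SPF on its own, which is why the display-name signal is kept as a separate, weaker indicator rather than folded into the quarantine decision.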
To build an effective cyber defense, it is equally important to understand which threats are most relevant to organizations. Threat intelligence platforms provide insights into ongoing attacks, active threat actors, their tools and tactics, as well as data gathered from underground sources. Access to this intelligence allows security teams to stay proactive, prioritize risks, and accelerate incident response.
