Advanced 'Cavalry Werewolf' Cyber Campaign Targets Russian Governments and Infrastructure
A sophisticated cyber campaign, dubbed Cavalry Werewolf, has been targeting Russian and neighboring government and critical infrastructure organizations since May 2025. The campaign, linked to the YoroTrooper hacker group, uses custom malware tools and advanced techniques to evade detection and gain access to sensitive information.
The primary tool employed in this campaign is StallionRAT, a modular malware family with a two-stage loader implemented in C++ and PowerShell. Splitting the loader this way helps StallionRAT evade traditional antivirus solutions, and running the second stage in PowerShell lets it blend in with a trusted, signed system component. The malware is deployed alongside custom tools such as the FoalShell reverse shell and is highly effective because of its modular design and its use of Telegram for command-and-control.
The campaign uses phishing emails as its initial attack vector. These emails impersonate Kyrgyz government officials and carry malicious RAR archives dressed up with authentic-looking logos and real email addresses. When victims open the attachments, they unwittingly drop both the FoalShell reverse shell and the StallionRAT loader onto their systems. Once inside the network, the threat actors exfiltrate sensitive files, use SOCKS5 proxies for lateral movement, and methodically map the internal environment. The campaign has expanded its reach to the mining, energy, and manufacturing sectors, with state institutions remaining the primary targets.
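A defender-side illustration of the chain just described, added here and not part of the original report or any vendor tooling: it runs two checks over constructed endpoint telemetry, PowerShell launched beneath an archive-extraction tool and a non-browser process reaching the Telegram API. The event schema, archiver names and browser list are assumptions to be mapped onto your own EDR data.

```python
import json

# Constructed sample telemetry, one JSON object per line (not taken from the report).
# Field names are an assumption: map them onto your EDR's schema.
SAMPLE_EVENTS = r"""
{"type":"process","pid":300,"ppid":1,"image":"C:\\Windows\\explorer.exe"}
{"type":"process","pid":410,"ppid":300,"image":"C:\\Program Files\\WinRAR\\WinRAR.exe"}
{"type":"process","pid":412,"ppid":410,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$EXa0.1\\report.exe"}
{"type":"process","pid":415,"ppid":412,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type":"network","pid":415,"dest_host":"api.telegram.org","dest_port":443}
{"type":"process","pid":520,"ppid":300,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"type":"network","pid":520,"dest_host":"api.telegram.org","dest_port":443}
""".strip().splitlines()

ARCHIVERS = {"winrar.exe", "7z.exe", "7zfm.exe"}        # assumed extraction tools
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}   # assumed legitimate Telegram clients
MAX_DEPTH = 4  # how far up the process tree to look for an archiver

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(lines):
    """Return a list of (pid, reason) findings for the two campaign traits."""
    events = [json.loads(line) for line in lines]
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    findings = []
    # Rule 1: PowerShell with an archive-extraction tool among its recent ancestors.
    for pid, ev in procs.items():
        if basename(ev["image"]) != "powershell.exe":
            continue
        anc, depth = procs.get(ev["ppid"]), 0
        while anc and depth < MAX_DEPTH:
            if basename(anc["image"]) in ARCHIVERS:
                findings.append((pid, "powershell descended from archiver"))
                break
            anc, depth = procs.get(anc["ppid"]), depth + 1
    # Rule 2: a non-browser process talking to the Telegram API (the reported C2 channel).
    for ev in events:
        if ev["type"] == "network" and ev["dest_host"].endswith("telegram.org"):
            proc = procs.get(ev["pid"])
            if proc and basename(proc["image"]) not in BROWSERS:
                findings.append((ev["pid"], "non-browser connection to Telegram API"))
    return findings

if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(pid, reason)
```

Both rules fire on the same PowerShell process (pid 415) in the sample, while the browser's Telegram traffic is left alone; in production, corroborate the process-tree rule with the archive's source (mail client) before alerting.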
The Cavalry Werewolf campaign has been active for several months, causing significant concern due to its advanced techniques and the sensitive nature of the targets. Security experts urge organizations to enhance their email security measures, user training, and incident response capabilities to mitigate the risk posed by such sophisticated attacks.