Cavalry Werewolf Phishing Campaign Targets Russian Agencies
Cybersecurity experts have uncovered a sophisticated phishing campaign, dubbed 'Cavalry Werewolf', targeting Russian state agencies and enterprises between May and August 2025. The group sent spear-phishing emails that were disguised as official correspondence from Kyrgyz government officials and contained malware.
The group, active since at least 2021, impersonated government officials to trick targets into opening RAR archives. These archives deployed either FoalShell or StallionRAT malware. FoalShell enables attackers to execute arbitrary commands on compromised hosts, while StallionRAT allows command execution, file loading, and data exfiltration.
Cavalry Werewolf focused on the energy, mining, and manufacturing sectors in Russia. They employed a C++ launcher to run StallionRAT in PowerShell. The group uses a Telegram bot as its command-and-control server. Although no specific Middle Eastern targets have been identified, the group may extend its reach beyond Russia and Tajikistan.
Organizations worldwide, particularly in targeted sectors, are urged to bolster email security measures. Dedicated filtering and threat detection services can help protect against such sophisticated phishing campaigns. Further research is ongoing to monitor Cavalry Werewolf's activities and potential expansion into new regions.
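The two behaviours described above, PowerShell started by a launcher and a Telegram bot used for command and control, can be hunted in endpoint telemetry. The following Python is an added example, not taken from the report: the event format, host and process names, and both allow-lists are constructed assumptions, while api.telegram.org is the public Telegram Bot API hostname.

```python
import json

# Constructed sample telemetry (process-start and network events); not campaign data.
SAMPLE_EVENTS = """
{"host":"ws-014","type":"process","image":"powershell.exe","parent":"explorer.exe","pid":4120}
{"host":"ws-014","type":"network","image":"ops_notifier.exe","pid":3300,"dest":"api.telegram.org"}
{"host":"ws-022","type":"process","image":"powershell.exe","parent":"invoice_viewer.exe","pid":5012}
{"host":"ws-022","type":"network","image":"powershell.exe","pid":5012,"dest":"api.telegram.org"}
{"host":"ws-031","type":"network","image":"python.exe","pid":2210,"dest":"api.telegram.org"}
{"host":"ws-031","type":"network","image":"chrome.exe","pid":2400,"dest":"example.org"}
"""

TELEGRAM_BOT_API = "api.telegram.org"            # public Telegram Bot API hostname
APPROVED_BOT_API_CLIENTS = {"ops_notifier.exe"}  # assumption: site-approved bot software
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # assumption: tune per fleet


def detect(raw_events):
    """Return (host, image, severity) for unapproved processes reaching the Bot API.

    Severity is "high" when the connecting process is a PowerShell instance
    started by an unexpected parent (the launcher pattern), else "medium".
    """
    events = [json.loads(line) for line in raw_events.splitlines() if line.strip()]

    # Index every PowerShell start by (host, pid) so network events can be correlated.
    ps_parent = {}
    for e in events:
        if e["type"] == "process" and e["image"].lower() == "powershell.exe":
            ps_parent[(e["host"], e["pid"])] = e["parent"].lower()

    findings = []
    for e in events:
        if e["type"] != "network" or e["dest"].lower() != TELEGRAM_BOT_API:
            continue
        image = e["image"].lower()
        if image in APPROVED_BOT_API_CLIENTS:
            continue
        parent = ps_parent.get((e["host"], e["pid"]))
        unusual_parent = parent is not None and parent not in EXPECTED_PS_PARENTS
        findings.append((e["host"], image, "high" if unusual_parent else "medium"))
    return findings


if __name__ == "__main__":
    for host, image, severity in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {image} -> {TELEGRAM_BOT_API}")
```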