Cavalry Werewolf APT Targets Russian Organizations Using FoalShell and Telegram C2


Cavalry Werewolf, a Russian-focused advanced persistent threat (APT) cluster, has intensified its offensive operations by experimenting with new malware variants and leveraging Telegram-based command-and-control (C2).

Security teams must prioritize real-time visibility into the tools employed by this group to maintain effective detection and prevention measures. Without timely insights into FoalShell and StallionRAT, defenders risk falling behind as the adversary refines its tactics.

In recent months, Cavalry Werewolf has conducted targeted phishing campaigns against multiple Russian organizations.

The attackers impersonate employees of Kyrgyz government agencies—such as the Ministry of Economy and Commerce, the Ministry of Culture, Information, Sports and Youth Policy, and the Ministry of Transport and Communications—to deceive recipients into opening malicious archives. These phishing emails include RAR attachments containing either FoalShell or StallionRAT binaries.

One campaign used a legitimate email address harvested and likely compromised from the Kyrgyz Republic’s regulatory authority website.

Examples of phishing emails.

By repurposing this genuine account, the adversary increased the credibility of their lures, demonstrating an ability to breach trusted infrastructure for future operations.

This tactic underscores the critical need for verifying both sender identity and content—text, links, and attachments—to thwart sophisticated impersonation efforts.

FoalShell: A Multi-Language Reverse Shell

FoalShell represents Cavalry Werewolf’s simple yet effective reverse shell, implemented in Go, C++, and C#. Each version enables hidden execution of cmd.exe, granting attackers full command-line access on compromised hosts.

Main FoalShell C++ reverse shell code.

Threat hunters can detect FoalShell activity by monitoring for suspicious archives created in %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook and for cmd.exe processes spawned by unexpected parent executables in locations such as %Temp% or %UserProfile%\Downloads.

StallionRAT and Telegram-Based C2 Operations

StallionRAT, written in Go, PowerShell, and Python, extends Cavalry Werewolf’s capabilities with arbitrary command execution, file loading, and data exfiltration. This family uses a Telegram bot as its C2 channel.

A C++ launcher triggers StallionRAT via a Base64-encoded PowerShell command:

powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand

Once active, StallionRAT assigns each host a random DeviceID and retrieves the computer name. The RAT continuously polls the Telegram bot using the getUpdates function, executing commands like /go [DeviceID] [command], /upload [DeviceID], and /list.

Commands observed on an infected host (DeviceID 9139) include registry persistence through Run registry keys, SOCKS5 proxy deployment via ReverseSocks5Agent, and environment reconnaissance commands such as ipconfig /all, netstat, and whoami.

To detect these actions, security teams should configure correlation rules for PowerShell launches with -EncodedCommand and monitor file creation in C:\Users\Public\Libraries as well as suspicious registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
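The hunting guidance for FoalShell (cmd.exe spawned from %Temp% or Downloads, archives dropped into the Outlook cache) and for StallionRAT (encoded PowerShell launches, files in C:\Users\Public\Libraries, HKCU Run-key persistence, polling of the Telegram bot API) can be expressed as a small set of rules over endpoint telemetry. The following is an added example written for this page, not code from the article or from the threat actor; the event records are constructed, Sysmon-style dictionaries whose field names (event_type, image, parent_image, command_line, target, dest_host) are assumptions rather than a real product schema, and the list of processes expected to contact api.telegram.org is likewise an assumption to tune per environment. It also decodes the -EncodedCommand argument (base64 of UTF-16LE) so an analyst can read the hidden script instead of only flagging its presence.

```python
import base64
import re

# Paths and keys named in the write-up, lower-cased for case-insensitive matching.
# Environment variables (%LocalAppData%, %Temp%, ...) are assumed already expanded
# by the log source, so the rules match on the expanded directory names.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")
OUTLOOK_CACHE = "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\"
STAGING_DIR = "c:\\users\\public\\libraries\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
ARCHIVE_EXT = (".rar", ".zip", ".7z")
TELEGRAM_API = "api.telegram.org"
# Assumption: the only images expected to talk to the Telegram API on these hosts.
EXPECTED_TELEGRAM_CLIENTS = ("\\telegram.exe", "\\chrome.exe", "\\msedge.exe", "\\firefox.exe")

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return the detection names triggered by one event (empty list if none)."""
    hits = []
    kind = event["event_type"]
    if kind == "process_create":
        image = _norm(event["image"])
        parent = _norm(event.get("parent_image", ""))
        # FoalShell: hidden cmd.exe launched by a binary living in %Temp% or Downloads.
        if image.endswith("\\cmd.exe") and any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
            hits.append("cmd_from_temp_or_downloads_parent")
        # StallionRAT launcher: PowerShell started with an encoded command.
        if image.endswith("\\powershell.exe") and \
                decode_encoded_command(event.get("command_line", "")) is not None:
            hits.append("powershell_encoded_command")
    elif kind == "file_create":
        target = _norm(event["target"])
        # Archive attachment written to the Outlook temporary cache.
        if OUTLOOK_CACHE in target and target.endswith(ARCHIVE_EXT):
            hits.append("archive_in_outlook_cache")
        # Staging directory used by the observed StallionRAT commands.
        if target.startswith(STAGING_DIR):
            hits.append("file_in_public_libraries")
    elif kind == "registry_set":
        if _norm(event["target"]).startswith(RUN_KEY):
            hits.append("run_key_persistence")
    elif kind == "network_connect":
        # Telegram bot API polling (getUpdates) from something that is not a chat client.
        if event.get("dest_host", "").lower() == TELEGRAM_API and \
                not _norm(event["image"]).endswith(EXPECTED_TELEGRAM_CLIENTS):
            hits.append("unexpected_telegram_api_client")
    return hits


def scan(events):
    """Map event id -> triggered detections, keeping only events that fired."""
    results = {}
    for event in events:
        hits = classify(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample telemetry (not real IoCs); the encoded command wraps a benign
# reconnaissance line so the decoder has something to recover.
_ENC = base64.b64encode("hostname; whoami".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"id": "e1", "event_type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\document.exe"},
    {"id": "e2", "event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\launcher.exe",
     "command_line": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand " + _ENC},
    {"id": "e3", "event_type": "file_create",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\letter.rar"},
    {"id": "e4", "event_type": "file_create", "target": r"C:\Users\Public\Libraries\update.ps1"},
    {"id": "e5", "event_type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": "e6", "event_type": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest_host": "api.telegram.org"},
    {"id": "e7", "event_type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": "e8", "event_type": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "api.telegram.org"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["command_line"]))
```

Events e7 and e8 are the benign controls: cmd.exe under explorer.exe and a browser reaching Telegram produce no hit, which is the kind of baseline a rule needs before it goes into a correlation engine. Matching on the substring of the Outlook cache path rather than a full prefix is deliberate, since the user profile and the random subfolder name vary per host; the Telegram rule should be expected to fire on legitimate automation that uses bots, so treat it as a hunting lead rather than a blocking rule.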

Broadening Threat Horizon

Evidence of Tajik-language archives (Номерхои коргархо new.rar) and Arabic-named files on attacker machines suggests that Cavalry Werewolf’s operations extend beyond Russia and CIS countries into Central Asia and the Middle East.

Additional tools, such as AsyncRAT, may also feature in their toolkit, indicating continuous development and diversification of malware capabilities.

File paths on the adversary's computer.

Effective defense against Cavalry Werewolf demands continuous cyber threat intelligence monitoring and rapid threat hunting hypotheses.

Organizations should integrate automated telemetry analysis, regularly update detection signatures for new FoalShell and StallionRAT behaviors, and validate email senders beyond superficial checks. Only through vigilant tool visibility and proactive hunting can security teams stay ahead of this evolving APT.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.