Cavalry Werewolf APT Targets Multiple Sectors Using FoalShell and StallionRAT


From May to August 2025, an advanced persistent threat group known as Cavalry Werewolf—also tracked as YoroTrooper and Silent Lynx—executed a sophisticated attack campaign targeting Russia’s public sector and vital industries such as energy, mining, and manufacturing.

The coordinated offensive leveraged trusted relationships for highly targeted spear-phishing and deployed a custom multi-language malware arsenal, marking Cavalry Werewolf as one of this year’s most adaptable and dangerous APT outfits.

Cavalry Werewolf’s initial compromise hinged primarily on spear-phishing emails that masqueraded as official communication from Kyrgyz governmental agencies.

Attackers crafted fake addresses—sometimes even hijacking genuine official accounts—from ministries such as the Ministry of Economy and Commerce or the Ministry of Transport and Communications.

By blurring the lines between impersonation and direct compromise, the group maximized credibility.

Typical phishing lures included RAR archives disguised as legitimate documents, such as “three-month results of joint operations” or “shortlist of employees to receive bonuses.”

Inside the archives, victims found either FoalShell—a reverse shell backdoor—or StallionRAT, a remote access trojan. These malware families are central to Cavalry Werewolf’s tactics for gaining long-term control.

In the C++ FoalShell variant’s loader, the embedded resource is read, memory is allocated with RWE (Read, Write, Execute) permissions using VirtualAlloc, and the shellcode is executed from that buffer.


A crucial detection tip for defenders: monitor the creation of archives with document-like names within the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, a well-known repository for files downloaded through Microsoft Outlook.

FoalShell and StallionRAT

FoalShell: Versatility by Design

FoalShell is a compact reverse shell, with variants written in C#, C++, and Go. Its core goal is to provide attackers with reliable command-line access on infected hosts via a hidden cmd.exe process.

  • C# Version: Implements a persistent loop connecting to command-and-control (C2) at 188.127.225.191:443, redirecting command and output streams while running command prompts in hidden windows.
  • C++ Variant: Uses a shellcode loader obfuscated inside resources. The code loads and executes shellcode, which connects to C2 at 109.172.85.63 and launches a concealed command prompt for attacker interaction.
  • Go Implementation: Connects to C2 62.113.114.209:443, again running cmd.exe invisibly, leveraging Go’s networking stack for flexibility.

Threat hunting guidance: Watch for suspicious cmd.exe instances spawned by processes in temp directories or with unusual parentage, as well as processes executing multiple system discovery routines in quick succession.

StallionRAT: Telegram-Controlled Espionage

StallionRAT is a feature-rich Remote Access Trojan implemented in Go, PowerShell, and Python, with a distinctive twist: it leverages Telegram bots for command and control, bypassing many conventional network defenses.

  • PowerShell Variant: Deployed using a C++ dropper, it executes Base64-encoded commands to obfuscate malicious intent from security software.
  • Operations: StallionRAT parses Telegram messages to list compromised hosts, execute arbitrary commands per device, and transfer files—often hiding payloads in C:\Users\Public\Libraries.

Persistence is achieved via registry Run keys, while post-compromise operations include deploying tools such as ReverseSocks5Agent (SOCKS5 proxying) to tunnel external traffic, with observed C2 connections at 96.9.125.168:443 and 78.128.112.209:10443. Reconnaissance techniques included commands like ipconfig, netstat, whoami, and net user /dom.

Defenders should correlate the use of the -EncodedCommand parameter in PowerShell, monitor C:\Users\Public\Libraries for newly dropped binaries, and watch for suspicious registry persistence.
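As an added example that is not part of the report, the detection points above and in the FoalShell section (cmd.exe with temp-directory parents, encoded PowerShell, archives in the Outlook cache, drops in C:\Users\Public\Libraries, Run key persistence) applied to a few constructed Sysmon-style events; the event schema, rule names and sample paths are assumptions made for the example.

```python
import base64
import re

# Constructed sample telemetry (Sysmon-style process, file and registry
# events) written for this example; not data from the report.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\report.exe", "cmdline": "cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\Libraries\svc.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + base64.b64encode("whoami".encode("utf-16-le")).decode()},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\results.rar"},
    {"type": "file", "path": r"C:\Users\Public\Libraries\update.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\Public\Libraries\update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},  # benign baseline
]

TEMP_PARENT = re.compile(r"\\(Temp|INetCache|Downloads)\\", re.I)
PUBLIC_LIBS = re.compile(r"^C:\\Users\\Public\\Libraries\\", re.I)
OUTLOOK_CACHE = re.compile(r"\\INetCache\\Content\.Outlook\\.*\.(rar|zip|7z)$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ENC_CMD = re.compile(r"-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENC_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (rule_name, detail) tuples for events matching the report's indicators."""
    hits = []
    for e in events:
        if e["type"] == "process":
            if e["image"].lower().endswith("\\cmd.exe") and TEMP_PARENT.search(e["parent"]):
                hits.append(("cmd_from_temp_parent", e["parent"]))
            decoded = decode_encoded_command(e["cmdline"])
            if decoded is not None:
                hits.append(("encoded_powershell", decoded))
        elif e["type"] == "file":
            if OUTLOOK_CACHE.search(e["path"]):
                hits.append(("archive_in_outlook_cache", e["path"]))
            if PUBLIC_LIBS.match(e["path"]):
                hits.append(("drop_in_public_libraries", e["path"]))
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            hits.append(("run_key_persistence", e["value"]))
    return hits
```

Decoding the -EncodedCommand argument matters because the Base64 hides the actual command from simple string matching; the benign cmd.exe spawned by explorer.exe produces no hit.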

Indicators reveal a possible expansion of targeting beyond Russian-speaking entities. Files in Tajik and desktop artifacts in Arabic suggest active reconnaissance or test attacks toward Tajikistan and parts of the Middle East. Additionally, traces of AsyncRAT point toward ongoing toolset diversification.

Defense and Recommendations

Cavalry Werewolf’s campaign exemplifies the expanding technical and operational sophistication of modern APTs.

Their adept use of multi-language custom malware, Telegram-based C2, and trust-abusing spear-phishing presents a formidable challenge for defenders.

  • Enforce strict verification of unexpected or unofficial correspondence.
  • Train personnel to check email headers deeply, not just display names.
  • Deploy advanced EDR/XDR monitoring for encoded PowerShell, abnormal cmd.exe hierarchies, and registry Run key manipulations.
  • Flag known proxy tools and monitor lateral movement indicators, especially involving C2 addresses and system reconnaissance tools.
  • FoalShell C2s: 188.127.225.191:443, 109.172.85.63, 62.113.114.209:443
  • StallionRAT/Proxy: 96.9.125.168:443, 78.128.112.209:10443
  • Key paths: %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook, C:\Users\Public\Libraries
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Staying vigilant against such multi-vector threats is essential as Cavalry Werewolf adapts and expands its assaults.
