In recent months, a sophisticated campaign dubbed Cavalry Werewolf has emerged, targeting government and critical infrastructure organizations across Russia and neighboring regions.
Adversaries initiated these attacks by sending meticulously crafted phishing emails that impersonate officials from Kyrgyz government agencies.
These emails contain malicious RAR archives, which deploy a suite of custom tools, including the FoalShell reverse shell and a more potent component known as StallionRAT.
With its modular design and Telegram-based command-and-control (C2) infrastructure, StallionRAT has rapidly become the primary tool in the actor’s arsenal.
Bi.Zone analysts identified this cluster of activity between May and August 2025, noting its expansion into mining, energy, and manufacturing sectors.
Victims are lured into opening attachments with authentic-looking logos and editorial styles, often referencing real email addresses harvested from official websites.
Once executed, these attachments drop both the reverse shell and a PowerShell-based loader for StallionRAT, ensuring the adversary gains immediate access and maintains long-term control over compromised hosts.
The impact of this campaign has been significant: once inside the network, threat actors have exfiltrated sensitive files, deployed SOCKS5 proxying tools for lateral movement, and leveraged domain enumeration commands to map internal environments.
By masquerading Triton RAT as routine correspondence, the cluster achieves high user execution rates while evading perimeter defenses.
Compromised machines are enrolled in Telegram chats, enabling operators to issue commands, upload additional payloads, and extract data in real time.
Infection Mechanism and Loader Workflow
StallionRAT’s infection mechanism relies on a dual-stage loader implemented in C++. Upon execution, the launcher invokes PowerShell with a Base64-encoded command.
This command decodes and executes the main payload entirely in memory, bypassing disk-based detections:
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand WwBWAHIAYQBiAGkAbABpAHQA...
Once decoded, StallionRAT initializes by generating a random DeviceID between 100 and 10 000 and retrieving the host’s computer name via $env:COMPUTERNAME.
It then enters an infinite loop, calling the getUpdates function of the Telegram Bot API to fetch new instructions.
Responses and errors are sent back to a designated chat, enabling the operator to issue commands such as /go [DeviceID] [command] to execute arbitrary code through Invoke-Expression.
This loader architecture not only evades traditional antivirus solutions by avoiding writing the main binary to disk, but also exploits the legitimacy of PowerShell to mask malicious activity.
The use of Telegram as a transport layer further complicates detection, as encrypted HTTPS traffic blends with normal application flows.
By chaining custom C++ and PowerShell components, StallionRAT achieves both stealth and flexibility, making it a formidable threat to even well-defended environments.
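As an added example (not part of the original article or of Bi.Zone's research), the following Python sketch scores process-creation records for the launcher pattern described above: it decodes the -EncodedCommand argument (Base64 of UTF-16LE text) and weights indicators such as Telegram Bot API polling and Invoke-Expression. The record format, indicator weights, threshold, parent process names and sample records are all constructed assumptions.

```python
import base64
import re
# Weights are this example's own assumptions, drawn from the loader traits in the article.
INDICATORS = {"api.telegram.org": 3, "getupdates": 2, "invoke-expression": 2,
              "$env:computername": 1, "get-random": 1}
LAUNCH_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden")
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE text), else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or malformed payload: launch flags still count, content does not

def score_command_line(cmdline):
    """Score one PowerShell command line; higher means closer to the loader pattern."""
    lowered = cmdline.lower()
    hits = [f for f in LAUNCH_FLAGS if f in lowered]
    decoded = decode_encoded_command(cmdline)
    score = len(hits)
    if decoded is not None:
        body = decoded.lower()
        for indicator, weight in INDICATORS.items():
            if indicator in body:
                hits.append(indicator)
                score += weight
    return {"score": score, "hits": hits, "decoded": decoded}

def suspicious_events(log_lines, threshold=5):
    """Return (record, result) pairs for 'ts | parent | cmdline' records at or above threshold."""
    scored = ((rec, score_command_line(rec.rsplit(" | ", 1)[-1])) for rec in log_lines)
    return [(rec, r) for rec, r in scored if r["score"] >= threshold]

def encode_for_powershell(script):
    """Encode a script the way -EncodedCommand expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample records (not real telemetry); the bot token is a placeholder.
BENIGN_SCRIPT = "Get-Service -Name Spooler | Select-Object Status"
LOADER_LIKE_SCRIPT = ("$d = Get-Random -Minimum 100 -Maximum 10000; $n = $env:COMPUTERNAME; "
                      "# poll api.telegram.org/bot<TOKEN_PLACEHOLDER>/getUpdates, Invoke-Expression each /go")
SAMPLE_LOG = [
    "2025-06-12T10:03:11Z | explorer.exe | powershell -NoProfile -EncodedCommand " + encode_for_powershell(BENIGN_SCRIPT),
    "2025-06-12T10:07:42Z | WinRAR.exe | powershell -ExecutionPolicy Bypass -WindowStyle Hidden"
    " -EncodedCommand " + encode_for_powershell(LOADER_LIKE_SCRIPT),
    "2025-06-12T10:09:05Z | cmd.exe | powershell -Command Get-Date",
]
```

Matching on the decoded script rather than on the Base64 string matters because any change to the payload alters the encoded text, while the Telegram endpoint and Invoke-Expression inside it stay recognisable.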