In a recent wave of targeted phishing campaigns, the Cavalry Werewolf cluster has escalated its operations by impersonating government officials and deploying both FoalShell and StallionRAT malware. These tactics underscore the urgency of maintaining continuous cyber intelligence monitoring and implementing robust email authentication measures.
Cavalry Werewolf began its campaign by registering or compromising email addresses belonging to Kyrgyz government agencies.
Attackers posed as employees of the Ministry of Economy and Commerce, the Ministry of Culture, Information, Sports and Youth Policy, and the Ministry of Transport and Communications.
In one striking example, they used a legitimately sourced address from the Kyrgyz Republic’s regulatory authority—likely compromised in a prior operation—to lend credibility to phishing lures.
The phishing emails arrived with RAR attachments named to mimic official documents. Some packages contained FoalShell, a reverse-shell trojan written in Go, C++ and C#, while others concealed StallionRAT, a versatile remote access trojan that leverages a Telegram bot for command-and-control.
By both impersonating officials and hijacking authentic accounts, attackers increased the likelihood of successful delivery—highlighting that defenders must verify not only sender identity but also scrutinize email content, embedded links, and attachments to detect anomalies.
Detecting FoalShell
FoalShell operates through a hidden cmd.exe session with thread-redirected input/output. Known file names observed in this campaign include Russian-titled executables such as “О результатах трёх месяцев совместной работы [redacted].exe” and “Список сотрудников выдвинутых к премии ко Дню России.exe.”
Both C# and C++ variants rely on loading shellcode into memory via WinAPI calls (VirtualAlloc with RWE permissions, followed by ZwResumeThread), enabling stealthy execution.
Threat hunters can identify FoalShell activity by tracking the creation of suspicious archives in the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, where Outlook stores downloaded attachments.
Additionally, monitoring for cmd.exe processes launched by parent processes with document-like names in temporary or user directories may surface reverse-shell execution.

File names mimicking government memos or project plans can serve as red flags when seen outside expected contexts.
StallionRAT Campaign
StallionRAT, observed with a C++ launcher, executes PowerShell with a Base64-encoded command that spawns the RAT and establishes communication with a Telegram bot.
Common file names include “Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe.”
Once active, StallionRAT assigns a random DeviceID (100–10,000) and continuously polls the Telegram API for commands using getUpdates. Operators issue instructions such as:
/list to enumerate infected hosts.
/go [DeviceID] [command] to execute arbitrary commands.
/upload [DeviceID] to deploy files via Telegram’s file API.
Analysis revealed commands on DeviceID 9139 that added a persistent Run key (WinRVN) in HKCU and launched SOCKS5 proxy agents (rev.exe, revv2.exe) to relay traffic, as well as environment reconnaissance commands (ipconfig /all, netstat, whoami).
Hunters should search for PowerShell processes invoked with -EncodedCommand, -ExecutionPolicy Bypass, and -WindowStyle Hidden.
Although these flags are used legitimately, correlating them with unexpected parent processes or document-named executables in C:\Users\Public\Libraries can reduce noise.
In addition, there is reason to believe that, besides the identified malware, the attackers may have used other tools, such as AsyncRAT.
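As an added example (not code from the original report or its authors), the following Python triage script applies the hunting hypotheses from the FoalShell and StallionRAT sections to constructed process-creation events: cmd.exe children of document-named executables in temp or user directories, and PowerShell invocations carrying the three switches, flagged only when the parent process is unexpected. The sample events, the document-word list and the staging-directory list are assumptions to be tuned per environment.

```python
import re
# Constructed process-creation records (not real telemetry; Sysmon Event ID 1-like fields, made-up paths).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\Список сотрудников выдвинутых к премии.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0AA==",
     "parent": r"C:\Users\Public\Libraries\Аппарат Правительства Российской Федерации.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign admin task
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir",  # benign interactive use
     "parent": r"C:\Windows\explorer.exe"},
]
# Words that make an .exe name read like a memo or staff list (assumed heuristic,
# extend per environment) and the user-writable staging paths named in the text.
DOC_WORDS = re.compile(r"результат|список|сотрудник|правительств|приказ|отч[её]т|report|memo|plan", re.I)
STAGING_DIRS = re.compile(r"\\(Temp|Downloads|Desktop|Public\\Libraries|INetCache\\Content\.Outlook)\\", re.I)
# The three PowerShell switches from the text, with their accepted short forms.
PS_FLAGS = {
    "EncodedCommand": re.compile(r"\s-e(nc|ncodedcommand|c)?\b", re.I),
    "ExecutionPolicy Bypass": re.compile(r"\s-ex(ecutionpolicy)?\s+bypass\b", re.I),
    "WindowStyle Hidden": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1]

def looks_like_document_exe(path):
    """True when an executable's file name mimics a document title."""
    name = basename(path)
    return name.lower().endswith(".exe") and (DOC_WORDS.search(name) is not None or name.count(" ") >= 3)

def score_event(ev):
    """Return the hunting hypotheses the event matches (empty list means no finding)."""
    reasons = []
    image = basename(ev["image"]).lower()
    doc_parent = looks_like_document_exe(ev["parent"])
    staged_parent = STAGING_DIRS.search(ev["parent"]) is not None
    if image == "cmd.exe" and doc_parent and staged_parent:
        reasons.append("cmd.exe spawned by document-named executable in a user or temp directory")
    if image == "powershell.exe":
        flags = [name for name, rx in PS_FLAGS.items() if rx.search(ev["cmdline"])]
        if flags and (doc_parent or staged_parent):  # the flags alone are too noisy
            reasons.append("PowerShell with " + ", ".join(flags) + " from an unexpected parent")
    return reasons

def hunt(events=SAMPLE_EVENTS):
    """Map each suspicious parent executable name to the reasons it was flagged."""
    return {basename(ev["parent"]): r for ev in events if (r := score_event(ev))}
```

The benign PowerShell event with -ExecutionPolicy Bypass from svchost.exe produces no finding, which is the noise-reduction effect of requiring an unexpected parent.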
Intelligence Portals
Even when attacks remain undisclosed publicly, intelligence feeds and regional cyber portals provide timely insights into emerging threat clusters like Cavalry Werewolf.
Organizations must subscribe to these sources to prioritize detection rules, update email authentication protocols (SPF, DKIM, DMARC), and enforce rigorous attachment sandboxing.
Automating email reputation scoring and sandbox detonation of RAR-packed executables can intercept malicious payloads before delivery.
By maintaining up-to-date threat hunting hypotheses—tracking suspicious file creations in Outlook cache, anomalous Run registry modifications, and stealthy PowerShell invocations—security teams can outpace adversaries who continuously evolve their toolkits.
Vigilance, combined with real-time intelligence, is essential to thwart the sophisticated impersonation and RAT deployments wielded by this growing threat cluster.