New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT

Severity: Medium
Type: Malware
Published: Fri Oct 03 2025 (10/03/2025, 10:30:00 UTC)
Source: The Hacker News

Description

A threat actor that's known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT. Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga,

AI-Powered Analysis

Last updated: 10/07/2025, 01:08:09 UTC

Technical Analysis

The Cavalry Werewolf threat actor, tracked by BI.ZONE, is a sophisticated cyber espionage group with overlaps to YoroTrooper and other clusters such as SturgeonPhisher and Tomiris, the latter linked to Kazakhstan-based actors. This group has been actively targeting Russian state agencies and critical infrastructure sectors including energy, mining, and manufacturing through spear-phishing campaigns that impersonate Kyrgyz government officials. The initial access vector involves sending emails with malicious RAR archives containing FoalShell and StallionRAT malware.

FoalShell is a lightweight reverse shell implemented in Go, C++, and C#, enabling arbitrary command execution via cmd.exe. StallionRAT, written in Go, PowerShell, and Python, provides extensive remote access capabilities including command execution, file upload, and data exfiltration through a Telegram bot interface. Commands such as /list, /go, and /upload facilitate control over compromised hosts. The attackers also deploy tools like ReverseSocks5Agent to maintain persistence and gather system information. The use of compromised legitimate email accounts enhances the phishing campaign’s effectiveness.

The presence of English and Arabic filenames suggests a broader targeting scope beyond Russia. While no active exploits have been reported, the campaign’s sophistication and multi-language approach indicate ongoing experimentation and expansion of their malware arsenal. The threat actor’s ties to Central Asian groups and geopolitical context suggest a strategic espionage motive. The campaign was observed between May and August 2025, with continued monitoring recommended. The malware’s modularity and use of legitimate tools for data extraction complicate detection and response efforts.

Potential Impact

For European organizations, the direct impact may be limited due to the primary targeting of Russian public sector and related industries. However, European entities with business or governmental ties to Russia, Central Asia, or involved in energy, mining, or manufacturing sectors could be at risk of collateral targeting or supply chain compromise. The malware’s ability to execute arbitrary commands and exfiltrate data poses risks to confidentiality and integrity of sensitive information. Persistent access tools increase the likelihood of prolonged espionage and potential disruption. The use of Telegram bots for command and control complicates network detection due to encrypted and legitimate traffic channels. The phishing tactics leveraging compromised legitimate email accounts highlight the risk of social engineering attacks spreading beyond initial targets. Additionally, the expanding targeting scope suggested by multilingual artifacts raises concerns about future campaigns affecting European organizations. The threat could also be leveraged for geopolitical intelligence gathering or sabotage, impacting critical infrastructure sectors within Europe indirectly. Overall, the threat represents a medium risk with potential for significant espionage and operational disruption if European entities become targeted.

Mitigation Recommendations

European organizations should implement advanced email security solutions capable of detecting and blocking spear-phishing attempts, especially those impersonating government entities or using RAR archives. Deploy targeted threat hunting for FoalShell and StallionRAT indicators, including monitoring for unusual cmd.exe invocations and Telegram bot traffic patterns. Network monitoring should focus on detecting ReverseSocks5Agent and similar proxy tools to identify persistent access attempts. Employ strict access controls and multi-factor authentication to limit lateral movement post-compromise. Regularly audit and monitor email accounts for signs of compromise, particularly those with external communications. Integrate threat intelligence feeds related to Central Asian and Russian threat actors to stay updated on evolving tactics. Conduct user awareness training emphasizing the risks of phishing emails from seemingly legitimate sources. Implement endpoint detection and response (EDR) solutions with behavioral analytics to identify anomalous command execution and data exfiltration attempts. Finally, collaborate with national cybersecurity agencies to share intelligence and coordinate responses to emerging threats linked to geopolitical actors.
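The recommendation above to hunt for Telegram bot traffic patterns can be turned into a concrete check. The following is an added example, not code from The Hacker News, BI.ZONE, or this feed: it scans web-proxy log lines for calls to Telegram's Bot API (whose public URL shape is https://api.telegram.org/bot<token>/<method>), and raises a high-severity finding for endpoints that poll getUpdates repeatedly or push files with sendDocument, which is how a bot-operated implant like the StallionRAT described above would behave, while an ordinary user session on web.telegram.org is left alone. The log lines, host names, bot tokens (placeholders), polling threshold and window are all constructed assumptions for illustration.

```python
"""Hunt for Telegram Bot API beaconing in web-proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Public Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)"
)

# Constructed proxy log: timestamp, source host, HTTP verb, URL, status.
# Tokens are placeholders, not real or observed values.
SAMPLE_PROXY_LOG = """\
2025-06-12T09:14:02Z WS-FIN-07 GET https://api.telegram.org/bot1234:AAA-TOKEN-PLACEHOLDER/getUpdates 200
2025-06-12T09:14:07Z WS-FIN-07 GET https://api.telegram.org/bot1234:AAA-TOKEN-PLACEHOLDER/getUpdates 200
2025-06-12T09:14:12Z WS-FIN-07 GET https://api.telegram.org/bot1234:AAA-TOKEN-PLACEHOLDER/getUpdates 200
2025-06-12T09:14:13Z WS-FIN-07 POST https://api.telegram.org/bot1234:AAA-TOKEN-PLACEHOLDER/sendDocument 200
2025-06-12T09:15:40Z WS-HR-02 GET https://web.telegram.org/a/ 200
2025-06-12T09:16:01Z WS-HR-02 GET https://www.example.com/index.html 200
2025-06-12T09:20:30Z SRV-APP-01 POST https://api.telegram.org/bot5678:BBB-TOKEN-PLACEHOLDER/sendMessage 200
"""

POLL_THRESHOLD = 3          # assumed: this many getUpdates calls ...
POLL_WINDOW_SECONDS = 60    # ... inside this window looks like implant polling
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}  # Bot API upload methods


def parse_proxy_log(text):
    """Yield (timestamp, host, verb, url, status) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, verb, url, status = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, verb, url, int(status)


def hunt_telegram_bot_c2(text):
    """Return {host: {"severity": ..., "reasons": [...], "bot_tokens": n}}.

    Only hosts that touch the Bot API appear; web.telegram.org and unrelated
    traffic never match BOT_API_RE and are ignored.
    """
    polls = defaultdict(list)    # host -> timestamps of getUpdates calls
    uploads = defaultdict(set)   # host -> upload methods seen
    tokens = defaultdict(set)    # host -> distinct bot tokens (hash these in a real SIEM)

    for ts, host, _verb, url, _status in parse_proxy_log(text):
        m = BOT_API_RE.match(url)
        if not m:
            continue
        tokens[host].add(m.group("token"))
        method = m.group("method")
        if method == "getUpdates":
            polls[host].append(ts)
        elif method in EXFIL_METHODS:
            uploads[host].add(method)

    findings = {}
    for host in tokens:
        reasons = []
        # Sliding window over sorted poll times: any window with >= threshold hits.
        times = sorted(polls[host])
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if (t - start).total_seconds() <= POLL_WINDOW_SECONDS)
            if hits >= POLL_THRESHOLD:
                reasons.append(f"{hits} getUpdates polls within {POLL_WINDOW_SECONDS}s")
                break
        if uploads[host]:
            reasons.append("file upload via " + ", ".join(sorted(uploads[host])))
        severity = "high" if reasons else "low"
        if not reasons:
            # A single sendMessage could be a sanctioned alerting bot; triage, don't page.
            reasons.append("isolated Bot API call; confirm whether a sanctioned bot runs here")
        findings[host] = {"severity": severity, "reasons": reasons, "bot_tokens": len(tokens[host])}
    return findings


if __name__ == "__main__":
    for host, f in hunt_telegram_bot_c2(SAMPLE_PROXY_LOG).items():
        print(host, f["severity"], "; ".join(f["reasons"]))
```

In practice the input would come from the proxy or SIEM export rather than an inline string, and the bot token should be hashed before it is stored in a case note, since it is a credential to the operator's bot. The low-severity branch matters: many organisations run legitimate alerting bots on servers, so a single sendMessage from a server is a triage item, whereas rapid getUpdates polling plus sendDocument from a user workstation is the pattern that warrants isolation.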


Technical Details

Article source: https://thehackernews.com/2025/10/new-cavalry-werewolf-attack-hits.html (fetched 2025-10-07T01:05:08.787Z, 1140 words)

Threat ID: 68e467466a45552f36e85b40

Added to database: 10/7/2025, 1:05:10 AM

Last enriched: 10/7/2025, 1:08:09 AM

Last updated: 10/7/2025, 1:13:33 PM

Views: 2
