Cavalry Werewolf raids Russia's public sector with trusted relationship attacks

Medium
Published: Thu Oct 02 2025 (10/02/2025, 09:42:34 UTC)
Source: AlienVault OTX General

Description

Cavalry Werewolf, a threat actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access; they either impersonated or compromised real email accounts belonging to Kyrgyz agencies. They employed custom malware, including the FoalShell reverse shell and StallionRAT, the latter controlled via Telegram. Their arsenal includes several versions of FoalShell (Go, C++, C#) and StallionRAT (Go, PowerShell, Python). The attackers executed commands for system reconnaissance, file uploads, and SOCKS5 proxying. Evidence suggests potential expansion to targets in Tajikistan and Middle Eastern countries.

AI-Powered Analysis

AI analysis last updated: 10/02/2025, 13:15:58 UTC

Technical Analysis

The threat actor group tracked as Cavalry Werewolf conducted a targeted cyber espionage campaign against Russian public sector entities, focusing on state agencies and enterprises in the energy, mining, and manufacturing sectors between May and August 2025. Initial access relied on trusted relationship attacks: spear-phishing emails that impersonated Kyrgyz government officials and appeared to originate from legitimate Kyrgyz agencies, in some cases sent from genuinely compromised accounts of those agencies. Mail from a real partner account passes sender authentication and arrives in an existing correspondence context, which makes these lures far harder for recipients to reject than ordinary phishing.

Once inside, the attackers deployed custom tooling in several language variants: FoalShell, a reverse shell written in Go, C++ and C#, and StallionRAT, a remote access trojan written in Go, PowerShell and Python. FoalShell gives the operator an interactive command shell on the host. StallionRAT receives its commands through Telegram, so its command and control (C2) traffic is HTTPS to a legitimate, widely used service rather than a connection to an unknown host, which lets it blend into normal egress and evade detection that keys on reputation of the destination. Through this tooling the attackers executed commands for system reconnaissance, uploaded files, and set up SOCKS5 proxying to pivot further into the victim network.

The observed behaviour maps to MITRE ATT&CK techniques including T1566 (Phishing), T1082 (System Information Discovery), T1049 (System Network Connections Discovery), T1071.001 (Application Layer Protocol: Web Protocols) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Although the campaign primarily targeted Russian entities, there is evidence that the group may be expanding to targets in Tajikistan and some Middle Eastern countries.

No exploitation of publicly disclosed vulnerabilities or specific vulnerable software versions was identified; the campaign relies on social engineering and custom malware rather than on exploits.

Potential Impact

For European organizations the direct impact of this campaign is currently limited, since it targets the Russian public sector. The tactics and malware nevertheless show a practised approach to obtaining trusted access and persistence that could be reused against European entities, especially those with geopolitical or economic ties to the targeted sectors (energy, mining, manufacturing). European organizations operating critical infrastructure, or with business relationships in Central Asia or Russia, should expect similar phishing campaigns that lean on trusted relationships or compromised third-party accounts. The use of Telegram for C2 also illustrates how attackers exploit popular communication platforms to evade detection: the traffic goes to a well-known, high-reputation domain over HTTPS. If the group expands operations into Europe or targets European subsidiaries in the affected sectors, the impact could include data exfiltration, espionage, disruption of industrial operations, and lateral movement leading to broader compromise. The campaign also underscores the risk posed by supply chain and third-party trust exploitation, a growing concern for European critical infrastructure and government agencies.

Mitigation Recommendations

1. Enhance email security with phishing detection that analyzes sender reputation, content and attachment behavior, paying special attention to mail purporting to come from government or trusted partner domains. Enforce SPF, DKIM and DMARC checks on inbound mail so that a spoofed partner domain fails authentication; note that mail sent from a genuinely compromised partner account passes these checks, which is why the remaining controls matter.
2. Deploy multi-factor authentication (MFA) on all email and remote access accounts to reduce the risk of account compromise.
3. Conduct targeted user awareness training focused on spear-phishing, especially impersonation of trusted entities and recognition of subtle social engineering cues, including unexpected requests arriving in an existing email thread.
4. Because StallionRAT is tasked through the Telegram Bot API over HTTPS, monitor proxy and DNS logs for connections to api.telegram.org from hosts and processes that have no business reason to use Telegram bots, and alert on repeated polling from one host; block the domain outright where the organization runs no Telegram bots. Use endpoint detection and response (EDR) to tie the connection to the originating process, since network traffic alone only shows a legitimate service.
5. Implement strict network segmentation and least privilege to limit lateral movement if initial access is gained.
6. Regularly audit and monitor third-party and partner accounts for suspicious activity, particularly those with access to sensitive systems.
7. Run threat hunting for FoalShell and StallionRAT: match the indicators listed below against proxy, firewall and EDR telemetry; look for unexpected outbound reverse shell connections, SOCKS5 listeners or proxied traffic to unknown hosts, and script interpreters (PowerShell, Python) spawned from unusual parent processes, since StallionRAT ships in PowerShell and Python variants.
8. Maintain up-to-date endpoint protection capable of detecting multi-language malware variants and custom RATs.
9. Establish incident response plans that include scenarios involving trusted relationship attacks and supply chain compromise to ensure rapid containment and remediation.
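The following script is an added hunting example and is not part of the OTX pulse or the BI.ZONE report. It applies the detection ideas from the Technical Analysis and from recommendations 4 and 7 above: it matches proxy telemetry against the IP indicators listed on this page and a subset of the file hashes, and it flags Telegram Bot API use, which is how a Telegram-controlled implant such as StallionRAT has to receive its tasking. The proxy log format, the host names, the bot token and the destination addresses in the sample are constructed for illustration; the Bot API URL shape (`api.telegram.org/bot<token>/<method>`) and the `getUpdates` polling pattern are real properties of the Telegram Bot API.

```python
import re
from collections import Counter

# Network IOCs copied from the pulse on this page.
IOC_IPS = {
    "188.127.227.226", "94.198.52.200", "96.9.125.168", "185.173.37.67",
    "185.244.180.169", "188.127.225.191", "78.128.112.209", "91.219.148.93",
}

# A subset of the file hashes from the pulse (MD5, SHA-1 and SHA-256 are
# mixed in one list, exactly as on the page); lowercased for comparison.
IOC_HASHES = {h.lower() for h in (
    "25d35c24ac199a6ee9bf33229c2f2f3f",
    "abb3e2b8c69ff859a0ec49b9666f0a01",
    "862da632cef00cfad9f06fb9868a2080e8c677cb",
    "04769b75d7fb42fbbce39d4c4b0e9f83b60cc330efa477927e68b9bdba279bb8",
    "0e7b65930bc73636f2f99b05a3bb0af9aaf17d3790d0107eb06992d25e62f59d",
)}

# Telegram Bot API requests look like
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# where the token is "<digits>:<35 URL-safe characters>". An implant that is
# tasked through Telegram has to poll getUpdates with such a token and answer
# with sendMessage/sendDocument, so the URL path itself is the detection.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)

# Processes allowed to use the Bot API (assumption: populate from your own
# automation inventory; empty means every Bot API client is reported).
ALLOWED_BOT_CLIENTS = set()


def parse_proxy_line(line):
    """Parse one constructed proxy record: '<ts> <src_ip> <dst_ip> <process> <url>'."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, src, dst, proc, url = parts
    return {"ts": ts, "src": src, "dst": dst, "proc": proc, "url": url}


def check_hash(digest):
    """True if a file digest (MD5, SHA-1 or SHA-256) is on the page's IOC list."""
    return digest.strip().lower() in IOC_HASHES


def hunt(log_text, poll_threshold=2):
    """Return (src_ip, kind, detail) findings for a block of proxy log text."""
    findings = []
    polls = Counter()
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["dst"] in IOC_IPS:
            findings.append((rec["src"], "ioc_ip", rec["dst"]))
        m = BOT_API_RE.search(rec["url"])
        if m and rec["proc"].lower() not in ALLOWED_BOT_CLIENTS:
            # Report the bot id but never the secret: the finding may be shared.
            findings.append((rec["src"], "telegram_bot_api",
                             f"{m['method']} bot_id={m['bot_id']} proc={rec['proc']}"))
            if m["method"] == "getUpdates":
                polls[rec["src"]] += 1
    # Repeated getUpdates from one host is beaconing, not a one-off lookup.
    for src, n in polls.items():
        if n >= poll_threshold:
            findings.append((src, "bot_polling", f"{n} getUpdates calls"))
    return findings


# Constructed sample: one workstation tasked through a Telegram bot that then
# opens a SOCKS5-style connection to a listed IP, and one clean workstation.
# The bot token and the destination addresses are illustrative.
SAMPLE_PROXY_LOG = """\
2025-08-12T09:00:01Z 10.0.5.17 149.154.167.220 updater.exe https://api.telegram.org/bot7212345678:AAHx9Qe2dkL0pS8vT1uWbYcZ3nM4oP5qR6s/getUpdates?offset=0
2025-08-12T09:00:11Z 10.0.5.17 149.154.167.220 updater.exe https://api.telegram.org/bot7212345678:AAHx9Qe2dkL0pS8vT1uWbYcZ3nM4oP5qR6s/getUpdates?offset=1
2025-08-12T09:00:21Z 10.0.5.17 149.154.167.220 updater.exe https://api.telegram.org/bot7212345678:AAHx9Qe2dkL0pS8vT1uWbYcZ3nM4oP5qR6s/sendDocument
2025-08-12T09:01:05Z 10.0.5.17 185.173.37.67 updater.exe tcp://185.173.37.67:1080
2025-08-12T09:02:00Z 10.0.9.40 142.250.74.78 chrome.exe https://www.google.com/
2025-08-12T09:03:00Z 10.0.9.40 149.154.167.220 chrome.exe https://web.telegram.org/
"""

if __name__ == "__main__":
    for src, kind, detail in hunt(SAMPLE_PROXY_LOG):
        print(f"{src:12} {kind:18} {detail}")
    print("hash hit:", check_hash("25D35C24AC199A6EE9BF33229C2F2F3F"))
```

Two points worth noting when adapting this. The official Telegram desktop and web clients use MTProto and web.telegram.org, not the Bot API, so the clean workstation produces no finding even though it reaches Telegram; the rule only fires on bot-token URLs. And because the bot token is carried in the URL path, a responder who recovers it from proxy or TLS-inspection logs holds the same credential the operator uses, which is useful for scoping during incident response but must be handled as a secret, which is why the findings print only the numeric bot id.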

Technical Details

Author: AlienVault
TLP: WHITE
References: https://bi-zone.medium.com/cavalry-werewolf-raids-russias-public-sector-with-trusted-relationship-attacks-e19f7a5c83ef?source=rss-3882bedad280------2
Adversary: Cavalry Werewolf
Pulse Id: 68de490aedd85dd657453bd2
Threat Score: null

Indicators of Compromise

IP addresses

188.127.227.226
94.198.52.200
96.9.125.168
185.173.37.67
185.244.180.169
188.127.225.191
78.128.112.209
91.219.148.93

File hashes

MD5
25d35c24ac199a6ee9bf33229c2f2f3f
abb3e2b8c69ff859a0ec49b9666f0a01
c75665e77ffb3692c2400c3c8dd8276b
c8786d341ced4d4d5473d48681679492
cfc986362cccaf76288bddd94337cf2d
ee818a3cb6147c0319046d47bf0469dd

SHA-1
862da632cef00cfad9f06fb9868a2080e8c677cb
a2326011368d994e99509388cb3dc132d7c2053f
b52e1c9484ab694720dc62d501deca2aa922a078
c96beb026dc871256e86eca01e1f5ba2247a0df6
eb4134c4d5f69d0d9bc65de6a44442acf76b13e0
ec7269f3e208d72085a99109a9d31e06b4a52152

SHA-256
04769b75d7fb42fbbce39d4c4b0e9f83b60cc330efa477927e68b9bdba279bb8
0e7b65930bc73636f2f99b05a3bb0af9aaf17d3790d0107eb06992d25e62f59d
148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda
1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98
22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab
27a11c59072a6c2f57147724e04c7d6884b52921da2629fb0807e0bb93901cbc
3cd7f621052919e937d9a2fdd4827fc7f82c0319379c46d4f9b9dd5861369ffc
4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288
6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252
7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf
7da82e14fb483a680a623b0ef69bcfbd9aaaedf3ec26f4c34922d6923159f52f
8404f8294b14d61ff712b60e92b7310e50816c24b38a00fcc3da1371a3367103
8e6d7c44ab66f37bf24351323dc5e8d913173425b14750a50a2cbea6d9e439ba
8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c
a3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6
a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52
ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d
af3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283
b13b83b515ce60a61c721afd0aeb7d5027e3671494d6944b34b83a5ab1e2d9f4
c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59
c3df16cce916f1855476a2d1c4f0946fa62c2021d1016da1dc524f4389a3b6fa
c9ffbe942a0b0182e0cd9178ac4fbf8334cae48607748d978abf47bd35104051
cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06
cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554
dae3c08fa3df76f54b6bae837d5abdc309a24007e9e6132a940721045e65d2bb
e15f1a6d24b833ab05128b4b34495ef1471bd616b9833815e2e98b8d3ae78ff2
ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17
fa6cdd1873fba54764c52c64eadca49d52e5b79740364ef16e5d86d61538878d
fbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685

Threat ID: 68de7a2533c890fca8cec2fe

Added to database: 10/2/2025, 1:12:05 PM

Last enriched: 10/2/2025, 1:15:58 PM

Last updated: 10/2/2025, 4:31:15 PM