Cavalry Werewolf used targeted phishing against Russian organizations by spoofing or compromising Kyrgyz governmental email addresses to deliver RAR attachments containing FoalShell or StallionRAT. The malware provides remote shell access and Telegram-controlled RAT functions, enabling command execution, persistence, data exfiltration, and SOCKS5 proxying. #FoalShell #StallionRAT
Keypoints
- Cavalry Werewolf sent spear-phishing emails impersonating Kyrgyz agencies (Ministry of Economy and Commerce; Ministry of Culture, Information, Sports and Youth Policy; Ministry of Transport and Communications) to target Russian organizations.
- Phishing emails contained RAR attachments that deployed either FoalShell (reverse shell) or StallionRAT (Telegram-based RAT).
- Attackers reused or had previously compromised a legitimate Kyrgyz regulatory authority email address to increase the credibility of the phishing mailings.
- FoalShell variants (C#, C++, Go) run cmd.exe hidden, redirect I/O, and allow arbitrary command execution; identifiable by document-like file names and PDB paths.
- StallionRAT (Go, PowerShell, Python) uses a Telegram bot for C2, supports command execution, file upload, persistence via Run registry, and SOCKS5 proxying with ReverseSocks5Agent/ReverseSocks5 tools.
- Detected artifacts include suspicious process parents, cmd.exe launched by short-lived or document-named parents, files in %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook and C:\Users\Public\Libraries, and PowerShell launched with -EncodedCommand.
- Hunting recommendations: monitor the Outlook cache for suspicious archives, detect powershell.exe with -EncodedCommand/-WindowStyle Hidden/-ExecutionPolicy Bypass, watch for file creation and execution in C:\Users\Public\Libraries, and watch for additions to the Run registry key.
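The hunting recommendations above, turned into rules over Sysmon-style process, file and registry events. This is an added example, not code from the report; the event dict keys (event, image, cmdline, parent_image, target) and the sample events are constructed, and the Base64 payload is a placeholder.

```python
"""Hunt rules for the tradecraft summarised above (added example, not from the report)."""
import re

# Directories the report calls out: Outlook attachment cache and the StallionRAT drop dir
WATCHED_DIRS = ("\\inetcache\\content.outlook\\", "c:\\users\\public\\libraries\\")
# PowerShell switches named in the hunting recommendations
PS_FLAGS = re.compile(r"-(encodedcommand|enc|windowstyle\s+hidden|executionpolicy\s+bypass)\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b", re.I)


def in_watched_dir(path):
    return any(d in path.lower() for d in WATCHED_DIRS)


def classify(ev):
    """Return the rule names a single event triggers (empty list if none)."""
    hits, kind = [], ev.get("event")
    image, cmd, parent = ev.get("image", ""), ev.get("cmdline", ""), ev.get("parent_image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if kind == "process_create":
        if exe == "powershell.exe" and PS_FLAGS.search(cmd):
            hits.append("powershell_suspicious_args")
        if exe == "cmd.exe" and in_watched_dir(parent):      # cmd.exe with a document-like parent
            hits.append("cmd_from_watched_dir")
        if in_watched_dir(image):                            # execution straight from the cache/drop dir
            hits.append("exec_from_watched_dir")
        if REG_ADD.search(cmd) and RUN_KEY.search(cmd):      # REG ADD ...\CurrentVersion\Run
            hits.append("run_key_persistence")
    elif kind == "file_create" and in_watched_dir(ev.get("target", "")):
        hits.append("file_drop_watched_dir")
    elif kind == "registry_set" and RUN_KEY.search(ev.get("target", "")):
        hits.append("run_key_persistence")
    return hits


def hunt(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]


OUTLOOK_CACHE = "C:\\Users\\ivan\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\A1B2C3D4\\"
SAMPLE_EVENTS = [  # constructed events loosely modelled on the artifacts listed in the report
    {"event": "process_create", "image": OUTLOOK_CACHE + "Служебная записка от 20.08.2025 .exe",
     "cmdline": "\"Служебная записка от 20.08.2025 .exe\"", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe",
     "parent_image": OUTLOOK_CACHE + "Служебная записка от 20.08.2025 .exe"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0AA==",  # placeholder payload
     "parent_image": "C:\\Users\\Public\\Libraries\\win.exe"},
    {"event": "file_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "C:\\Users\\Public\\Libraries\\rev.exe"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\reg.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v WinRVN /t REG_SZ /d C:\\users\\public\\libraries\\win.exe /f"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all", "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(idx, rule)
```

The last sample event (cmd.exe under explorer.exe) triggers nothing, which is the point: the rules key on the parent, the directory and the switches rather than on cmd.exe itself.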
MITRE Techniques
- [T1566] Phishing – Attackers sent targeted phishing emails impersonating Kyrgyz government agencies and using compromised real email addresses (“it is likely that the attackers had compromised this address earlier to use in future attacks”).
- [T1204] User Execution – Malicious RAR attachments contained FoalShell or StallionRAT executables with document-like names to trick users into running them (“Known file names: … .exe” listing multiple document-themed filenames).
- [T1059] Command and Scripting Interpreter – FoalShell and StallionRAT enable execution of arbitrary commands via cmd.exe and PowerShell (“allows attackers to execute arbitrary commands in the cmd.exe command line interpreter”; “launcher executes PowerShell with a Base64-encoded command”).
- [T1105] Ingress Tool Transfer – StallionRAT uploads and loads additional files via Telegram and Download-TelegramFile functionality (“/upload [DeviceID] loads a file to the victim’s device via Download-TelegramFile and saves to C:\Users\Public\Libraries\%fileName%”).
- [T1574] Hijack Execution Flow – FoalShell C++ launcher allocates executable memory and runs shellcode from an embedded resource using VirtualAlloc and ZwResumeThread (“launcher reads resource, allocates memory with RWE permissions, copies resource and executes shellcode via ZwResumeThread”).
- [T1543] Create or Modify System Process – StallionRAT was configured to add persistence via the Run registry key to start win.exe on user login (“REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinRVN /t REG_SZ /d C:\users\public\libraries\win.exe /f”).
- [T1090] Proxy – Use of SOCKS5 proxying tools (ReverseSocks5Agent, ReverseSocks5) to route traffic (“…use of SOCKS5 proxying tools: ReverseSocks5Agent and ReverseSocks5”).
- [T1113] Screen Capture / [T1082] System Information Discovery – Adversary executed host discovery and information-gathering commands such as ipconfig, netstat, whoami, and net user (commands: “ipconfig /all”, “netstat”, “whoami”, “net user /dom”).
Indicators of Compromise
- [File names] Malicious executables used to masquerade as documents – examples: “О результатах трёх месяцев совместной работы [redacted].exe”, “Служебная записка от 20.08.2025 .exe”.
- [PDB paths] Build/debug artifact paths linking to developer environments – examples: “C:\Users\yaadzrr\Documents\reverseShells\…\Docu_rsnet.pdb”, “C:\Users\Admin\source\repos\ConsoleApplication3\x64\Release\ConsoleApplication3.pdb”.
- [Registry changes] Persistence via Run key – context: StallionRAT added startup entry – example command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinRVN /d C:\users\public\libraries\win.exe /f.
- [Directories] Dropped/installed locations observed – examples: C:\Users\Public\Libraries (win.exe, rev.exe), %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook (suspicious RAR/document cache).
- [Network endpoints] SOCKS5 proxy/C2 endpoints observed – examples: 96.9.125[.]168:443, 78.128.112[.]209:10443 (used with rev.exe/revv2.exe), and Telegram bot C2 (Telegram chat IDs referenced in StallionRAT code).