Threat actors known to share overlap with hacking groups called Yorotroopers have been observed to target the Russian public sector, which has malware families such as Foalshell and Stallionrat.
Cybersecurity vendor bi.zone tracks activities under Monica Cavalry werewolves. It is also appreciated that it has similarities with clusters tracked as Sturgeon Fisher, Silent Links, Comrade Saiga, Shadow Silk and Tomyris.
“To gain initial access, the attackers sent targeted phishing emails that disguised them as official communications from Kyrgyz government officials,” Bi.Zone said. “The main targets of the attack were not only energy, mining and manufacturing companies, but also Russian state institutions.”
In August 2025, Group-IB revealed a Shadowsilk-powered attack targeting government agencies (APAC) in Central Asia and Asia Pacific (APAC) and used a reverse proxy tool and a remote access trojan written in Python and later ported to Powershell.
Cavalry Werewolf’s connection to Tomiris is important. In particular, this is because it gives further credibility to the hypothesis that he is a threat actor associated with Kazakhstan. In a report late last year, Microsoft attributed Tomiris’ backdoor to a Kazakhstan-based threat actor, who was tracked as Storm-0473.
The latest phishing attacks observed between May and August 2025 include sending email messages using fake email addresses that deliver Foalshell or Stallionrat by impersonating a Kyrgyzstan government employee.
In at least one case, the threat actor is said to have compromised legitimate email addresses associated with the Kyrgyz Republic’s regulators to send messages. Foalshell is a lightweight inverse shell that appears in GO, C++, and C# versions, allowing operators to execute arbitrary commands using CMD.EXE.
Stallionrat is written in Go, Powershell, and Python, allowing attackers to execute arbitrary commands, load additional files, and use telegram bots to exftrate collected data. Some of the commands supported by the bot are –
/Receive a list, a list of compromised hosts (DeviceID and computer names) connected to a command and control (C2) server /go [DeviceID] [command]execute the specified command using invoke-expression /upload [DeviceID]Upload the file to the victim’s device
The compromised hosts are also run tools such as Reversesocks5Agent and Reversesocks5, as well as commands to collect device information.
The Russian cybersecurity vendor also said they have discovered various file names in English and Arabic, suggesting that the target focus of cavalry wolves may be broader than previously expected.
“Cavalry Werewolf is actively experimenting with expanding its arsenal,” says Bi.zone. “This underscores the importance of quick insight into the tools used in clusters. Otherwise, it would be impossible to maintain current measures to prevent and detect such attacks.”
This disclosure comes when analysis of publications on telegram channels or underground forums by both financially motivated attackers and hattivists over the past year revealed that at least 500 Russian companies have identified compromises.
“In 86% of cases, attackers published stolen data from compromised public web applications.” “After gaining access to a public web application, the attacker installed GS-NetCat on the compromised server to ensure permanent access. The attacker could load additional web shells.
Source link
