Cavalry Werewolf
Cavalry Werewolf is a suspected Kazakhstan-affiliated APT group tracked by BI.ZONE and reported by Dr.Web as conducting espionage-focused intrusions against Russian government organizations, state agencies, and critical enterprises, including entities in the energy, mining, and manufacturing sectors. BI.ZONE assesses overlaps and commonalities with YoroTrooper and clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris; BI.ZONE states that ties to Tomiris support a hypothesis of Kazakhstan affiliation, and Microsoft previously attributed Tomiris activity to a Kazakhstan-based actor tracked as Storm-0473.

The group's operations observed in 2025 relied primarily on targeted phishing for initial access. Reported lures included emails impersonating government agencies and official correspondence from Kyrgyz government officials, including at least one case using a compromised legitimate email account associated with a Kyrgyz Republic regulatory authority. Delivered payloads included RAR archives and attachments disguised as official documents.

Cavalry Werewolf has been reported using reverse-shell backdoors and remote access tooling, including FoalShell and StallionRAT. FoalShell is described as a lightweight reverse shell available in Go, C++, and C# variants that allows arbitrary command execution via cmd.exe. StallionRAT, reported in Go, PowerShell, and Python versions, supports arbitrary command execution, loading additional files, and data exfiltration.

The group has also used Telegram for command and control: Dr.Web reported frequent use of the Telegram API to control infected computers, and BI.ZONE reported StallionRAT exfiltrating data through a Telegram bot with commands such as /list, /go, and /upload. Additional tooling observed on compromised hosts included ReverseSocks5Agent and ReverseSocks5, and Dr.Web noted the use of multiple malicious instruments, including open-source tools.

The activity has also been described as involving trusted relationship attacks against Russia's public sector.
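A defender-side illustration, added here and not taken from any of the cited reports: a Telegram-bot control channel like the one described above means the implant has to poll the Bot API for operator commands and push data back through the same API. The example scans constructed proxy-log lines for api.telegram.org Bot API calls from processes outside an assumed (hypothetical) allowlist and raises severity when a single bot token is seen both polling and sending.

```python
import re
from collections import defaultdict

# Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)")

# A bot-driven implant needs to poll for commands and send results/files back.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Hypothetical allowlist of processes approved to use the Bot API (for example an
# internal alerting bot). Empty by default: in most estates nothing should.
APPROVED_BOT_PROCESSES = set()

def parse_line(line):
    """Parse a constructed '<timestamp> <process> <url>' log line."""
    parts = line.strip().split(maxsplit=2)
    return tuple(parts) if len(parts) == 3 else None

def detect_telegram_bot_c2(log_text):
    """Return one finding per bot token used by a non-approved process."""
    by_token = defaultdict(lambda: {"procs": set(), "methods": set(), "first": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, process, url = rec
        m = BOT_API_RE.search(url)
        if not m or process.lower() in APPROVED_BOT_PROCESSES:
            continue
        e = by_token[m.group("token")]
        e["procs"].add(process)
        e["methods"].add(m.group("method"))
        e["first"] = e["first"] or ts
    findings = []
    for token, e in by_token.items():
        polls = bool(e["methods"] & POLL_METHODS)
        sends = bool(e["methods"] & EXFIL_METHODS)
        findings.append({
            "token_id": token.split(":")[0],   # numeric bot id only; never log the secret
            "processes": sorted(e["procs"]),
            "methods": sorted(e["methods"]),
            # Poll plus send from one token is the full command/exfiltration loop.
            "severity": "high" if polls and sends else "medium",
            "first_seen": e["first"],
        })
    return sorted(findings, key=lambda f: f["token_id"])

# Constructed sample events (made-up processes, tokens and times, not real IOCs).
SAMPLE_LOG = """\
2025-09-02T08:10:05Z chrome.exe https://web.telegram.org/k/
2025-09-02T08:12:41Z report.exe https://api.telegram.org/bot123456789:CONSTRUCTED_FAKE_TOKEN/getUpdates?offset=42
2025-09-02T08:12:59Z report.exe https://api.telegram.org/bot123456789:CONSTRUCTED_FAKE_TOKEN/sendDocument
2025-09-02T08:13:10Z outlook.exe https://outlook.office365.com/mail/
2025-09-02T08:14:02Z python.exe https://api.telegram.org/bot987654321:ANOTHER_FAKE_TOKEN/sendMessage
"""

if __name__ == "__main__":
    for f in detect_telegram_bot_c2(SAMPLE_LOG):
        print(f)
```

The first token is flagged high because report.exe both polls getUpdates and calls sendDocument; the second is medium because only a send was observed.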
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Targeted intrusion against a Russian government organization; characterized by phishing-based initial access, reverse-shell backdoors, and Telegram API-based C2/control.
Targeted intrusion against a Russian government organization; initial access via phishing emails with malware disguised as official documents; post-compromise use of reverse shells and Telegram API for C2/control.
Conducted a targeted intrusion against a Russian state institution; the report notes use of multiple malicious instruments including open-source tools and describes typical post-compromise actions in victim networks.
Cavalry Werewolf is a suspected Kazakhstan APT group targeting Russian government institutions.