MalwareUsed by 2 actors

FoalShell

FoalShell is a lightweight reverse shell used in campaigns attributed by BI.ZONE to the threat actor Cavalry Werewolf, which is assessed to overlap with YoroTrooper and several related clusters, with reported ties to Tomiris. It has been observed targeting the Russian public sector, including state agencies and organizations in the energy, mining, and manufacturing sectors. The malware has been delivered via targeted phishing emails observed between May and August 2025, where messages impersonated Kyrgyz government officials and distributed RAR archives that installed FoalShell or StallionRAT; in at least one case, a legitimate email account associated with a Kyrgyz regulatory authority was reportedly compromised and used for delivery. FoalShell is reported to exist in Go, C++, and C# variants and allows operators to execute arbitrary commands through cmd.exe. It was described alongside Telegram-based C2 activity in reporting on the campaign. Associated tooling in the broader intrusion set included ReverseSocks5Agent and ReverseSocks5 for reverse proxying. No specific FoalShell IOCs were provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

YoroTrooper

The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT. ... FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe.

via the hacker newsthehackernews.com

Cavalry Werewolf

"Cavalry Werewolf APT Targets Russian Agencies with FoalShell and Telegram C2"

via security online infosecurityonline.info

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

security online infoNews

Oct 3, 2025

Cavalry Werewolf APT Targets Russian Agencies with FoalShell and Telegram C2

Named malware referenced as being used by the Cavalry Werewolf APT to target Russian agencies; described in the context of using Telegram as a command-and-control (C2) channel.

risky biz rssNews

Oct 3, 2025

Risky Bulletin: Scam compound operators sentenced to death in China

Custom reverse shell used in espionage campaigns attributed to the Cavalry Werewolf/YoroTrooper cluster.

the hacker newsNews

Oct 3, 2025

New "Cavalry Werewolf" Attack Hits Russian Agencies with FoalShell and StallionRAT

A lightweight reverse shell (implemented in Go, C++, and C#) used to provide remote command execution on compromised hosts via cmd.exe.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.