Cavalry Werewolf Hackers Target Energy, Mining Sectors
A newly uncovered cyber-espionage campaign tied to the Cavalry Werewolf hackers targets Russia’s public sector and critical industries, exploiting trusted government communications. Active from May through August 2025, the group—also known as YoroTrooper and Silent Lynx—used spear-phishing emails posing as Kyrgyz government agencies to deliver malware.
These phishing messages distribute FoalShell and StallionRAT through RAR archives disguised as official documents. The malware installs to Outlook cache directories, offering a detection point for security teams. Cavalry Werewolf hackers target sectors such as energy, mining, and manufacturing with variants of FoalShell built in C#, C++, Go, PowerShell, and Python.
FoalShell grants command-line access via cmd.exe and connects to multiple C2 servers using stealth techniques, including memory-based execution and hidden windows. Analysts also discovered files in Tajik and Arabic, suggesting future expansion into Central Asia and the Middle East. The presence of AsyncRAT installers signals a growing, dynamic threat arsenal.
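The Outlook cache detection point mentioned above, as an added example that is not part of the report: a Python triage script that runs over constructed file-creation log lines (an `Image="..." TargetFilename="..."` format chosen here, loosely modelled on Sysmon file-create events) and flags executables or scripts dropped under Outlook's attachment cache, RAR attachments opened from Outlook, and archive tools unpacking executables. The `Content.Outlook` path pattern, the archive tool names and all sample paths are assumptions, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Outlook stores opened attachments under Content.Outlook (assumed standard location).
OUTLOOK_CACHE_RE = re.compile(
    r"\\(?:INetCache|Temporary Internet Files)\\Content\.Outlook\\", re.IGNORECASE)
# Extensions covering the FoalShell build languages named in the report plus common loaders.
PAYLOAD_EXT = {".exe", ".dll", ".ps1", ".py", ".bat", ".cmd", ".vbs", ".js", ".scr"}
# Archive handlers that would unpack a RAR lure into the cache (assumed tool names).
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7z.exe", "unrar.exe"}

def parse_event(line: str) -> Tuple[str, str]:
    """Parse a constructed 'Image="..." TargetFilename="..."' log line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields["Image"], fields["TargetFilename"]

def classify(image: str, target: str) -> Optional[str]:
    """Return an alert label for suspicious attachment-cache activity, or None."""
    in_cache = bool(OUTLOOK_CACHE_RE.search(target))
    ext = PureWindowsPath(target).suffix.lower()
    tool = PureWindowsPath(image).name.lower()
    if in_cache and ext in PAYLOAD_EXT:
        return "HIGH: payload written to Outlook cache"      # only opened attachments belong here
    if in_cache and ext == ".rar":
        return "LOW: RAR attachment opened from Outlook"      # the lure; correlate with later drops
    if tool in ARCHIVE_TOOLS and ext in PAYLOAD_EXT:
        return "MEDIUM: archive tool extracted an executable"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over raw log lines and return (label, target) pairs."""
    hits = []
    for line in lines:
        image, target = parse_event(line)
        label = classify(image, target)
        if label:
            hits.append((label, target))
    return hits

# Constructed sample events; paths and names are invented, not report indicators.
CACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\K7QZ1X2B"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
SAMPLE_LOG = [
    f'Image="{OUTLOOK}" TargetFilename="{CACHE}\\Order_2025.rar"',
    f'Image="{WINRAR}" TargetFilename="{CACHE}\\Order_2025.exe"',
    f'Image="{OUTLOOK}" TargetFilename="{CACHE}\\budget.xlsx"',
    f'Image="{WINRAR}" TargetFilename="C:\\Users\\alice\\Downloads\\setup.exe"',
]
```

Calling `scan(SAMPLE_LOG)` yields three hits: the RAR lure opened from Outlook (LOW), the executable unpacked into the cache (HIGH) and the unrelated extraction in Downloads (MEDIUM); the spreadsheet produces nothing.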
Read the full report at
Cavalry Werewolf APT Hackers Attacking Multiple Industries with FoalShell and StallionRAT
