Hackers posing as Kyrgyz officials target Russian agencies in cyber espionage campaign

A hacker group known as Cavalry Werewolf has launched a months-long cyber espionage campaign against Russian government agencies and industrial firms, using phishing emails disguised as Kyrgyz government correspondence, researchers said.

Between May and August 2025, the group — also tracked as YoroTrooper and Silent Lynx — targeted Russia’s public sector as well as energy, mining and manufacturing companies, according to a report by the Turkish cybersecurity firm Picus Security released this week.

The attackers sent spear-phishing emails that appeared to come from Kyrgyz ministries, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications, sometimes using compromised government email accounts. The messages contained malicious RAR files that installed custom malware dubbed FoalShell and StallionRAT.

Once deployed, FoalShell gave attackers remote access to infected computers, while StallionRAT used the Telegram messaging app as a command-and-control channel, allowing hackers to execute commands, steal files and exfiltrate data.

The emails used convincing file names such as “three-month results of joint operations” or “shortlist of employees to receive bonuses” to trick victims into opening them.

While the latest wave of attacks primarily focused on Russia, researchers said the group is likely broadening its reach. A Tajik-language file found on an infected system points to possible interest in Tajikistan, while Arabic-named files suggest reconnaissance in the Middle East.

“This expansion, coupled with testing of additional tools like AsyncRAT, highlights a rapidly evolving and ambitious threat actor,” Picus researchers said.

Picus did not attribute the group to any nation-state, but previous research by Cisco Talos said Cavalry Werewolf is likely based in Kazakhstan, citing the use of Kazakh currency, fluency in Kazakh and Russian, and the group’s regional focus.

Active since June 2022, the hackers have previously targeted a European Union healthcare agency, the World Intellectual Property Organization (WIPO) and several embassies in Turkmenistan and Azerbaijan, according to Cisco Talos.

Russian cybersecurity firm Bi.Zone also reported earlier this year that YoroTrooper carried out phishing attacks on Russian institutions using Kyrgyz government lures. Researchers also noted that the geography of the group’s attacks appears to be “quite broad” and is not limited to Russia or other countries of the Commonwealth of Independent States (CIS) region.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
