
Cavalry Werewolf: New Threat Actor Targets Russian Public Sector with FoalShell and StallionRAT Malware
A threat actor exhibiting similarities to the YoroTrooper hacking group has been observed targeting the Russian public sector with malware families including FoalShell and StallionRAT. This activity, tracked by cybersecurity firm BI.ZONE under the name Cavalry Werewolf, is assessed to share commonalities with other threat clusters known as SturgeonPhisher, Silent Lynx, and Comrade Saiga.

The deployment of Remote Access Trojans (RATs) such as FoalShell and StallionRAT indicates an intent to establish persistent access within targeted networks, enabling data exfiltration and lateral movement. The focus on the Russian public sector suggests a targeted campaign, potentially motivated by espionage or disruptive objectives. The connections to YoroTrooper and other clusters underscore the importance of monitoring overlapping tactics, techniques, and procedures (TTPs) among these threat groups.

Cybersecurity professionals are advised to enhance their detection and mitigation strategies for these malware families and remain vigilant against evolving TTPs associated with Cavalry Werewolf and related actors. The emergence of this threat actor highlights the need for continuous threat intelligence sharing and collaborative defense efforts within the cybersecurity community.