A threat actor known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT.
Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It also assesses that there are overlaps with clusters tracked as SturgeonPhisher, Silent Lynx, ComradeSaiga, ShadowSilk, and Tomiris.
“To gain initial access, the attackers sent phishing emails disguised as official correspondence from Kyrgyzstan government officials,” BI.ZONE said. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”
In August 2025, Group-IB detailed attacks mounted by ShadowSilk against government institutions in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and later ported to PowerShell.
The connection between Cavalry Werewolf and Tomiris is significant, not least because it lends further credibility to the hypothesis that this is a Kazakhstan-linked threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to Storm-0473, a Kazakhstan-based actor.
The latest phishing attacks, observed between May and August 2025, involved sending email messages from spoofed addresses impersonating Kyrgyzstan government employees in order to distribute RAR archives that drop FoalShell or StallionRAT.
In at least one case, the threat actor is believed to have compromised a legitimate email address associated with a regulatory authority of the Kyrgyz Republic to send the message. FoalShell is a lightweight reverse shell that comes in Go, C++, and C# variants, allowing operators to run arbitrary commands via cmd.exe.
StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate the collected data using a Telegram bot. Some of the commands supported by the bot are listed below:
- /List, to retrieve from the command-and-control (C2) server a list of compromised hosts (device IDs and computer names)
- /Go [DeviceID] [command], to execute the given command using Invoke-Expression
- /Upload [DeviceID], to upload a file to the victim’s device
The compromised hosts are also used to run tools such as ReverseSocks5Agent and ReverseSocks5, along with commands to gather device information.
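The two StallionRAT traits described above, command execution through Invoke-Expression and C2/exfiltration over a Telegram bot, can be correlated per host from endpoint telemetry. The following is an added example written for this article, not BI.ZONE's or the malware's code; the log format and the sample events are constructed, and the process names treated as "scripting hosts" are an assumption.

```python
import re

# Constructed sample telemetry (not taken from the article). One event per line:
# "<kind>|<host>|key=value|key=value..." where kind is "proc" (process creation)
# or "net" (outbound connection).
SAMPLE_EVENTS = [
    "proc|WS-01|image=powershell.exe|cmdline=powershell -nop -w hidden -c IEX (Get-Content C:\\Users\\Public\\u.txt)",
    "net|WS-01|dest=api.telegram.org|port=443|image=powershell.exe",
    "proc|WS-02|image=powershell.exe|cmdline=powershell -c Get-Date",
    "net|WS-02|dest=update.example.net|port=443|image=svchost.exe",
    "net|WS-03|dest=api.telegram.org|port=443|image=telegram.exe",
]

# Invoke-Expression and its alias IEX, matched case-insensitively as whole words.
IEX_RE = re.compile(r"\b(invoke-expression|iex)\b", re.IGNORECASE)
TELEGRAM_API = "api.telegram.org"
# Assumption: interpreters that have no business talking to the Telegram Bot API.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "cmd.exe"}


def parse(line):
    """Split one telemetry line into (kind, host, {field: value})."""
    kind, host, *fields = line.split("|")
    return kind, host, dict(f.split("=", 1) for f in fields)


def signals_by_host(lines):
    """Collect per-host detection signals: 'iex' for Invoke-Expression in a
    command line, 'telegram_bot_api' for a scripting host reaching the Bot API."""
    out = {}
    for line in lines:
        kind, host, f = parse(line)
        sigs = out.setdefault(host, set())
        if kind == "proc" and IEX_RE.search(f.get("cmdline", "")):
            sigs.add("iex")
        if (kind == "net" and f.get("dest", "").lower() == TELEGRAM_API
                and f.get("image", "").lower() in SCRIPT_HOSTS):
            sigs.add("telegram_bot_api")
    return out


def suspicious_hosts(lines):
    """Hosts showing both signals; either alone is noisy, together they are a
    strong lead for StallionRAT-style activity worth triaging."""
    return sorted(h for h, s in signals_by_host(lines).items()
                  if {"iex", "telegram_bot_api"} <= s)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))  # → ['WS-01']
```

WS-03 is deliberately not flagged: a Telegram desktop client reaching the Bot API domain is expected, so the process image is part of the rule.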
The Russian cybersecurity vendor said it also identified various decoy files in English and Arabic, suggesting that Cavalry Werewolf's targeting focus could broaden beyond what has been observed so far.
“Cavalry Werewolf is actively experimenting with expanding its arsenal,” BI.ZONE said. “This highlights the importance of gaining quick insight into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks.”
The disclosure comes as the company revealed that its analysis of both financially motivated attackers and publications on Telegram channels and underground forums over the past year identified the compromise of at least 500 companies in Russia, most of them in the commerce, finance, education, and entertainment sectors.
“In 86% of the cases, the attackers published the stolen data publicly.” After gaining access to public-facing web applications, the attackers installed GS-NetCat on the compromised server to ensure persistent access. In some cases, the attackers also deployed additional web shells. They also used legitimate tools such as Adminer, phpMiniAdmin, and mysqldump to extract data from the databases.