Hackers posing as Kyrgyz officials target Russian agencies in cyber espionage campaign
Source: therecord.media/hackers-p…
A hacker group known as Cavalry Werewolf has launched a months-long cyber espionage campaign against Russian government agencies and industrial firms, using phishing emails disguised as Kyrgyz government correspondence, researchers said.
Between May and August 2025, the group — also tracked as YoroTrooper and Silent Lynx — targeted Russia’s public sector as well as energy, mining and manufacturing companies, according to a report by the Turkish cybersecurity firm Picus Security released this week.
The attackers sent spear-phishing emails that appeared to come from Kyrgyz ministries, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications, sometimes using compromised government email accounts. The messages contained malicious RAR files that installed custom malware dubbed FoalShell and StallionRAT.
Once deployed, FoalShell gave attackers remote access to infected computers, while StallionRAT used the Telegram messaging app as a command-and-control channel, allowing hackers to execute commands, steal files and exfiltrate data.
The emails used convincing file names such as “three-month results of joint operations” or “shortlist of employees to receive bonuses” to trick victims into opening them.
While the latest wave of attacks primarily focused on Russia, researchers said the group is likely broadening its reach. A Tajik-language file found on an infected system points to possible interest in Tajikistan, while Arabic-named files suggest reconnaissance in the Middle East.
“This expansion, coupled with testing of additional tools like AsyncRAT, highlights a rapidly evolving and ambitious threat actor,” Picus researchers said.
