EXECUTIVE SUMMARY
Cavalry Werewolf is changing its toolkit and testing new ways to attack, so defenders need fast, clear information about the tools and methods the group uses. The threat actors send emails that look like official messages and sometimes use real, already compromised addresses found online, which makes it hard to tell real messages from fake ones. Many emails carry compressed files that hide programs meant to open a command line on the victim's computer or to run a remote access tool. File names are chosen to look like routine documents, so people are more likely to open them. Because not all incidents are shared publicly, their region. Simple checks help a lot: confirm who sent the message, do not open unknown attachments, and treat any link or file as suspicious until it is checked. Monitoring for downloads that land in email cache folders and for files created with document-like names can help spot attacks early.
The group uses small reverse shells and RATs built in a few programming languages so the same action can run on many hosts. One tool is a reverse shell that starts a hidden command window and relays its input and output to a remote operator. In one version the attackers pack the shell inside another program and run it from memory, which avoids leaving a normal file on disk. Another tool is a RAT launched by a small program that runs a hidden PowerShell command which decodes and runs the real payload; that RAT uses a messaging service as its control channel. The tools establish persistence by adding entries to registry run keys, so the code runs again after a reboot. They can also upload and download files, run commands to gather system and network information, and start proxy tools that let the attackers route traffic through the compromised host. Known clues include shadow debug paths left by builders, reused build IDs, and document-like file names.
Useful hunting signals are processes launching cmd.exe or powershell.exe from odd folders, Base64-encoded PowerShell commands using hidden-window flags, new files in public libraries folders, and registry keys added to autorun locations. This set of attacks shows a steady pattern of testing and reuse rather than flashy, complex tools. The adversary favors tried-and-true methods: social engineering with realistic file names, multi-language builds of the same tool, and using common system features to hide activity. Because they may use real email and should verify attachments and links before opening. Prioritize logging from mail clients and from the common folders where email attachments are cached, and add rules to flag encoded PowerShell runs and cmd.exe started by uncommon parents. Record simple markers such as build IDs, debug paths, and repeated file-name styles in your intelligence store so you can spot reuse quickly. Combine mail-layer controls, endpoint monitoring, and focused hunting queries to reduce the window in which the attacker can act. Regularly updating detection rules with the small clues above will make it harder for this group.
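The hunting signals above can be turned into a small triage script. The following Python is an added example written for this summary; it is not code from the report or from either referenced blog. It runs over constructed endpoint telemetry shaped like Sysmon process-create (ID 1), file-create (ID 11) and registry-value-set (ID 13) events, decodes an `-EncodedCommand` argument (PowerShell expects Base64 of UTF-16LE text), and flags the four patterns named in the text: shells started by parents in user-writable or document-named locations, hidden encoded PowerShell, executables dropped under `C:\Users\Public`, and Run-key entries pointing at user-writable paths. The field names, the sample events, the SID and the rule names are all assumptions made for the example.

```python
import base64
import re

# Locations a phishing payload can write to without elevation (assumption for
# this example; extend to match your environment).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|users\\public|windows\\temp|programdata)\\",
    re.IGNORECASE,
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# "Report.pdf.exe" or "Report.pdf .exe": document-looking name carrying an executable extension.
DOC_LIKE_EXE = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\s*\.(exe|scr|com)$", re.IGNORECASE)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Common spellings of -EncodedCommand followed by a Base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w(?:in|indowstyle)?\s+hidden\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the list of rule names this event trips (empty list means clean)."""
    hits = []
    if event["id"] == 1:  # process create
        name = event["image"].rsplit("\\", 1)[-1].lower()
        parent = event.get("parent_image", "")
        cmd = event.get("command_line", "")
        if name in SHELLS and USER_WRITABLE.search(parent):
            hits.append("shell_from_user_writable_parent")
        if name in SHELLS and DOC_LIKE_EXE.search(parent.rsplit("\\", 1)[-1]):
            hits.append("shell_from_document_named_parent")
        if name in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if decoded is not None and HIDDEN_FLAG.search(cmd):
                hits.append("hidden_encoded_powershell")
            elif decoded is not None:
                hits.append("encoded_powershell")
    elif event["id"] == 11:  # file create
        path = event.get("target_filename", "")
        fname = path.rsplit("\\", 1)[-1]
        if re.search(r"\\users\\public\\", path, re.IGNORECASE) and (
            DOC_LIKE_EXE.search(fname) or fname.lower().endswith((".exe", ".dll"))
        ):
            hits.append("executable_dropped_in_public")
    elif event["id"] == 13:  # registry value set
        if AUTORUN_KEY.search(event.get("target_object", "")) and USER_WRITABLE.search(
            event.get("details", "")
        ):
            hits.append("autorun_to_user_writable_path")
    return hits


def hunt(events):
    """Return (index, hits) for every event that trips at least one rule."""
    return [(i, analyze(e)) for i, e in enumerate(events) if analyze(e)]


# Constructed sample telemetry (not real events from the report).
PAYLOAD = "$s = Get-Content 'C:\\Users\\Public\\Libraries\\note.txt'; Invoke-Expression $s"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Contract_2025.pdf .exe",
     "command_line": "cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Public\Libraries\Invoice.docx.exe",
     "command_line": f"powershell.exe -w hidden -nop -enc {ENCODED}"},
    {"id": 11, "target_filename": r"C:\Users\Public\Libraries\Protocol_meeting.pdf.exe"},
    {"id": 13,  # constructed SID
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe"},
    # Benign: scheduled script and a vendor installer registering itself.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\taskeng.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 13, "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "details": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, hits)
```

The decoded command is kept, not just the fact that one existed, so an analyst can read what the hidden launcher was about to run; in practice feed the decoded text into a second pass (for example, looking for the file paths and messaging-service endpoints the report describes) rather than alerting on encoding alone, since legitimate management tooling also uses `-EncodedCommand`.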
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Initial Access | T1566.001 | Spearphishing Attachment | Spearphishing Attachment |
Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
Execution | T1204.002 | User Execution | Malicious File |
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Deobfuscate/Decode Files or Information |
Defense Evasion | T1564.001 | Hide Artifacts | Hidden Window |
Defense Evasion | T1036.006 | Masquerading | Space after Filename |
Discovery | T1087.002 | Account Discovery | Domain Account |
Discovery | T1083 | File and Directory Discovery | – |
Discovery | T1082 | System Information Discovery | – |
Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
Discovery | T1033 | System Owner/User Discovery | – |
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
Command and Control | T1105 | Ingress Tool Transfer | – |
Command and Control | T1095 | Non-Application Layer Protocol | – |
Command and Control | T1090.002 | Proxy | External Proxy |
Command and Control | T1102.002 | Web Service | Bidirectional Communication |
Exfiltration | T1567.002 | Exfiltration Over Web Service | Exfiltration Over Web Service |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/cavalry-werewolf-apt-targets-russian-agencies-with-foalshell-and-telegram-c2/
https://bi.zone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/?utm_source=x&utm_medium=social&utm_campaign=cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami