Threat Actors Pose as Government Officials to Attack Organizations with StallionRAT
gbhackers
In a recent wave of targeted phishing campaigns, the Cavalry Werewolf cluster has escalated its operations by impersonating government officials and deploying both FoalShell and StallionRAT malware. These tactics underscore the urgency of maintaining continuous cyber intelligence monitoring and implementing robust email authentication measures.
Cavalry Werewolf began its campaign by registering or compromising email addresses belonging to Kyrgyz government agencies.
Attackers posed as employees of the Ministry of Economy and Commerce, the Ministry of Culture, Information, Sports and Youth Policy, and the Ministry of Transport and Communications.
In one striking example, they used a legitimately sourced address from the Kyrgyz Republic’s regulatory authority—likely compromised in a prior operation—to lend credibility to phishing lures.
The phishing emails arrived with RAR attachments named to mimic official documents. Some packages contained FoalShell, a reverse-shell trojan written in Go, C++ and C#, while others concealed StallionRAT, a versatile ...
Copyright of this story solely belongs to gbhackers.