Government-owned organization within the Russian Federation (unnamed)

In July 2025, a Russian government institution fell victim to a sophisticated targeted cyber attack by the threat group *Cavalry Werewolf*. The breach began with phishing emails carrying malicious attachments disguised as official documents (e.g., *‘Служебная записка от 16.06.2025’* and *‘О ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ.exe’*), which delivered the BackDoor.ShellNET.1 backdoor. Once it executed, the attackers gained remote command execution, deployed file-stealing malware (Trojan.FileSpyNET.5) to exfiltrate sensitive documents (.doc, .pdf, .xlsx, image files), and established persistent SOCKS5 tunnels (BackDoor.Tunnel.41) for covert access. The group used legitimate tools (Bitsadmin, PowerShell, curl) and tampered software (WinRar, 7-Zip, VS Code) to evade detection while mapping the network for deeper infiltration. Their arsenal included custom backdoors (Trojan.Inject5.57968, BackDoor.ReverseProxy.1), some controlled via Telegram bots, and registry modifications for persistence. The attack compromised confidential government data, put critical infrastructure access at risk, and demonstrated advanced operational security, posing a persistent threat to national security. The institution’s network configuration, internal communications, and classified documents were exposed, with potential escalation to wider geopolitical consequences if critical systems were breached.

Source: https://gbhackers.com/cavalry-werewolf/

TPRM report: https://www.rankiteo.com/company/ministry-of-finance-of-the-russian-federation

"id": "min4933149110725",
"linkid": "ministry-of-finance-of-the-russian-federation",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Public Sector / Government',
                        'location': 'Russian Federation',
                        'name': 'Unnamed Government-Owned Organization '
                                '(Russian Federation)',
                        'type': 'Government Agency'}],
 'attack_vector': ['Phishing Emails',
                   'Malicious Attachments (Password-Protected Archives)',
                   'BackDoor.ShellNET.1 (Reverse-Shell-CS)',
                   'Bitsadmin for Payload Delivery'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['.doc',
                                        '.docx',
                                        '.xlsx',
                                        '.pdf',
                                        'Image Files'],
                 'sensitivity_of_data': ['High (Confidential Government '
                                         'Information)'],
                 'type_of_data_compromised': ['Government Documents (.doc, '
                                              '.docx, .xlsx, .pdf)',
                                              'Image Files',
                                              'Network Configuration Data']},
 'date_detected': 'July 2025',
 'description': 'In July 2025, Doctor Web’s anti-virus laboratory detected a '
                'critical network compromise in a Russian government-owned '
                'organization. The attack, orchestrated by the threat actor '
                'group Cavalry Werewolf, involved phishing emails with '
                "malicious attachments (e.g., 'Служебная записка от "
                "16.06.2025', 'О ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ ДЛЯ ПОДГОТОВКИ "
                "СОВЕЩАНИЯ.exe') disguised as legitimate documents. The "
                'attackers used BackDoor.ShellNET.1 (a Reverse-Shell-CS-based '
                'backdoor) to establish remote command execution, followed by '
                'deployment of Trojan.FileSpyNET.5 (file stealer) and '
                'BackDoor.Tunnel.41 (SOCKS5 tunnel creator). The campaign '
                'included extensive reconnaissance, persistence mechanisms via '
                'registry modifications, and tampering with legitimate '
                'software (WinRar, 7-Zip, VS Code, PDF readers). The primary '
                'objectives were stealing confidential data and mapping '
                'network configurations for deeper infiltration into critical '
                'infrastructure.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in '
                                        'Government Cybersecurity',
                                        'Reputation Damage Due to Data Breach'],
            'data_compromised': ['Confidential Government Information',
                                 'Network Configuration Data'],
            'operational_impact': ['Unauthorized Remote Command Execution',
                                   'Data Exfiltration',
                                   'Persistence via Registry Modifications',
                                   'Covert Network Access (SOCKS5 Tunnels)'],
            'systems_affected': ['Corporate Email Servers',
                                 'Endpoints (Windows Systems)',
                                 'Legitimate Software (WinRar, 7-Zip, VS Code, '
                                 'PDF Readers)',
                                 'Network Infrastructure']},
 'initial_access_broker': {'backdoors_established': ['BackDoor.ShellNET.1 '
                                                     '(Reverse-Shell-CS)',
                                                     'BackDoor.Tunnel.41 '
                                                     '(ReverseSocks5-based)',
                                                     'BackDoor.ReverseProxy.1 '
                                                     '(SOCKS5 Proxy)',
                                                     'Trojan.Inject5.57968 '
                                                     '(Process Injection)',
                                                     'BackDoor.Siggen2.5463',
                                                     'BackDoor.RShell.169'],
                           'entry_point': ['Phishing Emails with Malicious '
                                           'Attachments (BackDoor.ShellNET.1)'],
                           'high_value_targets': ['Confidential Government '
                                                  'Data',
                                                  'Network Configuration '
                                                  'Details',
                                                  'Critical Infrastructure '
                                                  'Access'],
                           'reconnaissance_period': ['Extensive (Systematic '
                                                     'Network Mapping via '
                                                     'ipconfig, PowerShell, '
                                                     'Bitsadmin)']},
 'investigation_status': 'Ongoing (as of July 2025)',
 'lessons_learned': ['Sophisticated threat actors leverage open-source tools '
                     '(Reverse-Shell-CS, ReverseSocks5) to evade detection.',
                     'Legitimate utilities (Bitsadmin, PowerShell, curl) can '
                     'be weaponized for malicious payload delivery.',
                     'Password-protected archives with deceptive filenames '
                     'bypass traditional email security measures.',
                     'Persistence via registry modifications and tampering '
                     'with legitimate software (e.g., WinRar) complicates '
                     'detection.',
                     'Telegram bots can be used for command-and-control (C2) '
                     'distribution in multi-stage attacks.'],
 'motivation': ['Espionage',
                'Data Theft',
                'Critical Infrastructure Infiltration',
                'Network Mapping'],
 'post_incident_analysis': {'corrective_actions': ['Enhance email filtering to '
                                                   'block password-protected '
                                                   'archives with executable '
                                                   'content.',
                                                   'Deploy EDR/XDR solutions '
                                                   'to detect reverse shells '
                                                   'and SOCKS5 tunnels.',
                                                   'Implement application '
                                                   'whitelisting to prevent '
                                                   'tampering with legitimate '
                                                   'software.',
                                                   'Restrict use of Bitsadmin, '
                                                   'PowerShell, and curl to '
                                                   'authorized administrative '
                                                   'tasks.',
                                                   'Segment networks to limit '
                                                   'lateral movement in case '
                                                   'of compromise.',
                                                   'Conduct red team exercises '
                                                   'to test defenses against '
                                                   'multi-stage, '
                                                   'open-source-based '
                                                   'attacks.'],
                            'root_causes': ['Successful phishing attack due to '
                                            'lack of email security controls.',
                                            'Inadequate endpoint detection to '
                                            'identify reverse shell '
                                            'connections.',
                                            'Abuse of legitimate tools '
                                            '(Bitsadmin, PowerShell) for '
                                            'payload delivery.',
                                            'Persistence mechanisms via '
                                            'registry modifications and '
                                            'tampered software.',
                                            'Open-source malware '
                                            '(Reverse-Shell-CS, ReverseSocks5) '
                                            'evading signature-based '
                                            'detection.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement robust email filtering to block phishing '
                     'attempts with malicious attachments.',
                     'Deploy endpoint detection and response (EDR) solutions '
                     'to identify anomalous behavior (e.g., reverse shells, '
                     'SOCKS5 tunnels).',
                     'Enforce network segmentation to limit lateral movement '
                     'within critical infrastructure.',
                     'Monitor for abuse of legitimate tools (Bitsadmin, '
                     'PowerShell, curl) in unusual contexts.',
                     'Restrict modifications to the Windows registry and '
                     'public directories (e.g., C:\\users\\public\\pictures).',
                     'Conduct regular audits of software integrity to detect '
                     'tampering with legitimate applications.',
                     'Educate employees on recognizing phishing emails, '
                     'especially those mimicking official government '
                     'correspondence.'],
 'references': [{'source': 'Doctor Web Anti-Virus Laboratory'}],
 'response': {'enhanced_monitoring': ['Recommended as Mitigation'],
              'incident_response_plan_activated': True,
              'network_segmentation': ['Recommended as Mitigation'],
              'third_party_assistance': ['Doctor Web Anti-Virus Laboratory']},
 'threat_actor': 'Cavalry Werewolf',
 'title': 'Sophisticated Targeted Attack by Cavalry Werewolf on Russian '
          'Government Organization',
 'type': ['Targeted Cyberattack',
          'Espionage',
          'Data Theft',
          'Network Reconnaissance'],
 'vulnerability_exploited': ['Human Error (Phishing)',
                             'Lack of Email Filtering',
                             'Legitimate Tools Abuse (Bitsadmin, PowerShell, '
                             'curl)',
                             'Weak Endpoint Detection']}