A targeted cyberattack was executed by the hacker group Cavalry Werewolf against a Russian government-owned entity in July 2025. The attack began with a phishing campaign using password-protected archives disguised as legitimate documents, deploying a previously unknown backdoor (BackDoor.ShellNET.1) based on open-source Reverse-Shell-CS code. This allowed remote command execution, persistence via Windows registry edits, and deployment of additional malware, including the Trojan.FileSpyNET.5 infostealer, designed to exfiltrate documents, spreadsheets, images, and system data to an external server.

The attackers leveraged Windows BITSAdmin to download further payloads, established SOCKS5 tunnels for covert communication, and used Telegram bots to control compromised systems. Trojanized versions of WinRAR, 7-Zip, and Visual Studio Code were also distributed to launch secondary infections. The group gathered confidential government data, internal network configurations, and user credentials via Windows commands (`whoami`, `ipconfig /all`, `net user`), indicating a focused effort on espionage and long-term infiltration.

Cavalry Werewolf, linked to prior campaigns targeting Russian state agencies and industrial firms (energy, mining, manufacturing), employed custom tools such as FoalShell and StallionRAT, suggesting advanced capabilities and potential ties to other threat actors (Silent Lynx, YoroTrooper). The breach risks the compromise of national security data, operational disruptions, and further escalation if the group expands its targeting to critical infrastructure or civilian systems.
Source: https://hackread.com/cavalry-werewolf-russia-government-shellnet-backdoor/
TPRM report: https://www.rankiteo.com/company/transneft-jsc
{
  "id": "tra3192431110625",
  "linkid": "transneft-jsc",
  "type": "Cyber Attack",
  "date": "7/2025",
  "severity": "100",
  "impact": "8",
  "explanation": "Attack that could bring to a war"
}
{
  "affected_entities": [
    {"industry": "Public Sector", "location": "Russia", "type": "Government Organization"}
  ],
  "attack_vector": [
    "Phishing Emails",
    "Password-Protected Malicious Archives",
    "Reverse Shell (BackDoor.ShellNET.1)",
    "BITSAdmin for Payload Delivery",
    "Trojanized Software (WinRAR, 7-Zip, VS Code)",
    "Telegram Bot C2"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Documents", "Spreadsheets", "Text Files", "Images", "Configuration Files"],
    "sensitivity_of_data": "High (Government/Industrial Espionage)",
    "type_of_data_compromised": [
      "Corporate Documents",
      "System/Network Configurations",
      "User Credentials",
      "Local Files (Images, Text, Spreadsheets)"
    ]
  },
  "date_detected": "2025-07",
  "date_publicly_disclosed": "2025-07",
  "description": "Cybersecurity researchers at Doctor Web discovered a targeted attack against a Russian government-owned organization by the hacker group Cavalry Werewolf. The operation began in July 2025 after the organization noticed spam emails sent from its own corporate address. The attack involved a phishing campaign using password-protected archives posing as legitimate documents, deploying a new backdoor (BackDoor.ShellNET.1) based on open-source Reverse-Shell-CS code. Attackers used Windows’ BITSAdmin to download additional payloads, including Trojan.FileSpyNET.5 (infostealer) and BackDoor.Tunnel.41 (SOCKS5 tunnel for covert communication). The group relied on open-source frameworks, custom backdoors (C#, C++, Golang), and Telegram bots for command-and-control. Trojanized versions of WinRAR, 7-Zip, and Visual Studio Code were also used to deploy secondary malware. The goal was to collect confidential information and internal network configurations.",
  "impact": {
    "brand_reputation_impact": ["Potential Reputation Damage (Government Entity Targeted)"],
    "data_compromised": [
      "Documents",
      "Spreadsheets",
      "Text Files",
      "Images",
      "System/Network Configurations",
      "User Information"
    ],
    "operational_impact": [
      "Unauthorized Remote Command Execution",
      "Data Exfiltration",
      "Persistence via Registry/Scheduled Tasks",
      "Covert Communication Channels"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "BackDoor.ShellNET.1",
      "BackDoor.Tunnel.41",
      "FoalShell (Past Operations)",
      "StallionRAT (Past Operations)"
    ],
    "entry_point": "Phishing Emails (Password-Protected Archives)",
    "high_value_targets": ["Russian State Agencies", "Energy Sector", "Mining Sector", "Manufacturing Sector"],
    "reconnaissance_period": ["May 2025 – August 2025 (Observed Campaign Window)"]
  },
  "investigation_status": "Ongoing (Doctor Web Analysis)",
  "lessons_learned": [
    "Avoid downloading software from third-party/unverified sources.",
    "Verify all email attachments, especially password-protected archives.",
    "Monitor for abuse of legitimate tools (e.g., BITSAdmin, Telegram bots).",
    "Scan files via VirusTotal/antivirus before execution.",
    "Cavalry Werewolf reuses and tweaks malware tools across campaigns, indicating persistent evolution."
  ],
  "motivation": ["Espionage", "Data Theft", "Intelligence Gathering"],
  "post_incident_analysis": {
    "root_causes": [
      "Successful phishing leading to malware execution.",
      "Abuse of legitimate utilities (BITSAdmin, Telegram bots).",
      "Lack of detection for trojanized software (WinRAR, 7-Zip, VS Code).",
      "Persistence via Windows registry/scheduled tasks."
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Implement stricter email security controls (e.g., sandboxing, attachment scanning).",
    "Restrict execution of scripts/tools like BITSAdmin via least-privilege policies.",
    "Monitor for unusual outbound traffic (e.g., SOCKS5 tunnels, Telegram C2).",
    "Educate employees on phishing risks, especially spear-phishing impersonating officials.",
    "Audit systems for persistence mechanisms (registry edits, scheduled tasks).",
    "Use official software sources and verify file integrity."
  ],
  "references": [
    {"source": "Doctor Web Technical Report"},
    {"source": "Hackread.com (Translated Article)", "url": "https://www.hackread.com/cavalry-werewolf-russian-government-hack/"}
  ],
  "response": {
    "incident_response_plan_activated": true,
    "third_party_assistance": ["Doctor Web (Investigation)"]
  },
  "threat_actor": "Cavalry Werewolf",
  "title": "Targeted Attack by Cavalry Werewolf on Russian Government-Owned Organization",
  "type": ["Targeted Attack", "Phishing", "Malware Deployment", "Data Exfiltration", "Espionage"],
  "vulnerability_exploited": [
    "Human Error (Phishing)",
    "Abuse of Legitimate Tools (BITSAdmin)",
    "Trojanized Software Supply Chain"
  ]
}