Cavalry Werewolf hacker group attacks Russian state institutions
ID: 0ffa4b10-862c-575d-93ba-a66e9595f26f
STIX ID: report--0ffa4b10-862c-575d-93ba-a66e9595f26f
Feed Name: Dr.Web News
The Doctor Web report documents a July 2025 targeted intrusion by the Cavalry Werewolf group against a Russian government organization. Initial access was gained via spearphishing with password-protected archives; the intrusion then deployed various reverse-shell backdoors (e.g., BackDoor.ShellNET, ReverseProxy, ReverseShell), stealers (Trojan.FileSpyNET), and additional payloads delivered through legitimate tools (BITS, PowerShell, curl). The report provides file names, SHA-1 hashes, C2 IPs, observed commands and persistence methods, notes the group's preference for open-source tooling and Telegram-based control, and maps the activity to MITRE ATT&CK techniques.
