Espionage clusters disguise themselves as Kyrgyz state officials

In some cases the adversaries compromise real official emails to use them in attacks on companies
October 2, 2025

All summer long, Cavalry Werewolf attacked Russian organizations, posing as Kyrgyz government officials. The targets of the summer campaign were state agencies, as well as energy, mining, and manufacturing enterprises. The cluster’s motive is espionage.

Posing as officials from various Kyrgyz ministries, the attackers disseminated malicious emails containing seemingly important documents. In fact, the emails carried RAR archives that concealed malware. This was not commodity malware purchasable on underground resources: the adversaries relied on tooling of their own design, the FoalShell reverse shells and StallionRAT, which is controlled via Telegram. These tools allowed them to remotely control a compromised device.

For the mailing campaigns, the threat actors typically created email accounts that resembled real addresses of government officials. However, in some cases, the email address used was in fact a real address that had been compromised earlier. It was listed as a contact address on the website of one of the republic’s government agencies.
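The two sender tricks described above (look-alike addresses mimicking a real official's mailbox, and a genuinely compromised official address) call for different checks, and the second one defeats any rule based on sender reputation alone. The following is an added mail-triage example, not BI.ZONE's code or anything from the campaign itself: it classifies the sender domain against a vetted list using homoglyph normalization and edit distance, and separately flags archive attachments (by name and by RAR magic bytes) regardless of who sent them. The domain `ministry.example.kg`, the sample messages and the thresholds are constructed for illustration.

```python
"""Mail triage for look-alike senders and archive attachments (added example).

Assumptions (illustrative, not from the article): the vetted domain
ministry.example.kg, the constructed sample messages, and the threshold of
two edits for a look-alike match.
"""
import email
from email import policy, utils
from email.message import EmailMessage

# Constructed allowlist of official domains the organization has vetted.
KNOWN_OFFICIAL_DOMAINS = {"ministry.example.kg"}
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR4 and RAR5 signatures


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph substitutions so rninistry -> ministry, 0 -> o."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_OFFICIAL_DOMAINS:
        return "known"
    norm = normalize_domain(domain)
    for legit in KNOWN_OFFICIAL_DOMAINS:
        if norm == normalize_domain(legit) or edit_distance(norm, legit) <= 2:
            return "lookalike"
    return "unknown"


def triage(raw_message: bytes) -> dict:
    """Parse one RFC 5322 message and decide whether to deliver or quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = utils.parseaddr(msg.get("From", ""))[1]
    sender_class = classify_sender(sender)
    archives = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Match on extension OR magic bytes, so a renamed .rar is still caught.
        if name.lower().endswith(ARCHIVE_EXTENSIONS) or payload.startswith(RAR_MAGIC):
            archives.append(name)
    reasons = []
    if sender_class == "lookalike":
        reasons.append("sender domain mimics a vetted official domain")
    if archives:
        # Fires even for a 'known' sender: a compromised real mailbox
        # passes every sender check, so the attachment rule must stand alone.
        reasons.append("archive attachment: " + ", ".join(archives))
    return {"sender": sender, "sender_class": sender_class,
            "archives": archives, "reasons": reasons,
            "verdict": "quarantine" if reasons else "deliver"}


def build_sample(from_addr: str, attachment_name: str = "",
                 payload: bytes = b"Rar!\x1a\x07\x01\x00") -> bytes:
    """Constructed sample message; the default payload is a RAR5 signature."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "director@target.example"
    msg["Subject"] = "Documents for review"
    msg.set_content("Please see the attached documents.")
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def run_samples() -> list:
    """Four constructed cases: look-alike, compromised real address, benign, renamed archive."""
    return [
        triage(build_sample("press@rninistry.example.kg", "Memo.rar")),
        triage(build_sample("secretary@ministry.example.kg", "Protocol.rar")),
        triage(build_sample("secretary@ministry.example.kg")),
        triage(build_sample("info@ministry-example.kg", "Report.docx")),
    ]


if __name__ == "__main__":
    for result in run_samples():
        print(result["verdict"], result["sender"], result["reasons"])
```

The second sample is the case the article warns about: the address is real, so `classify_sender` reports `known`, and only the attachment rule quarantines the message. The fourth shows why the magic-byte check matters: the archive has been renamed to `.docx`, and the domain differs from the vetted one by a single character.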

Cavalry Werewolf phishing emails did not deviate from the style of official correspondence. A distinctive feature of espionage clusters is to craft phishing letters to look very plausible. They also leverage their own software and actively experiment with various tools, thereby making it difficult to spot any wrongdoing. Their main goal is to remain undetected in a compromised infrastructure for as long as possible.
The threat actors exploit the information and political agenda for their own benefit. Impersonating civil servants from CIS countries is a way to gain victims’ trust and encourage them to open an email with attachments. It is important to remember that the organizations whose brands are abused by attackers are not liable for the actions of criminals and the associated damage.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

BI.ZONE Threat Intelligence has also discovered files with names in Tajik and Arabic created by the cluster, which suggests that they may be preparing attacks against Tajikistan and countries in the Middle East. The cluster continues to modify its arsenal and test new malware, in particular the AsyncRAT remote access trojan. Unlike the proprietary tools that the cluster used in its summer campaign against Russian organizations, this trojan is free and available on a popular developer platform. However, rather than choosing the basic C# version of the program, the attackers went with a modified version rewritten in Rust.

Previously, BI.ZONE Threat Intelligence reported that the share of attacks motivated by espionage continues to grow. In 2023, this figure stood at 15% of all incidents, by the end of 2024 it had risen to 21%, and by the end of the first half of 2025 it had reached a record high of 36%.

Most cyberattacks on organizations in Russia and other CIS countries begin with phishing emails. You can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your communications. Its mechanism allows illegitimate emails to be blocked while legitimate emails continue to be delivered without delay. Portals such as BI.ZONE Threat Intelligence help build proactive protection for companies and accelerate incident response by providing detailed information about current attacks, threat actors, their tactics, techniques and tools, and information from underground resources.