Cavalry Werewolf Cyberattack Unveils Advanced Toolkit Targeting Russian Government with Trojanized Software
November 6, 2025
The attackers used Windows BITSAdmin to download additional payloads, including the infostealer Trojan.FileSpyNET.5, which exfiltrates documents, spreadsheets, text files, and images to an external server.
Initial information‑gathering relied on standard Windows commands (whoami, ipconfig /all, net user) and examination of local files and network configurations to plan subsequent stages.
BackDoor.Tunnel.41 established a SOCKS5 tunnel for covert command-and-control, and the implants on infected hosts were managed through Telegram bots.
A new backdoor named BackDoor.ShellNET.1 was identified, built on open‑source Reverse-Shell-CS code, enabling remote command execution through a reverse shell.
Analysts warn that the evolving toolkit and code reuse raise the risk of broader impact, including potential spread to ordinary users through trojanized popular software.
Cavalry Werewolf previously targeted Russian state agencies and large industrial players in 2025, including the energy, mining, and manufacturing sectors, using spear-phishing emails that impersonated Kyrgyz officials; its activity overlaps with groups such as Silent Lynx and YoroTrooper.
The threat toolkit includes custom backdoors in C#, C++, and Golang, along with trojanized utilities such as WinRAR, 7-Zip, and Visual Studio Code to facilitate lateral movement and pivot within compromised networks.
Cavalry Werewolf conducted a targeted cyberattack on a Russian government‑owned organization beginning in mid‑2025, with spoofed spam emails sent from the organization’s own address to aid initial intrusion.
Recommended security practices include avoiding third-party download sites, obtaining software only from official distribution platforms, and scanning installers with VirusTotal and antivirus tools before running them.
Source

Hackread - Cybersecurity News, Data Breaches, Tech, AI, Crypto and More • Nov 6, 2025
Cavalry Werewolf Hit Russian Government with New ShellNET Backdoor