Cavalry Werewolf, a malicious actor group, targeted Russian state agencies and enterprises in the energy, mining, and manufacturing sectors from May to August 2025. The attackers used targeted phishing emails, posing as Kyrgyz government officials, to gain initial access. They employed custom malware, including FoalShell reverse shells and StallionRAT, controlled via Telegram. The group impersonated or compromised real email accounts from Kyrgyz agencies. Their arsenal includes various versions of FoalShell (Go, C++, C#) and StallionRAT (Go, PowerShell, Python). The attackers executed commands for system reconnaissance, file uploads, and SOCKS5 proxying. Evidence suggests potential expansion to targets in Tajikistan and Middle Eastern countries.