Cavalry Werewolf Raids Russia’s Public Sector With Trusted Relationship Attacks

    Date: 10/21/2025

    Severity: High

    Summary

    Cavalry Werewolf, a sophisticated threat group, is actively expanding its toolset to target Russia's public sector. The group relies on trusted-relationship attacks, using email compromise and phishing either to impersonate officials or to hijack their accounts outright, so that its messages arrive from a sender the recipient already trusts. This underlines the need for constant vigilance and up-to-date security controls to detect and prevent such attacks. Even when these attacks are not publicly disclosed they pose a significant threat, so organizations should monitor cyber intelligence portals for real-time insight and prioritize their defenses accordingly.

    Indicators of Compromise (IOC) List

    IP Addresses

    188.127.225.191

    94.198.52.200

    91.219.148.93

    185.244.180.169

    109.172.85.95

    185.231.155.111

    185.173.37.67

    188.127.227.226

    62.113.114.209

    96.9.125.168

    78.128.112.209

    SHA-256 Hashes

    27a11c59072a6c2f57147724e04c7d6884b52921da2629fb0807e0bb93901cbc

    3cd7f621052919e937d9a2fdd4827fc7f82c0319379c46d4f9b9dd5861369ffc

    c3df16cce916f1855476a2d1c4f0946fa62c2021d1016da1dc524f4389a3b6fa

    e15f1a6d24b833ab05128b4b34495ef1471bd616b9833815e2e98b8d3ae78ff2

    dae3c08fa3df76f54b6bae837d5abdc309a24007e9e6132a940721045e65d2bb

    8404f8294b14d61ff712b60e92b7310e50816c24b38a00fcc3da1371a3367103

    8e6d7c44ab66f37bf24351323dc5e8d913173425b14750a50a2cbea6d9e439ba

    fa6cdd1873fba54764c52c64eadca49d52e5b79740364ef16e5d86d61538878d

    0e7b65930bc73636f2f99b05a3bb0af9aaf17d3790d0107eb06992d25e62f59d

    c9ffbe942a0b0182e0cd9178ac4fbf8334cae48607748d978abf47bd35104051

    04769b75d7fb42fbbce39d4c4b0e9f83b60cc330efa477927e68b9bdba279bb8

    7da82e14fb483a680a623b0ef69bcfbd9aaaedf3ec26f4c34922d6923159f52f

    c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59

    1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98

    a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52

    cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554

    ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17

    8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c

    b13b83b515ce60a61c721afd0aeb7d5027e3671494d6944b34b83a5ab1e2d9f4

    af3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283

    4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288

    22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab

    148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda

    7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf

    ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d

    6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252

    cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06

    fbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685

    a3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("188.127.225.191","94.198.52.200","91.219.148.93","185.244.180.169","109.172.85.95","185.231.155.111","185.173.37.67","188.127.227.226","62.113.114.209","96.9.125.168","78.128.112.209") or srcipaddress IN ("188.127.225.191","94.198.52.200","91.219.148.93","185.244.180.169","109.172.85.95","185.231.155.111","185.173.37.67","188.127.227.226","62.113.114.209","96.9.125.168","78.128.112.209") or ipaddress IN ("188.127.225.191","94.198.52.200","91.219.148.93","185.244.180.169","109.172.85.95","185.231.155.111","185.173.37.67","188.127.227.226","62.113.114.209","96.9.125.168","78.128.112.209")

    Detection Query 2:

    sha256hash IN ("cc9e5d8f0b30c0aaeb427b1511004e0e4e89416d8416478144d76aa1777d1554","b13b83b515ce60a61c721afd0aeb7d5027e3671494d6944b34b83a5ab1e2d9f4","e15f1a6d24b833ab05128b4b34495ef1471bd616b9833815e2e98b8d3ae78ff2","a8ada7532ace3d72e98d1e3c3e02d1bd1538a4c5e78ce64b2fe1562047ba4e52","af3d740c5b09c9a6237d5d54d78b5227cdaf60be89f48284b3386a3aadeb0283","6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252","8e6d7c44ab66f37bf24351323dc5e8d913173425b14750a50a2cbea6d9e439ba","cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06","22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab","ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d","27a11c59072a6c2f57147724e04c7d6884b52921da2629fb0807e0bb93901cbc","3cd7f621052919e937d9a2fdd4827fc7f82c0319379c46d4f9b9dd5861369ffc","1dfe65e8dc80c59000d92457ff7053c07f272571a8920dbe8fc5c2e7037a6c98","c26b62fa593d6e713f1f2ccd987ef09fe8a3e691c40eb1c3f19dd57f896d9f59","0e7b65930bc73636f2f99b05a3bb0af9aaf17d3790d0107eb06992d25e62f59d","c9ffbe942a0b0182e0cd9178ac4fbf8334cae48607748d978abf47bd35104051","7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf","4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288","c3df16cce916f1855476a2d1c4f0946fa62c2021d1016da1dc524f4389a3b6fa","dae3c08fa3df76f54b6bae837d5abdc309a24007e9e6132a940721045e65d2bb","8404f8294b14d61ff712b60e92b7310e50816c24b38a00fcc3da1371a3367103","fa6cdd1873fba54764c52c64eadca49d52e5b79740364ef16e5d86d61538878d","04769b75d7fb42fbbce39d4c4b0e9f83b60cc330efa477927e68b9bdba279bb8","7da82e14fb483a680a623b0ef69bcfbd9aaaedf3ec26f4c34922d6923159f52f","ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17","8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c","148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda","fbf1bae3c576a6fcfa86db7c36a06c2530423d487441ad2c684cfeda5cd19685","a3ec2992e6416a3af54b3aca3417cf4a109866a07df7b5ec0ace7bd1bf73f3c6")
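    The two queries above are plain set-membership checks: any record whose source, destination or generic IP field, or whose SHA-256 field, equals one of the listed indicators is a hit. For teams without the Gurucul platform, the same check can be run over raw logs. The script below is an added example, not part of the advisory or of Gurucul's product; it takes the indicators from the IoC list above (a subset of the hashes, for brevity), pulls every IPv4 address and 64-hex-digit token out of each log line regardless of field name, normalizes hash case, and reports the lines that match. The log lines are constructed for the example and the field names in them are assumptions.

```python
"""Match log records against the IP and SHA-256 indicators from this advisory.

Added example code; not the advisory's or Gurucul's own tooling. The sample
log lines and their field names (src=, dst=, sha256=) are constructed.
"""
import ipaddress
import re
from typing import Iterable

# IP indicators copied from the advisory's IoC list.
IOC_IPS = frozenset({
    "188.127.225.191", "94.198.52.200", "91.219.148.93", "185.244.180.169",
    "109.172.85.95", "185.231.155.111", "185.173.37.67", "188.127.227.226",
    "62.113.114.209", "96.9.125.168", "78.128.112.209",
})

# Subset of the SHA-256 indicators from the advisory (stored lowercase so that
# comparison is case-insensitive; extend with the full list in practice).
IOC_SHA256 = frozenset({
    "27a11c59072a6c2f57147724e04c7d6884b52921da2629fb0807e0bb93901cbc",
    "3cd7f621052919e937d9a2fdd4827fc7f82c0319379c46d4f9b9dd5861369ffc",
    "c3df16cce916f1855476a2d1c4f0946fa62c2021d1016da1dc524f4389a3b6fa",
    "e15f1a6d24b833ab05128b4b34495ef1471bd616b9833815e2e98b8d3ae78ff2",
    "dae3c08fa3df76f54b6bae837d5abdc309a24007e9e6132a940721045e65d2bb",
    "8404f8294b14d61ff712b60e92b7310e50816c24b38a00fcc3da1371a3367103",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed sample records: one firewall hit, one clean firewall line, one
# EDR file event with an upper-case hash, one clean EDR line, and a line whose
# dotted version string looks like an IP but is not an indicator.
SAMPLE_LOGS = [
    "2025-10-21T08:14:02Z fw action=allow src=10.0.0.15 dst=188.127.225.191 dport=443",
    "2025-10-21T08:15:11Z fw action=allow src=10.0.0.22 dst=192.0.2.10 dport=443",
    "2025-10-21T08:20:45Z edr event=file_create host=WS-017 "
    "sha256=27A11C59072A6C2F57147724E04C7D6884B52921DA2629FB0807E0BB93901CBC path=C:\\Users\\Public\\sample.exe",
    "2025-10-21T08:21:03Z edr event=file_create host=WS-017 "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\\Windows\\notepad.exe",
    "2025-10-21T08:30:00Z app version=1.2.3.4 msg=started",
]


def extract_candidates(line: str) -> tuple[set[str], set[str]]:
    """Return (ipv4 addresses, lowercase sha256 digests) found anywhere in the line.

    Field names are ignored on purpose: this covers srcipaddress, dstipaddress
    and ipaddress (and any other naming) in one pass. Dotted tokens that do not
    parse as IPv4 (e.g. 300.1.1.1) are discarded.
    """
    ips: set[str] = set()
    for token in IPV4_RE.findall(line):
        try:
            ips.add(str(ipaddress.IPv4Address(token)))
        except ValueError:
            continue
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    return ips, hashes


def scan_logs(lines: Iterable[str],
              ioc_ips: frozenset[str] = IOC_IPS,
              ioc_hashes: frozenset[str] = IOC_SHA256) -> list[dict]:
    """Return one match record per (line, indicator) pair, in line order."""
    matches: list[dict] = []
    for line_no, line in enumerate(lines, start=1):
        ips, hashes = extract_candidates(line)
        for ip in sorted(ips & ioc_ips):
            matches.append({"line": line_no, "type": "ip", "value": ip})
        for digest in sorted(hashes & ioc_hashes):
            matches.append({"line": line_no, "type": "sha256", "value": digest})
    return matches


def hit_counts(matches: list[dict]) -> dict[str, int]:
    """Count hits per indicator, useful for ranking which IoCs are actually seen."""
    counts: dict[str, int] = {}
    for m in matches:
        counts[m["value"]] = counts.get(m["value"], 0) + 1
    return counts


if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m['line']}: {m['type']} indicator {m['value']}")
    print(hit_counts(scan_logs(SAMPLE_LOGS)))
```

Because matching is field-agnostic, the same routine serves firewall, proxy and EDR exports alike; the cost is that an indicator appearing in a free-text field (a ticket comment quoting the advisory, for instance) will also be flagged, so review the field a hit came from before treating it as a confirmed connection or execution.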

    Reference:

    https://bi.zone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/


    Tags: Threat Actor, Cavalry Werewolf, Phishing, Russia
