Menu
Browse

Cyber Threat Actor: YoroTrooper

Actor Type Location Known Incidents
 Icon
Spy
Russia
1 incident
Profile

YoroTrooper is athreat actor tracked by Cisco Talos under the alias YoroTrooper, with observed activity dating back to at least June 2022. The group is described as espionage‑focused, primarily targeting government and energy organizations in Commonwealth of Independent States countries such as Azerbaijan, Tajikistan and Kyrgyzstan, as well as embassies of European nations including Azerbaijan and Turkmenistan. In addition to these regional targets, YoroTrooper has successfully compromised accounts at a European Union health care agency and the World Intellectual Property Organization, indicating a broader interest in international institutions. The actor’s strategic objective, as inferred from the stolen data types and the use of credential stealers and remote access tools, is to gather intelligence that can support lateral movement or future phishing operations rather than financial gain or disruptive effects.

The typical infection chain begins with a phishing email containing a malicious archive (ZIP or RAR) that holds a shortcut file (LNK) and a decoy document. The LNK file uses mshta.exe to download and execute a remote HTA file, which in turn runs PowerShell commands to deploy a malicious EXE‑based dropper and a second decoy document. Once executed, the actor employs a mix of custom and commodity malware: a Python‑based remote access trojan that communicates via Telegram bots to run arbitrary commands and exfiltrate files, a custom stealer script that harvests Chrome login data and sends it through the same Telegram channel, and open‑source tools such as the Stink stealer (wrapped with Nuitka or PyInstaller) to collect credentials, cookies, screenshots and system information. YoroTrooper also relies on established remote access trojans including AveMaria/Warzone RAT, LodaRAT and Meterpreter, and has been observed deploying Python‑based reverse shells and a C‑based custom keylogger to capture keystrokes. The tooling frequently contains Russian language artifacts, such as Cyrillic strings and code that decodes output using Code Page 866, indicating familiarity with Russian‑language environments.

Attribution assessments note that the operators are Russian language speakers, but there is no public evidence linking them to a specific state sponsor or confirming that they are Russian nationals. The group's victimology—focused on CIS governments and embassies—suggests a regional interest rather than a global criminal enterprise. While YoroTrooper has used LodaRAT, which is associated with the Kasablanka developer, Talos emphasizes that LodaRAT is employed by multiple actors and therefore does not constitute a definitive link to Kasablanka. Similarities in victimology and tactics with the PoetRAT team have been observed, but insufficient overlap exists to assert a direct affiliation. Consequently, the actor remains classified as a distinct espionage‑oriented threat group whose tactics, techniques and procedures are grounded in phishing‑driven delivery of modular Python and commodity malware, with exfiltration facilitated through Telegram‑based command and control.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source