Cyber Incident Victim: World Intellectual Property Organization
Date: Jun 2022
Location: Switzerland
Summary
The threat actor YoroTrooper compromised accounts at the World Intellectual Property Organization and a European Union health care agency through phishing campaigns delivering malicious archives containing shortcut files and decoy documents. The attacks employed Python-based information stealers, custom scripts leveraging open-source tools, and commodity malware like Warzone RAT and LodaRAT to exfiltrate credentials, browser histories, cookies, system data, and screenshots. Targeting primarily Commonwealth of Independent States governments and embassies, the espionage-focused group utilized Telegram-based command-and-control infrastructure and exhibited Russian language artifacts in their tooling, suggesting operational familiarity with Cyrillic systems. Stolen information was assessed to facilitate lateral movement or future phishing operations.
| Motives | Tactics, Techniques & Procedures | Threat Actor |
|---|---|---|
| 1 motive | 2 techniques | 1 actor |
Description
The espionage campaign attributed to the threat actor YoroTrooper compromised the World Intellectual Property Organization (WIPO) around June 2022, alongside other high-value targets including a European Union health care agency and multiple embassies. Cisco Talos identified YoroTrooper as a Russian-speaking actor targeting Commonwealth of Independent States (CIS) governments, energy sectors, and diplomatic entities through phishing emails delivering malicious archives. These archives contained shortcut files (LNKs) and decoy PDF documents designed to appear legitimate. The LNK files triggered infections by executing remote HTA scripts via mshta.exe, leading to the deployment of information stealers and remote access trojans (RATs). YoroTrooper’s toolset included Python-based custom malware wrapped into executables using Nuitka or PyInstaller, alongside commodity malware like AveMaria/Warzone RAT, LodaRAT, and Meterpreter. The actor successfully exfiltrated credentials, browser histories, cookies, system information, and screenshots from compromised endpoints.

YoroTrooper’s operations against WIPO involved stealing credentials from internet-exposed systems, though the exact method of initial access—whether through targeted phishing domains or broader credential harvesting—remained unclear. The actor registered typo-squatted domains mimicking legitimate entities, such as “maileecommission[.]inro[.]link,” to host malicious payloads. Stolen data included sensitive authentication details from applications like Google Chrome, FileZilla, Discord, and Telegram, which could facilitate lateral movement or future phishing campaigns. The custom Python-based RAT employed Telegram bots for command-and-control communication and data exfiltration, with code snippets containing Cyrillic text and CP866 encoding indicating Russian-language familiarity. While YoroTrooper shared victimology and tactics with the PoetRAT group—notably targeting Azerbaijani embassies and energy sectors—no direct infrastructure overlaps confirmed a link. The incident highlighted the actor’s evolution from commodity malware to bespoke tools, reflecting increased operational sophistication following successful breaches.
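The two behaviours described above, mshta.exe being launched from an LNK to fetch a remote HTA, and a stealer reporting to a Telegram bot, both leave telemetry that can be matched without any sample of the malware. The following Python detection sketch is an added example for this record; it is not code from Cisco Talos, from this incident database, or from the actor. It runs two rules over constructed Sysmon-style records (process creation and network connection). The record shape, the `example.invalid` hostname, the file paths and the browser allowlist are assumptions for illustration and should be tuned to the environment being monitored.

```python
"""Added detection sketch for two YoroTrooper tradecraft points:
  1. LNK -> mshta.exe executing a remote HTA (ATT&CK T1218.005)
  2. a non-browser process contacting the Telegram Bot API (bot-based C2)
All sample telemetry below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed shape, not the real Sysmon schema)."""
    event_id: int            # 1 = process creation, 3 = network connection
    image: str               # full path of the acting process
    parent_image: str = ""   # event 1 only
    command_line: str = ""   # event 1 only
    dest_host: str = ""      # event 3 only


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Processes expected to reach api.telegram.org in this (assumed) environment.
# Keep this list short: a stealer packed with PyInstaller or Nuitka will not be on it.
TELEGRAM_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_remote_hta(ev: Event) -> Optional[str]:
    """mshta.exe started with a URL argument: the LNK -> remote HTA chain."""
    if ev.event_id != 1 or basename(ev.image) != "mshta.exe":
        return None
    match = URL_RE.search(ev.command_line)
    if not match:
        return None  # local .hta files are common enough in admin tooling to ignore here
    parent = f" (parent {basename(ev.parent_image)})" if ev.parent_image else ""
    return f"mshta.exe fetching remote HTA {match.group(0)}{parent}"


def rule_telegram_c2(ev: Event) -> Optional[str]:
    """Process outside the allowlist connecting to the Telegram Bot API host."""
    if ev.event_id != 3 or ev.dest_host.lower() != "api.telegram.org":
        return None
    proc = basename(ev.image)
    if proc in TELEGRAM_ALLOWLIST:
        return None
    return f"{proc} connecting to api.telegram.org (possible Telegram-bot C2)"


RULES = [
    ("remote_hta_via_mshta", rule_remote_hta),
    ("telegram_bot_c2", rule_telegram_c2),
]


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, process image, detail) for every event a rule fires on."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((name, ev.image, detail))
    return findings


# Constructed sample telemetry: one true positive per rule plus one benign twin each.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\mshta.exe" http://example.invalid/decoy.hta'),
    Event(1, r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'),
    Event(3, r"C:\Users\user\AppData\Local\Temp\stealer.exe", dest_host="api.telegram.org"),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_host="api.telegram.org"),
]

if __name__ == "__main__":
    for name, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {detail}")
```

Both rules are deliberately narrow. The mshta rule keys on a URL in the command line rather than on mshta.exe alone, because the page describes remote HTA retrieval specifically; an LNK that instead drops a local HTA would need a second rule on the file-write event. The Telegram rule is a hunting heuristic, not proof of compromise: the same host also serves legitimate bot integrations, so the allowlist and the process path (here a user-writable Temp directory) are what decide whether an analyst should look further.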
