Security Experts:

Connect with us

Hi, what are you looking for?



New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

A newly identified threat actor named YoroTrooper is targeting organizations in Europe and the CIS region for espionage and data theft.

A newly identified threat actor has been observed targeting government and energy organizations in the Commonwealth of Independent States (CIS) region for espionage and data theft, Cisco warns.

Dubbed YoroTrooper, the group has been active since at least June 2022, mainly hitting governments across Eastern Europe, but was also seen compromising accounts at a European Union healthcare agency and the World Intellectual Property Organization (WIPO).

Believed to consist of Russian-speaking individuals, the group successfully compromised organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and other CIS countries, and is believed to be also targeting other entities in Europe, as well as Turkish government agencies.

To date, Cisco has identified at least three different clusters of activity with overlapping infrastructure and has seen YoroTrooper using both in-house and commodity malware families, including AveMaria/Warzone RAT and LodaRAT.

The group tricks victims with malicious domains and typosquatted domains that resemble the legitimate websites of CIS entities.

YoroTrooper targets potential victims with phishing emails that typically have an archive attached, carrying a shortcut file (.lnk) that triggers the infection and a decoy PDF document.

In the observed attacks, the hacking group dropped commodity RATs and information stealers (such as Stink Stealer), along with a custom-built implant based on Python, and self-developed stealers based on the open-sourced Lazagne project, targeting Google Chrome.

The group’s custom malware relies on Telegram bots for data exfiltration and for receiving commands from the attackers’ command-and-control (C&C) server. The custom-built Python-based RAT can run arbitrary commands and exfiltrate files via Telegram.

YoroTrooper was also seen using reverse shell implants such as a simple Python-based reverse shell and Meterpreter binaries. A C-based custom keylogger was also identified.

The threat actor obtained compromised credentials at a European Union healthcare company and the WIPO, registered malicious domains mimicking those of legitimate European Union government agencies, and compromised embassies belonging to Turkmenistan and Azerbaijan.

Cisco’s investigation into YoroTrooper uncovered potential connections with other threat actors, including some overlaps with Kasablanka, the operators of LodaRAT, and stronger overlaps in both tooling and target choices with the activity of Stibnite, the operators of PoetRAT.

Related: Russia-Linked APT ‘Winter Vivern’ Targeting Governments in Europe, Asia

Related: Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency

Related: EU Organizations Warned of Chinese APT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.