Connect with us

Hi, what are you looking for?


Malware & Threats

‘YoroTrooper’ Espionage Group Linked to Kazakhstan

Cisco links the espionage-focused ‘YoroTrooper’ threat actor to Kazakhstan.

The YoroTrooper espionage group likely consists of individuals from Kazakhstan, Cisco’s Talos security researchers report.

Active since at least June 2022 and initially detailed in March this year, YoroTrooper has been observed targeting government entities in Azerbaijan, Kyrgyzstan, Tajikistan, and other Commonwealth of Independent States (CIS) countries.

According to Cisco’s latest report on the advanced persistent threat (APT) actor, the operations appear to be conducted by individuals from Kazakhstan, based on the use of Kazakh currency and of Kazakh, Russian and Uzbek languages.

The threat actor has only targeted one institution in Kazakhstan, namely the government’s Anti-Corruption Agency, it appears to be interested in defending the website of the Kazakhstani state-owned email service, and uses cryptocurrency to purchase infrastructure supporting its operations.

According to Cisco, YoroTrooper “regularly checks for currency conversion rates between Kazakhstani Tenge (KZT), Kazakhstan’s official currency and Bitcoin (BTC) on Google” and has been seen using an online exchange to convert money from Kazakhstani Tenge to Bitcoin.

The group has been observed making efforts to mask its operations and make them appear as originating from Azerbaijan, including by hosting most of its infrastructure in the country, while still targeting local entities.

Following public disclosure in March 2023, the threat actor changed its tactics, techniques, and procedures (TTPs), but continues its nefarious operations against CIS countries.

“YoroTrooper’s targeting of government entities in these countries may indicate the operators are motivated by Kazakh state interests or working under the direction of the Kazakh government. It is also possible, however, that the actors are simply motivated by financial gain achieved by selling restricted state information,” Cisco says.

Advertisement. Scroll to continue reading.

Over the past several months, the group was seen compromising a Tajiki national, most likely associated with the country’s government, to exfiltrate documents such as government certificates and affidavits.

Relying on vulnerability scanners and open source data, the APT successfully compromised three state-owned Tajiki and Kyrgyzstani websites to host malicious tools on them, Cisco says.

Since January 2023, YoroTrooper has been targeting Uzbeki government entities, successfully compromising a high-ranking official from the Uzbek Ministry of Energy in August 2023.

In addition to exploiting known vulnerabilities, the group is relying on VPN accounts in its operations, regularly sends spear phishing messages to steal victims’ credentials, and has added intermediate steps to its infection mechanism over the past several months.

The group has ported their custom-built Python implants to PowerShell scripts, has started using a custom-built Windows executable-based interactive reverse shell, and has started experimenting with new types of delivery vehicles.

In September, the APT started using a Rust-based implant and Golang ports of its Python-based RAT.

Related: ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns

Related: Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool

Related: Hackers Can Exploit GE Historian Vulnerabilities for ICS Espionage, Disruption

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.