The YoroTrooper espionage group likely consists of individuals from Kazakhstan, Cisco’s Talos security researchers report.
Active since at least June 2022 and first detailed in March 2023, YoroTrooper has been observed targeting government entities in Azerbaijan, Kyrgyzstan, Tajikistan, and other Commonwealth of Independent States (CIS) countries.
According to Cisco’s latest report on the advanced persistent threat (APT) actor, the operations appear to be conducted by individuals from Kazakhstan, based on the use of Kazakh currency and of Kazakh, Russian and Uzbek languages.
The threat actor has targeted only one institution in Kazakhstan, the government's Anti-Corruption Agency; it appears to be interested in defending the website of the Kazakhstani state-owned email service; and it uses cryptocurrency to purchase the infrastructure supporting its operations.
According to Cisco, YoroTrooper “regularly checks for currency conversion rates between Kazakhstani Tenge (KZT), Kazakhstan’s official currency, and Bitcoin (BTC) on Google” and has been seen using an online exchange to convert money from Kazakhstani Tenge to Bitcoin.
The group has been observed making efforts to mask its operations and make them appear to originate from Azerbaijan, including by hosting most of its infrastructure in that country, while still targeting Azerbaijani entities.
Following public disclosure in March 2023, the threat actor changed its tactics, techniques, and procedures (TTPs), but continues its nefarious operations against CIS countries.
“YoroTrooper’s targeting of government entities in these countries may indicate the operators are motivated by Kazakh state interests or working under the direction of the Kazakh government. It is also possible, however, that the actors are simply motivated by financial gain achieved by selling restricted state information,” Cisco says.
Over the past several months, the group was seen compromising a Tajik national, most likely associated with the country’s government, and exfiltrating documents such as government certificates and affidavits.
Relying on vulnerability scanners and open source data, the APT compromised three state-owned Tajik and Kyrgyz websites and used them to host malicious tools, Cisco says.
Since January 2023, YoroTrooper has been targeting Uzbek government entities, and in August 2023 it successfully compromised a high-ranking official from the Uzbek Ministry of Energy.
In addition to exploiting known vulnerabilities, the group relies on VPN accounts in its operations, regularly sends spear-phishing messages to steal victims’ credentials, and has added intermediate steps to its infection chain over the past several months.
The group has ported its custom-built Python implants to PowerShell scripts, has started using a custom-built interactive reverse shell delivered as a Windows executable, and has begun experimenting with new types of delivery vehicles.
In September, the APT started using a Rust-based implant and Golang ports of its Python-based RAT.