Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

Cisco Talos assesses that YoroTrooper is a Kazakhstan-origin, espionage-focused threat actor active since June 2022, with language and currency cues pointing to Kazakhstan and a focus on CIS government targets. The group disguises its operations as originating from Azerbaijan, relies on phishing and credential harvesting, and is shifting from commodity malware to custom implants written in several languages (Python, PowerShell, Go, and Rust).

Key points

  • YoroTrooper is likely Kazakh-origin, based on language use (Kazakh, Russian) and currency (Kazakhstani Tenge), and shows an apparent defensive interest in the security posture of the Kazakh mail service mail.kz.
  • The group disguises activity as Azerbaijan, routing much of its infrastructure and traffic through Azerbaijan (e.g., VPN exit nodes) to mislead attribution.
  • Victimology centers on CIS governments; multiple state-owned websites and government officials’ accounts were compromised from May–August 2023.
  • Phishing remains central to their operations: emails direct victims to credential-harvesting pages on the open web, with landing pages hosted on attacker-controlled servers.
  • In 2023 they retooled toward custom malware, expanding beyond commodity malware across languages (Python, PowerShell, Go, Rust) and porting implants between languages.
  • Reconnaissance and infrastructure discovery rely on vulnerability scanners (Acunetix) and OSINT sources (Shodan, Google) to locate targets and hosting, alongside ongoing monitoring of Kazakhstan’s mail service security posture.

MITRE Techniques

  • [T1566.002] Spearphishing via Link – Direct victims to credential harvesting pages; “phishing emails that direct victims to credential harvesting sites”
  • [T1090] Proxy – Obfuscate origin by using VPN exit nodes local to the Azerbaijan region; “using VPN exit nodes local to that region”
  • [T1078] Valid Accounts – Compromised state-owned websites and government official accounts; “accounts belonging to government officials”
  • [T1036] Masquerading – Spoofed subdomains and a government domain; “malicious subdomain mail.antikor.gov.kz.openingfile.net … spoofed the legitimate government domain antikor.gov.kz”
  • [T1071.001] Web Protocols – Telegram-based C2 and file exfiltration via Telegram APIs and channels
  • [T1105] Ingress Tool Transfer – Download and execute implants and decoys from attacker-controlled servers; “Download an implant from … attacker-controlled server and run it”
  • [T1059.001] PowerShell – Porting Python-based implants to PowerShell for execution
  • [T1059.006] Python – Use Python-based RAT and related implants, later ported to PowerShell and Go/Rust variants
  • [T1059.003] Windows Command Shell – Custom-built reverse shell that runs commands on infected endpoints via cmd.exe
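As an added defensive example (not code from the Talos report), the following Python flags hostnames in which a protected government domain appears as inner labels under a different registrable domain, the pattern of mail.antikor.gov.kz.openingfile.net described under Masquerading above. The protected-domain list, the tiny public-suffix set and the proxy log lines are constructed stand-ins; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed watch-list: legitimate domains whose names phishing hosts may embed.
# antikor.gov.kz is the spoofed domain named in the report; mail.kz is assumed.
PROTECTED_DOMAINS = ("antikor.gov.kz", "mail.kz")

# Constructed stand-in for the Public Suffix List (suffixes nobody can register as a name).
PUBLIC_SUFFIXES = {"kz", "gov.kz", "kg", "gov.kg", "tj", "net", "email"}

def registrable_domain(host):
    """Apex domain actually controlled by whoever owns this host, e.g.
    'openingfile.net' for 'mail.antikor.gov.kz.openingfile.net'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def embedded_spoof(host):
    """Return (protected_domain, real_apex) when a protected domain appears as
    inner labels of host but host is NOT actually under that domain; else None."""
    host = host.lower().strip(".")
    for protected in PROTECTED_DOMAINS:
        if host == protected or host.endswith("." + protected):
            return None  # genuine host under the protected zone
    for protected in PROTECTED_DOMAINS:
        if ("." + protected + ".") in ("." + host + "."):
            return protected, registrable_domain(host)
    return None

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2023-06-12T08:14:02Z 10.0.0.14 GET https://mail.antikor.gov.kz/owa/ 200
2023-06-12T08:15:37Z 10.0.0.14 GET https://mail.antikor.gov.kz.openingfile.net/owa/auth/logon.aspx 200
2023-06-12T08:16:09Z 10.0.0.21 GET https://mail.kz/ 200
2023-06-12T08:17:44Z 10.0.0.21 POST https://mail.kz.example.net/verify 302
"""

def scan_proxy_log(text):
    """Yield (host, spoofed_domain, real_apex) for each request to a spoofing host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) >= 4 else None
        result = embedded_spoof(host) if host else None
        if result:
            hits.append((host, result[0], result[1]))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("spoof of %s served from apex %s: %s" % (hit[1], hit[2], hit[0]))
```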

Indicators of Compromise

  • [IP] – 168.100.8.21, 168.100.8.242 — used in hosting and monitoring activities
  • [IP] – 46.161.27.151, 46.161.40.164 — infrastructure hosting and payload delivery
  • [Domain/URL] – tpp.tj, akn.tj, kyrgyzkomur.gov.kg, mail.az-link.email — domains hosting lures/payloads
  • [URL] – tpp.tj/T/rat.php, 46.161.40.164/main.exe, 168.100.8.242/0075676763663A2F2F31302E3130302E3230302E32/index_files/Az.pdf — examples of hosted malware/lures
  • [Hash] – 8131bd594aff4f4e233ac802799df3422f423dc28e96646a09a2656563c4ad7c (Archives)
  • [Hash] – a3b1c3faa287f6ba2f307af954bb2503b787ae2cd59ec65e0bdd7a0595ea8c7e (Archives)
  • [LNK] – ed8c04a3e2d95d5ad8e2327a56d221715f06ed84eb9dc44ff86acff4076629d7
  • [HTA] – 9b81c5811ef3742cd4f45b6c3ba1ace70a0ce661acc42d974beaeddf307dd53d
  • [JS] – ab6a8718dffbe48fd8b3a74f4bcb241cde281acf9e378b0c2370a040e4d827da, a5d8924f7f285f907e7e394635f31564a371dd58fad8fc621bacd5a55ca5929b
  • [EXE] – 37c369f9a9cac898af2668b1287dea34c753119071a1c447b0bfecd171709340, 93829ee93688a31f90572316ecb21702eab04886c8899c0a59deda3b2f96c4be
  • [Archive] – 8131bd59… (see above); additional archive-related hashes listed in the report

Read more: https://blog.talosintelligence.com/attributing-yorotrooper/