"YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns"

During the past nine months, a previously unknown Russian-speaking threat actor has launched cyber espionage campaigns against government, energy, and international organizations in Azerbaijan, Kyrgyzstan, and Tajikistan, as well as in European nations. The campaigns involve various commodity and custom malware tools. Researchers from Cisco Talos have identified the group behind the campaigns as YoroTrooper. According to Cisco Talos, the YoroTrooper campaigns have been running since at least June 2022. The threat actor uses phishing as the initial attack vector and customizes the emails and attachments for each target organization, registering typosquatting or lookalike domains to make the messages appear legitimate. YoroTrooper has compromised Turkmenistan and Azerbaijan embassies and has stolen credentials from at least one European health care agency account. In its campaigns, the gang uses Remote Access Trojans (RATs) and information-stealing malware, as well as custom Python implants. Researchers have determined that YoroTrooper is a separate entity with its own operations, despite having some overlaps and connections with existing attack groups, such as the PoetRAT gang. This article continues to discuss researchers' findings and observations regarding the YoroTrooper group.
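The brief notes that the phishing relies on typosquatting or lookalike domains. The following is an added defensive example, not code from Cisco Talos or Decipher and not derived from any YoroTrooper infrastructure: a small mail-gateway check that flags sender domains whose registrable label is within a short edit distance of a trusted domain after common character substitutions (digit-for-letter, "rn" for "m") are normalized away. The trusted domains, the confusable map, and the sample sender list are all constructed for illustration.

```python
"""Flag e-mail sender domains that resemble, but are not, a trusted domain.

Added example for a mail-gateway or SIEM enrichment step. All domain names
below are constructed placeholders, not indicators from any real campaign.
"""

# Constructed list of domains the organization legitimately corresponds with.
TRUSTED_DOMAINS = ["example-ministry.gov", "example-energy.com"]

# Common visual substitutions seen in lookalike registrations; the map is an
# assumption for this example and is not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Lower-case a DNS label and fold confusable sequences to their look-alike."""
    s = label.lower()
    for seq, replacement in CONFUSABLES.items():
        s = s.replace(seq, replacement)
    return s


def registrable_label(domain: str) -> str:
    """Return the second-level label (the part an attacker typically mimics).

    This is a naive split that ignores multi-part public suffixes such as
    co.uk; a production check would use a public-suffix list.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,        # deletion
                               current[j - 1] + 1,     # insertion
                               previous[j - 1] + cost))  # substitution
        previous = current
    return previous[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unrelated'.

    A domain equal to, or a subdomain of, a trusted domain is trusted. Otherwise
    its normalized registrable label is compared with each trusted label; a
    small edit distance (including 0, which catches a bare TLD swap) is flagged.
    """
    d = domain.lower().strip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"
    label = normalize_label(registrable_label(d))
    for t in trusted:
        if levenshtein(label, normalize_label(registrable_label(t))) <= max_distance:
            return f"lookalike:{t}"
    return "unrelated"


def scan_senders(sender_domains) -> dict:
    """Classify every sender domain in a batch; returns {domain: verdict}."""
    return {s: classify_sender_domain(s) for s in sender_domains}


if __name__ == "__main__":
    # Constructed sample of sender domains as they might appear in gateway logs.
    sample = [
        "example-ministry.gov",        # exact trusted domain
        "mail.example-ministry.gov",   # legitimate subdomain
        "examp1e-ministry.gov",        # digit-for-letter substitution
        "example-rninistry.gov",       # "rn" standing in for "m"
        "example-ministry.co",         # same label, swapped TLD
        "exampleministry.gov",         # dropped hyphen
        "weather-service.net",         # unrelated sender
    ]
    for domain, verdict in scan_senders(sample).items():
        print(f"{domain:32} {verdict}")
```

Run on a batch of sender domains extracted from gateway logs, the function gives one of three verdicts per domain; lookalike verdicts are candidates for quarantine or analyst review rather than automatic action, since short labels can collide by chance. Tuning `max_distance` per trusted domain (tighter for short labels) is the usual first refinement.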

Decipher reports "YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns"
