YoroTrooper

Description

(Talos) Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.

YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.

Information stolen from successful compromises includes credentials from multiple applications, browser histories & cookies, system information and screenshots.

Names

Name | Name-Giver
YoroTrooper | Talos
Silent Lynx | Seqrite

Country

Motivation

  • Information theft and espionage

First Seen

2022

Observed Sectors

Observed Countries

Tools

Information

Other Information

Uuid

097d091b-0509-488b-b8e1-31b1fc8fa478

Last Card Change

2025-02-22