Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan, based on their use of Kazakh currency and fluency in Kazakh and Russian. The actor also appears to have a defensive interest in the website of the Kazakhstani state-owned email service and has rarely targeted Kazakh entities.

YoroTrooper attempts to obfuscate the origin of its operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region. YoroTrooper's targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023.

Our findings also indicate that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential-harvesting sites, an assessment that is in line with recent reporting from ESET.

Recent retooling efforts by YoroTrooper demonstrate a conscious effort to move away from commodity malware and rely increasingly on new custom malware written in several languages, including Python, PowerShell, GoLang and Rust.

YoroTrooper operators likely based in Kazakhstan

Talos assesses with high confidence that YoroTrooper operators are likely based in Kazakhstan, given their language preferences, their use of Kazakhstani currency and their very limited targeting of Kazakhstani entities, which has included only the government's Anti-Corruption Agency.

Our primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are of ..
