A group of cybercriminals known as YoroTrooper is made up of hackers of probable Kazakh origin.
The collective, first identified and catalogued by Cisco Talos, appears to be fluent in languages such as Kazakh and Russian, and it pays for the tools used during its campaigns.
According to security researchers Asheer Malhotra and Vitor Ventura, "YoroTrooper attempts to obfuscate the origin of its operations, employing various tactics to make its malicious activities appear to originate from Azerbaijan, such as using local VPN exit nodes in that region".
YoroTrooper members operate primarily in the former Soviet Union
First documented by the aforementioned cybersecurity firm in March 2023, the group is known to have been active since at least June 2022, with activities targeting several state entities in Commonwealth of Independent States (CIS) countries. The attack cycles carried out by YoroTrooper rely mainly on spear-phishing to distribute a mix of stealer malware and other malicious agents.
According to the researchers, "The practice of credential harvesting is complementary to YoroTrooper's malware-based operations with the ultimate goal being data theft". What makes the group even more fearsome is its chameleonic nature, characterized by a continuous renewal of its arsenal, moving from commercial malware to customized tools written in Python, PowerShell, Golang and Rust.
The research also showed that YoroTrooper uses cryptocurrencies, such as Bitcoin, to pay for the maintenance of its infrastructure. Although the collective's activities are currently concentrated on a specific geographical area, given its evolution it cannot be ruled out that its actions will soon become evident in the West as well.
Given the elusive nature of the group, cybersecurity experts continue to monitor the actions of these hackers with some concern.