Unmasking YoroTrooper: The Cyber Misfits from Kazakhstan Shaking Up the CIS World

Meet YoroTrooper, the new threat actor from Kazakhstan, with a penchant for attacking their own, especially the government’s Anti-Corruption Agency. Fluent in Kazakh and Russian, they’re experts in spear-phishing and credential harvesting. Don’t be fooled by their supposed Azerbaijan operations; YoroTrooper is as Kazakh as they come.

Hot Take:

Here comes another band of cyber misfits, YoroTrooper! And according to Cisco Talos, they’re not shy about their roots. From their fluency in Kazakh and Russian to the fact that they pay their internet bills in Tenge, it’s pretty clear they’re from Kazakhstan. But don’t let their love for their homeland fool you. They’re more than happy to target their own, especially the government’s Anti-Corruption Agency. Guess they don’t like to be told off for bad behavior. Oh, and they also try to throw us off their scent by pretending to operate from Azerbaijan. Nice try, YoroTrooper, but we’re onto you!

Key Points:

  • YoroTrooper is a new threat actor likely hailing from Kazakhstan.
  • They show a preference for attacking entities in the Commonwealth of Independent States (CIS).
  • Spear-phishing and credential harvesting are their preferred methods for causing chaos.
  • They’ve recently upgraded their toolkit from commodity malware to custom tools coded in Python, PowerShell, Golang, and Rust.
  • They’re constantly on the lookout for security vulnerabilities in mail[.]kz, a state-owned email service in Kazakhstan.

Need to know more?

The Russian Connection

YoroTrooper has been active since at least June 2022 and has a particular fondness for targeting state-owned entities in the CIS countries. They're tracked by ESET under the name SturgeonPhisher, so they're clearly making a name for themselves in the cybersecurity world. They love a good spear-phishing campaign and aren't above using credential harvesting to get their grubby hands on sensitive data.

Changing Tactics

With their activities now in the public eye, YoroTrooper has decided to change up its game. They've moved from using common malware to custom tools coded in several programming languages. They've also stepped up their surveillance on mail[.]kz, a state-owned email service, indicating they're always on the hunt for new ways to exploit vulnerabilities.

Money Talks

YoroTrooper likes to keep its operations local, even when it comes to finances. They regularly check the conversion rates between Tenge and Bitcoin and use alfachange[.]com to convert their earnings for infrastructure upkeep. They've also been known to use email accounts to purchase tools and services, including a NordVPN subscription and a VPS instance from netx[.]hosting.

Expanding Horizons

Since June 2023, YoroTrooper has been honing its skills and expanding its target list. They've started using vulnerability scanners and open-source data from search engines to infiltrate victim networks. Some of their recent targets include Tajikistan's Chamber of Commerce, the Drug Control Agency, and the Ministry of Energy of the Republic of Uzbekistan. They've also been experimenting with different types of delivery vehicles for their backdoors, so they're definitely not resting on their laurels.

Tags: data theft, Kazakh Cyber Attacks, Malware-Based Operations, Remote Access Trojan, Spear-phishing, SturgeonPhisher, YoroTrooper