A new threat actor named 'YoroTrooper' has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.
According to Cisco Talos, the threat actor has compromised accounts of a critical European Union agency engaged in healthcare, the World Intellectual Property Organization (WIPO), and various European embassies.
YoroTrooper's tools include a combination of commodity and custom information stealers, remote access trojans, and Python-based malware. The infection happens via phishing emails containing malicious LNK attachments and decoy PDF documents.
Cisco Talos reports having evidence of YoroTrooper exfiltrating large volumes of data from infected endpoints, including account credentials, cookies, and browsing histories.
While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, Cisco's analysts have enough indications to believe this is a new cluster of activity.
YoroTrooper is of unknown origin, and its sponsors or affiliations remain murky.
However, the espionage threat group's use of custom malware tools indicates they are skillful and knowledgeable threat actors.
#APT #Campaign #IoCs