YoroTrooper Threat Group Targets Commonwealth of Independent States Countries and Embassies

YoroTrooper is a newly discovered advanced persistent threat (APT) group that has been targeting government and energy organizations across Europe, with a particular focus on CIS countries and embassies. CIS stands for the Commonwealth of Independent States, which is a regional intergovernmental organization made up of former Soviet republics. The CIS was formed in 1991 after the collapse of the Soviet Union and currently consists of Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, and Uzbekistan.

YoroTrooper Tactics, Techniques, and Procedures (TTPs):

YoroTrooper uses a variety of tactics, techniques, and procedures (TTPs), including phishing emails with malicious attachments, Python-based information stealers, and commodity malware like AveMaria/Warzone RAT, LodaRAT, and Meterpreter.

Open-Source Information Stealers

An open-source information stealer is a type of malware that is built using publicly available source code and used to create malware that is freely available for anyone to view, use, and modify. This makes it easier for threat actors to create custom malware tailored to their specific needs. Open-source information stealers are typically designed to collect sensitive information from infected systems, such as login credentials, browser history, and system information.

The fact that YoroTrooper’s arsenal includes open-source information stealers is important to understand because it provides insights into the group’s capabilities and tactics. By analyzing the code used in these open-source information stealers, researchers gain a better understanding of how the malware works and what types of data it is designed to steal. This can help researchers identify patterns and similarities across different campaigns, and potentially link different attacks to the same threat actor.

Additionally, the use of open-source information stealers highlights the broader trend of cybercriminals leveraging publicly available tools and resources to conduct attacks. This trend makes it easier for threat actors to enter the cybercrime ecosystem, as they do not need to develop their own malware from scratch, and can instead modify existing code to suit their needs.

Commodity Malware

AveMaria, Warzone RAT, LodaRAT, and Meterpreter are all Remote Access Trojan (RAT) tools used by threat actors for various malicious purposes. These RATs are designed to give an attacker remote access and control over a compromised system, allowing them to steal data, perform surveillance, or carry out other malicious activities.

These RAT tools share common features that make them dangerous tools for attackers; they can be used to execute commands remotely, capture keystrokes, take screenshots, steal files, and persist on the system. By executing commands remotely, the attacker can gain complete control over the compromised device. Capturing keystrokes enables attackers to steal sensitive information, such as passwords. Taking screenshots allows attackers to monitor the user’s activity. Stealing files provides attackers access to sensitive data. These RATs can also persist on the compromised system, making it difficult for the victim to remove them even after a reboot. Using commodity malware allows threat actors like YoroTrooper to leverage pre-existing tools and infrastructure to conduct their attacks.

Commodity malware is readily available on the dark web and can be purchased or downloaded for free by threat actors with minimal technical skills. This allows threat actors to quickly and easily build a cyberattack capability without investing the time and resources required to create their own custom malware.

In addition, the use of commodity malware can make it more difficult for defenders to detect and respond to attacks. Since these tools are widely available and used by many different threat actors, their use may not be indicative of a specific actor or campaign, making it harder for defenders to attribute an attack to a particular threat actor or group.

YoroTrooper and PoetRAT

According to Cisco’s Talos researchers who uncovered the group, YoroTrooper’s attacks began at least as early as June 2022, and the group has been consistently introducing new malware into their infection chains over the course of their campaign. The researchers also noted similarities in TTPs and victimology between YoroTrooper and another APT group called PoetRAT.

Both the PoetRAT and YoroTrooper attacks are examples of advanced persistent threats (APTs) that target government and utility companies using various TTPs to gain access to sensitive data. These attacks involve the use of various types of malware, including open-source information stealers and commodity RATs such as AveMaria, Warzone RAT, LodaRAT, and Meterpreter.

These RATs share similar functionality, including the ability to execute remote commands, capture keystrokes, take screenshots, steal files, and persist on the system, allowing attackers to gain complete control over the victim’s system. Similarly, both attacks used phishing emails as a means of delivering the malware to the victim’s system.

The PoetRAT attack targeted the Azerbaijan government and utility companies, with the malicious code designed to infect supervisory control and data acquisition (SCADA) systems, widely used in the energy and manufacturing industries. The YoroTrooper attack, on the other hand, targeted government and energy organizations across Europe, with a particular focus on CIS countries and embassies.

In both attacks, the attackers used a range of TTPs to evade detection, including the use of URLs that mimic legitimate domains, weaponized Microsoft Word documents, and sandbox evasion techniques. The use of open-source information stealers in the YoroTrooper attack highlights the broader trend of cybercriminals leveraging publicly available tools and resources to conduct attacks, making it easier for them to enter the cybercrime ecosystem.


Although the researchers did not definitively attribute YoroTrooper to any specific nation-state or actor, some evidence collected suggests that the group may be Russian speaking. The group’s arsenal and evolving TTPs demonstrate an increasing level of sophistication and effort on the part of the threat actor.

For more updates on emerging threats, follow Critical Start’s Cyber Threat Intelligence (CTI) Threat Research page, and the Critical Start Intelligence Hub

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar