YoroTrooper

YoroTrooper is an espionage-focused threat actor identified by Cisco Talos, active since at least June 2022. Reporting in the provided content describes the group as likely Kazakhstan-affiliated and notes aliases/overlapping clusters including Silent Lynx, Cavalry Werewolf, SturgeonPhisher, Comrade Saiga, ShadowSilk, and Tomiris. BI.ZONE states Cavalry Werewolf overlaps with YoroTrooper and that ties to Tomiris support a Kazakhstan-affiliation hypothesis; Microsoft previously attributed Tomiris to a Kazakhstan-based actor tracked as Storm-0473. Cisco Talos separately assessed the operators are likely Russian-language speakers based on Cyrillic snippets and CP866 handling. The group has targeted government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan, and other CIS/Eurasian Economic Union member states. Additional victims mentioned in the content include Russian state agencies and Russia’s energy, mining, and manufacturing sectors, a critical European Union health care agency, the World Intellectual Property Organization (WIPO), European embassies including those tied to Azerbaijan and Turkmenistan, and likely other organizations across Europe and Turkish government agencies. Observed initial access relies heavily on targeted phishing. Talos reported phishing emails delivering archives containing malicious LNK shortcut files, often alongside decoy PDFs; the LNKs invoked mshta.exe to fetch remote HTA content, followed by PowerShell-based download-and-execute chains. The content also states YoroTrooper used PDF lures, phishing pages, cloud-based file-sharing services hosting malware, typosquatted domains impersonating CIS and EU entities, and in some Russia-focused activity VHDX-based distribution and direct curl-based downloads. BI.ZONE reported May-August 2025 phishing emails impersonating Kyrgyz government officials, including at least one case using a compromised legitimate Kyrgyz regulatory authority email account, to deliver RAR archives installing FoalShell or StallionRAT. Tooling described in the content includes custom Python implants and commodity malware such as AveMaria/Warzone RAT, LodaRAT, Meterpreter, the open-source Stink stealer, Python reverse shells, Meterpreter reverse shells, and a custom C-based keylogger. Python malware was packaged with Nuitka and PyInstaller. Talos reported use of Telegram bots for command-and-control and exfiltration, and Discord and Telegram were also cited as C2 channels. BI.ZONE attributed FoalShell and StallionRAT to overlapping activity: FoalShell is a lightweight reverse shell seen in Go, C++, and C# variants that executes arbitrary commands via cmd.exe; StallionRAT, written in Go, PowerShell, and Python, supports arbitrary command execution, loading additional files, and exfiltration via a Telegram bot, with commands such as /list, /go, and /upload. ReverseSocks5Agent and ReverseSocks5 were also executed on compromised hosts. The actor’s objectives in the provided reporting are consistent with cyber espionage. Talos reported theft of application credentials, browser histories and cookies, system information, screenshots, and documents of interest, including follow-on deployment of additional malware in embassy environments. The broader reporting explicitly characterizes current activity associated with YoroTrooper as espionage rather than destructive operations. Talos noted victimology and TTP similarities with PoetRAT but stated evidence was insufficient for a confident linkage.