26 October 2023

Kazakhstan-linked YoroTrooper cyber spies target CIS countries


Cisco’s Talos threat intelligence team released a report detailing a cyber espionage group called “YoroTrooper” that has been targeting multiple state-owned websites and accounts belonging to government officials in Commonwealth of Independent States (CIS) countries.

Active since 2022, the threat actor appears to be based in Kazakhstan. Notably, the group displays a strong familiarity with both the Kazakh and Russian languages, both of which are official languages of Kazakhstan. The group’s limited focus on targets in the country (which only included the government’s Anti-Corruption Agency) further supports this assessment.

In some instances, YoroTrooper was observed employing the Uzbek language, another popular language in Kazakhstan, in their operations.

“While this may be an attempt at generating false flags to masquerade as an Uzbek adversary, it is highly likely that YoroTrooper operators are simply well-versed in Kazakh, Russian and Uzbek languages,” the researchers said.

Most of YoroTrooper’s attacks start with phishing emails and deploy custom-made malware that allows the group to steal data and credentials.

The group has been observed employing various tactics to conceal the origin of its operations, including hosting a majority of its infrastructure in Azerbaijan to appear as if the threat actor is located in this country.

Moreover, the threat actor has demonstrated a keen interest in assessing the security posture of the Kazakhstani state-owned email service, mail[.]kz. The group regularly conducts security scans of the service; however, it has not been seen creating look-alike domains or credential-harvesting pages targeting the service, which is a common technique among malicious actors seeking to compromise online services and their users.

The targeting of CIS countries suggests that YoroTrooper may be motivated by Kazakh state interests or could be acting under the direction of the Kazakh government. It is also possible, however, that the threat actor is simply pursuing financial interests, such as stealing and selling sensitive government data.

Over recent months, YoroTrooper has evolved its tactics. In particular, the group has moved away from using commodity malware and is increasingly relying on new custom tools written in various programming languages such as Python, PowerShell, Go, and Rust.

The researchers observed the threat actor constantly attempting to buy new tools, such as VPN connections. It also relies on vulnerability scanners, such as Acunetix, and open-source data, such as the information available on Shodan, to locate and infiltrate the public-facing servers of its targets.
