Threat actor YoroTrooper has compromised accounts at critical EU healthcare institutions, several embassies and the World Intellectual Property Organization (WIPO).
A report from Cisco Talos (via BleepingComputer) reveals that large amounts of data, including login credentials, browser cookies and browsing history, have been stolen from a number of infected endpoints.
These include endpoints belonging to government agencies and energy companies in countries of the Commonwealth of Independent States (CIS) in Eurasia.
YoroTrooper’s unique threat activity
While BleepingComputer notes that YoroTrooper previously distributed known commodity malware such as PoetRAT and LodaRAT, Cisco believes the group has moved on to writing its own Remote Access Trojans (RATs) in Python.
In the summer of 2022, Belarusian organizations were targeted with malicious PDF files sent from email domains posing as Belarusian or Russian organizations. In September of that year, YoroTrooper registered typosquatting domains designed to resemble those of Russian government agencies as closely as possible.
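Look-alike domains of the kind described above are cheap to register but also cheap to catch. The script below is an added example written for this article, not code from Cisco Talos or from the report; it folds common homoglyph substitutions (0 for o, 1 for l, rn for m), then compares the registrable part of each candidate domain against a defender's list of legitimate domains by edit distance, and separately flags candidates that embed a legitimate name as a hyphenated prefix or as a subdomain. The domain names under `LEGIT_DOMAINS` and `CANDIDATES` are constructed placeholders, not domains from the report.

```python
"""Flag look-alike (typosquatting) domains against a list of legitimate domains,
as a defender would when reviewing mail-gateway sender domains or DNS logs.
Added example; sample domains below are constructed placeholders."""

# Characters attackers swap for visually similar ones. Folding them makes
# "g0v" and "gov" compare equal before the edit distance is computed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, fold homoglyphs, collapse 'rn' -> 'm' and 'vv' -> 'w'.
    The rn/vv folds can over-fold real words (modern -> modem); that is accepted
    because a false positive here only means a human looks at the domain."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels ('mail.agency.example' -> 'agency.example').
    Assumption: two-label public suffixes such as co.uk are not handled here."""
    return ".".join(domain.split(".")[-2:])


def flag_typosquats(candidates, legit_domains, max_distance=2):
    """Return (candidate, matched_legit, reason) for each suspicious candidate.
    Exact matches on the real registrable domain are skipped; everything else is
    compared after homoglyph folding, so 'ag3ncy.example' is distance 0 from
    'agency.example' and still gets flagged."""
    legit_raw = {registrable(d.lower().rstrip(".")) for d in legit_domains}
    legit_norm = {registrable(normalize(d)): d for d in legit_domains}
    hits = []
    for cand in candidates:
        cand_norm = normalize(cand)
        cand_reg = registrable(cand_norm)
        if registrable(cand.lower().rstrip(".")) in legit_raw:
            continue  # the genuine domain, not a look-alike
        for norm_legit, legit in legit_norm.items():
            dist = levenshtein(cand_reg, norm_legit)
            sld = norm_legit.split(".")[0]
            if dist <= max_distance:
                hits.append((cand, legit, f"edit distance {dist} after homoglyph folding"))
                break
            if norm_legit in cand_norm:
                hits.append((cand, legit, "legitimate domain embedded as subdomain or prefix"))
                break
            if sld in cand_reg.split(".")[0].split("-"):
                hits.append((cand, legit, "legitimate label embedded with hyphen"))
                break
    return hits


# Constructed sample data: a defender's allowlist and some observed sender domains.
LEGIT_DOMAINS = ["agency.example", "ministry.example"]
CANDIDATES = [
    "agency.example",                  # genuine
    "agemcy.example",                  # one-character typo
    "ag3ncy.example",                  # homoglyph substitution
    "agency-login.example",            # legitimate label plus hyphenated lure
    "ministry.example.evil.example",   # legitimate domain used as a subdomain
    "unrelated.example",               # benign
]

if __name__ == "__main__":
    for cand, legit, reason in flag_typosquats(CANDIDATES, LEGIT_DOMAINS):
        print(f"{cand:32} looks like {legit:18} ({reason})")
```

Run against real mail logs, the candidate list would be the sender domains seen by the gateway and the legitimate list the organizations a user actually corresponds with; the edit-distance threshold of 2 is a starting point, not a tuned value.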
This approach depends on YoroTrooper's phishing emails looking as legitimate as possible, especially since the latest lure relies on malicious RAR and ZIP attachments aimed at harvesting national-security information across the region.
By 2023 the group's tooling had matured further. In January it began deploying an infostealer script that pulls credentials from Chromium-based browsers, and by February it had already moved to a new modular tool called "Stink."
Besides Chromium browser data and basic system information, the new tool also steals data from the FTP client FileZilla and the messaging apps Discord and Telegram.
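The stores named above (Chromium login and cookie databases, FileZilla's saved-site files, Discord's local storage and Telegram's tdata folder) are normally opened only by the applications that own them, which gives defenders a simple hunt: any other process reading them is worth a look. The script below is an added example, not code from Cisco Talos or from the report. It parses constructed file-access events in a key=value format, maps each path to one of these stores using their commonly documented default locations, and flags accesses by a process outside an example allowlist; the process name `updater.exe` and the log lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Hunt for processes other than the owning application reading the credential
and session stores an infostealer of this class targets. Added example; the
log lines below are constructed, not from a real incident."""
import re
from dataclasses import dataclass

# Path fragments (lower-case, forward slashes) identifying each store, with the
# process images expected to open them. Locations are the commonly documented
# defaults; the allowlists are an example a team would extend for its estate.
ARTIFACTS = {
    "chromium_logins": (("/user data/default/login data",), {"chrome.exe", "msedge.exe", "brave.exe"}),
    "chromium_cookies": (("/user data/default/cookies", "/user data/default/network/cookies"),
                         {"chrome.exe", "msedge.exe", "brave.exe"}),
    "filezilla": (("/filezilla/sitemanager.xml", "/filezilla/recentservers.xml"), {"filezilla.exe"}),
    "discord": (("/discord/local storage/leveldb",), {"discord.exe"}),
    "telegram": (("/telegram desktop/tdata",), {"telegram.exe"}),
}

# key=value pairs; quoted values may contain spaces (Windows paths usually do).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Hit:
    timestamp: str
    host: str
    image: str
    artifact: str
    path: str


def norm(path: str) -> str:
    """Lower-case and use forward slashes so fragment matching is separator-agnostic."""
    return path.replace("\\", "/").lower()


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}


def classify_path(path: str):
    """Return the artifact name a file path belongs to, or None if it is not a known store."""
    p = norm(path)
    for name, (fragments, _) in ARTIFACTS.items():
        if any(frag in p for frag in fragments):
            return name
    return None


def hunt(lines):
    """Return a Hit for every access to a credential store by a process not on its allowlist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if "path" not in ev or "image" not in ev:
            continue
        artifact = classify_path(ev["path"])
        if artifact is None:
            continue
        image_name = norm(ev["image"]).rsplit("/", 1)[-1]
        if image_name in ARTIFACTS[artifact][1]:
            continue  # the owning application reading its own store
        hits.append(Hit(ev.get("ts", "?"), ev.get("host", "?"), ev["image"], artifact, ev["path"]))
    return hits


# Constructed sample events: one benign browser read, one benign Discord read,
# three reads by a hypothetical dropped binary, and one unrelated write.
SAMPLE_LOG = [
    'ts=2023-03-01T09:58:11Z host=WS01 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'path="C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" op=read',
    'ts=2023-03-01T10:00:02Z host=WS01 image="C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe" '
    'path="C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" op=read',
    'ts=2023-03-01T10:00:03Z host=WS01 image="C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe" '
    'path="C:\\Users\\a\\AppData\\Roaming\\FileZilla\\sitemanager.xml" op=read',
    'ts=2023-03-01T10:00:04Z host=WS01 image="C:\\Users\\a\\AppData\\Local\\Discord\\Discord.exe" '
    'path="C:\\Users\\a\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000003.log" op=read',
    'ts=2023-03-01T10:00:05Z host=WS01 image="C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe" '
    'path="C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\map0" op=read',
    'ts=2023-03-01T10:00:06Z host=WS01 image="C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe" '
    'path="C:\\Users\\a\\Documents\\report.docx" op=write',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.timestamp} {h.host} {h.artifact:16} {h.image} -> {h.path}")
```

Matching on path fragments rather than exact paths means the same rule covers every user profile and every Chromium-based browser that keeps the standard `User Data\Default` layout; the trade-off is that a legitimate backup agent will also trip it until it is added to the allowlist.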
YoroTrooper’s motives, resources, and backers are currently unknown, but the move to custom tools could prove to be a worrying development for the corporate world.