YoroTrooper Stealing Credentials and Information from Government and Energy Organizations


A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022.

"Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a Tuesday analysis.

  • Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.
  • YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.
  • Information stolen from successful compromises include credentials from multiple applications, browser histories & cookies, system information and screenshots.
  • YoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.
  • The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations.
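A defender-side triage check for the delivery stage described in the last bullet, as an added example that is not part of the original thread or of the Talos report: it lists shortcut files inside an archive by their Shell Link header rather than by extension alone, and notes any document-like members shipped alongside them. ZIP as the archive format, the decoy extension list, and the function and sample file names are assumptions made for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx")  # assumed list


def triage_archive(data: bytes) -> dict:
    """Report shortcut and decoy-looking members of a ZIP given as bytes."""
    report = {"shortcuts": [], "decoys": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            try:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except RuntimeError:  # encrypted member: fall back to the name only
                head = b""
            by_magic = head == LNK_MAGIC
            if by_magic or name.lower().endswith(".lnk"):
                report["shortcuts"].append(
                    {"name": name, "by_magic": by_magic,
                     "disguised": not name.lower().endswith(".lnk")})
            elif name.lower().endswith(DECOY_EXTS):
                report["decoys"].append(name)
    report["suspicious"] = bool(report["shortcuts"])
    return report


def build_sample() -> bytes:
    """Constructed sample: two header-only fake shortcuts and a dummy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
        zf.writestr("decoy.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```

A mail gateway or sandbox pre-filter can call `triage_archive` on each attachment and quarantine anything where `suspicious` is true; a shortcut with `disguised` set deserves closer inspection because its extension does not match its content.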


A newly identified threat actor has been observed targeting government and energy organizations in the Commonwealth of Independent States (CIS) region for espionage and data theft, Cisco warns.

Dubbed YoroTrooper, the group has been active since at least June 2022, mainly hitting governments across Eastern Europe, but was also seen compromising accounts at a European Union healthcare agency and the World Intellectual Property Organization (WIPO).

Believed to consist of Russian-speaking individuals, the group successfully compromised organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and other CIS countries, and is believed to be also targeting other entities in Europe, as well as Turkish government agencies.
