{
	"id": "1cd153a2-f771-4801-b9b4-5fb674c04a43",
	"created_at": "2026-04-06T00:17:16.492338Z",
	"updated_at": "2026-04-10T03:25:25.321682Z",
	"deleted_at": null,
	"sha1_hash": "17ec872ca374ca2d0b51255ff10c0bf6b602fd4f",
	"title": "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2090118,
	"plain_text": "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan\r\nBy Asheer Malhotra\r\nPublished: 2023-10-25 · Archived: 2026-04-05 15:17:53 UTC\r\nCisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan, based on their use of Kazakh currency and their fluency in Kazakh and Russian. The actor also appears to have a defensive interest in the website of the Kazakhstani state-owned email service and has rarely targeted Kazakh entities.\r\nYoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make their malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region.\r\nYoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023.\r\nOur findings also indicate that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites, an assessment that is in line with recent reporting from ESET.\r\nRecent retooling efforts by YoroTrooper demonstrate a conscious effort to move away from commodity malware and increasingly rely on new custom malware written in different languages such as Python, PowerShell, Golang and Rust.\r\nYoroTrooper operators likely based in Kazakhstan\r\nTalos assesses with high confidence that YoroTrooper operators are likely based in Kazakhstan, based on their language preferences, their use of Kazakhstani currency and their very limited targeting of Kazakhstani entities, which only included the government’s Anti-Corruption Agency. 
\r\nOur primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are official languages of Kazakhstan. YoroTrooper frequently visits websites written in Kazakh and has used Russian in debugging and logging messages in their custom Python remote access trojans (RATs). For example, we have seen phrases such as “Сохраняю в {save_dir}” or “Файл загружен!\\nИмя”, which translate to “Saving to {save_dir}” and “File uploaded!\\nName” respectively, and the RAT decodes the output of the commands it runs using CP866, the DOS-era Cyrillic code page that a Russian-locale Windows console uses by default.\r\nStarting in June 2023, we saw this actor using Uzbek in their implants, another popular language in Kazakhstan, enabling us to narrow down their country of origin. While this may be an attempt at generating false flags to masquerade as an Uzbek adversary, it is highly likely that YoroTrooper operators are simply well-versed in Kazakh, Russian and Uzbek.\r\nA second observation that supports our assessment of YoroTrooper’s strong ties to Kazakhstan is the involvement of Kazakhstani currency in their operations. The threat actor primarily relies on cryptocurrency to pay for operating infrastructure such as domains and servers for hosting their lures, payloads and decoys, and regularly checks on Google for the conversion rate between the Kazakhstani Tenge (KZT), Kazakhstan’s official currency, and Bitcoin (BTC).\r\nhttps://blog.talosintelligence.com/attributing-yorotrooper/\r\nPage 1 of 12\r\nThe threat actor also uses online exchanges, such as alfachange[.]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards.\r\nTalos’ research found that YoroTrooper has a special defensive interest in repeatedly evaluating the security posture of the website of the Kazakhstani state-owned email service, mail[.]kz. YoroTrooper regularly conducts security scans of mail[.]kz but has never registered any look-alike domains or created credential harvesting pages spoofing the site, tactics the threat actor commonly uses when attempting to target an online service or its users. Bookmarks pertaining to the evaluation of mail[.]kz’s security posture were saved in a browser used by YoroTrooper, indicating that the threat actor frequently visits these links to monitor the website for potential security vulnerabilities.\r\nThis monitoring activity indicates that YoroTrooper values mail[.]kz, as they have conducted similar security scanning of their own malicious infrastructure to verify that it is not vulnerable to exploitation. For example, YoroTrooper queried the IP address 168[.]100[.]8[.]242 on Shodan; on July 11, 2022 this address hosted the domain mail[.]asco[.]az-link[.]email, which YoroTrooper used to target entities in Azerbaijan in November 2022.\r\nYoroTrooper checking one of their own IP addresses in Shodan.\r\nFinally, Talos’ analysis of YoroTrooper’s victimology found that the only institution targeted in Kazakhstan was the government’s Anti-Corruption Agency. 
YoroTrooper facilitated this attack by creating a malicious subdomain, mail[.]antikor[.]gov[.]kz[.]openingfile[.]net, that spoofed the legitimate government domain antikor[.]gov[.]kz.\r\nThreat actor attempts to masquerade as Azerbaijani\r\nWe assess with high confidence that YoroTrooper made numerous efforts to disguise their origin by hosting a majority of their infrastructure in Azerbaijan while also targeting institutions in Azerbaijan, using malicious sub-domains such as:\r\nmail[.]economy[.]qov[.]az-link[.]email\r\nmail[.]gov[.]az-link[.]email\r\nmail[.]mfa[.]az-link[.]email\r\nYoroTrooper employs numerous tactics to obfuscate the origin of their activity, attempting to appear as if they are located in Azerbaijan. We observed that most of YoroTrooper’s operations are routed via Azerbaijan, though notably, the threat actor does not appear to speak the Azerbaijani language. Intelligence obtained by Talos indicates the adversary regularly translates information from Azerbaijani to Russian, the second official language of Kazakhstan.\r\nYoroTrooper using Google Translate to convert text from Azerbaijani to Russian for an account verification message.\r\nFurthermore, the operator drafts lures in Russian and then translates them to Azerbaijani for use in their phishing attacks.\r\nYoroTrooper makes an effort to have their operations appear as if they originate from Azerbaijan, looking to use VPN exit nodes in the country.\r\nFinally, we have also seen the threat actor searching for random contact information for Azerbaijani individuals, likely to use when setting up their infrastructure and tools.\r\nTargeting activity focuses on prominent government officials and organizations in CIS countries\r\nYoroTrooper modified and expanded their tactics, techniques and procedures (TTPs) after Talos’ seminal disclosure on this threat actor in March 2023, and continued their targeting efforts against Commonwealth of Independent States (CIS) countries with these new TTPs starting in June 2023. Some of these tactics included:\r\nPorting their Python-based implant to PowerShell.\r\nIncreasingly adopting the use of custom implants and abandoning previously used commodity malware.\r\nYoroTrooper’s targeting of government entities in these countries may indicate the operators are motivated by Kazakh state interests or working under the direction of the Kazakh government. It is also possible, however, that the actors are simply motivated by financial gain achieved by selling restricted state information. Talos is pursuing further research on YoroTrooper’s intelligence collection goals to ascertain the group’s potential state sponsorship.\r\nA number of prominent and successful YoroTrooper intrusions took place in recent months, beginning in June 2023 when the adversary compromised a Tajik national. Although we could not determine the identity of the victim, Talos assesses that the victim is associated with the Tajik government, based on the nature of the data that YoroTrooper exfiltrated from them, which amounted to 165MB of documents. Many of these documents consisted of government certificates and affidavits, appearing to belong to someone who has visibility into government personnel management and welfare.\r\nYoroTrooper consistently relies on vulnerability scanners such as Acunetix and open-source data from search engines such as Shodan to locate and infiltrate a target’s infrastructure. This exercise turned out to be extremely fruitful for YoroTrooper, who from May to July 2023 successfully compromised three state-owned Tajik and Kyrgyz websites and hosted malware payloads on them, with some malware still being hosted as of September 2023. 
The first website compromised, in May 2023, was tpp[.]tj, which is managed by the Chamber of Commerce and Industry of the Republic of Tajikistan.\r\nSubsequently, in July, YoroTrooper compromised and hosted malware on akn[.]tj, another state-owned website, belonging to the Drug Control Agency under the President of the Republic of Tajikistan, as well as kyrgyzkomur[.]gov[.]kg, which belongs to Kyrgyzstan's state-owned coal enterprise. YoroTrooper also compromised a user from the Ministry of Transport and Roads of the Kyrgyz Republic, successfully harvesting some browser credentials from the user.\r\nYoroTrooper began its campaign to target Uzbek government entities as early as January 2023. About eight months of aggressive attack attempts yielded success in August 2023, when YoroTrooper successfully compromised a high-ranking official from the Uzbek Ministry of Energy. While Talos confirmed the compromise, we could not determine what data was stolen from this individual.\r\nThe following timeline provides an updated view and details of the various geographies targeted since June 2023.\r\nTimeframe / Targeted geography / Salient TTPs\r\nSeptember 2023 / Tajikistan:\r\n• Used an agreement statement between Bulgaria and Tajikistan as a lure.\r\n• Reused the compromised Tajik Chamber of Commerce and Industry website to host malware.\r\n• Deployed PowerShell-based implants and used Telegram APIs.\r\nAugust 2023 / Kyrgyzstan:\r\n• Used a Kyrgyz Ministry of Transport circular as a lure/decoy document.\r\n• Used attacker-owned infrastructure to host malware.\r\n• Targeted and compromised an Uzbek Ministry of Energy senior official.\r\n• Reused custom-built reverse shell EXEs first seen in June 2023.\r\n• Reused a PyInstaller-wrapped, Python-based Google Chrome credential stealer that was first seen in January 2023, though this version did not include an upload capability.\r\nJuly 2023 / Tajikistan and Kyrgyzstan:\r\n• Tajik Drug Control Agency’s website, akn[.]tj, compromised to host payloads.\r\n• Kyrgyz state-owned coal enterprise KyrgyzKomur’s website, kyrgyzkomur[.]gov[.]kg, compromised and used to host malware.\r\nJune 2023 / Tajikistan:\r\n• Tajik Ministry of Foreign Affairs targeted using the following lure: a publication from the International Atomic Energy Agency (IAEA) and OECD Nuclear Energy Agency (NEA) on Uranium: Resources, Production and Demand.\r\n• Used the compromised Tajik Chamber of Commerce and Industry website to host malware.\r\n• First instance of deploying custom-built reverse shell EXEs.\r\n• Python implants ported to PowerShell and used Telegram APIs.\r\nYoroTrooper relies heavily on learning-on-the-go to carry on their malicious activities. We’ve observed the operator constantly attempting to buy new tools, such as VPN connections. 
Our research also indicated that the group actively relies on vulnerability scanners, such as Acunetix, and open-source data, such as the information available on Shodan, to locate and infiltrate the public-facing servers of their targets.\r\nReconnaissance\r\nYoroTrooper frequently conducts open-source searches of infrastructure they are interested in targeting, using search engines such as Google, Shodan and Censys to find vulnerabilities and leakages in a target's infrastructure. This research includes searching for vulnerable PHP-based servers and identifying content management systems (CMS) to find open directories.\r\nTalos identified a number of operational email accounts and other infrastructure used by YoroTrooper to facilitate their operations. YoroTrooper primarily uses the email address “anadozz[at]tuta[.]io” to register and purchase tools and services such as VPN accounts. For example, in 2022, the actors used this email address to obtain a subscription to NordVPN, valid from 2022 to 2025, from darkstore[.]su.\r\nYoroTrooper has also extensively used and maintained access to two other email addresses, “n.ayyubov[at]mail[.]ru” and “danyjackson120293[at]proton[.]me”, via their remote machines. It is unclear if these email addresses actually belong to the operators or are just compromised accounts being leveraged by YoroTrooper.\r\nA couple of months before purchasing the NordVPN account, YoroTrooper configured and purchased a VPS instance from netx[.]hosting for $16 USD a month. This is likely another remote machine that the threat actor used to expand their malicious operations.\r\nTalos also found that YoroTrooper accesses their malicious infrastructure several times over the course of their campaigns in order to upload malware and access URLs hosted on their servers, such as:\r\nhxxps[://]e[.]mail[.]az-link[.]email/public/security/files/login[.]php?email=1\r\nhxxp[://]206[.]166[.]251[.]146/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_\r\nhxxps[://]mail[.]asco[.]az-link[.]email/Login[.]aspx\r\nhxxps[://]auth[.]mail-ru[.]link/public_html/home/files/login[.]php?email=1\r\nPhishing\r\nYoroTrooper regularly sends spearphishing messages to victims that direct them to attacker-controlled pages designed to harvest the target’s credentials. The operators collect and deploy phishing pages on servers specific to a target country. Some of the malicious credential-harvesting pages found on YoroTrooper’s VPS systems were:\r\nC[:/]Users/Professional/Desktop/DESSKTOP/1/mail[.]ady[.]az[.]logiin[.]email/index[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/remote[.]mfa[.]gov[.]az/logon[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/BackUp%20site/ru[.]auth[.]logiin[.]email/public/security/index[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/sample_mailru_trap.html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Desktop/AZ%20mail%20box%20-%20Copy[.]html\r\nD[:/]135%20%D0%9C%D0%97%D0%AB/mail[.]socar[.]az[.]logiin[.]email/owa/auth/logon[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/mfa%20send%20box/mfaRC[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/remote[.]mfa[.]gov[.]az/logon[.]html#form_title_text\r\nC[:/]Users/Professional/Desktop/DESSKTOP/beeline_send1%20-%20Copy[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/mincom-caa[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/RoundtoMail[.]ru[.]html\r\nC[:/]Users/Professional/Desktop/DESSKTOP/BackUp%20site/mail[.]mincom[.]gov-az[.]site/owa/auth/logon[.]html\r\nThe practice of credential harvesting runs complementary to YoroTrooper’s malware-based operations, with the end goal being data theft. The vast majority of YoroTrooper malware analyzed by Talos belongs to different families of information stealers.\r\nAfter Talos released our report on YoroTrooper earlier this year, we have seen the operators make slight adjustments to their infection chains. 
The infection mechanisms have become more modular, with:\r\nNew intermediate steps and scripts added.\r\nNew decoys/lures introduced, seemingly to target additional victims.\r\nAdjustments to the final implants that are deployed, so that they are one of two kinds: either their custom-made PowerShell scripts used for file exfiltration to Telegram channels, or Windows executables consisting of commodity malware or custom-made reverse shells.\r\nWhile many of their mechanisms and implants have seen slight variation, Talos assesses with high confidence that YoroTrooper is changing their final malware implants and looking to develop and adopt new malware families into their arsenal.\r\nAs part of their retooling exercise, YoroTrooper has also ported their custom-built Python implants, which were previously packaged into executables using frameworks such as Nuitka and PyInstaller, to PowerShell scripts that are now run directly from the central HTA script.\r\nThe new infection chain is outlined in the graphic below.\r\nCustom-built reverse shell\r\nYoroTrooper has started using a simple, custom-built, Windows executable-based interactive reverse shell to run commands on infected endpoints via cmd[.]exe.\r\nPython-based RAT now ported to PowerShell\r\nSince February 2023, YoroTrooper has ported their Python-based RAT to PowerShell. This is likely an attempt to reduce the footprint of the malware on infected systems: a Python-based RAT packaged into an EXE using PyInstaller or Nuitka usually results in a binary of a few megabytes, whereas the same code in PowerShell is only a few kilobytes and runs natively on the system. The core functionality remains the same, with the RAT taking commands and exfiltrating data to Telegram-based C2s.\r\nPython-based RAT (left) vs. the ported PowerShell code (right).\r\nExpansion of malware arsenal\r\nIn July 2023, YoroTrooper began experimenting with multiple types of delivery vehicles for their implants and adopting other malware families into their arsenal.\r\nOne such example is a Windows executable that is designed to work in lieu of the entire LNK- and HTA-based infection chain previously used by the actors. This executable is a PyInstaller-wrapped binary whose Python code will:\r\nDownload an implant from the attacker-controlled server and run it.\r\nDownload a decoy document from a legitimate CIS government website and open/display it.\r\nWe found one sample from July 2023 that downloads and displays a decoy document from the KyrgyzKomur website, which belongs to the coal division within the Kyrgyz Ministry of Energy. This document is a memo on a transportation agreement between the Republic of Bulgaria and Tajikistan. The sample consists of a mere 13 lines of Python code packed into a 6MB PyInstaller binary.\r\nThe malware payload downloaded is the Python-based RAT that YoroTrooper has used for quite some time now, and is the same RAT that was recently ported by the actors to PowerShell.\r\nRust and Golang-based implants\r\nAs recently as September 2023, YoroTrooper began using a Rust-based implant that opens an interactive reverse shell via the command:\r\ncmd.exe /d /c \u003ccommand_from_C2\u003e\r\nTheir Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication. 
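The Telegram-based C2 loop described above (an implant polling a bot for operator commands and uploading files to a channel) leaves a recognisable trace in egress logs. The following Python script is an added example written for this page, not Talos code and not the actor’s implant. It assumes the implants use the public Bot API endpoint of the form https://api.telegram.org/bot<token>/<method>, which the post does not spell out, and it runs over a handful of constructed proxy log lines in a key=value format invented for the example. It extracts the bot token (the indicator to report to Telegram), classifies each call as command polling (getUpdates), file exfiltration (sendDocument) or status traffic (sendMessage), and flags hosts whose call pattern matches that loop.

```python
# Added example for this page (not Talos code and not the actor’s implant).
# Assumption: the implants reach Telegram through the public Bot API, whose
# URLs have the shape https://api.telegram.org/bot<token>/<method>. The log
# format and every sample line below are constructed for this example.
import re
from collections import defaultdict

# Bot tokens look like <numeric bot id>:<secret>; the method name follows.
TG_BOT_RE = re.compile(
    r'https?://api[.]telegram[.]org/bot([0-9]+:[A-Za-z0-9_-]+)/([A-Za-z]+)'
)

# Which Bot API methods play which role in the C2 loop described in the post.
METHOD_ROLE = {
    'getUpdates': 'poll',      # implant asks the bot for new operator messages
    'sendDocument': 'exfil',   # implant uploads a file to the channel
    'sendMessage': 'beacon',   # implant posts command output or status text
}


def parse_line(line):
    # Constructed format: ISO timestamp followed by key=value tokens.
    parts = line.split()
    rec = {'ts': parts[0]}
    for tok in parts[1:]:
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
    return rec


def classify(url):
    # None for anything that is not a Bot API call; otherwise the token, the
    # bot id (numeric half of the token), the method and its role.
    match = TG_BOT_RE.search(url)
    if match is None:
        return None
    token, method = match.group(1), match.group(2)
    return {
        'token': token,
        'bot_id': token.split(':', 1)[0],
        'method': method,
        'role': METHOD_ROLE.get(method, 'other'),
    }


def analyse(lines):
    # Collect every Bot API call plus per-host counters for each role.
    hits = []
    per_host = defaultdict(
        lambda: {'poll': 0, 'exfil': 0, 'beacon': 0, 'other': 0, 'procs': set()}
    )
    for line in lines:
        rec = parse_line(line)
        call = classify(rec.get('url', ''))
        if call is None:
            continue
        hits.append({**rec, **call})
        stats = per_host[rec.get('host', '?')]
        stats[call['role']] += 1
        stats['procs'].add(rec.get('proc', '?'))
    return hits, dict(per_host)


def suspicious_hosts(per_host, min_polls=3):
    # Repeated getUpdates polling, or any sendDocument upload, is the shape of
    # the implant’s command-and-exfiltration loop; one sendMessage from a
    # browser is not enough on its own.
    return sorted(
        h for h, s in per_host.items() if s['poll'] >= min_polls or s['exfil'] > 0
    )


def bot_tokens(hits):
    # Unique tokens: the indicator worth reporting to Telegram for revocation.
    return sorted({h['token'] for h in hits})


# Constructed proxy log lines (fake hosts, fake bot tokens).
SAMPLE_LOG = [
    '2023-09-12T10:14:03Z host=WS-041 proc=powershell.exe url=https://api.telegram.org/bot123456789:AAEfakeTokenForThisExample-xyz/getUpdates?offset=5 status=200',
    '2023-09-12T10:14:33Z host=WS-041 proc=powershell.exe url=https://api.telegram.org/bot123456789:AAEfakeTokenForThisExample-xyz/getUpdates?offset=5 status=200',
    '2023-09-12T10:15:03Z host=WS-041 proc=powershell.exe url=https://api.telegram.org/bot123456789:AAEfakeTokenForThisExample-xyz/getUpdates?offset=6 status=200',
    '2023-09-12T10:15:10Z host=WS-041 proc=powershell.exe url=https://api.telegram.org/bot123456789:AAEfakeTokenForThisExample-xyz/sendDocument status=200',
    '2023-09-12T10:16:00Z host=WS-017 proc=chrome.exe url=https://web.telegram.org/a/ status=200',
    '2023-09-12T10:16:30Z host=WS-017 proc=chrome.exe url=https://api.telegram.org/bot987654321:AAEanotherFakeToken_abc/sendMessage status=200',
]

if __name__ == '__main__':
    found, stats = analyse(SAMPLE_LOG)
    for host in suspicious_hosts(stats):
        s = stats[host]
        print(host, 'polls=%d exfil=%d procs=%s' % (s['poll'], s['exfil'], sorted(s['procs'])))
    print('tokens:', bot_tokens(found))
```

Run as a script it prints the single flagged host (the PowerShell host that polled three times and then uploaded a document) and both tokens; the browser host that sent one message is reported but not flagged. On real data the same classify() call sits on proxy or DNS-plus-TLS-SNI logs, and the originating process name is what separates a scripting host from a user browsing Telegram.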
So far we have seen the Python-based RAT ported to two other languages, PowerShell and Golang.\r\nGolang implant checking for the “/run” command from the C2.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found in our GitHub repository here.\r\nHashes\r\nArchives\r\n8131bd594aff4f4e233ac802799df3422f423dc28e96646a09a2656563c4ad7c\r\na3b1c3faa287f6ba2f307af954bb2503b787ae2cd59ec65e0bdd7a0595ea8c7e\r\nLNKs\r\ned8c04a3e2d95d5ad8e2327a56d221715f06ed84eb9dc44ff86acff4076629d7\r\nHTAs\r\n9b81c5811ef3742cd4f45b6c3ba1ace70a0ce661acc42d974beaeddf307dd53d\r\nb6a5d6696cbb1690f75b0d9a42df8cefd444cfd3749be474535948a70ff2efd2\r\nf55b41ca475f411af10eaf082754c6e8b7a648da4fa72c23cbfea9fa13a91d88\r\ne0c7479e36b20cd7c3ca85966968b258b1148eb645a544230062ec5dff563258\r\nJS\r\nab6a8718dffbe48fd8b3a74f4bcb241cde281acf9e378b0c2370a040e4d827da\r\na5d8924f7f285f907e7e394635f31564a371dd58fad8fc621bacd5a55ca5929b\r\ne95e64e7ba4ef18df0282df15fc97cc76ba57ea250a0df51469337f561cc67d3\r\n832d58d9e067730a5705c8c307fd51c044d9697911043be9564593e05216e82a\r\nda75326cfebcca12c01e4a51ef77547465e03316c5f6fbce901ddcfe6425b753\r\n1e350b316cbc42917f10f6f12fa2a0b8ed2fa6b0159c36141bce18edb6ea7aa0\r\n57d0336c0dbaf455229d2689bf82f9678eb519e017d40ba60a6d6b90f87321f8\r\n30a969fa0492479b1c6ef6d23f8fcccf3d7af35b235d74cab2c0c2fc8c212ad4\r\nPS1\r\n5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634\r\na25db1457cf6b52be481929755dd9699ed8d009aa30295b2bf54710cb07a2f22\r\n56fc680799999e38ce84c80e27788839f35ee817816de15b90aa39332fcc5aee\r\nEXE\r\n37c369f9a9cac898af2668b1287dea34c753119071a1c447b0bfecd171709340\r\n93829ee93688a31f90572316ecb21702eab04886c8899c0a59deda3b2f96c4be\r\n0a9908d8c4de050149883ca17625bbe97830ba61c3fe6b0ef704c65361027add\r\n1828e2df0ad76ea503af7206447e40482669bb25624a60b0f77743cd70f819f6\r\n941be28004afc2c7c8248a86b5857a35ab303beb33c704640852741b925558a1\r\n8921c20539fc019a9127285ca43b35610f8ecb0151872cdd50acdaa12c23722d\r\nb4eac90e866f5ad8af37b43f5e9459e59ee1e7e2cbb284703c0ef7b1a13ee723\r\nNetwork IOCs\r\n168[.]100[.]8[.]21\r\n46[.]161[.]27[.]151\r\nhxxp[://]46[.]161[.]27[.]151:80/c1[.]exe\r\nhxxp[://]46[.]161[.]40[.]164/wwser[.]exe\r\nhxxp[://]tpp[.]tj/T/rat[.]php\r\nhxxps[://]tpp[.]tj/T/rat[.]php\r\nhxxp[://]46[.]161[.]40[.]164/resoluton[.]exe\r\nhxxp[://]tpp[.]tj/285/file[.]js\r\nhxxp[://]tpp[.]tj/285/png[.]php\r\nhxxp[://]tpp[.]tj/285/startpng[.]js\r\nhxxp[://]tpp[.]tj/285/uap[.]txt\r\nhxxp[://]tpp[.]tj/285/update[.]hta\r\nhxxp[://]168[.]100[.]8[.]21/file[.]js\r\nhxxp[://]168[.]100[.]8[.]21/mshostss[.]rar\r\nhxxp[://]168[.]100[.]8[.]21/png[.]php\r\nhxxp[://]168[.]100[.]8[.]21/rat[.]js\r\nhxxp[://]168[.]100[.]8[.]21/rat[.]php\r\nhxxp[://]168[.]100[.]8[.]21/startpng[.]js\r\nhxxp[://]168[.]100[.]8[.]21/win[.]hta\r\nhxxp[://]46[.]161[.]40[.]164/main2[.]exe\r\nhxxp[://]46[.]161[.]40[.]164/main[.]exe\r\nhxxp[://]tpp[.]tj/BossMaster[.]txt\r\nhxxp[://]tpp[.]tj/T/rat[.]js\r\nhxxps[://]tpp[.]tj/main[.]exe\r\nhxxps[://]tpp[.]tj/T/file[.]js\r\nhxxps[://]tpp[.]tj/T/png[.]php\r\nhxxps[://]tpp[.]tj/T/startpng[.]js\r\nhxxps[://]tpp[.]tj/T/sys[.]hta\r\nhxxps[://]tpp[.]tj/rightupsbot[.]txt\r\nhxxp[://]168[.]100[.]8[.]242/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/\r\nhxxp[://]168[.]100[.]8[.]242/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/220\r\nhxxp[://]168[.]100[.]8[.]242/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/Az[\r\nhxxp[://]168[.]100[.]8[.]242/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/logout\u0026_token=\r\nhxxp[://]168[.]100[.]8[.]36/+CSCO+0075676763663A2F2F31302E3130302E3230302E32++/+CSCO+0075676763663A2F2F31302E3130302E3230302\r\nhxxp[://]168[.]100[.]8[.]36/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/file[.\r\nhxxp[://]168[.]100[.]8[.]36/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/login\r\nhxxp[://]168[.]100[.]8[.]36/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/logout\u0026_token=D\r\nhxxp[://]206[.]166[.]251[.]146/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/A\r\nhxxp[://]206[.]166[.]251[.]146/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/logout\u0026_toke\r\nhxxps[://]auth[.]mail-ru[.]link/public_html/home/files/login[.]php?email=1\r\nhxxps[://]e[.]mail[.]az-link[.]email/\r\nhxxps[://]e[.]mail[.]az-link[.]email/public/security/files/Az%C9%99rbaycan_Litva[.]jpg\r\nhxxps[://]e[.]mail[.]az-link[.]email/public/security/files/login[.]php?email=1\r\nhxxps[://]mail[.]asco[.]az-link[.]email/5676763663A2F2F31302E3130302E3230302E32/75676763663A2F2F31302E3130302E3230302E32/login[.]php\r\nhxxps[://]mail[.]asco[.]az-link[.]email/Login[.]aspx\r\nhxxps[://]redirect[.]az-link[.]email/\r\nhxxps[://]redirect[.]az-link[.]email/5676763663A2F2F31302E3130302E3230302E32/75676763663A2F2F31302E3130302E3230302E32/Login[.]aspx\u0026_token=oazjTiA255F2D\r\nSource: https://blog.talosintelligence.com/attributing-yorotrooper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/attributing-yorotrooper/"
	],
	"report_names": [
		"attributing-yorotrooper"
	],
	"threat_actors": [
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775791525,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17ec872ca374ca2d0b51255ff10c0bf6b602fd4f.pdf",
		"text": "https://archive.orkl.eu/17ec872ca374ca2d0b51255ff10c0bf6b602fd4f.txt",
		"img": "https://archive.orkl.eu/17ec872ca374ca2d0b51255ff10c0bf6b602fd4f.jpg"
	}
}