{
	"id": "af90ccec-f909-48cd-9665-a804ca95bfb0",
	"created_at": "2026-04-06T01:31:47.507021Z",
	"updated_at": "2026-04-10T03:22:01.057174Z",
	"deleted_at": null,
	"sha1_hash": "87f173d085568b40be7e301891483e6a261d0f4a",
	"title": "PoetRAT: Malware targeting public and private sector in Azerbaijan evolves",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 909495,
	"plain_text": "PoetRAT: Malware targeting public and private sector in\r\nAzerbaijan evolves\r\nBy Warren Mercer\r\nPublished: 2020-10-06 · Archived: 2026-04-06 01:17:59 UTC\r\nTuesday, October 6, 2020 10:52\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nThe Azerbaijan public sector and other important organizations are still targeted by new versions of\r\nPoetRAT.\r\nThis actor leverages malicious Microsoft Word documents alleged to be from the Azerbaijan government.\r\nThe attacker has moved from Python to Lua script.\r\nThe attacker improves their operational security (OpSec) by replacing the protocol and performing\r\nreconnaissance on compromised systems.\r\nExecutive summary\r\nCisco Talos discovered PoetRAT earlier this year. We have continued to monitor\r\nthis actor and their behavior over the preceding months. We have observed\r\nmultiple new campaigns indicating a change in the actor's capabilities and\r\nshowing their maturity toward better operational security. We assess with medium\r\nconfidence this actor continues to use spear-phishing attacks to lure a user to\r\ndownload a malicious document from temporary hosting providers. We currently\r\nbelieve the malware comes from malicious URLs included in the email, resulting in\r\nthe user clicking and downloading a malicious document. These Word documents\r\ncontinue to contain malicious macros, which in turn download additional payloads\r\nonce the attacker sets their sights on a particular victim. Previous versions of\r\nPoetRAT deployed a Python interpreter to execute the included source code, which\r\nresulted in a much larger file size compared to the latest version's switch to Lua\r\nscript. 
As the geopolitical tensions grow in Azerbaijan with neighbouring\r\ncountries, this is no doubt a stage of espionage with national security implications\r\nbeing deployed by a malicious actor with a specific interest in various Azerbaijani\r\ngovernment departments.\r\nhttps://blog.talosintelligence.com/poetrat-update/\r\nPage 1 of 8\n\nNew campaigns\r\nCampaign of September 2020\r\nThe malicious document alleged to be a letter with the National Emblem of Azerbaijan in the top\r\ncorners:\r\nThe document we observed used multiple filenames: the first being \"argument.doc\" and another named\r\n\"siyahı.doc\" (Azeri word for \"List\"). As previously with PoetRAT, the Word document contained a macro:\r\nThe macro still contains literature references as on the previous version we documented. This time, the text is\r\nfrom the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer).\r\nThe malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT\r\nmalware, though.\r\nFirst, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA\r\nrules:\r\nThe obfuscation is base64 encoding combined with LZMA compression.\r\nSecondly, the author split the malware into a couple of different files. For example, the variables are stored in a\r\n\"Constant.py\" file containing the C2 server and the configuration.\r\nThe malware also changed a small amount of its code. The most notable change is the protocol used to download\r\nand upload files. 
The first version of PoetRAT used FTP, while the new version supports HTTP protocol:\r\nThese few changes allow the attacker to avoid tracking based on signature and stay under the radar by using a\r\nmore common protocol for exfiltration — thus improving their opsec.\r\nCampaign of October 2020\r\nIn this campaign, the decoy document is a Microsoft Office document alleged to be from the State\r\nService for Mobilization and Conscription of Azerbaijan:\r\nDue to current events in Azerbaijan, the President of the Republic of Azerbaijan has signed a decree \"about\r\ndeclaring partial mobilization in the Republic of Azerbaijan.\" More information can be found here. The Office\r\ndocument was saved six days after the announcement.\r\nThe malware author changed the embedded payload. A macro is executed by the Office document:\r\nThe macro inflates and creates a ZIP file on the targeted system and executes a Lua script in this archive. The\r\narchive contains the Lua payload and luajit, a Lua interpreter for Windows. Here is the script:\r\nThis script downloads and executes an additional payload. We did not receive the payload. However, the operator\r\nsent us a text file named 'FUCK-YOU.txt' with hundreds of lines of expletives.\r\nSame victimology\r\nAs with the previous campaigns, the targets of the new campaigns are linked to Azerbaijan. In the\r\nprevious campaigns, the attacker was mainly interested in the energy sector, more specifically\r\nthose involved with wind turbines.\r\nThe attacker is still attracted to VIPs and the public sector. 
In the recent campaign we identified the attacker had\r\naccess to sensitive information, such as diplomatic passports belonging to citizens of Azerbaijan.\r\nConclusion\r\nWith recent geopolitical events in Azerbaijan, it is fair to expect some cyber\r\nattacks. The PoetRAT malware was used against this country a few months ago\r\nand new campaigns from this threat actor appeared after the armed conflict.\r\nThe malware slightly evolved since our previous publication. The developer implemented a new exfiltration\r\nprotocol to hide its activities. There's also additional obfuscation to avoid detection based on strings or signatures.\r\nThe latest evolution of PoetRAT shows us an evolution from Python to Lua. The code is easy to parse — nothing\r\nadvanced — but our analysis showed us that the campaigns are efficient. The attacker obtained access to sensitive\r\ndocuments from the compromised systems, even if the technical aspects are not as evolved as expected in this\r\nkind of context and targeted attacks.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nMalicious documents\r\nThis includes newly observed hashes and also previously observed PoetRAT hashes.\r\ndc565146cd4ecfb45873e44aa1ea1bac8cfa8fb086140154b429ba7274cda9a2 - Oct 2020\r\n64aeffe15aece5ae22e99d9fd55657788e71c1c52ceb08e3b16b8475b8655059 - Sept 2020\r\nac4e621cc5895f63a226f8ef183fe69e1ae631e12a5dbef97dd16a6dfafd1bfc - April 2020\r\na703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d - April 2020\r\n208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407 - April 2020\r\ne4e99dc07fae55f2fa8884c586f8006774fe0f16232bd4e13660a8610b1850a2 - April 2020\r\nC2 Infrastructure\r\nslimip[.]accesscam[.]org\r\nSource: https://blog.talosintelligence.com/poetrat-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/poetrat-update/"
	],
	"report_names": [
		"poetrat-update"
	],
	"threat_actors": [],
	"ts_created_at": 1775439107,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87f173d085568b40be7e301891483e6a261d0f4a.pdf",
		"text": "https://archive.orkl.eu/87f173d085568b40be7e301891483e6a261d0f4a.txt",
		"img": "https://archive.orkl.eu/87f173d085568b40be7e301891483e6a261d0f4a.jpg"
	}
}