{ "id": "1060a286-6610-488d-b1c9-e9adeecbf015", "created_at": "2026-04-06T00:10:36.377822Z", "updated_at": "2026-04-10T03:25:25.34107Z", "deleted_at": null, "sha1_hash": "fc2d1eb1acc6c7844433f5eb10a65810aeb506d1", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59145, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:53:23 UTC\n APT group: YoroTrooper\nNames\nYoroTrooper (Talos)\nSilent Lynx (Seqrite)\nCountry Kazakhstan\nMotivation Information theft and espionage\nFirst seen 2022\nDescription\n(Talos) Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that\nhas been running several successful espionage campaigns since at least June 2022.\nYoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan,\nKyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We\nalso observed YoroTrooper compromise accounts from at least two international organizations:\na critical European Union (EU) health care agency and the World Intellectual Property\nOrganization (WIPO). Successful compromises also included Embassies of European\ncountries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other\norganizations across Europe and Turkish (Türkiye) government agencies.\nInformation stolen from successful compromises include credentials from multiple\napplications, browser histories \u0026 cookies, system information and screenshots.\nObserved\nSectors: Energy, Financial, Government.\nCountries: Azerbaijan, Kyrgyzstan, Tajikistan, Turkey, Turkmenistan and Europe.\nTools used Loda, Meterpreter, Stink, Warzone RAT.\nInformation\nLast change to this card: 22 February 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=097d091b-0509-488b-b8e1-31b1fc8fa478\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=097d091b-0509-488b-b8e1-31b1fc8fa478\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=097d091b-0509-488b-b8e1-31b1fc8fa478" ], "report_names": [ "showcard.cgi?u=097d091b-0509-488b-b8e1-31b1fc8fa478" ], "threat_actors": [ { "id": "c416152c-d268-40a3-8887-01d2ec452b7c", "created_at": "2023-04-27T02:04:45.481771Z", "updated_at": "2026-04-10T02:00:04.987067Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Silent Lynx" ], "source_name": "ETDA:YoroTrooper", "tools": [ "Loda", "Loda RAT", "LodaRAT", "Meterpreter", "Nymeria", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "322248d6-4baf-4ada-af8e-074bc6c10132", "created_at": "2023-11-05T02:00:08.072145Z", "updated_at": "2026-04-10T02:00:03.397406Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Comrade Saiga", "Salted Earth", "Sturgeon Fisher", "ShadowSilk", "Silent Lynx", "Cavalry Werewolf", "SturgeonPhisher" ], "source_name": "MISPGALAXY:YoroTrooper", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434236, "ts_updated_at": 1775791525, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fc2d1eb1acc6c7844433f5eb10a65810aeb506d1.pdf", "text": "https://archive.orkl.eu/fc2d1eb1acc6c7844433f5eb10a65810aeb506d1.txt", "img": "https://archive.orkl.eu/fc2d1eb1acc6c7844433f5eb10a65810aeb506d1.jpg" } }