Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

  • Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian. The actor also appears to have a defensive interest in the website of the Kazakhstani state-owned email service and has rarely targeted Kazakh entities.
  • YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region. 
  • YoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries, and the operators have compromised multiple state-owned websites and accounts belonging to government officials of these countries between May and August 2023.
  • Our findings also indicate that, in addition to commodity and custom malware, YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites, an assessment that is in line with recent reporting from ESET.
  • Recent retooling efforts by YoroTrooper demonstrate a conscious effort to move away from commodity malware and increasingly rely on new custom malware spanning across different platforms such as Python, PowerShell, GoLang and Rust.

Talos assesses with high confidence that YoroTrooper operators are likely based in Kazakhstan based on their language preferences, use of Kazakhstani currency and very limited targeting of Kazakhstani entities, which only included the government’s Anti-Corruption Agency. 

Our primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are official languages of Kazakhstan. YoroTrooper frequently visits websites written in Kazakh and has used Russian in debugging and logging messages in their custom Python remote access trojans (RATs). For example, we have seen phrases such as “Сохраняю в {save_dir}” or “Файл загружен!nИмя” that translate to “I save in {save_dir}” and “File uploaded!nName” respectively, and the translation of output of commands to CP866 — the code page for Cyrillic. 

Starting in June 2023, we saw this actor using Uzbek in their implants, another popular language in Kazakhstan, enabling us to narrow down their country of origin. While this may be an attempt at generating false flags to masquerade as an Uzbek adversary, it is highly likely that YoroTrooper operators are simply well-versed in Kazakh, Russian and Uzbek languages.

A second observation that supports our assessment of YoroTrooper’s strong ties to Kazakhstan  is the involvement of Kazakhstani currency in their operations. The threat actor primarily relies on using cryptocurrency to pay for operating infrastructure such as domains and servers for hosting their lures, payloads and decoys, and regularly checks for currency conversion rates between Kazakhstani Tenge (KZT), Kazakhstan’s official currency and Bitcoin (BTC) on Google.

The threat actor also uses online exchanges, such as alfachange[.]com, which converts money from Kazakhstani Tenge to Bitcoin via their Visa and Mastercard cards:

Talos’ research found that YoroTrooper has a special defensive interest in repeatedly evaluating the security posture of the website of the Kazakhstani state-owned email service, mail[.]kz. YoroTrooper will regularly conduct security scans of mail[.]kz but has never registered any look-a-like domains or created credential harvesting pages spoofing the site, tactics the threat actor commonly uses when attempting to target an online service or its users. The image below shows bookmarks pertaining to the evaluation of mail[.]kz’s security posture saved on a browser used by YoroTrooper, indicating that the threat actor frequently visits these links to monitor the website for potential security vulnerabilities.

This monitoring activity indicates YoroTrooper values mail[.]kz, as they have conducted similar security scanning for their own malicious infrastructure to verify that it is not vulnerable to exploitation. For example, YoroTrooper queried IP address 168[.]100[.]8[.]242 on Shodan, which hosted domain mail[.]asco[.]az-link[.]email on July 11, 2022 that was used by YoroTrooper to target entities in Azerbaijan in November 2022:

YoroTrooper checking one of their own IP addresses in Shodan.

Finally, Talos’ analysis of YoroTrooper’s victimology found that the only institution targeted in Kazakhstan was the government’s Anti-Corruption Agency. YoroTrooper facilitated this attack by creating a malicious subdomain mail[.]antikor[.]gov[.]kz[.]openingfile[.]net, that spoofed the legitimate government domain antikor[.]gov[.]kz:.

We assess with high confidence that YoroTrooper made numerous efforts to disguise their origin by hosting a majority of their infrastructure in Azerbaijan while still targeting institutions in Azerbaijan, using malicious sub-domains such as:

  • mail[.]economy[.]qov[.]az-link[.]email
  • mail[.]gov[.]az-link[.]email
  • mail[.]mfa[.]az-link[.]email

YoroTrooper employs numerous tactics to obfuscate the origin of their activity, attempting to appear as if they are located in Azerbaijan. We observed that most of YoroTrooper’s operations are routed via Azerbaijan, though notably, the threat actor does not appear to speak the Azerbaijani language. Intelligence obtained by Talos indicates the adversary regularly translates information from Azerbaijani to Russian, the second official language in Kazakhstan.

YoroTrooper using Google Translate to convert text from Azerbaijani to Russian for an account verification message.

Furthermore, the operator drafts lures in Russian and then translates them to Azerbaijani to use in their phishing attacks:

YoroTrooper makes an effort to have their operations appear as if they originate from Azerbaijan, looking to use VPN exit nodes in the country:

Finally, we have also seen the threat actor searching for random contact information for Azerbaijani individuals, likely to use when setting up their infrastructure and tools:

Targeting activity focuses on prominent government officials and organizations in CIS countries

YoroTrooper modified and expanded their tactics, techniques and procedures (TTPs) after Talos’ seminal disclosure on this threat actor in March 2023, and continued their targeting efforts against Commonwealth of Independent States (CIS) countries with these new TTPs starting in June 2023. Some of these tactics included: 

  • Porting their Python-based implant to PowerShell.
  • Increasingly adopting the use of custom implants and abandoning previously used commodity malware.

YoroTrooper’s targeting of government entities in these countries may indicate the operators are motivated by Kazakh state interests or working under the direction of the Kazakh government. It is also possible, however, that the actors are simply motivated by financial gain achieved by selling restricted state information. Talos is pursuing further research on YoroTrooper’s intelligence collection goals to ascertain the group’s potential state sponsorship. 

A number of prominent and successful YoroTrooper intrusions took place in recent months, beginning in June 2023 when the adversary compromised a Tajiki national. Although we could not determine the identity of the victim, Talos assesses that the victim is associated with the Tajik government, based on the nature of the data that YoroTrooper exfiltrated from them, which amounted to 165MB of documents. Many of these documents consisted of government certificates and affidavits, appearing to belong to someone who has visibility into government personnel management and welfare.

YoroTrooper consistently relies on vulnerability scanners such as Acunetix and open-source data from search engines such as Shodan to locate and infiltrate a target’s infrastructure. This exercise turned out to be extremely fruitful for YoroTrooper, who from May to July 2023, successfully compromised three state-owned Tajiki and Kyrgyzstani websites and hosted malware payloads on them, with some malware still being hosted as of September 2023. The first website compromised in May 2023 was tpp[.]tj, which is managed by the country’s Chamber of Commerce and Industry of the Republic of Tajikistan.

Subsequently, in July, YoroTrooper compromised and hosted malware on akn[.]tj, another state-owned website belonging to the Drug Control Agency under the President of the Republic of Tajikistan, as well as kyrgyzkomur[.]gov[.]kg, which belongs to Kyrgyzstan’s state-owned coal enterprise.YoroTrooper also compromised a user from the Ministry of Transport and Roads of the Kyrgyz Republic, successfully harvesting some browser credentials from the user.

YoroTrooper began its campaign to target Uzbeki government entities as early as January 2023. About eight months of aggressive attack attempts yielded success in August 2023, when YoroTrooper successfully compromised a high-ranking official from the Uzbek Ministry of Energy. While Talos confirmed the compromise, we could not determine what data was stolen from this individual.

The following timeline provides an updated view and details of various geographies targeted since June 2023. 


Targeted geography

Salient TTPs

September 2023


• Used an agreement statement between Bulgaria and Tajikistan as a lure.

Reused compromised Tajiki website for the Chamber of Commerce and Industry to host malware.

• Deployed PowerShell-based implants and used Telegram APIs.

August 2023


• Used a Kyrgyz Ministry of Transport circular as a lure/decoy document.

• Used attacker-owned infrastructure to host malware.

• Targeted and compromised an Uzbek Ministry of Energy senior official.

• Reused custom-built reverse shell EXEs first seen in June 2023.

• Reused a PyInstaller-wrapped, Python-based Google Chrome credential stealer that was first seen in January 2023, though this version did not include an upload capability.

July 2023

Tajikistan and Kyrgyzstan

Tajik Drug Control Agency’s website  akn[.]tj compromised to host payloads.

Kyrgyz state-owned coal enterprise KyrgyzKomur’s website, kyrgyzkomur[.]gov[.]kg, compromised and used to host malware.

June 2023


• Takij Ministry of Foreign Affairs targeted using the following lures:

Publication from the International Atomic Energy Agency (IAEA) and OECD Nuclear Energy Agency (NEA) on  Uranium: Resources, Production and Demand.

Used a compromised Tajiki website for the Chamber of Commerce and Industry to host malware.

• First instance of deploying custom-built reverse shell EXEs.

• Python implants ported to PowerShell and used Telegram APIs.

YoroTrooper relies heavily on learning-on-the-go to carry on their malicious activities. We’ve observed the operator constantly attempting to buy new tools, such as VPN connections. Our research also indicated that the group actively relies on vulnerability scanners, such as Acunetix, and open-source data, such as the information available on Shodan, to locate and infiltrate the public-facing servers of their targets.


YoroTrooper frequently conducts open-source searches of infrastructure they are interested in targeting, using search engines such as Google, Shodan and Censys to find vulnerabilities and leakages in a target’s infrastructure. This research includes searching for vulnerable PHP-based servers and identifying content management systems (CMS) to find open directories. 

Talos identified a number of operational email accounts and other infrastructure used by YoroTrooper to facilitate their operations. YoroTrooper primarily uses the email address “anadozz[at]tuta[.]io” to register and purchase tools and services such as VPN accounts. For example, in 2022, the actors used this email address to obtain a subscription to NordVPN, valid from 2022 to 2025, from darkstore[.]su:

YoroTrooper has also extensively used and maintained access to two other email addresses, “n.ayyubov[at]mail[.]ru” and “danyjackson120293[at]proton[.]me”, via their remote machines. It is unclear if these email addresses actually belong to the operators or are just compromised accounts being leveraged by YoroTrooper.

A couple of months before purchasing the NordVPN account, YoroTrooper configured and purchased a VPS instance from netx[.]hosting for $16 USD a month. This is likely another remote machine that the threat actor used to expand their malicious operations.

Talos also found that YoroTrooper accesses their malicious infrastructure several times over the course of their campaigns in order to upload malware and access URLs hosted on their servers, such as:

  • hxxps[://]e[.]mail[.]az-link[.]email/public/security/files/login[.]php?email=1
  • hxxp[://]206[.]166[.]251[.]146/0075676763663A2F2F31302E3130302E3230302E32/0075676763663A2F2F31302E3130302E3230302E32/index_files/Az[.]pdf
  • hxxps[://]mail[.]asco[.]az-link[.]email/Login[.]aspx
  • hxxps[://]auth[.]mail-ru[.]link/public_html/home/files/login[.]php?email=1


YoroTrooper regularly sends spearphishing messages to victims that direct to attacker-controlled pages designed to harvest the target’s credentials. The operators collect and deploy phishing pages on servers specific to a target country. Some of the malicious credential-harvesting pages found on YoroTrooper’s VPS systems were:

  • C[:/]Users/Professional/Desktop/DESSKTOP/1/mail[.]ady[.]az[.]logiin[.]email/index[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/remote[.]mfa[.]gov[.]az/logon[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/BackUp%20site/ru[.]auth[.]logiin[.]email/public/security/index[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/sample_mailru_trap.html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Desktop/AZ%20mail%20box%20-%20Copy[.]html
  • D[:/]135%20%D0%9C%D0%97%D0%AB/mail[.]socar[.]az[.]logiin[.]email/owa/auth/logon[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/mfa%20send%20box/mfaRC[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/remote[.]mfa[.]gov[.]az/logon[.]html#form_title_text
  • C[:/]Users/Professional/Desktop/DESSKTOP/beeline_send1%20-%20Copy[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/Azerbaijan/mincom-caa[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/RoundtoMail[.]ru[.]html
  • C[:/]Users/Professional/Desktop/DESSKTOP/BackUp%20site/mail[.]mincom[.]gov-az[.]site/owa/auth/logon[.]html

The practice of credential-harvesting runs complimentary to YoroTrooper’s malware-based operations with the end goal being data theft. The vast majority of YoroTrooper malware analyzed by Talos belongs to different families of information stealers. 

After Talos released our report on YoroTrooper earlier this year, we have seen the operators make slight adjustments to their infection chains. The infection mechanisms have become more modular with:

  • New intermediate steps and scripts added.
  • New decoys/lures were introduced, seemingly to target additional victims.
  • Adjustments to the final implants that are deployed, so they consist of two components: either their custom-made PowerShell scripts used for file exfiltration to Telegram channels, or Windows executables consisting of commodity malware or custom-made reverse shells.

While many of their mechanisms and implants have seen slight variation, Talos assesses with high confidence that YoroTrooper is changing their final malware implants and looking to develop and adopt new malware families into their arsenal.

As part of their exercise of retooling, YoroTrooper has also ported their custom-built Python implants that were previously packaged into executables using frameworks such as Nuitka and PyInstaller, to PowerShell scripts that are now directly run from the central HTA script.

The new infection chain is outlined in the graphic below.

Custom-built reverse shell

YoroTrooper has started using a simple, custom-built, Windows executable-based interactive reverse shell to run commands on infected endpoints via cmd[.]exe:

Python-based RAT now ported to PowerShell

Since February 2023, YoroTrooper has ported their Python-based RAT to PowerShell. This is likely an attempt to reduce the footprint of the malware on the infected systems, as a Python-based RAT packaged into an EXE using PyInstaller or NUITKA usually results in a binary of a few megabytes, however the same code in PowerShell is only a few kilobytes and runs natively on the system. The core functionality remains the same, with the RAT taking commands and exfiltrating data to Telegram-based C2s.

Python-based RAT (left) vs. the ported PowerShell code (right).

Expansion of malware arsenal

In July 2023, YoroTrooper began experimenting with multiple types of delivery vehicles for their implants and adopting other malware families into their arsenal.

One such example is a Windows executable that is designed to work in lieu of the entire LNK and HTA-based infection chain previously used by the actors. This executable is a PyInstaller-wrapped binary where the Python code will:

  • Download an implant from the attacker-controlled server and run it.
  • Download a decoy document from a legitimate CIS government’s website and open/display it.

We found one sample from July 2023 that downloads and displays a decoy document from the KyrgyzKomur website, which belongs to the coal division within the Kyrgyz Ministry of Energy. This document is a memo on a transportation agreement between the Republic of Bulgaria and Tajikistan. The sample consists of a mere 13 lines of Python code packed into a 6MB PyInstaller binary:

The malware payload downloaded is the Python-based RAT that YoroTrooper has used for quite some time now, and is the same RAT that was recently ported by the actors to PowerShell.

Rust and Golang-based implants

As recently as September 2023, YoroTrooper began using a Rust-based implant that opens an interactive reverse-shell via the command:

cmd.exe /d /c <command_from_C2>

Their Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication. So far we have seen the Python-based RAT already being ported to two other languages, PowerShell and Golang.

GoLang implant checking for “/run” command from the C2.

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

IOCs for this research can also be found in our GitHub repository here.

































Network IOCs