October 25, 2023 at 01:38PM
YoroTrooper, a Kazakhstan attack group known for phishing messages, poses as an Azerbaijani group. It primarily targets government entities in former Soviet republics but disguises its origin by hosting its infrastructure in Azerbaijan. However, researchers from Cisco Talos have concluded that the group is from Kazakhstan based on language preferences and the use of Kazakhstani currency.
According to the meeting notes, a Kazakhstan attack group known as YoroTrooper has been sending phishing messages while disguising its activity as Azerbaijan-based. The group primarily targets former Soviet republics such as Russia, Armenia, Belarus, Moldova, and Azerbaijan, focusing on government entities. Despite its use of Azerbaijani infrastructure and its limited targeting of Azerbaijani entities, researchers from Cisco Talos have determined with high confidence that the group actually operates from Kazakhstan. This conclusion is drawn from the group's language preferences (Kazakh and Russian), its use of Kazakhstani currency, and its frequent visits to websites in the Kazakh language. YoroTrooper also uses Russian in the debugging and logging messages of its custom Python Remote Access Trojans.