Kazakhstan-Associated Yorotrooper Disguises Origin of Attacks as Azerbaijan

Cisco Talos has assessed with high confidence that the threat actor known as YoroTrooper is likely based in Kazakhstan. This assessment is based on their use of Kazakh currency, fluency in Kazakh and Russian languages, and limited targeting of Kazakhstani entities. YoroTrooper has been active since June 2022 and primarily targets Commonwealth of Independent States (CIS) countries. They have compromised multiple state-owned websites and accounts belonging to government officials in these countries. YoroTrooper uses various tactics to obfuscate their origins, including using VPN exit nodes in Azerbaijan. They have recently shifted towards using custom malware and rely heavily on phishing emails. The threat actor also shows a defensive interest in the website of the Kazakhstani state-owned email service. YoroTrooper attempts to appear as if they are located in Azerbaijan, but their language preferences and translation practices indicate a strong connection to Kazakhstan. The motivations behind their targeting may be linked to Kazakh state interests or financial gain.