A cyberspy outfit is attacking high-level targets in the EU
YoroTrooper has changed up its playbook
Threat actor YoroTrooper has compromised the accounts of critical EU healthcare agencies, a number of embassies, and the World Intellectual Property Organization (WIPO).
A report from Cisco Talos (via BleepingComputer) has revealed that vast quantities of data, such as credentials, cookies, and browser histories, have been stolen from a number of infected endpoints.
These include those belonging to government agencies and energy companies of countries that are a part of Eurasia’s Commonwealth of Independent States (CIS).
YoroTrooper’s unique threat activity
Though BleepingComputer notes that YoroTrooper has previously been known to disseminate known malware like PoetRAT and LodaRAT, Cisco thinks it’s moved to designing its own Remote Access Trojans (RATs) written in Python to get the job done.
In Summer 2022, Belarusian organizations were hit by infected PDF files sent from email domains purporting to be organizations from Belarus or Russia. In September that year, YoroTrooper registered typosquatting domains designed to look as similar as possible to those of Russian government agencies.
This strategy is rooted in YoroTrooper’s phishing emails needing to look as legitimate as possible, particularly as its latest ruse involves attaching infected RAR and ZIP attachments to gain access to national security information across the region.
In 2023, the threat group has moved fast. In January, it began issuing an infostealer script that extracts credentials from Chromium-based browsers, but by February it had already moved to a new modular tool called ‘Stink’.
The new tool, in addition to Chromium browser infiltration and basic system information, also steals data from the FTP client FileZilla and the messaging apps Discord and Telegram.
YoroTrooper’s motives, means, and backers are currently unknown, but the move to custom tools could turn out to be a worrying development for the corporate world.
Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.