A new threat actor, YoroTrooper, has been active since at least June 2022. This actor has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign. YoroTrooper uses a combination of commodity and open source stealer malware, such as Ave Maria (aka Warzone RAT), LodaRAT, Meterpreter, and Stink.
These implants are used to gather data such as credentials from multiple applications, browser histories and cookies, system information, and screenshots. The collected data is then exfiltrated via Telegram. YoroTrooper appears to be a Russian-speaking actor, based on victimology patterns and the presence of Cyrillic snippets in some of the implants. There is, however, some overlap with the PoetRAT team, which was documented in 2020 as using coronavirus-themed lures to target government and energy sector organizations in Azerbaijan.