Talk

Caviar Scammers: The Sophisticated Operations of the SturgeonPhisher APT Group

conf 2023-11-02 17:00 – 17:45 La Marive EN

SturgeonPhisher, also known as YoroTrooper, is a cyberespionage group active since at least October 2021. The group focuses on spearphishing and webmail credential theft. It targets government officials, think tanks, and employees of state-owned companies in countries bordering the Caspian Sea, the Russian Federation being one of the most targeted countries.

SturgeonPhisher’s activities are not limited to credential theft: the group also uses a recently updated arsenal that includes reverse shells, password stealers, remote access trojans (such as RustyRAT), and a Telegram backdoor to run espionage campaigns against selected targets. To deliver these payloads, we observed the compromise of legitimate websites in addition to traditional spearphishing.

In their phishing operations, this threat actor registered many domains similar to the legitimate ones used by the targeted entities and hosted a copy of the target’s website on them. The initial attack vector in their espionage campaigns is mostly spearphishing emails carrying an attachment.
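The lookalike-domain registrations described above are something a defender can watch for in newly registered or newly observed domain feeds. The script below is an added example and is not code from the talk or from any tool it describes: it flags candidate domains whose registrable label matches one of an organisation’s own domains after homoglyph normalisation, lies within a small edit distance of it, or embeds it (e.g. `examplegov-login`). The homoglyph table, the naive “label under the TLD” extraction (no public-suffix list) and every domain name are constructed assumptions for the demonstration.

```python
"""Flag newly observed domains that look like an organisation's own domains.

Added example, not part of the original talk. All domain names below are
constructed placeholders under the reserved .test TLD.
"""
import unicodedata

# Substitutions commonly seen in lookalike registrations (assumed list; extend as needed).
# Multi-character sequences are applied first so that "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Short legitimate labels would match far too often on containment; ignore them below this length.
MIN_CONTAINMENT_LEN = 5


def normalize_label(label: str) -> str:
    """Lower-case, strip accents and map common homoglyph sequences to their ASCII targets."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def core_label(domain: str) -> str:
    """Return the label directly under the TLD.

    Assumption: single-label TLDs only; a real deployment should use a public-suffix list.
    """
    parts = domain.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate: str, legit_domains, max_distance: int = 2):
    """Return a list of human-readable reasons why `candidate` resembles a legitimate domain."""
    legit_set = {d.lower() for d in legit_domains}
    cand = candidate.lower()
    # The organisation's own domain, or a subdomain of it, is never a lookalike.
    if cand in legit_set or any(cand.endswith("." + d) for d in legit_set):
        return []
    reasons = []
    cand_core = normalize_label(core_label(cand))
    cand_squashed = normalize_label(cand).replace("-", "").replace(".", "")
    for legit in legit_set:
        legit_core = normalize_label(core_label(legit))
        if cand_core == legit_core:
            reasons.append(f"core label equals {legit} after homoglyph normalisation")
        elif levenshtein(cand_core, legit_core) <= max_distance:
            reasons.append(f"core label within edit distance {max_distance} of {legit}")
        elif len(legit_core) >= MIN_CONTAINMENT_LEN and legit_core in cand_squashed:
            reasons.append(f"embeds the label of {legit}")
    return reasons


def find_lookalikes(candidates, legit_domains, max_distance: int = 2):
    """Map each flagged candidate domain to its list of reasons; unflagged domains are omitted."""
    result = {}
    for candidate in candidates:
        reasons = lookalike_reasons(candidate, legit_domains, max_distance)
        if reasons:
            result[candidate] = reasons
    return result


# Constructed sample data: the organisation's domains and a feed of newly seen domains.
LEGIT_DOMAINS = ["examplegov.test", "examplecorp.test"]
CANDIDATES = [
    "exampleg0v.test",          # digit zero for the letter o
    "exarnplegov.test",         # "rn" standing in for "m"
    "exampelgov.test",          # transposed letters
    "examplegov-login.test",    # legitimate label embedded in a longer one
    "unrelated-site.test",      # should not be flagged
    "webmail.examplegov.test",  # the organisation's own subdomain, should not be flagged
]

if __name__ == "__main__":
    for domain, reasons in find_lookalikes(CANDIDATES, LEGIT_DOMAINS).items():
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

The containment and `rn`/`m` rules deliberately err on the side of flagging: a label such as `barn` normalises to `bam`, so output from this check should feed an analyst queue or a low-severity alert rather than an automated block.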

In this presentation, we will describe a few typical compromise chains with some examples of phishing websites and analysis of multi-stage malware. For now, we have made no attribution of the group’s origin, but it is likely that it is operated from a Central Asian country, given the operating time zone and narrow targeting.