Caviar Scammers: Uncovering the SturgeonPhisher APT Group

Botconf 2024
2024-04-25 | 16:15 – 16:55

Damien Schaeffer 🗣

SturgeonPhisher is a cyberespionage group active since at least October 2021 and that is also known as YoroTrooper. The group targets government officials, think-tanks, and employees of state-owned companies mostly in countries bordering the Caspian Sea – the Russian Federation being one of the most targeted countries.

SturgeonPhisher has carried out spearphishing and webmail-credential stealing operations, and they also use a recently updated arsenal including some custom reverse shells, password stealers, multiple remote access trojans, and some Telegram-based backdoors as a way of performing espionage campaigns on selected targets.

We will describe numerous techniques SturgeonPhisher employs to compromise its targets. In their phishing operations, this threat actor used clever techniques to trick users to provide their credentials. We’ve also put in place a monitoring of their infrastructure and observed their operations over time. This gave us valuable insights about their TTPs and modus operandi.

In this presentation, we will describe a few typical compromise chains with some examples of phishing websites and analysis of multi-stage malware. We will also highlight their network infrastructure, talk about the victimology and post-compromise activities. Finally, we will provide hints about the group’s attribution and operating location based on our research.

Scroll to Top