“PoetRAT” Is Targeting Key Organizations and the Public Sector in Azerbaijan

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Cyberwarfare is now an integral part of any military conflict, and the ongoing clashes between Azerbaijan and Armenia create the conditions for higher rates of malware deployment. Cisco Talos researchers have identified a new variant of the “PoetRAT,” which is being deployed against the public sector of Azerbaijan, as well as various key organizations in the country.

Cisco has been following the particular actors and the specific tool in the past few months, and they have noticed some changes in the most recent versions. Most notably, the hackers have improved their operational security, as they now perform more analytical reconnaissance on their targets. Additionally, the malware author moved from a Python to a Lua script, which should make the code easier to parse and less demanding in terms of wrapping it with interpreters.

Read More: Taiwan Accuses Chinese Hackers of Lengthy and Catastrophic Cyber-Attacks

Other updates and changes concern the theming of the attacks, as the documents used back in September have changed from the ones used this month. The macro code in them remains the same, though, creating a ZIP file on the compromised system and executing the script inside the archive. The script downloads and executes the additional payload, but the researchers only managed to get a mocking .txt file at this point.

The most recent file used by the actors in this campaign is one that supposedly comes from the State Service for Mobilization and Conscription of Azerbaijan. The content has to do with a declaration of partial mobilization in the Republic of Azerbaijan, which is based on a real statement published by President Ilham Aliyev a week ago. This indicates that the trickery is adjusted quickly, and it will almost certainly not stay the same for long.

Source: Cisco Talos

Talos confirms that the attackers have already managed to access sensitive networks and data in Azerbaijan, so the campaign has been very effective so far. Unfortunately, though, the researchers couldn’t discern any details about the source of the attacks and who could be hiding behind them.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: