{
	"id": "6957a393-3f28-402e-bd8b-885e96b0f448",
	"created_at": "2026-04-06T00:21:40.336876Z",
	"updated_at": "2026-04-10T03:33:35.60077Z",
	"deleted_at": null,
	"sha1_hash": "04e908b255953d78a46af5e47f925525f495550d",
	"title": "The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3057047,
	"plain_text": "The InterPlanetary Storm: New Malware in Wild Using\r\nInterPlanetary File System’s (IPFS) p2p network\r\nBy Anomali Threat Research\r\nArchived: 2026-04-05 19:39:05 UTC\r\nA new malware was found that uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p\r\nnetwork, and is difficult to spot.\r\nhttps://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network\r\nPage 1 of 10\n\nSummary\r\nIn May 2019, a new malware was found in the wild that uses a peer-to-peer (p2p) network on top of InterPlanetary\r\nFile System’s (IPFS) p2p network. The malware found in the wild targets Windows machines and allows the\r\nthreat actor to execute arbitrary PowerShell code on the infected machines. The use of a legitimate p2p\r\nnetwork can make it difficult to discover the malicious traffic, as it is potentially blended in with legitimate traffic\r\nto the legitimate p2p network. It can also make it harder to sinkhole the botnet, since there is a risk that the legitimate\r\np2p network is taken down with it.\r\nIntroduction\r\nWhen a threat actor wants to commandeer a machine, a Command and Control (C2) communication channel\r\nneeds to be established. With this communication channel, the threat actor can send commands to the infected\r\nmachines, and the responses can be sent back from the infected machines to the actor. In general, there are two\r\ntypes of schemes that can be used. 
The first type is a p2p model, and the second type is a server-client model.\r\nServer-Client Model\r\nIn a server-client model, the infected machines connect to a set of C2 servers that provide the infected machines\r\nwith instructions and handle the responses sent back. A threat actor may use these C2 servers directly to control\r\nthe infected machines by having the administrator panel hosted on these servers. Another option is that the threat\r\nactor uses a second layer of C2 servers. These servers never talk directly to the infected machines. Instead, the\r\ncommands are sent from the second layer to the first, which relays the commands and the responses between the\r\ninfected machines and the second layer of C2 servers, acting more like a proxy. This has the potential of protecting\r\nthe second layer from being detected and possibly taken over by the authorities. Using two layers of C2 servers\r\nmay also increase stealth. The threat actor can, for example, use a non-malicious website to proxy or relay the\r\ncommunication.\r\nIn recent years, threat actors have started using legitimate web services for C2 communications. For example,\r\nTwitter, GitHub, and Instagram are legitimate services that have been misused by threat actors.[1] The use of\r\nlegitimate services has multiple advantages for the threat actor. By default, all of these services use\r\nencrypted communication via TLS. This means the threat actors do not need to configure and maintain certificates,\r\nbecause it is all done for them. Another benefit is that these services are common on home and corporate\r\nnetworks. The malware talks to the same servers as normal web browsers visiting the websites, essentially\r\nallowing the malicious traffic to blend in with the legitimate communications. While this method allows malware\r\ntraffic to hide better, it is easier for authorities to take down. 
One way of making takedowns harder is to use a p2p\r\nmodel instead of a server-client model.\r\nP2P Model\r\nIn a p2p model, the infected machines are not necessarily communicating directly with servers controlled by the\r\nthreat actor. Instead, the machines are connected directly to each other via a p2p network, commonly called a p2p\r\nbotnet. All the threat actor has to do is send a single command to one infected machine, and that command will\r\nautomatically propagate to all other infected machines. A p2p model is generally more difficult for a threat actor to\r\nimplement because there are different problems that need to be solved than when using the server-client model.\r\nThe first problem is bootstrapping. How does the newly infected machine find other infected machines to connect\r\nto? One method is to include in the malware a list of known peers that it can connect to. On the defender side, a\r\nknown bootstrapping list can be used for both detection and prevention, by blocking access to the machines on the\r\nlist at the perimeter. The other problem the threat actor needs to solve is Network Address Translation (NAT)\r\ntraversal for machines not directly connected to the internet.[2] A p2p network works by having the peers\r\nconnected to each other. If a machine is not directly connected to the internet but instead is connected via a NAT\r\nrouter, it cannot be reached by a machine on the internet. This is because the NAT router will only let through\r\ncommunication that is initiated from behind the NAT. This means that if all nodes of the p2p network are behind NAT,\r\nnone of the nodes would be able to connect to each other.\r\nWhen comparing to the server-client model, p2p botnets do not have the opportunity to hide their traffic amongst\r\nlegitimate traffic. 
Up until recently, p2p communication on a corporate network could be taken as suspicious\r\nactivity. In the present day, more and more legitimate services are utilizing p2p technology, which is slowly creeping into\r\nthe enterprise space. For example, Microsoft Windows 10 has a feature called “Delivery Optimization” that\r\ndelivers updates to machines via a p2p network established by machines connected to the same Active Directory\r\ndomain.[3] Similar to misusing web services to hide malicious traffic, threat actors misuse legitimate p2p networks\r\nto hide their traffic. In addition to blending with the normal traffic, the botnet is intertwined with the legitimate\r\nnodes in such a way that it is impossible to take down the malicious botnet without taking down the legitimate\r\np2p network. In May 2019, a new botnet was discovered that utilizes the IPFS p2p network.\r\nIPFS is a project that aims to improve today’s internet by making it more decentralized.[4] The project is designed\r\nto be a distributed p2p filesystem, and the filesystem can be used to host any kind of files, including static web\r\npages that can be viewed with a web browser. The files hosted on IPFS can be accessed by using a client or via\r\npublic gateways. For example, Cloudflare runs a public IPFS gateway.[5] The network code for IPFS is released\r\nas an open source project called “libp2p”, which is a modular network stack that allows anyone to take advantage\r\nof the network code used by IPFS.[6] The library’s support includes bootstrapping, NAT-traversal, relays, peer\r\ndiscovery, and pubsub functionality. It can be used to construct an independent p2p network by providing\r\nbootstrapping nodes. The library also includes IPFS’s bootstrapping nodes that can be used to layer the new p2p\r\nnetwork on top of IPFS’s p2p network. 
This functionality can be appealing to threat actors.\r\nThe malware discovered in May 2019 by Anomali Threat Research does use libp2p to layer its p2p network on\r\ntop of IPFS’s. The malware has been named IPStorm (InterPlanetary Storm) from its use of IPFS’s p2p network\r\nand the project name used by the threat actor.\r\nTechnical breakdown\r\nIPStorm is a malware written in Go (Golang). The samples found in the wild have been targeting the Windows\r\noperating system. The analyzed binaries include the path “/Users/brokleg/go/src/storm/”, which suggests it has\r\nbeen developed on a macOS machine and that the malware author has named the project “storm”, possibly after 2007’s\r\nworm named Storm that used a p2p network for C2 communication. The malware is large, with the unpacked\r\nbinary being around 15 MB in size. The code is split up into multiple Go packages. The packages are listed below:\r\nstorm/avbypass\r\nstorm/backshell\r\nstorm/ddb\r\nstorm/filetransfer\r\nstorm/logging\r\nstorm/node\r\nstorm/powershell\r\nstorm/util\r\nstorm/ddbinterface\r\nstorm/nodeinterface\r\nThe malware has some simple antivirus (AV) evasion techniques. It uses sleeps, memory allocations and\r\ngeneration of random numbers. The “allocateMemory” function is very simple. The core function body is shown\r\nin Figure 1. It allocates 100 byte arrays with a size of 3 MB each.\r\nFigure 1: Showing the memoryAllocation function. The function creates 100 (0x64) byte arrays with space for 3 MB\r\n(0x2dc6c0).\r\nInstead of using mutexes or window names to ensure single execution, IPStorm uses the third-party package\r\n“single” (github.com/marcsauter/single). Single uses lock files to ensure only one instance is running. 
The\r\n“single” name used by the malware is “n3R1PYfY”, and the lock file is placed in the %TMP% folder (%TMP%\r\n3R1PYfY.lock). When the malware is sure only one instance is running, it performs an enumeration of the\r\ninfected machine. It uses the third-party package goInfo (github.com/matishsiao/goInfo) and PowerShell\r\ncommands to collect most of the information. The collected information, which is published to the p2p network, is\r\nshown in the struct below:\r\n type node.NodeInfo struct { HostID string Version string Platform string SystemInfo\r\nTo ensure the malware can connect to the p2p network, it adds a rule to the firewall. For the networking part, the\r\nmalware uses “libp2p”. The underlying protocol used by the library is “protobuf”. The malware uses the PubSub\r\nfunctionality provided by the project. It uses two topics: “info” and “cmd”. To find other peers, it uses libp2p’s\r\nsupport for distributed hash tables (DHT). The new bot uses a hardcoded string to advertise its presence and to\r\nfind other peers.\r\nThe malware has support for downloading and uploading files. This is performed by sending the content over the\r\nPubSub network. Each bot in the network serves its executable file, and the threat actor uses this method to\r\ndistribute newer versions of the bot. It also has a “reverse shell” (called “backshell” by the author) functionality.\r\nWith this functionality, the threat actor can execute arbitrary PowerShell code on the infected machine. 
The\r\nmalware installs itself under the following location:\r\n \\.PHYSICALDRIVE0AppDataLocalPackages%s_%sAppData\r\nFor the first “%s”, the malware does a random selection from one of the folder names in the list below.\r\nMicrosoft.AAD.BrokerPlugin\r\nMicrosoft.AccountsControl\r\nMicrosoft.AsyncTextService\r\nMicrosoft.BioEnrollment\r\nMicrosoft.CredDialogHost\r\nMicrosoft.ECApp\r\nMicrosoft.LockApp\r\nAdobe.Photoshop\r\nAdobe.Illustrator\r\nAdobe.Reader\r\nThe second “%s” is replaced with a random string of 13 characters. The malware selects characters from the\r\nfollowing alphabet: “qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890”.\r\nThe name of the executable is randomly selected from the following list:\r\nsvchost\r\ncsrss\r\nrundll32\r\nwinlogon\r\nsmss\r\ntaskhost\r\nunsecapp\r\nAdobeARM\r\nwinsys\r\njusched\r\nBCU\r\nwscntfy\r\nconhost\r\ncsrss\r\ndwm\r\nsidebar\r\nADService\r\nAppServices\r\nacrotray\r\nctfmon\r\nlsass\r\nrealsched\r\nspoolsv\r\nRTHDCPL\r\nRTDCPL\r\nMSASCui\r\nFor persistence, the malware adds an entry to “HKCU:SoftwareMicrosoftWindowsCurrentVersionRun”.\r\nAnalysis\r\nThe malware has a relatively simple set of core functionalities but utilizes a complex network stack. The use of\r\nIPFS’s network stack allows the malicious botnet to hide within a legitimate p2p network. This makes it unclear\r\nwhich peers are infected bots and which are legitimate IPFS peers. As an example, during the bootstrap process, the\r\nmalware uses the same bootstrapping peers as the IPFS network does. It is likely the bots are in the development\r\nprocess and more functions will be added in the future. 
Bot versions found in the analyzed samples range from\r\n“0.0.2n” to “0.0.2y”, suggesting an early stage of the bot’s evolution.\r\nFrom the analysis of an estimated source code tree structure, generated using metadata in the samples, it is\r\npossible the malware either can be compiled for other operating systems than Windows or is in the process of\r\nbeing developed for other operating systems. The tree structure below shows that most of the code for the\r\n“backshell” was located in the file “backshell.go”, while one function is located in the file named\r\n“backshell_windows.go”. This suggests the author uses Go’s build tags support to select which “openLocalShell”\r\nfunction to compile depending on the target operating system. It can also be concluded that the malware was\r\ncompiled on a macOS machine.\r\n Package storm/backshell: /Users/brokleg/go/src/storm/backshell File: backshell.go (init)ializ\r\nThe botnet size is likely in the lower thousands, because during a ten-hour collection, 2847 unique p2p nodes\r\nannounced themselves with the identifier used by the malware and were added to the DHT. This number does not\r\ncorrespond to the number of bots in the botnet, since the bot generates a new libp2p id each time it is started up, but it is\r\na good estimate of the upper bound of the botnet size. The size of the botnet may be indicative of it still being in\r\nits early stage of evolution.\r\nConclusion\r\nIn general, the network architecture for botnets can be described either as a server-client model or a p2p model.\r\nThe p2p model is usually much harder to implement but also more resilient against take-downs. A downside to the\r\np2p model is that it is noisier than the server-client model. The server-client model uses legitimate web services to\r\nhide its traffic among the legitimate traffic. 
In May 2019, a new malware was discovered that uses IPFS’s\r\np2p network to hide its p2p traffic. This is the first malware found in the wild that is using IPFS’s p2p network for\r\nits C2 communication. By using a legitimate p2p network, the malware can hide its network traffic among\r\nlegitimate p2p network traffic. This method also provides some protection against takedowns, since sinkholing the\r\np2p network potentially could take down the whole IPFS network. With a good open source library that allows\r\nany threat actor to implement a p2p network with relative ease, is this just the beginning of a new evolution of p2p\r\nbotnets?\r\nThreatstream enterprise users can read a more detailed analysis here.\r\nIOCs\r\n2545175418021b0bcdce1fa055dc292500fa9895857c6df86461f9d74a342d15\r\n41ec6577b3a362cf9e5b136ca3971204147bc6c171b65bab3546f631a5c2efe0\r\n49c3fa3a2b7b5894559a28456ad611fa4692f72c1ec86eee925df81735278d53\r\n5918446d82bd8d6c40c6cdf5ab70a012f27939e9154e26f79a7c9870811cad8c\r\n5d980fa37aef47022941f6afffe718ed0eed4de746edd7f494a407f84e75fd50\r\n7f731d2502dd39cbc16193ca7e9d147fe158c10236e00c634bb0680e2bfc4bfa\r\n8531921258132a4eb9b4b4545e85c72c2815d53c22f72f92822c199a15562a7c\r\n8b24e640338654fbda233f50766136a9cf33f1a5444fd98162edbc2bdaf324c2\r\nc0cfc62c5c349523884d502088234026c3eb67c802d7d02018e7aa9337930e0b\r\nc19b34621a7a57d831113e0b854bbc1fa7217d578ca9bd477d805f56a73a0100\r\ncc124869cbc871ec99d3470f2287df816a5f75a05eaf79df65a8ecf9a8283eb9\r\nf987928992a9c43c65429d2abe93b4683a027b520d79246248fca49c31f234d7\r\nfe8dc4955f2e04bbf800e913d29848c2b99999554a802226e72ce68b6d8c71f7\r\n01658e8cc706056aca50304b29bfcab92a60cd38771f2b3069ba94f525661122\r\n039ae75eff58a5b1125c6d3248dfce338573a9040709b3a9e8cf910a1b4ada75\r\n2accb615e375b99bb92c67655ad9558c44782148d8264ef94e5a0a7d4dc1c5da\r\n2e751a9874267b100b10196ebbef58cfcf46644651b099c8a9cd1dd7cee64e8f\r\n3276bcd9b95a28234c1ea5205d8c2358f5040e694331a16cef09d273b6238178\r\n365480a61e39b67234692ba8b75b95749434aba28c952ac32f70ed777d25810a\r\n36d652460b71f6e9aca16ba331197fc384f323f70ea879ec8ea40a7a5f554a7e\r\n4549a271e2c4b157c8abe099d2e84c8f3d7c18782956267429e0be6e17eaed41\r\n500f004eb51f282c14939ba52a5d85ac71f85e1f0ede00803a6ae3a2f01c272d\r\n66d3799fc8132376d87f326f0131c41afecef560b0368bc54cc27b816025d9e6\r\n948042a3071a4a6e1063f2e09717fd70f23e2c37cbdf024ccded76477b94778e\r\na2d36f477e2a87acab32a1988f77b00ce9f24d61a4a21e63a8c67747ff2633fd\r\naf32455f41865094da020cad2675775bddd907020ed12d4ed68de5051ed62643\r\nde0b86fe66be7ef3f30f28d514c8bbced2973e78d9473671f16f4365e05e5a99\r\ne093152a3e44279259839e1c35eeaeb5ea0803611747b8b38acaffd65a83f83a\r\nf5ac2e7a6cfe6ce576a9c0df3721f90c5be93b5e4694716470ec7ea3c7492f59\r\nReferences\r\n1. Jean-Ian Boutin, “Turla’s watering hole campaign: An updated Firefox extension abusing Instagram,” ESET, accessed May 28, 2019, published June 6, 2017, https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/; FireEye Threat Intelligence, “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group,” FireEye Blog, accessed May 28, 2019, published July 29, 2015, https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html.\r\n2. James Wyke, “The ZeroAccess Botnet – Mining and Fraud for Massive Financial Gain,” Sophos, accessed May 28, 2019, published September 2012, https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf.\r\n3. Windows IT Pro Center, “Delivery Optimization for Windows 10 updates,” Microsoft, accessed May 29, 2019, published May 31, 2019, https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization.\r\n4. “A modular network stack,” Protocol Labs, accessed May 31, 2019, https://ipfs.io.\r\n5. “Distributed Web Gateway,” Cloudflare, accessed May 31, 2019, https://www.cloudflare.com/distributed-web-gateway.\r\n6. “A modular network stack,” Protocol Labs, accessed May 31, 2019, https://ipfs.io.\r\nSource: https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network"
	],
	"report_names": [
		"the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04e908b255953d78a46af5e47f925525f495550d.pdf",
		"text": "https://archive.orkl.eu/04e908b255953d78a46af5e47f925525f495550d.txt",
		"img": "https://archive.orkl.eu/04e908b255953d78a46af5e47f925525f495550d.jpg"
	}
}