{ "id": "d4d0e6f5-1529-4e43-b84c-408d7903a468", "created_at": "2026-04-06T00:08:46.336147Z", "updated_at": "2026-04-10T03:33:36.163521Z", "deleted_at": null, "sha1_hash": "1444993e836f6e7037e3e4d0c906f8ee59bdd24e", "title": "Deobfuscating PowerShell Malware Droppers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3100490, "plain_text": "Deobfuscating PowerShell Malware Droppers\r\nBy Ryan Cornateanu\r\nPublished: 2021-09-27 · Archived: 2026-04-05 12:47:21 UTC\r\nI recently saw a video of Ahmed S Kasmani dissecting a ComRAT PowerShell script to obtain the main malware\r\nthat it drops onto the victim’s computer. If you haven’t seen the video yet, I highly encourage you to watch it. This\r\npaper is going to go into similar detail, as well as my own approach to deobfuscating PowerShell scripts to get to\r\nthe main payload. To follow along, you can use this hash to download this script from VirusTotal:\r\n134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8\r\nSo what is ‘ComRAT’ besides a city and municipality in Moldova and the capital of the autonomous region of\r\nGagauzia? It was started by a Turla hacker group, one of Russia’s most advanced state-sponsored hacking groups\r\nthat began in 2007. Although the latest version of ComRAT v4 was created in 2017, it is still being used a bit\r\ntoday.\r\nPress enter or click to view image in full size\r\nComRAT Timeline from ZDnet[.]com\r\nTurla hacking group’s modus operandi was to target government and military facilities. Turla has since been\r\ndubbed by other names such as Snake, Krypton, and Venomous Bear.\r\nAttack Chain\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 1 of 15\n\nMechanism of Attack\r\nIn this paper, we will be going over how the dropper operates, and the logic on how the malware gets to stage 2,\r\nwhich is the DLL payload. This cyber-kill chain graph will be a work in progress on my end as I did not fully\r\nreverse engineer much after the DLL was dropped. Maybe I will turn this into a series, where I go over every part\r\nof the chain, but for now let’s focus on the first three components in the graphic above.\r\nDiving into the PowerShell\r\nFor this lab exercise, we are going to use Visual Studio Code on a Windows VM since they have a great linter for\r\nPowerShell scripts. Let’s open up the file, and dive in.\r\nPress enter or click to view image in full size\r\nOriginal PowerShell opened in VSC\r\nThree major things hit me at first… 1) this is a lot of base64, 2) the PowerShell is not formatted out correctly, and\r\n3) the variable names are completely randomized. First let’s take care of how many lines of code the base64 is\r\ntaking up. We can easily fix this by going to View-\u003eToggle Word Wrap and uncheck it by simply clicking on it.\r\nNow, we want this to be properly formatted, this can be fixed by hitting SHIFT+ALT+F .\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 2 of 15\n\nPress enter or click to view image in full size\r\nPowerShell reformatted\r\nThis looks a lot cleaner! Time to break down the two functions inside this PowerShell and start renaming function\r\n/ variable names. Let’s start with the first one. It looks like some sort of string generator.\r\nObfuscation of Function \u0026 Variable Names\r\nfunction TVM730egf([string[]]$GP50afa) {\r\n $UC33gfa = ((1..(Get-Random -Min 2 -Max 4) |\r\n % { [Char](Get-Random -Min 0x41 -Max 0x5B) }) -join '');\r\n $EQ33abh = ((1..(Get-Random -Min 2 -Max 4) |\r\n % { [Char](Get-Random -Min 0x30 -Max 0x3A) }) -join '');\r\n $OFK689fa = ((1..(Get-Random -Min 2 -Max 4) |\r\n % { [Char](Get-Random -Min 0x61 -Max 0x6B) }) -join '');\r\n $TTG32aa = $UC33gfa + $EQ33abh + $OFK689fa;\r\n if ($GP50afa -contains $TTG32aa) {\r\n $TTG32aa = Get-RandomVar $GP50afa;\r\n }\r\n $GP50afa += $TTG32aa;\r\n return $TTG32aa, $GP50afa;\r\n}\r\nThe first three lines look to be generating only capital letters ranging from 2 to 4 bytes. The second line does\r\nexactly the same thing as line 1 but only generates numbers. The third generator generates a 2 to 4 byte lowercase\r\nstring. Let’s rename a few variables and see how it looks.\r\nfunction rand_string_generator([string[]]$param1_str) {\r\n $rand_upper_str = ((1..(Get-Random -Min 2 -Max 4) ...\r\n $rand_num_str = ((1..(Get-Random -Min 2 -Max 4) ...\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 3 of 15\n\n$rand_lower_str = ((1..(Get-Random -Min 2 -Max 4) ...\r\n $rand_str_gen = $rand_upper_str\r\n + $rand_num_str\r\n + $rand_lower_str;\r\n if ($param1_str -contains $rand_str_gen) {\r\n $rand_str_gen = Get-RandomVar $param1_str;\r\n }\r\n $param1_str += $rand_str_gen;\r\n return $rand_str_gen, $param1_str;\r\n}\r\nNow we can copy this function, and paste it into a PowerShell command line, and see what the output will look\r\nlike.\r\nPS C:\\Users\\ryancor\u003e rand_string_generator(\"test\")\r\nFN36dd\r\ntest\r\nFN36dd\r\nEasy enough, this looks like it feeds in a string, and does a check to make sure the random string it generates does\r\nnot match the string parameter. If they are a match, it will get a random byte from the parameter string and add it\r\nto the random string. Looks like this function gets referenced about 10 times throughout the program.\r\n$rand_string_array = @();\r\n[string]$PS061hh, [string[]]$rand_string_array =\r\n rand_string_generator $rand_string_array;\r\n[string]$RPW45dij, [string[]]$rand_string_array =\r\n rand_string_generator $rand_string_array;\r\n[string]$RIZ505ia, [string[]]$rand_string_array =\r\n rand_string_generator $rand_string_array;\r\n...PS C:\\Users\\ryancor\u003e $rand_string_array\r\nXLA320efe\r\nYUP59cg\r\nCB456fgb\r\nBW13chi\r\nNQG095gg\r\nNP120ceh\r\nYG27gf\r\nOXN26bd\r\nVE440ihi\r\nGH90ggd\r\nIf we look at the array and the single random strings returned, they never get referenced again in the program.\r\nWith that being said, if we pay attention to the how the function and variable names are specifically labeled, we\r\nfind a massive similarity to the output above. The string generator takes in a string and concatenates an array of\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 4 of 15\n\nrandomized bytes that start with two to three uppercase letters, followed by two to three integers, then lastly, two\r\nto three lowercase letters. This entire script follows this XXX000xxx naming convention. So it’s safe to say this is\r\nhow they obfuscated the entire dropper as I assume the author’s copy of this PowerShell script has debug symbols\r\nthat helped the malware writers QA their work before shipping this out to their targets/victims.\r\nExecuting Embedded C# Code\r\nTime to move on over to function PAZ488af which referenced the random string generator, but we are going to\r\nstart from the top as it has important information about what’s going to be dropped, while also renaming some\r\nvariables to better understand what is happening here. Starting with the first 10 lines, there is already so much\r\ngoing on:\r\n$task_sched = New-Object -ComObject('Schedule.Service');\r\n$task_sched.connect('localhost');\r\n$objFoldr = $task_sched.GetFolder($param2);\r\n$null_task = $task_sched.NewTask($null);[string]$filename = [System.IO.Path]::GetTempFileName();\r\nRemove-Item -Path $filename -Force;\r\n[string]$ps1_name = [System.IO.Path]::GetFileName($filename);$ascii = New-Object System.Text.ASCIIEnc\r\n$base64_decoded_bytes =\r\n [Convert]::FromBase64String(\"cHVibGljIHN0YXRpY....\");\r\n$ps_decoded_class = $ascii.GetString($base64_decoded_bytes, 0,\r\n $base64_decoded_bytes.Length);\r\ntry {\r\n Add-Type $ps_decoded_class -erroraction 'silentlycontinue' }\r\n catch {\r\n return;\r\n }\r\nThe first four lines are dedicated to testing the presence of a folder, and scheduling a task at\r\nMicrosoft\\Windows\\Customer Experience Improvement Program , we don’t know what significance this has yet\r\nbut maybe we will find out later. If you’re wondering how I found out what $param2 was in\r\n$task_sched.GetFolder($param2); was, all I had to do was trace out how this function was being called, and the\r\nsecond to last line of this PowerShell dropper shows the string arguments that were used.\r\nPress enter or click to view image in full size\r\nString Arguments Used\r\nThe next 3 lines will grab the PowerShell script name and remove the path from it until it is just a filename string.\r\nNow, the last few lines of the script above are decoding a large base64 string, so we can use cyberchef to see this\r\nis.\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 5 of 15\n\nLooks like some interesting embedded C#! So what I like to do since that classname will most likely be referenced\r\nin our script, is copy and paste this into our dropper file. Yes, you can execute C# functions from PowerShell, and\r\nthat’s what the try,except statement is attempting to do. As shown in Microsoft’s documentation, the Add-Type cmdlet lets you define a Microsoft .NET Core class in your PowerShell session. You can then instantiate\r\nobjects, by using the New-Object cmdlet, and use the objects just as you would use any .NET Core object.\r\nGet Ryan Cornateanu’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nSo let’s rename the classname RZP645be to decryption_class , and the function within XD014ic to decrypt ,\r\nsince this looks to be a simple multi-key byte XOR decryption. You’ll notice as we are replacing this in the script,\r\nwe can see it is being called a couple of times throughout the PowerShell script.\r\n$TEX262hh = 'H4sIAAAAAAAEAIy5xw7ETJIeeB9g3qEhCJAEzgy9KQ...'\r\n$HT29hh = [Convert]::FromBase64String($TEX262hh);\r\n$MO67cc = 'H4sIAAAAAAAEAIy5xw7ETJIeeB9g3qEhCJAEzgy9KQ...'\r\n$PVU468aa = [Convert]::FromBase64String($MO67cc);\r\n$GS459ea = \"$((1..(Get-Random -Min 8 -Max 10) | %\r\n {[Char](Get-Random -Min 0x3A -Max 0x5B)}) -join '')\r\n $((1..(Get-Random -Min 5 -Max 8) | % {[Char](Get-Random\r\n -Min 0x30 -Max 0x3A)}) -join '')\r\n $((1..(Get-Random -Min 8 -Max 10) | %{[Char](Get-Random\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 6 of 15\n\n-Min 0x61 -Max 0x7B)}) -join '')\";\r\n[byte[]]$JQ587aa = [decryption_class]::decrypt($HT29hh,\r\n $ascii.GetBytes($GS459ea));\r\n[byte[]]$QIG418ba = [decryption_class]::decrypt($PVU468aa,\r\n $ascii.GetBytes($GS459ea));\r\n$AT85ced = [Convert]::ToBase64String($JQ587aa);\r\n$ARO88iab = [Convert]::ToBase64String($QIG418ba);\r\nLet’s break this down, we have two extremely large base64 strings, and so we will start with those using\r\ncyberchef. Once you use the base64 decoder, you’ll notice both of these encoded strings have very similar\r\nheaders, so it has to mean something:\r\n...........¹Ç.ÄL..x.`Þ¡!...Î.½)\r\nThe problem is, we have no idea what type of file format this is. So we can use cyberchef’s Detect File Type\r\nplugin to help us identify.\r\nPress enter or click to view image in full size\r\nDetecting file format of unknown bytes\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 7 of 15\n\nGunzip the bytes\r\nIt looks like we have more PowerShell code being decompressed. So we can start renaming variables to make this\r\nscript look cleaner.\r\nPress enter or click to view image in full size\r\nPowerShell Script Dropper Base64 Encoded Strings\r\nWe are not sure what it’s decrypting, given the fact that these are compressed bytes, and not encrypted bytes from\r\nwhat we were able to prove with cyberchef, but maybe it will become more clear as we move along. At this point,\r\nI took the decompressed code, and moved it to a separate file that I named dropper_part_2.ps1 , and reformatted\r\nit.\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 8 of 15\n\nNew IOC dropper script\r\nLet’s go back to our main dropper script because we have to take a look at this function\r\n( [decryption_class]::decrypt ) a little closer. Once the script decrypts the decoded bytes, it assigns certain\r\npointer values.\r\n[byte[]]$decrypted_ps_bytes_1 =\r\n [decryption_class]::decrypt($ps_decoded_1,\r\n $ascii.GetBytes($rand_key));\r\n[byte[]]$decrypted_ps_bytes_2 =\r\n [decryption_class]::decrypt($ps_decoded_2,\r\n $ascii.GetBytes($rand_key));\r\n$base64_encoded_decrypted_bytes_1 =\r\n [Convert]::ToBase64String($decrypted_ps_bytes_1);\r\n$base64_encoded_decrypted_bytes_2 =\r\n [Convert]::ToBase64String($decrypted_ps_bytes_2);\r\n...$sqmclient_reg_path = \"HKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows\";\r\nif ([System.IntPtr]::Size -eq 4) {\r\n $HQO388ea = $base64_encoded_decrypted_bytes_1;\r\n}\r\nelse {\r\n $HQO388ea = $base64_encoded_decrypted_bytes_2;\r\n}\r\nWe have two ways of figuring out what is the purpose of the decryption, we can simply figure out what\r\n[System.IntPtr]::Size does, or we can actually debug this. The lazy way is to look at the Microsoft docs. It\r\nstates that the size of a pointer or handle in this process is measured in bytes. The value of this property is 4 in a\r\n32-bit process, and 8 in a 64-bit process. You can define the process type by setting the /platform switch when\r\nyou compile your code with the C# and Visual Basic compilers. Now we know why there were basically two\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 9 of 15\n\nidentical PowerShell scripts being decoded, one will most likely drop a 64-bit DLL or EXE, and the other script\r\nwill drop a 32-bit one.\r\nWriting \u0026 Persistence Mechanisms\r\nAs you can see below, after renaming some variables, we can see the main purpose of the rest of the script is to\r\ncreate schedulers, triggers, and executions with the wsqmcons binary, which is a software component of\r\nMicrosoft. Windows SQM consolidator is tasked with collecting and sending usage data to Microsoft. Wsqmcons\r\nis a file that runs the Windows SQM consolidator, and is usually deemed as a safe file for your PC. In this case, it\r\nis used being used for malicious purposes. The modification of the scheduled task shown below indicates the\r\nprimary purpose of this task modification is to decode and execute a PowerShell script contained within the\r\nregistry key HKLM:\\SOFTWARE\\Microsoft\\SQMClient\\Windows = WSqmCons and the script will inject the payload\r\ninto the WsqmCons registry key.\r\nPress enter or click to view image in full size\r\nMalware disguising itself as a safe process\r\nKnowing this now, I feel comfortable to skip the rest of the main script we were looking at. So we can focus our\r\nattention back to the script that we just decoded (the script that we dubbed dropper_part_2.ps1 ).\r\nPE Dropper\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 10 of 15\n\nExecution of C# Script\r\nAnalyzing the first few lines, it looks fairly similar to what we saw before in the main script. I’ll take this base64\r\nstring and decode it in cyberchef. Once you do this you’ll notice another blob of C# code.\r\nPress enter or click to view image in full size\r\nUnder the hood of the C# Script\r\nWhen we highlight some of the public classes and functions, we can see where they are being highlighted in the\r\nPowerShell script. VO01bag , which has the functions XOP22aj \u0026 RJ85ige , looks like a simple gunzip\r\ncompression and decompression, so we can rename those accordingly. The class WQS70fb and function\r\nYQ498hff looks like it takes in an input of bytes and writes them out to a file. I’ve renamed them as well since\r\nwe can see them being used throughout the file. Now if we go back to the decompression function from the\r\ndecoded C# with our renamed variables, it feels like we are getting closer to our PE file.\r\npublic static byte[] decompress_array(byte[] arrayToDecompress)\r\n{\r\n using (MemoryStream inStream = newMemoryStream(arrayToDecompress))\r\n using (GZipStream bigStream = new GZipStream(inStream,\r\n CompressionMode.Decompress))\r\n using (MemoryStream bigStreamOut = new MemoryStream())\r\n {\r\n WriteClass.write_to_file(bigStream, bigStreamOut);\r\n return bigStreamOut.ToArray();\r\n }\r\n}\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 11 of 15\n\nOur WriteClass does not get called in the PowerShell script, but it does get called in C# code within the\r\nDecompressionClass , which tells us that after certain bytes are decompressed, it gets written to a file because if\r\nwe reference this decompress_array function, we can see it being used as such:\r\n$FV18hi = [DecompressionClass]::decompress_array($TEM52cbe);\r\n....\r\n$PEBytes = [DecompressionClass]::decompress_array($PEbytes);\r\nLooks like we found out where our PE bytes are being decompressed, written, and dropped.\r\nPress enter or click to view image in full size\r\nPE Dropper\r\nThe remainder of the script before the PE bytes get written to memory, is the use of a 3DES decryption algorithm\r\nwith an initialization vector of FVADRCORAOSKBHPX to encrypt/decrypt the contents of another PowerShell script\r\nwith a password and salt. It will then be stored in a Windows registry path as seen in the screenshot above. In turn,\r\nit will make analysis of the script impossible without the correct password and salt combination. This command\r\n( IEX ) on the last line will execute the dropped PE file onto the victim machine. You can find the open-source\r\nPowerSploit script here.\r\nFor the moment we have all been waiting for, let’s take the base64 string I labeled as $pe_encoded_bytes and\r\nthrow it into cyber chef to decode and decompress.\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 12 of 15\n\nDecoded \u0026 Decompressed PE\r\nIf we click the file save icon, we can download this binary. Now we can check the IOC on it, and see if anything\r\npops up in VirusTotal.\r\n➜ file payload.bin\r\npayload.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\n➜ openssl sha1 payload.dll\r\nSHA1(payload.dll)= d117643019d665a29ce8a7b812268fb8d3e5aadb\r\nLooks like we are dealing with a dynamic link library file, which we will not be able to reverse engineer for this\r\npaper (but we’ll still want to see this payload through eventually).\r\nPress enter or click to view image in full size\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 13 of 15\n\nVirusTotal Hit\r\nLooks like we hit the jackpot, and I’m sure the DLL will show all the inner workings of how ComRAT works.\r\nPress enter or click to view image in full size\r\nDisassembly of DLL\r\nTaking a small peak under the hood of this DLL, we can see a lot of the imported API calls have to do with\r\ncryptography and process injections, which could mean there are other stages to this malware, but as you can see\r\nto the right of the picture above, there is a function I reverse engineered already that is responsible for decrypting\r\nand resolving 100’s of APIs from Kernel32.\r\nIOCs\r\nMain PowerShell Script\r\n134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef\r\nPE Dropper PowerShell Script\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 14 of 15\n\n187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c\r\nDropped DLL Backdoor\r\nb93484683014aca8e909c9b5648d8f0ac21a45d0c193f6ca40f0b01d2464c1c4\r\nConclusion\r\nThis PowerShell script that we went through installs a secondary PowerShell script, to which we analyzed and\r\nfigured that it decodes and loads either a 32-bit DLL or a 64-bit DLL that will most likely be used as its\r\ncommunication module. It was stated by CISA that the FBI has had high confidence that this malware is a Russian\r\nstate sponsored APT (Advanced Persistent Threat) group that uses this malicious virus to exploit victim’s\r\nnetworks. With that being said, here are all the PowerShell scripts I deobfuscated for this research paper. Dropper\r\nPart I \u0026 Dropper Part II.\r\nThank you for following along! I hope you enjoyed it as much as I did. If you have any questions on this article or\r\nwhere to find the challenge, please DM me at my Instagram: @hackersclub or Twitter: @ringoware\r\nHappy Hunting :)\r\nReferences\r\nMalpedia: Turla Group\r\nZDNet: Hacking group steals antivirus logs to see if its malware was detected\r\nCISA: Malware Analysis Report (AR20–303A)\r\nSource: https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nhttps://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d" ], "report_names": [ "deobfuscating-powershell-malware-droppers-b6c34499e41d" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434126, "ts_updated_at": 1775792016, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1444993e836f6e7037e3e4d0c906f8ee59bdd24e.pdf", "text": "https://archive.orkl.eu/1444993e836f6e7037e3e4d0c906f8ee59bdd24e.txt", "img": "https://archive.orkl.eu/1444993e836f6e7037e3e4d0c906f8ee59bdd24e.jpg" } }