{
	"id": "229b33c4-6f96-45d0-aed8-a01e48792c64",
	"created_at": "2026-04-06T00:21:08.313428Z",
	"updated_at": "2026-04-10T13:11:26.806048Z",
	"deleted_at": null,
	"sha1_hash": "1b11e2647dba0f9ca526db57938194db8b488cb8",
	"title": "Regin: nation-state ownage of GSM networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1732012,
	"plain_text": "Regin: nation-state ownage of GSM networks\r\nBy GReAT\r\nPublished: 2014-11-24 · Archived: 2026-04-05 12:36:47 UTC\r\nMotto: “Beware of Regin, the master! His heart is poisoned. He would be thy bane…”\r\n“The Story of Siegfried” by James Baldwin\r\n \r\nIntroduction, history\r\nDownload our full Regin paper (PDF).\r\nIn the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu\r\nmalware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware\r\nincident. Although he couldn’t share a sample, the third-party researcher mentioned the “Regin” name, a malware\r\nattack that is now dreaded by many security administrators in governmental agencies around the world.\r\nFor the past two years, we’ve been tracking this most elusive malware across the world. From time to time,\r\nsamples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in\r\nfunctionality and lacking context.\r\nIt’s unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to\r\n2003.\r\nThe victims of Regin fall into the following categories:\r\nTelecom operators\r\nGovernment institutions\r\nMulti-national political bodies\r\nFinancial institutions\r\nResearch institutions\r\nIndividuals involved in advanced mathematical/cryptographical research\r\nSo far, we’ve observed two main objectives from the attackers:\r\nIntelligence gathering\r\nFacilitating other types of attacks\r\nWhile in most cases, the attackers were focused on extracting sensitive information, such as e-mails and\r\ndocuments, we have observed cases where the attackers compromised telecom operators to enable the launch of\r\nadditional sophisticated attacks. 
More about this in the GSM Targeting section below.\r\nhttps://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/\r\nPage 1 of 11\n\nPerhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater\r\n(https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014,\r\nQuisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain\r\nsamples from the Quisquater case and confirm they belong to the Regin platform.\r\nAnother interesting victim of Regin is a computer we are calling “The Magnet of Threats“. This computer\r\nbelongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm\r\nand some other advanced threats that do not have a public name, all co-existing happily on the same computer at\r\nsome point.\r\nInitial compromise and lateral movement\r\nThe exact method of the initial compromise remains a mystery, although several theories exist, which include\r\nman-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and\r\nmodules designed for lateral movement. So far, we have not encountered any exploits. The replication modules\r\nare copied to remote computers by using Windows administrative shares and then executed. Obviously, this\r\ntechnique requires administrative privileges inside the victim’s network. In several cases, the infected machines\r\nwere also Windows domain controllers. 
Targeting of system administrators via web-based exploits is one simple\r\nway of achieving immediate administrative access to the entire network.\r\nThe Regin platform\r\nIn short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote\r\ncontrol at all possible levels.\r\nThe platform is extremely modular in nature and has multiple stages.\r\nRegin platform diagram\r\nThe first stage (“stage 1”) is generally the only executable file that will appear in victims’ systems. Further stages\r\nare stored either directly on the hard drive (for 64-bit systems), as NTFS Extended Attributes or as registry entries.\r\nWe’ve observed many different stage 1 modules, which sometimes have been merged with public sources to\r\nachieve a type of polymorphism, complicating the detection process.\r\nThe second stage has multiple purposes and can remove the Regin infection from the system if instructed to do so by\r\nthe third stage.\r\nThe second stage also creates a marker file that can be used to identify the infected machine. Known filenames for\r\nthis marker are:\r\n%SYSTEMROOT%\\system32\\nsreg1.dat\r\n%SYSTEMROOT%\\system32\\bssec3.dat\r\n%SYSTEMROOT%\\system32\\msrdc64.dat\r\nStage 3 exists only on 32-bit systems – on 64-bit systems, stage 2 loads the dispatcher directly, skipping the third\r\nstage.\r\nStage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the\r\nuser-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or\r\nextracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.\r\nThe dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access\r\nvirtual file systems, basic communications and storage functions as well as network transport sub-routines. 
In\r\nessence, the dispatcher is the brain that runs the entire platform.\r\nA thorough description of all malware stages can be found in our full technical paper.\r\nVirtual File Systems (32/64-bit)\r\nThe most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File\r\nSystems (VFSes).\r\nDuring our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these\r\nhave random names and can be located in several places in the infected system. For a full list, including the format of\r\nthe Regin VFSes, see our technical paper.\r\nUnusual modules and artifacts\r\nWith high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen.\r\nSome of the VFSes we analyzed contain words which appear to be the respective codenames of the modules\r\ndeployed on the victim:\r\nlegspinv2.6 and LEGSPINv2.6\r\nWILLISCHECKv2.0\r\nHOPSCOTCH\r\nAnother module we found, a plugin of type 55001.0, references another codename,\r\nU_STARBUCKS:\r\nGSM Targeting\r\nThe most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One\r\nVFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station\r\nController.\r\nFrom https://en.wikipedia.org/wiki/Base_station_subsystem\r\nAccording to the GSM documentation (http://www.telecomabc.com/b/bsc.html): “The Base Station Controller\r\n(BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the\r\nallocation of radio resources to a mobile call and for the handovers that are made between base stations under his\r\ncontrol. 
Other handovers are under control of the MSC.”\r\nHere’s a look at the decoded Regin GSM activity log:\r\nThis log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps\r\nwhich indicate exactly when the command was executed.\r\nThe entries in the log appear to contain Ericsson OSS MML (Man-Machine Language, as defined by ITU-T)\r\ncommands.\r\nHere’s a list of some commands issued on the Base Station Controller, together with some of their timestamps:\r\n2008-04-25 11:12:14: rxmop:moty=rxotrx;\r\n2008-04-25 11:58:16: rxmsp:moty=rxotrx;\r\n2008-04-25 14:37:05: rlcrp:cell=all;\r\n2008-04-26 04:48:54: rxble:mo=rxocf-170,subord;\r\n2008-04-26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a;\r\n2008-04-26 10:06:03: IOSTP;\r\n2008-04-27 03:31:57: rlstc:cell=pty013c,state=active;\r\n2008-04-27 06:07:43: allip:acl=a2;\r\n2008-04-28 06:27:55: dtstp:DIP=264rbl2;\r\n2008-05-02 01:46:02: rlstp:cell=all,state=halted;\r\n2008-05-08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83\u0026512\u002693\u002690\u0026514\u0026522,listtype=active;\r\n2008-05-08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x;\r\n2008-05-12 17:28:29: rrtpp:trapool=all;\r\nDescriptions for the commands:\r\nrxmop – check software version type;\r\nrxmsp – list current call forwarding settings of the Mobile Station;\r\nrlcrp – list of call forwarding settings for the Base Station Controller;\r\nrxble – enable (unblock) call forwarding;\r\nrxtcp – show the Transceiver Group of a particular cell;\r\nallip – show external alarm;\r\ndtstp – show Digital Path (DIP) settings (DIP is the name of the function used for supervision of the\r\nconnected PCM (Pulse Code Modulation) lines);\r\nrlstc – activate cell(s) in the GSM network;\r\nrlstp – stop cell(s) in the GSM network;\r\nrlmfc – add 
frequencies to the active broadcast control channel allocation list;\r\nrlnri – add cell neighbour;\r\nrrtpp – show radio transmission transcoder pool details;\r\nThe log seems to contain not only the executed commands but also usernames and passwords of some engineering\r\naccounts:\r\nsed[snip]:Alla[snip]\r\nhed[snip]:Bag[snip]\r\noss:New[snip]\r\nadministrator:Adm[snip]\r\nnss1:Eric[snip]\r\nIn total, the log indicates that commands were executed on 136 different cells. Some of the cell names include\r\n“prn021a, gzn010a, wdk004, kbl027a, etc…”. The command log we obtained covers a period of about one\r\nmonth, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008\r\nthough; perhaps the infection was removed or the attackers achieved their objective and moved on. Another\r\nexplanation is that the attackers improved or changed the malware to stop saving logs locally and that’s why only\r\nsome older logs were discovered.\r\nCommunication and C\u0026C\r\nThe C\u0026C mechanism implemented in Regin is extremely sophisticated and relies on communication drones\r\ndeployed by the attackers throughout the victim networks. Most victims communicate with another machine in\r\ntheir own internal network, through various protocols, as specified in the config file. These include HTTP and\r\nWindows network pipes. 
The purpose of such a complex infrastructure is to achieve two goals: give attackers\r\naccess deep into the network, potentially bypassing air gaps, and restrict as much as possible the traffic to the\r\nC\u0026C.\r\nHere’s a look at the decoded configurations:\r\n17.3.40.101 transport 50037 0 0 y.y.y.5:80 ; transport 50051 217.y.y.yt:443\r\n17.3.40.93 transport 50035 217.x.x.x:443 ; transport 50035 217.x.x.x:443\r\n50.103.14.80 transport 27 203.199.89.80 ; transport 50035 194.z.z.z:8080\r\n51.9.1.3 transport 50035 192.168.3.3:445 ; transport 50035 192.168.3.3:9322\r\n18.159.0.1 transport 50271 DC ; transport 50271 DC\r\nIn the above table, we see configurations extracted from several victims that bridge together infected machines in\r\nwhat appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out\r\nto the “external” C\u0026C server at 203.199.89.80.\r\nThe numbers right after the “transport” indicate the plugin that handles the communication. These are in our case:\r\n27 – ICMP network listener using raw sockets\r\n50035 – Winsock-based network transport\r\n50037 – Network transport over HTTP\r\n50051 – Network transport over HTTPS\r\n50271 – Network transport over SMB (named pipes)\r\nThe machines located on the border of the network act as routers, effectively connecting victims from inside the\r\nnetwork with C\u0026Cs on the internet.\r\nAfter decoding all the configurations we’ve collected, we were able to identify the following external C\u0026Cs.\r\nC\u0026C server IP Location Description\r\n61.67.114.73 Taiwan, Province Of China Taichung Chwbn\r\n202.71.144.113 India, Chetput Chennai Network Operations (team-m.co)\r\n203.199.89.80 India, Thane Internet Service Provider\r\n194.183.237.145 Belgium, Brussels Perceval S.a.\r\nOne particular case includes a country in the Middle East. 
This case was mind-blowing, so we thought it\r\nimportant to present it. In this specific country, all the victims we identified communicate with each other, forming\r\na peer-to-peer network. The P2P network includes the president’s office, a research center, an educational\r\ninstitution’s network and a bank.\r\nThese victims spread across the country are all interconnected to each other. One of the victims contains a\r\ntranslation drone which has the ability to forward the packets outside of the country, to the C\u0026C in India.\r\nThis represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little\r\nsuspicion. For instance, if all commands to the president’s office are sent through the bank’s network, then all the\r\nmalicious traffic visible to the president’s office sysadmins will be only with the bank, in the same country.\r\nVictim Statistics\r\nOver the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the\r\nfact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected\r\n(but cleaned) system. For instance, we’ve seen several cases where the systems were cleaned but the\r\n“msrdc64.dat” infection marker was left behind.\r\nSo far, victims of Regin were identified in 14 countries:\r\nAlgeria\r\nAfghanistan\r\nBelgium\r\nBrazil\r\nFiji\r\nGermany\r\nIran\r\nIndia\r\nIndonesia\r\nKiribati\r\nMalaysia\r\nPakistan\r\nRussia\r\nSyria\r\nIn total, we counted 27 different victims, although it should be pointed out that the definition of a victim here\r\nrefers to a full entity, including their entire network. 
The number of unique PCs infected with Regin is of course\r\nmuch, much higher.\r\nFrom the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote,\r\nsmall countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small\r\nisland in the Pacific, with a population around 100,000.\r\nMore information about the Regin victims is available through Kaspersky Intelligent Services. Contact:\r\nintelreports@kaspersky.com\r\nAttribution\r\nConsidering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those\r\nbehind Regin, certain metadata extracted from the samples might still be relevant.\r\nAs this information could be easily altered by the developers, it’s up to the reader to attempt to interpret this: as an\r\nintentional false flag or a non-critical indicator left by the developers.\r\nMore information about Regin is available to Kaspersky Intelligent Services’ clients. Contact:\r\nintelreports@kaspersky.com\r\nConclusions\r\nFor more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world\r\nwith an advanced malware platform. As far as we can tell, the operation is still active, although the malware may\r\nhave been upgraded to more sophisticated versions. The most recent sample we’ve seen was from a 64-bit\r\ninfection. This infection was still active in the spring of 2014.\r\nThe name Regin is apparently a reversed “In Reg”, short for “In Registry”, as the malware can store its modules in\r\nthe registry. 
This name and detections first appeared in anti-malware products around March 2011.\r\nFrom some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities\r\ninclude the use of virtual file systems and the deployment of communication drones to bridge networks together.\r\nYet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses\r\nTurla as one of the most sophisticated attack platforms we have ever analysed.\r\nThe ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting\r\naspect of these operations. In today’s world, we have become too dependent on mobile phone networks which rely\r\non ancient communication protocols with little or no security available for the end user. Although all GSM\r\nnetworks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are\r\nother parties which can gain this ability and further abuse them to launch other types of attacks against mobile\r\nusers.\r\nFull technical paper with IOCs.\r\nKaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and\r\nRootkit.Win32.Regin.\r\nIf you detect a Regin infection in your network, contact us at: intelservices@kaspersky.com\r\nSource: https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/"
	],
	"report_names": [
		"67741"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b11e2647dba0f9ca526db57938194db8b488cb8.pdf",
		"text": "https://archive.orkl.eu/1b11e2647dba0f9ca526db57938194db8b488cb8.txt",
		"img": "https://archive.orkl.eu/1b11e2647dba0f9ca526db57938194db8b488cb8.jpg"
	}
}