{
	"id": "43a9faee-a360-4c07-ac90-cead3c0ddd0e",
	"created_at": "2026-04-06T02:12:37.726494Z",
	"updated_at": "2026-04-10T03:33:35.584564Z",
	"deleted_at": null,
	"sha1_hash": "1b512ed9c4563d9e6b8d6f1e0b7310876ded7668",
	"title": "Swallowing the Snake’s Tail: Tracking Turla Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69478,
	"plain_text": "Swallowing the Snake’s Tail: Tracking Turla Infrastructure\r\nBy Insikt Group®\r\nArchived: 2026-04-06 01:48:31 UTC\r\nRecorded Future’s Insikt Group® has developed new detection methods for Turla malware and infrastructure as\r\npart of an in-depth investigation into recent Turla activities. Data sources included the Recorded Future®\r\nPlatform, ReversingLabs, VirusTotal, Shodan, BinaryEdge, and various OSINT tools. The target audience for this\r\nresearch includes security practitioners, network defenders, and threat intelligence professionals who are\r\ninterested in Russian nation-state computer network operations activity.\r\nExecutive Summary\r\nTurla, also known as Snake, Waterbug, and Venomous Bear, is a well-established, sophisticated, and strategically\r\nfocused cyberespionage group that has for over a decade been linked to operations against research, diplomatic,\r\nand military organizations worldwide, with an ongoing focus against entities within North Atlantic Treaty\r\nOrganization (NATO) and Commonwealth of Independent States (CIS) nations in particular.\r\nWhile many nation-state threat actor groups are becoming more reliant on open source and commodity software\r\nfor operations, Turla continues to develop its own unique, advanced malware and tools and adopts new methods of\r\nattack and obfuscation. It uses these TTPs alongside older techniques and generic, open source tools. 
For these\r\nreasons, Insikt Group assesses that Turla Group will remain an active, advanced threat for years to come that will\r\ncontinue to surprise with unique operational concepts.\r\nHowever, the group’s consistent patterns and use of stable and periodically updated versions of unique malware\r\nfor lengthy campaigns may allow defenders to proactively track and identify Turla’s infrastructure and activities.\r\nThis research examines the history of Turla’s operations and provides our methodology for identifying\r\ninfrastructure currently being used by Turla, focusing on several Turla-associated malware types. Details on two\r\nof them — the composite Mosquito backdoor and the hijacked Iranian TwoFace ASPX web shell — are provided\r\nin this report.\r\nRecorded Future has provided a detailed report to our clients with further research and detections for additional\r\nTurla-related malware families, which is available in the Recorded Future platform.\r\nKey Judgments\r\nTurla Group can be tracked based on unique features of their malware and C2 communication.\r\nAdditionally, Turla’s use of open source tools when avoiding detection and confusing attribution attempts\r\nalso allows researchers to quickly analyze and build detections, as the source code is readily available for\r\nanalysis and testing.\r\nIn June 2019, Turla Group was found to have infiltrated the computer network operations infrastructure of\r\nAPT34, an Iranian threat group. This amounted to the effective takeover of the computer network\r\nhttps://www.recordedfuture.com/research/turla-apt-infrastructure\r\nPage 1 of 5\n\noperations of a nation-state group by state actors from another country — an unprecedented action. 
Insikt\r\nGroup assesses that Turla Group’s use of APT34 infrastructure was primarily opportunistic in nature and\r\nwas not coordinated between Iranian and Russian organizations.\r\nRecorded Future assesses with high confidence that TwoFace is the Iranian APT34 ASPX shell Turla was\r\nscanning for to pivot to additional hosts, as documented in the NSA/NCSC report. We assess that any live\r\nTwoFace shells as of late January 2020 could also be potential operational assets of the Turla Group.\r\nIn 2019, Turla began relying heavily on PowerShell scripts for malware installation. Previously, it had also\r\nheavily targeted Microsoft vulnerabilities as well as email servers. Turla also often uses compromised\r\nWordPress websites as the foundation of its C2 infrastructure.\r\nAmong the malware that we researched, Turla mainly uses HTTP/S for its command and control (C2)\r\ncommunication.\r\nBackground\r\nTurla has been attributed to operations targeting the Pentagon as early as 2008 and has continued targeting NATO\r\nnations to the present day. Primary targets of Turla include publishing and media companies,\r\nuniversities/academia, and government organizations, often specifically targeting scientific and energy research,\r\nremote and local diplomatic affairs, and military data. Turla actively targets European and CIS countries,\r\nhistorically focusing on ministries of foreign affairs or defense, as well as similar government organizations and\r\naffiliated research institutions.\r\nTurla is known for its use of watering hole attacks (compromising websites to target visitors) and spearphishing\r\ncampaigns to precisely attack specific entities of interest. Turla has also used inventive, out-of-the-box techniques,\r\nincluding using satellites to exfiltrate data from remote areas in North Africa and the Middle East. 
The group is\r\nknown for the use of both unaltered and customized versions of open source software such as Meterpreter and\r\nMimikatz, as well as bespoke malware such as Gazer, IcedCoffee, Carbon, and Mosquito.\r\nTurla operators have also commandeered third-party infrastructure or used false flags in order to further their\r\npurposes. In many cases, this group has used compromised websites (typically WordPress sites) as both an\r\ninfection vector and as operational infrastructure for C2 communications.\r\nIn June 2019, Turla was identified by researchers at Symantec as having infiltrated the computer network\r\noperations infrastructure of APT34, an Iranian threat group, collecting and exfiltrating Iranian operational\r\ninformation, and simultaneously gaining access to active victims of the Iranians.\r\nTurla’s hijacking of Iranian APT34 operations in part consisted of scanning for and discovering their web shells\r\nusing existing APT34 victim networks to scan for a specific web shell on IP addresses across at least 35 different\r\ncountries. Once identified, Turla used these shells to gain an initial foothold into victims of interest and then\r\ndeployed further tools.\r\nTwoFace, first observed in 2015, is the primary APT34 web shell, and Recorded Future assesses with high\r\nconfidence that TwoFace is the shell Turla was scanning for to pivot to additional hosts. 
We assess that any live\r\nTwoFace shells as of late January 2020 could also be potential operational assets of the Turla Group.\r\nTurla also directly accessed C2 panels of the APT34 Poison Frog tool from their own infrastructure and used this\r\naccess to task victims with downloading Turla tools.\r\nThreat Analysis\r\nTo date, Turla Group’s hijacking of Iranian computer network operations resources has been unique among known\r\nthreat actors; this action amounted to the effective takeover of the computer network operations of a nation-state\r\ngroup by state actors from another country.\r\nAlthough it is possible that the Iranian and Russian organizations were cooperating in some manner, the evidence\r\navailable to Insikt Group does not support this theory. For example, while Turla had significant insight into APT34\r\ntools and operations, they were required to scan for Iranian web shells in order to find where these tools were\r\ndeployed. We assess that Turla’s interposition into Iranian operations was likely an uncoordinated, and thus\r\nhostile, act.\r\nWhile Insikt Group assesses that Turla Group’s use of APT34 infrastructure was primarily opportunistic in nature,\r\nan added benefit for the operators was likely the deception of incident responders who would potentially identify\r\nthe tools as Iranian in origin. Turla has reused malware from other threat actors prior to their use of Iranian tools,\r\nincluding the use of Chinese-attributed Quarian malware in 2012. In that instance, Kaspersky researchers assessed\r\nthat Turla actors downloaded, then uninstalled, the Quarian malware in an attempt to divert and deceive incident\r\nresponders post-discovery.\r\nOutside of their bold Iranian venture, Turla has concurrently conducted other operational and development\r\nactivities. 
In 2019, Turla started heavily using PowerShell scripts, likely in an effort to avoid discovery of\r\nmalicious files on disk. Over the course of the year, they have increased their use of PowerShell scripts, using\r\nPowerSploit and PowerShell Empire, as well as developing their own PowerShell backdoor, PowerStallion.\r\nWhile Turla most often targets Microsoft Windows operating systems, they have also purposely exploited email\r\nservers. The LightNeuron backdoor is specifically designed to function on Microsoft Exchange mail servers, and\r\nthe Outlook backdoor is designed to operate on Exchange and The Bat! (popular in Eastern Europe) email servers.\r\nCompromising mail servers provides Turla control of email traffic on a target network, including the ability to not\r\nonly monitor email, but create, send, and even block email.\r\nTurla relies on compromised WordPress sites as C2s. They also have regularly used WordPress-focused URL\r\nnames for payload delivery since 2014 and possibly earlier. This tendency enables the profiling of their C2s and\r\npayload URLs to discover new Turla infrastructure.\r\nTurla operations have been associated with a variety of custom malware. Insikt Group performed deeper analysis\r\non several of these malware types in an effort to create scanning rules to detect live Turla-associated infrastructure\r\nactive from December 2019 to January 2020.\r\nTurla Advanced Detection Analysis\r\nThe focus of our analysis was the development of identification methods for Turla, focusing on several Turla-associated malware types. Details of our analysis of both the composite Mosquito backdoor and the hijacked\r\nIranian TwoFace web shell are provided in this report.\r\nMosquito Controller Detection\r\nIn January 2018, ESET reported on a newer backdoor named Mosquito that they observed Turla using during\r\nintrusion analysis. 
There were multiple components to the Mosquito delivery and installation, such as:\r\nUse of a trojanized Adobe installer\r\nUse of Metasploit shellcode to download a legitimate copy of the Adobe Flash installer and a copy of\r\nMeterpreter in order to enable the download and installation of the Mosquito installer\r\nInstaller with encrypted payload\r\nLauncher which executes the primary backdoor, “Commander”\r\nMosquito is a Win32 remote access trojan (RAT). The malware includes three primary components: an installer,\r\nlauncher, and the backdoor component sometimes called CommanderDLL. The Mosquito malware has been\r\ndropped after the initial use of Metasploit shellcode and installation of Meterpreter to gain control of the victim. It\r\nhas the following capabilities:\r\nDownload file\r\nCreate process\r\nDelete file\r\nUpload file\r\nExecute shell commands\r\nExecute PowerShell commands\r\nAdd C2 server\r\nDelete C2 server\r\nCommander is the main component of the Mosquito backdoor. In this research, we focused our analysis primarily\r\non the C2 communication of Commander. For details on the other aspects of the Mosquito package, a thorough\r\nanalysis was conducted by researchers at ESET.\r\nESET’s analysis of the communication from Commander to its C2 shows that communication to and from the\r\ncontroller is sent via HTTP or HTTPS. On the client side, data can be sent as a parameter in the GET request, as a\r\ncookie, or as the parameter and payload of a POST (as shown in the image below). On the controller side,\r\nresponses and commands are sent as an HTTP payload.\r\nBeacon from the Mosquito “Commander” backdoor with encrypted data sent in the POST parameter and payload.\r\nAs shown above, the data sent to the controller is not in clear text. It is first protected with an encryption routine\r\nthat uses a Blum Blum Shub pseudo-random number generator to create a stream of bytes that are used to XOR\r\nencode the cleartext data. 
The resulting data is then Base64 encoded.\r\nTo encrypt or decrypt, a key and modulus are required by the encryption process. As ESET reported, and as Insikt\r\nGroup observed during its analysis, the modulus of “0x7DFDC101” is hardcoded. The key is not hardcoded and is\r\nrandomly generated at each exchange between the client and controller so the key is different for each\r\ntransmission. This randomized key is sent as a part of the C2 communication and can be easily extracted. Insikt\r\nGroup analysts have reversed this pseudo-random number generator implementation and have created a decoder\r\nscript in Python that can be found in our GitHub repository.\r\nMirroring analysis from ESET, Insikt Group found there is header information prepended to the data being sent.\r\nThe header, when decrypted, consists of the following fields:\r\nSource: https://www.recordedfuture.com/research/turla-apt-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.recordedfuture.com/research/turla-apt-infrastructure"
	],
	"report_names": [
		"turla-apt-infrastructure"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441557,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b512ed9c4563d9e6b8d6f1e0b7310876ded7668.pdf",
		"text": "https://archive.orkl.eu/1b512ed9c4563d9e6b8d6f1e0b7310876ded7668.txt",
		"img": "https://archive.orkl.eu/1b512ed9c4563d9e6b8d6f1e0b7310876ded7668.jpg"
	}
}