{
	"id": "a1284f18-19e4-400b-9253-b8c49cba680f",
	"created_at": "2026-04-06T00:08:57.723071Z",
	"updated_at": "2026-04-10T03:33:35.587013Z",
	"deleted_at": null,
	"sha1_hash": "1e9e086f1b01c3b32e9debfc6d28bc6ed8cd7b94",
	"title": "Turla Mosquito: A shift towards more generic tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239606,
	"plain_text": "Turla Mosquito: A shift towards more generic tools\r\nBy ESET Research\r\nArchived: 2026-04-05 16:56:13 UTC\r\nTurla is a notorious espionage group, and has been active for at least ten years. It came to light in 2008, when Turla breached\r\nthe US Department of Defense [1]. Since then, there have been numerous security incidents involving Turla targeting several\r\ngovernments and sensitive businesses such as the defense industry [2].\r\nOur January 2018 white paper [3] was the first public analysis of a Turla campaign called Mosquito. We have also published\r\nindicators of compromise [4]. Since then, the campaign has remained very active and attackers have been busy changing\r\ntheir tactics to remain as stealthy as possible.\r\nStarting in March 2018, we observed a significant change in the campaign: it now leverages the open source exploitation\r\nframework Metasploit before dropping the custom Mosquito backdoor. It is not the first time Turla has used generic tools. In\r\nthe past, we have seen the group using open-source password dumpers such as Mimikatz. However, to our knowledge, this\r\nis the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper\r\n[5].\r\nDistribution\r\nAs described in our earlier analysis [3], the typical vector of compromise of the Mosquito campaign is still a fake Flash\r\ninstaller, in reality installing both the Turla backdoor and the legitimate Adobe Flash Player. The typical targets are still\r\nembassies and consulates in Eastern Europe.\r\nWe showed that the compromise happens when the user downloads a Flash installer from get.adobe.com through HTTP.\r\nTraffic was intercepted on a node between the end machine and the Adobe servers, allowing Turla’s operators to replace the\r\nlegitimate Flash executable with a trojanized version. The following image shows the different points where the traffic\r\ncould, in theory, be intercepted. 
Please note that we believe the fifth possibility to be excluded, as, to the best of our\r\nknowledge, Adobe/Akamai was not compromised.\r\nEven though we were not able to spot traffic interception subsequently, we found a new executable that is still impersonating\r\nthe Flash installer and is named flashplayer28_xa_install.exe. Thus, we believe the same method of initial compromise is\r\nstill being used.\r\nAnalysis\r\nAt the beginning of March 2018, as part of our regular tracking of Turla’s activities, we observed some changes in the\r\nMosquito campaign. Even though they did not make use of groundbreaking techniques, this is a significant shift in Turla’s\r\nTactics, Techniques and Procedures (TTPs).\r\nPreviously, the chain of compromise was a fake Flash installer dropping a loader and the main backdoor. The following\r\nfigure summarizes the process.\r\nhttps://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/\r\nPage 1 of 4\n\nRecently, we observed a change in the way in which the final backdoor is dropped. Turla’s campaign still relies on a fake\r\nFlash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or\r\ndownloads from Google Drive, a legitimate Flash installer. Then, the shellcode downloads a Meterpreter, which is a typical\r\nMetasploit payload [6], allowing the attacker to control the compromised machine. Finally, the machine may receive the\r\ntypical Mosquito backdoor. The figure below summarizes the new process.\r\nBecause Metasploit is being used, we might also guess that an operator controls the exploitation process manually. The time\r\nframe of the attack was relatively short as the final backdoor was dropped within thirty minutes of the start of the\r\ncompromise attempt.\r\nThe shellcode is a typical Metasploit shellcode, protected using the shikata_ga_nai encoder [7] with seven iterations. 
The\r\nfollowing screenshots show the encoded and the decoded payload.\r\nOnce the shellcode is decoded, it contacts its C\u0026C at https://209.239.115[.]91/6OHEJ, which directs the download of an\r\nadditional shellcode. Based on our telemetry, we identified the next stage to be a Meterpreter. That IP address is already\r\nknown, as a previously seen Mosquito C\u0026C domain, psychology-blog.ezua[.]com, was resolving to it in October 2017.\r\nFinally, the fake Flash installer downloads a legitimate Adobe installer, from a Google Drive URL, and executes it to lull the\r\nuser into thinking all went correctly.\r\nIn addition to the new fake Flash installer and Meterpreter, we observed the use of several other tools:\r\n- A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a Meterpreter\r\nsession. It is saved to C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence.\r\n- Another custom executable used to execute PowerShell scripts.\r\n- The Mosquito JScript backdoor that uses Google Apps Script as its C\u0026C server.\r\n- Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8].\r\nConclusion\r\nIn this post, we have presented the evolution of the Turla Mosquito campaign over the last few months. The major change\r\nwe observed was the use of Metasploit, an open-source penetration testing project, as a first stage for the custom Mosquito\r\nbackdoor. 
This might be useful information for defenders performing incident response on attacks involving Turla.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nC\u0026C\r\nhttps://209.239.115[.]91/6OHEJ\r\nhttps://70.32.39[.]219/n2DE3\r\nLink to the legitimate Flash installer\r\nhttps://drive.google[.]com/uc?authuser=0\u0026id=1s4kyrwa7gCH8I5Z1EU1IZ_JaR48A7UeP\u0026export=download\r\nIoCs\r\nFilename SHA1 SHA256\r\nflashplayer28_xa_install.exe 33d3b0ec31bfc16dcb1b1ff82550aa17fa4c07c5 f9b83eff6d705c214993be9575f8990aa8150128a815e849c6faee90d\r\nmsupdateconf.exe 114c1585f1ca2878a187f1ce7079154cc60db7f5 1193033d6526416e07a5f20022cd3c5c79b73e8a33e80f29f9b06cdc\r\nmsupdatesmal.exe 994c8920180d0395c4b4eb6e7737961be6108f64 6868cdac0f06232608178b101ca3a8afda7f31538a165a045b439edf9\r\nReferences\r\n[1] B. Knowlton, \"Military Computer Attack Confirmed,\" New York Times, 25 08 2010. [Online]. Available:\r\nhttps://www.nytimes.com/2010/08/26/technology/26cyber.html?_r=1\u0026ref=technology. [Accessed 09 04 2018].\r\n[2] MELANI, \"Technical Report about the Malware used in the Cyberespionage against RUAG,\" 23 05 2016. [Online].\r\nAvailable: https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html.\r\n[3] ESET, \"Diplomats in Eastern Europe bitten by a Turla mosquito,\" ESET, 01 2018. [Online]. Available: https://web-assets.esetstatic.com/wls/2018/01/ESET_Turla_Mosquito.pdf.\r\n[4] ESET, \"Mosquito Indicators of Compromise,\" ESET, 09 01 2018. [Online]. Available: https://github.com/eset/malware-ioc/tree/master/turla#mosquito-indicators-of-compromise.\r\n[5] M. Tivadar, C. Istrate, I. Muntean and A. Ardelean, \"Pacifier APT,\" 01 07 2016. [Online]. 
Available:\r\nhttps://labs.bitdefender.comhttps://web-assets.esetstatic.com/wls/downloads/pacifier-apt/.\r\n[6] \"About the Metasploit Meterpreter,\" [Online]. Available: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/.\r\n[7] \"Unpacking shikata-ga-nai by scripting radare2,\" 08 12 2015. [Online]. Available: http://radare.today/posts/unpacking-shikata-ga-nai-by-scripting-radare2/.\r\n[8] \"meterpreter/source/extensions/priv/server/elevate/,\" Rapid7, 26 11 2013. [Online]. Available:\r\nhttps://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate.\r\nSource: https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/"
	],
	"report_names": [
		"turla-mosquito-shift-towards-generic-tools"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "392aed78-4ef6-46ac-afba-c3920ea05d28",
			"created_at": "2022-10-25T16:07:23.323349Z",
			"updated_at": "2026-04-10T02:00:04.541652Z",
			"deleted_at": null,
			"main_name": "APT 6",
			"aliases": [
				"1.php Group"
			],
			"source_name": "ETDA:APT 6",
			"tools": [
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e9e086f1b01c3b32e9debfc6d28bc6ed8cd7b94.pdf",
		"text": "https://archive.orkl.eu/1e9e086f1b01c3b32e9debfc6d28bc6ed8cd7b94.txt",
		"img": "https://archive.orkl.eu/1e9e086f1b01c3b32e9debfc6d28bc6ed8cd7b94.jpg"
	}
}