{
	"id": "38c9ea44-1416-4196-bc26-2a65927156d0",
	"created_at": "2026-04-06T00:11:40.126816Z",
	"updated_at": "2026-04-10T03:36:13.844195Z",
	"deleted_at": null,
	"sha1_hash": "236e792eb96320ac5fae62a1bd3d8da238d9b5a5",
	"title": "TinyTurla Next Generation - Turla APT spies on Polish NGOs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1220082,
	"plain_text": "TinyTurla Next Generation - Turla APT spies on Polish NGOs\r\nBy Asheer Malhotra\r\nPublished: 2024-02-15 · Archived: 2026-04-02 10:50:17 UTC\r\nThursday, February 15, 2024 08:00\r\nCisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber\r\nespionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s\r\npreviously disclosed implant, TinyTurla, in coding style and functionality implementation.\r\nTalos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance”\r\nbackdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have\r\nfailed or been detected on the infected systems.\r\nTinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization\r\n(NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion. \r\nWe’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG” that are\r\nmeant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to\r\nsecure the password databases of popular password management software, indicating a concerted effort by\r\nTurla to steal login credentials.\r\nTalos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new\r\nbackdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish\r\nnon-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine.\r\nWhile NGOs aren’t directly involved in conflicts, they frequently participate in providing aid to entities suffering\r\nthrough the conflicts. 
Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track\r\nof ongoing and potentially new aid packages for their victims.\r\nhttps://blog.talosintelligence.com/tinyturla-next-generation/\r\nPage 1 of 12\n\nTurla has been widely known to target entities across the world using a huge set of offensive tools in geographies\r\nincluding the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as\r\nCAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded\r\nits arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of\r\ntargets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a\r\nset of targets to support Russia’s strategic and political goals.\r\nTalos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them.\r\nThis campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024.\r\nHowever, we assess that the campaign may have started as early as November 2023 based on malware\r\ncompilation dates. \r\nIn this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for\r\nthe TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions\r\nincluding 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code\r\nconsisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php\r\nTinyTurla-NG uses PowerShell and a command line to run arbitrary commands\r\nDuring the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and\r\narbitrary commands that could then be executed on the victim machine.\r\nLike TinyTurla, the malware is a service DLL, which is started via svchost.exe. 
The malware code itself is\r\ndifferent and new. Different malware features are distributed via different threads, and the malware uses Windows\r\nevents for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.\r\nTinyTurla-NG DLL starting the main infection thread.\r\nThe InitCfgSetupCreateEvent function initializes the config variables and the event which is used for\r\nsynchronization later on. \r\nDe-facto main function of the DLL calling code to initiate threads.\r\nThis thread then starts two more threads via the CheckOSVersion_Start_WorkerThreads function.\r\nCheckOSVersion_Start_WorkerThreads function.\r\nAfter checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a\r\ncampaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is\r\ndone in the C2_client_ready function in the screenshot below.\r\nThread No. 1: C2 beaconing thread.\r\nIf the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask_loop function).\r\nThe second thread, which was started by the CheckOSVersion_Start_WorkerThreads function, is responsible for\r\nexecuting the task command sent from the C2. It waits until the TTNG backdoor has received the response from\r\nthe C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The\r\nfirst thread triggers the event (in the thread1_function) once it has successfully received the task from the C2.\r\nThread No. 1 signals Thread No. 2 to handle the task/command received from the C2.\r\nThe tasks can be executed either using a PowerShell or command (cmd.exe) shell. 
The decision is made based on\r\nthe PowerShell version running on the victim machine.\r\nThread No. 2: Windows command execution function.\r\nWhen executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG creates pipes to feed input to and read the\r\noutput of the commands, so the C2 tasks arrive on the shell’s standard input rather than on its command line. While executing commands via cmd.exe, the backdoor first runs chcp\r\n437 \u003e NUL to set the active console code page to 437 (U.S. OEM), and then executes the commands issued by\r\nthe C2. \r\nHowever, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following\r\nPowerShell cmdlet to prevent the recording of command history:\r\nSet-PSReadLineOption -HistorySaveStyle SaveNothing\r\nThis only stops PSReadLine from writing its history file; it does not affect PowerShell script block logging or module logging, so those event sources remain useful for detecting the commands the backdoor runs.\r\nIn addition to executing the content of the task received from the C2 directly e.g.,\r\nC:\\windows\\system32\\malware.exe , the backdoor will accept the following command codes from the C2. These\r\ncommand codes can be meant for administering the implant or for file management:\r\n“timeout”: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The\r\nnew timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2\r\nsends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third\r\nparameter, the fail counter is changed, too.\r\nTTNG setting a timeout value for C2 communication.\r\n“changeshell”: This command will instruct the backdoor to switch the current shell being used to execute\r\ncommands, i.e., from cmd.exe to PowerShell.exe, or vice versa.\r\n“changepoint”: This command code is used by the C2 to retrieve the result of command(s) executed on\r\nthe infected endpoint. 
The endpoint also returns the log messages it has collected for\r\nadministrative commands executed since \"changepoint\" was last issued, such as:\r\n[+] Short Timer changed. New Short Timeout is 1 minute\r\n“get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on\r\ndisk.\r\n“post”: Exfiltrate a file from the victim to the C2, e.g., post C:\\some_file.bin .\r\n“killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT\r\nfile to delete a file from the disk of the victim machine, e.g., killme \u003cfilename\u003e . The BAT file is\r\nexecuted via cmd.exe /c \u003cBAT-file-name\u003e.bat . \r\nThe killme command generates a batch file with the content below. It is interesting to note that the backdoor\r\nDLL is essentially a service; however, the batch script deletes a registry key in HKCU\\Software\\Classes\\CLSID and\r\nrestarts explorer[.]exe, indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in\r\nthe past to establish persistence for their malware. If that CLSID key is present under HKCU on a host, it is worth treating as a hunting lead.\r\nRegistry key deleted:\r\nHKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C2796011-81BA-4148-8FCA-C6643245113F}\r\nBAT file contents template.\r\nThe BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last\r\none with the name of the BAT file itself to delete both artifacts from the disk.\r\nTurlaPower-NG and its exfiltration capabilities\r\nTalos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints\r\nvia the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the\r\nscript will recursively enumerate files and add them to an archive on disk. 
TurlaPower-NG takes specific care to\r\nexclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in\r\nkey material used to secure the password databases of popular password management software, adding related\r\nfiles to the archive:\r\nTurlaPower-NG’s file archiving function.\r\nThe archive has a “.zip” extension, and its name is a newly generated GUID. The archive file is then exfiltrated to the C2 using HTTP/S POST requests, along with a log of\r\nthe activity performed. The log consists of:\r\nName of the archive file (or part) POSTed to the C2.\r\nNumber of files in the archive along with the archive size.\r\nTurlaPower-NG’s archive filename generation and log generation for C2.\r\nC2 setup and operations\r\nAll of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised\r\nby Turla to set up their C2 servers. Once compromised, the operators set up scripts, logging and data directories to\r\noperate their C2 servers.\r\nDirectory and file structure\r\nThe C2 directory and file setup consists of three key components:\r\nC2 scripts: Turla set up PHP scripts with the extension “.old.php” in certain directories of the\r\ncompromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors,\r\nwith two C2 URLs per sample.\r\nLogging: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track\r\nof infected systems and commands being issued to them. 
The logging mechanism of the C2 generates three\r\nlog files on the C2 server:\r\n_log[.]txt: A log of all infected endpoints beaconing into the C2.\r\nresult[.]txt: A log of all messages received from the TTNG backdoor.\r\ntasks[.]txt: A log of all commands issued to the infected hosts.\r\nData directories: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2\r\nserver stores stolen data in directories separate from the logging directories.\r\nSample directory listing of the logs of the C2 server.\r\nC2 communication process\r\nThe TinyTurla-NG backdoor sends a specific identifier, the “id” value, in its HTTP form data whenever it\r\ncommunicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor. \r\nNetwork capture displaying the Identifier value and “Client Ready” message.\r\nThis same identifier value is then used to create directories for log files on the C2 server, indicating that the C2\r\nserver maintains different log files for different identifiers.\r\nAfter registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below.\r\nThe C2 can answer this with special commands or just the file that is supposed to be executed on the infected\r\nmachine. \r\nTTNG’s C2 communication to fetch tasks to perform on the infected endpoint.\r\nDepending on the PowerShell version running on the victim machine, the C2 task commands are piped into a\r\nPowerShell or cmd[.]exe shell. 
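The following hunting script is an added example for this page, not code from Talos or from the report. It turns the host artifacts described in the command execution section (shells spawned from the svchost.exe service host, the chcp 437 switch, the PSReadLine history cmdlet, the killme batch file and the COM-hijack CLSID) and the network artifacts described in this C2 communication section (the renamed WordPress scripts, the eight-character id and the Client Ready registration) into checks run over constructed telemetry. Because TinyTurla-NG feeds tasks to the shell over pipes, the chcp command and the Set-PSReadLineOption cmdlet do not appear on the cmd.exe or powershell.exe command line: chcp surfaces as a chcp.com child process of cmd.exe, and the cmdlet surfaces in PowerShell script block logging (event ID 4104) when that is enabled. The record field names (image, parent_image, grandparent_image, cmdline, method, path, form), the purely numeric .bat name used for the killme check, the form field that carries the Client Ready message, and the rule weights are all assumptions of this example.

```python
# Added hunting example (not Talos code). It flags the TinyTurla-NG artifacts
# the report describes, in constructed telemetry. The record schemas below are
# assumptions of this example, not a real EDR, event log or proxy format.
from dataclasses import dataclass

# Strings the report attributes to TTNG. The CLSID is the COM-hijack key that the
# killme batch file deletes; the cmdlet string is what the backdoor runs in
# PowerShell before the C2 task itself.
TTNG_CLSID = '{C2796011-81BA-4148-8FCA-C6643245113F}'
PS_HISTORY_OFF = 'set-psreadlineoption -historysavestyle savenothing'
C2_SCRIPT_NAMES = ('rss-old.php', 'rss.old.php', 'block.old.php')
CLIENT_READY = 'client ready'
SHELLS = ('cmd.exe', 'powershell.exe')


@dataclass
class Finding:
    rule: str
    evidence: str
    weight: int  # assumed scoring: 3 strong, 2 suspicious, 1 context only


def hunt_process(event: dict) -> list:
    # event: image, parent_image, grandparent_image (basenames) and cmdline
    image = event.get('image', '').lower()
    parent = event.get('parent_image', '').lower()
    grandparent = event.get('grandparent_image', '').lower()
    cmd = event.get('cmdline', '').lower()
    out = []
    # The service DLL runs inside svchost.exe, so its shells are svchost children.
    if image in SHELLS and parent == 'svchost.exe':
        out.append(Finding('shell_from_svchost', cmd, 2))
    # chcp 437 > NUL piped into cmd.exe shows up as chcp.com spawned by cmd.exe.
    if image == 'chcp.com' and '437' in cmd and parent == 'cmd.exe':
        out.append(Finding('ttng_chcp437', cmd, 3 if grandparent == 'svchost.exe' else 1))
    # killme cleanup: cmd.exe /c <name>.bat, name derived from the tick count.
    # Treating the name as purely numeric is an assumption of this example.
    if image == 'cmd.exe' and ' /c ' in cmd:
        target = cmd.split(' /c ', 1)[1].strip().split(' ')[0]
        if target.endswith('.bat') and target[:-4].isdigit():
            out.append(Finding('ttng_killme_bat', cmd, 2))
    # Any command line that names the COM-hijack CLSID (e.g. the batch file body).
    if TTNG_CLSID.lower() in cmd:
        out.append(Finding('ttng_com_hijack_clsid', cmd, 3))
    return out


def hunt_scriptblock(text: str) -> list:
    # text: the ScriptBlockText of a PowerShell 4104 event (or any PS command text)
    norm = ' '.join(text.lower().split())
    if PS_HISTORY_OFF in norm:
        return [Finding('ttng_ps_history_off', norm, 3)]
    return []


def hunt_http(req: dict) -> list:
    # req: method, host, path and the parsed form body as a dict
    path = req.get('path', '').lower()
    form = {str(k).lower(): str(v) for k, v in req.get('form', {}).items()}
    out = []
    # POST to one of the renamed WordPress scripts the report names as C2 endpoints.
    if req.get('method') == 'POST' and path.rsplit('/', 1)[-1] in C2_SCRIPT_NAMES:
        out.append(Finding('ttng_c2_script_name', path, 2))
    # Registration beacon: eight-character hardcoded id plus the Client Ready text.
    # The report names only the id field; where the message travels is assumed.
    ident = form.get('id', '')
    body_text = ' '.join(form.values()).lower()
    if len(ident) == 8 and CLIENT_READY in body_text:
        out.append(Finding('ttng_client_ready_beacon', f'id={ident} {path}', 3))
    return out


def score(findings) -> int:
    return sum(f.weight for f in findings)


# Constructed sample telemetry; none of it comes from the captures in the report.
SAMPLE_PROCESSES = [
    {'image': 'cmd.exe', 'parent_image': 'svchost.exe',
     'grandparent_image': 'services.exe', 'cmdline': 'cmd.exe'},
    {'image': 'chcp.com', 'parent_image': 'cmd.exe',
     'grandparent_image': 'svchost.exe', 'cmdline': 'chcp 437'},
    {'image': 'cmd.exe', 'parent_image': 'svchost.exe',
     'grandparent_image': 'services.exe', 'cmdline': 'cmd.exe /c 8472910.bat'},
    {'image': 'cmd.exe', 'parent_image': 'explorer.exe',
     'grandparent_image': 'userinit.exe', 'cmdline': 'cmd.exe /c dir'},
]
SAMPLE_SCRIPTBLOCKS = [
    'Set-PSReadLineOption  -HistorySaveStyle SaveNothing',
    'Get-ChildItem -Recurse C:/Users',
]
SAMPLE_REQUESTS = [
    {'method': 'POST', 'host': 'example.invalid', 'path': '/wp-content/rss-old.php',
     'form': {'id': 'abcd1234', 'msg': 'Client Ready'}},
    {'method': 'GET', 'host': 'example.invalid', 'path': '/index.php', 'form': {}},
]


def hunt_all(processes=SAMPLE_PROCESSES, scriptblocks=SAMPLE_SCRIPTBLOCKS,
             requests=SAMPLE_REQUESTS) -> list:
    findings = []
    for ev in processes:
        findings.extend(hunt_process(ev))
    for sb in scriptblocks:
        findings.extend(hunt_scriptblock(sb))
    for rq in requests:
        findings.extend(hunt_http(rq))
    return findings


if __name__ == '__main__':
    for f in hunt_all():
        print(f.weight, f.rule, f.evidence)
    print('score', score(hunt_all()))
```

Run it as a script to print the findings for the embedded samples, or feed hunt_process, hunt_scriptblock and hunt_http records exported from an EDR, the PowerShell operational log and a web proxy. The shell_from_svchost and ttng_c2_script_name rules are context only: services legitimately spawn shells and any site can host a file named rss-old.php, so act on the higher-weight rules or on the combined score rather than on either of those alone.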
\r\nTinyTurla-NG’s shell selection between PowerShell or cmd[.]exe.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nHashes (SHA256)\r\n267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b\r\nd6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40\r\nDomains\r\nhanagram[.]jp\r\nthefinetreats[.]com\r\ncaduff-sa[.]ch\r\njeepcarlease[.]com\r\nbuy-new-car[.]com\r\ncarleasingguru[.]com\r\nSource: https://blog.talosintelligence.com/tinyturla-next-generation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/tinyturla-next-generation/"
	],
	"report_names": [
		"tinyturla-next-generation"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/236e792eb96320ac5fae62a1bd3d8da238d9b5a5.pdf",
		"text": "https://archive.orkl.eu/236e792eb96320ac5fae62a1bd3d8da238d9b5a5.txt",
		"img": "https://archive.orkl.eu/236e792eb96320ac5fae62a1bd3d8da238d9b5a5.jpg"
	}
}