{
	"id": "0756ed09-2126-495b-a1ca-b60423abaa53",
	"created_at": "2026-04-06T00:06:51.535688Z",
	"updated_at": "2026-04-10T03:37:36.860866Z",
	"deleted_at": null,
	"sha1_hash": "29972444deaaa356ed134613075a12ec0599eb90",
	"title": "Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50402,
	"plain_text": "Tortoiseshell Group Targets IT Providers in Saudi Arabia in\r\nProbable Supply Chain Attacks\r\nArchived: 2026-04-05 20:02:22 UTC\r\nA previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in\r\nSaudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’\r\ncustomers.\r\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a\r\ntotal of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two\r\norganizations, evidence suggests that the attackers gained domain admin-level access.\r\nAnother notable element of this attack is that, on two of the compromised networks, several hundred computers\r\nwere infected with malware. This is an unusually large number of computers to be compromised in a targeted\r\nattack. It is possible that the attackers were forced to infect many machines before finding those that were of most\r\ninterest to them.\r\nWe have seen Tortoiseshell activity as recently as July 2019.\r\nCustom tools \r\nThe unique component used by Tortoiseshell is a malware called Backdoor.Syskit. This is a basic backdoor that\r\ncan download and execute additional tools and commands. The actors behind it have developed it in both Delphi\r\nand .NET.\r\nBackdoor.Syskit is run with the “-install” parameter to install itself. 
There are a number of minor variations of the\r\nbackdoor, but the primary functionality is the following:\r\nreads config file: %Windir%\\temp\\rconfig.xml\r\nwrites Base64 encoding of AES encrypted (with key \"fromhere\") version of the data in the \"url\" element of\r\nthe XML to:\r\nHKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Enablevmd\r\nThis contains the command and control (C\u0026C) information.\r\nwrites Base64 encoding of AES encrypted (with key \"fromhere\") version of the \"result\" element of the\r\nXML to:\r\nHKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Sendvmd\r\nThis holds the later portion of the URL to append to the C\u0026C for sending information to it.\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain\r\nPage 1 of 4\n\ndeletes the config file\r\nThe malware collects and sends the machine’s IP address, operating system name and version, and MAC address to\r\nthe C\u0026C server using the URL in the Sendvmd registry key mentioned above. Data sent to the C\u0026C server is\r\nBase64 encoded.\r\nThe backdoor can receive various commands:\r\n\"kill_me\":\r\nstops the dllhost service and deletes %Windir%\\temp\\bak.exe\r\n\"upload \"\r\ndownloads from the URL provided by the C\u0026C server\r\n\"unzip\"\r\nuses PowerShell to unzip a specified file to a specified destination, or to run cmd.exe /c \u003creceived\r\ncommand\u003e\r\nTools, techniques, and procedures\r\nThe other tools used by the group are public tools, and include:\r\nInfostealer/Sha.exe/Sha432.exe\r\nInfostealer/stereoversioncontrol.exe\r\nget-logon-history.ps1\r\nInfostealer/stereoversioncontrol.exe downloads a RAR file, as well as the get-logon-history.ps1 tool. It runs\r\nseveral commands on the infected machine to gather information about it and also the Firefox data of all users of\r\nthe machine. 
It then compresses this information before transferring it to a remote directory.\r\nInfostealer/Sha.exe/Sha432.exe operates in a similar manner, gathering information about the infected machine.\r\nWe also saw Tortoiseshell using other dumping tools and PowerShell backdoors.\r\nThe initial infection vector used by Tortoiseshell to get onto infected machines has not been confirmed, but it is\r\npossible that, in one instance, a web server was compromised to gain access by the attacker. For at least one\r\nvictim, the first indication of malware on their network was a web shell\r\n(d9ac9c950e5495c9005b04843a40f01fa49d5fd49226cb5b03a055232ffc36f3). This indicates that the attackers\r\nlikely compromised a web server, and then used this to deploy malware onto the network.\r\nOnce on a victim computer, Tortoiseshell deploys several information gathering tools, like those mentioned above,\r\nand retrieves a range of information about the machine, such as IP configuration, running applications, system\r\ninformation, network connectivity etc.\r\nOn at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a\r\ndomain controller. This results in the information gathering tools being executed automatically when a client\r\ncomputer logs into the domain. This activity indicates the attackers had achieved domain admin level access on\r\nthese networks, meaning they had access to all machines on the network.\r\nPresence of OilRig tools\r\nIn one victim organization, we also saw a tool called Poison Frog deployed one month prior to the Tortoiseshell\r\ntools. 
Poison Frog is a backdoor and a variant of a tool called BondUpdater, which was previously seen used in\r\nattacks on organizations in the Middle East. The tools were leaked on Telegram in April this year and are\r\nassociated with the group known as APT34, aka OilRig.\r\nIt is unclear if the same actor deployed both the Poison Frog tool and the Tortoiseshell tools; however, given the\r\ngap in time between the two sets of tools being used, and without further evidence, the current assumption is that\r\nthe activity is unrelated. If that is the case, this activity demonstrates the interest from multiple attack groups in\r\nindustries in this region. The Poison Frog tool also appears to have been leaked prior to deployment to this victim,\r\nso it could be used by a group unrelated to APT34/OilRig.\r\nAttacker motives\r\nThe targeting of IT providers points strongly to these attacks being supply chain attacks, with the likely end goal\r\nbeing to gain access to the networks of some of the IT providers’ customers. Supply chain attacks have been\r\nincreasing in recent years, with a 78 percent increase in 2018, as we covered in ISTR 24. Supply chain attacks,\r\nwhich exploit third-party services and software to compromise a final target, take many forms, including hijacking\r\nsoftware updates and injecting malicious code into legitimate software.\r\nIT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access\r\nmay give them the ability to send malicious software updates to target machines, and may even provide them with\r\nremote access to customer machines. This provides access to the victims’ networks without having to compromise\r\nthe networks themselves, which might not be possible if the intended victims have strong security infrastructure,\r\nand also reduces the risk of the attack being discovered. 
The targeting of a third-party service provider also makes\r\nit harder to pinpoint who the attackers’ true intended targets were.\r\nThe customer profiles of the targeted IT companies are unknown, but Tortoiseshell is not the first group to target\r\norganizations in the Middle East, as we have covered in previous blogs. However, we currently have no evidence\r\nthat would allow us to attribute Tortoiseshell’s activity to any existing known group or nation state.\r\nProtection/Mitigation\r\nThe following protections are also in place to protect customers against Tortoiseshell activity:\r\nBackdoor.Syskit\r\nIndicators of Compromise\r\nSHA256 Name\r\nf71732f997c53fa45eef5c988697eb4aa62c8655d8f0be3268636fc23addd193 Backdoor.Syskit\r\n02a3296238a3d127a2e517f4949d31914c15d96726fb4902322c065153b364b2 Backdoor.Syskit\r\n07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4 Backdoor.Syskit\r\nBackdoor.Syskit C\u0026C servers\r\n64.235.60.123\r\n64.235.39.45\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
	],
	"report_names": [
		"tortoiseshell-apt-supply-chain"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29972444deaaa356ed134613075a12ec0599eb90.pdf",
		"text": "https://archive.orkl.eu/29972444deaaa356ed134613075a12ec0599eb90.txt",
		"img": "https://archive.orkl.eu/29972444deaaa356ed134613075a12ec0599eb90.jpg"
	}
}