{ "id": "fb3a2759-1d9c-4c11-8823-c064b9622f0d", "created_at": "2026-04-06T00:16:12.738716Z", "updated_at": "2026-04-10T13:13:00.211867Z", "deleted_at": null, "sha1_hash": "2bdd9415068aa483830153d0db7a33e8b9773066", "title": "Turla Compromises, Infiltrates Iranian APT Infrastructure", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59984, "plain_text": "Turla Compromises, Infiltrates Iranian APT Infrastructure\r\nBy Tara Seals\r\nPublished: 2019-10-21 · Archived: 2026-04-05 19:23:20 UTC\r\nThe Russian-speaking APT stole the Neuron and Nautilus implants and accessed the Iranian APT’s C2\r\ninfrastructure.\r\nThe Turla APT group has been spotted co-opting two cyberweapons from an Iranian APT (APT 34, according to\r\none set of researchers), known as the Nautilus and Neuron implants, and deploying them against targets in the\r\nMiddle East. The group also infiltrated the global operational infrastructure used by the Iranian APT.\r\nTurla, also known as Venomous Bear, Waterbug and Uroboros, is a Russian-speaking threat actor known since\r\n2014, but with roots that go back to 2004 and earlier, according to previous research from Kaspersky. “It is a\r\ncomplex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly\r\nin the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations,”\r\naccording to the firm.\r\nAccording to the U.S. National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC),\r\nTurla had been seen using Neuron and Nautilus alongside its own Snake rootkit in 2017 and 2018. However, new\r\nintelligence shows that this was merely a testing stage. It turns out that the tools are Iranian in origin and\r\n“borrowed” from another APT – and Turla was merely trying them out on victims they had already infiltrated with\r\nSnake.\r\nMost recently, the agencies observed Turla scanning for victims that are already compromised with the two\r\nimplants, by looking for the presence of a specific ASPX webshell on IP addresses in at least 35 countries (more\r\nthan 3,500 different IP addresses were scanned). If found, the group then attempted to use the backdoors to gain a\r\nfoothold into those organizations and deploy more tools.\r\n“Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their\r\nimplants,” according to a notice on Monday from the NCSC. “Turla were using these tools and accesses\r\nindependently to further their own intelligence requirements. The behavior of Turla in scanning for backdoor\r\nshells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full\r\nknowledge of where they were deployed.”\r\nThe analysis also shows that Neuron and Nautilus tools are now present on a range of victims, with a large cluster\r\nin the Middle East. Some of the infections are the work of the Iranian APT (identified because the implants\r\nconnect via Virtual Private Server IP addresses known to be associated with the group); and some appear to be\r\nTurla’s efforts, (identified by their being administered from known Turla infrastructure).\r\nhttps://threatpost.com/turla-compromises-iranian-apt/149375/\r\nPage 1 of 2\n\n“Victims in this region included military establishments, government departments, scientific organizations and\r\nuniversities,” according to the NCSC.\r\nStealing Tools\r\nThe NSA and NCSC said that in order to make use of the existing Nautilus and Neuron infections that it scanned\r\nfor, Turla’s commands were passed to the ASPX shell in encrypted HTTP Cookie values. This means that Turla\r\nmust have had access to the Iranian APT’s relevant cryptographic keys, and “likely had access to controller\r\nsoftware in order to produce legitimate tasking.”\r\nAs for how Turla got ahold of the keys, the agencies also discovered that the APT directly accessed and used the\r\ncommand-and-control (C2) infrastructure the Iranian APT (known as “Poison Frog” C2 panels). A separate\r\nanalysis by Symantec on one of these efforts determined the Iranian APT target was APT34 (also known as\r\nOilRig/Crambus/Helix Kitten).\r\nFrom there, Turla exfiltrated a range of data, including the Iranian APT’s directory listings and files, along with\r\nkeylogger output containing operational activity from the Iranian actors.\r\n“This access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian\r\nAPT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed\r\nto build versions of tools such as Neuron for use entirely independently of Iranian C2 infrastructure,” according to\r\nthe NCSC.\r\n“NCSC released an assessment in January 2018 pertaining to the Nautilus implant, tying it to Venomous Bear,”\r\nsaid Adam Meyers, vice president of intelligence at CrowdStrike, via email. “They have issued a new assessment\r\nthat the implant is actually from Helix Kitten, who’s operation was penetrated by Venomous Bear. This is\r\ngenerally significant because we have one nation-state threat actor hijacking a second nation-state threat actors\r\ninfrastructure and tools to target a third nation-state. This is like the cuckoo egg — where the cuckoo can get\r\nanother species to hatch its egg.”\r\nPaul Chichester, the NCSC’s director of operations, said that the agencies have a high degree of confidence that\r\nTurla is the actor behind the campaign.\r\n“Identifying those responsible for attacks can be very difficult, but the weight of evidence points towards the Turla\r\ngroup being behind this campaign,” he said in a media statement. “We want to send a clear message that even\r\nwhen cyber-actors seek to mask their identity, our capabilities will ultimately identify them. Turla acquired access\r\nto Iranian tools and the ability to identify and exploit them to further their own aims.”\r\nWhat are the top cybersecurity issues associated with privileged account access and credential governance?\r\nExperts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and\r\nSecurity Pros: Where They Agree \u0026 Disagree When It Comes to Your Privileged Access Security.” Click here to\r\nregister.\r\nSource: https://threatpost.com/turla-compromises-iranian-apt/149375/\r\nhttps://threatpost.com/turla-compromises-iranian-apt/149375/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://threatpost.com/turla-compromises-iranian-apt/149375/" ], "report_names": [ "149375" ], "threat_actors": [ { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434572, "ts_updated_at": 1775826780, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2bdd9415068aa483830153d0db7a33e8b9773066.pdf", "text": "https://archive.orkl.eu/2bdd9415068aa483830153d0db7a33e8b9773066.txt", "img": "https://archive.orkl.eu/2bdd9415068aa483830153d0db7a33e8b9773066.jpg" } }