{
	"id": "bab98386-a423-4734-b87b-67d041255860",
	"created_at": "2026-04-06T00:21:29.019566Z",
	"updated_at": "2026-04-10T13:11:42.237484Z",
	"deleted_at": null,
	"sha1_hash": "2e2565557232e2a51fbc6523fea96ce5129b2218",
	"title": "Advisory: Turla group exploits Iranian APT to expand coverage of victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 505938,
	"plain_text": "Advisory: Turla group exploits Iranian APT to expand coverage of victims\r\nPublished: 2019-10-21 · Archived: 2026-04-05 17:22:40 UTC\r\nThis report draws on reported information and NCSC investigations into Turla activity in the UK alongside information shared by partners and industry sources. It has been produced in collaboration and with the support of the United States’ National Security Agency (NSA).\r\nIntroduction\r\nThe Turla group, also known as Waterbug or VENOMOUS BEAR, is suspected to be Russia-based. Turla uses a range of tools and techniques to target government, military, technology, energy and commercial organisations for the purposes of intelligence collection.\r\nPrevious advisories from the NCSC detailed Turla’s use of Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit. This document provides an update on the reported activity, with a particular focus on how those tools were used in the period leading up to, and following, the publication of those advisories.\r\nSince those advisories were published, the NCSC, NSA and partner-shared analysis of additional victims and infrastructure determined the Neuron and Nautilus tools were very likely Iranian in origin. Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla’s use of their implants.\r\nAfter acquiring the tools – and the data needed to use them operationally – Turla first tested them against victims they had already compromised using their Snake toolkit, and then deployed the Iranian tools directly to additional victims. Turla sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold.\r\nThe focus of this activity from Turla was largely in the Middle East, where the targeting interests of both Advanced Persistent Threats (APTs) overlap.\r\nThe timeline of incidents, and the behaviour of Turla in actively scanning for Iranian backdoors, indicates that whilst Neuron and Nautilus tools were Iranian in origin, Turla were using these tools and accesses independently to further their own intelligence requirements. The behaviour of Turla in scanning for backdoor shells indicates that whilst they had a significant amount of insight into the Iranian tools, they did not have full knowledge of where they were deployed.\r\nhttps://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims\r\nPage 1 of 4\r\nWhile attribution of attacks and proving authorship of tools can be very difficult – particularly in the space of incident response on a victim network – the weight of evidence demonstrates that Turla had access to Iranian tools and the ability to identify and exploit them to further Turla’s own aims.\r\nBackground: Neuron and Nautilus usage by Turla\r\nThe NCSC published two advisories on the use of Neuron and Nautilus tools by Turla in late 2017 and early 2018.\r\nThese tools were observed in use alongside Snake on a number of victims.\r\nSince publication of those advisories, further analysis by the NCSC, the NSA and the wider cyber security community determined that Neuron and Nautilus tools were present on a range of victims, with a large cluster in the Middle East. Victims in this region included military establishments, government departments, scientific organisations and universities.\r\nSome of these victims, but not all, also had a Snake implant present.\r\nVictim Overlap\r\nInvestigation into these victims identified that while some implants had been deployed and administered from infrastructure associated with the Turla group, others had previously been connected to by Virtual Private Server (VPS) IP addresses associated in the open source cyber security community with Iranian APT groups.\r\nInterestingly, in some instances, it appeared an Iranian APT-associated IP address first deployed the implant, and later, Turla-associated infrastructure accessed the same implant.\r\nIn order to initiate connections with the implants, Turla must have had access to relevant cryptographic key material, and likely had access to controller software in order to produce legitimate tasking.\r\nIn other instances, Turla deployed Neuron to victims to which they already had access via their Snake toolkit, with all observed connections from Turla-associated infrastructure.\r\nScanning for backdoors\r\nTurla also made use of existing Snake victim networks to scan for the ASPX shell described in the initial advisory, attempting to identify the presence of, and access, the ASPX webshell on IP addresses in at least 35 countries.\r\nCommands were passed to the ASPX shell in encrypted HTTP Cookie values, requiring knowledge of the cryptographic keys to produce valid tasking and successfully interact with it.\r\nFrom one Snake victim, a log file was recovered which recorded the output of Turla’s scanning for these ASPX shells with the strings “!!!MAY BE SHELL!!! (check version)” and “!!!MAY BE SHELL!!! (100%)”; over 3500 unique IP addresses were scanned.\r\nOnce identified, Turla appeared to use these ASPX shells to gain an initial foothold into victims of interest, and then deploy further tools.\r\nTurla compromise of Iranian C2 infrastructure\r\nTurla accessed and used the Command and Control (C2) infrastructure of Iranian APTs to deploy their own tools to victims of interest. Turla directly accessed ‘Poison Frog’ C2 panels from their own infrastructure and used this access to task victims to download additional tools.\r\nReporting from Symantec details a specific victim in the Middle East where Turla was observed delivering their own malware via a Poison Frog panel, which Symantec and others in the cyber security community attribute to APT34 (also known as OilRig/Crambus).\r\nTurla compromise of Iranian Operational Infrastructure\r\nThe Turla group deployed their own implants against the operational infrastructure used by an Iranian APT actor and used this to further their own accesses into the Iranian APT’s global infrastructure.\r\nExfiltration of data from Iranian APT infrastructure to Turla infrastructure took place.\r\nData exfiltration from the Iranian infrastructure by Turla included directory listings and files, along with keylogger output containing operational activity from the Iranian actors, including connections to Iranian C2 domains.\r\nThis access gave Turla unprecedented insight into the tactics, techniques and procedures (TTPs) of the Iranian APT, including lists of active victims and credentials for accessing their infrastructure, along with the code needed to build versions of tools such as Neuron for use entirely independently of Iranian C2 infrastructure.\r\nIndicators of Compromise (IOCs)\r\nAs this advisory provides additional context around historical activity from the Turla group, these IOCs are provided for completeness. They may be useful to any investigator with historic data from a previous Turla (or Iranian APT) investigation. The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates.\r\nIndicators for Forensic Analysis\r\nThe following indicators can be used to search for the presence of Turla activity described in this document within forensic analysis tools.\r\n!!!MAY BE SHELL!!! (check version)\r\n!!!MAY BE SHELL!!! (100%)\r\nReporting to the NCSC\r\nAny current activity related to these threats should be reported via the NCSC website here where the NCSC can offer help and guidance.\r\nThe NCSC is also interested in receiving indicators of compromise and threat intelligence, even if the activity has already been remediated.\r\nSource: https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims"
	],
	"report_names": [
		"turla-group-exploits-iran-apt-to-expand-coverage-of-victims"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e2565557232e2a51fbc6523fea96ce5129b2218.pdf",
		"text": "https://archive.orkl.eu/2e2565557232e2a51fbc6523fea96ce5129b2218.txt",
		"img": "https://archive.orkl.eu/2e2565557232e2a51fbc6523fea96ce5129b2218.jpg"
	}
}