{
	"id": "48ffdd81-de12-4ee5-bdda-ca71042e92e9",
	"created_at": "2026-04-06T00:17:48.963755Z",
	"updated_at": "2026-04-10T03:33:35.520885Z",
	"deleted_at": null,
	"sha1_hash": "2e93385d25ecce95e28ec32ef58b27bda25ef0f4",
	"title": "A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13944183,
	"plain_text": "A step-by-step analysis of the Russian APT Turla backdoor called\r\nTinyTurla – CYBER GEEKS\r\nPublished: 2022-03-28 · Archived: 2026-04-05 22:02:17 UTC\r\nSummary\r\nTurla is a Russian-based group that has impacted government, embassies, military, education, and research\r\ncompanies since 2004. Our analysis focuses on a backdoor called TinyTurla that was installed on an endpoint via a\r\nWindows Service. The list of C2 servers and a password used for authentication with the servers are stored in the\r\nWindows registry. The malware implements 12 different commands that include spawning and killing processes,\r\ncreating and exfiltrating files, creating pipes for process communication, and modifying registry values used\r\nduring the execution.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: 030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01\r\nThe file is a 64-bit DLL that was installed as a service called “Microsoft Windows Time”\r\n(https://blog.talosintelligence.com/2021/09/tinyturla.html). We’ve manually created a service called “W64Time”\r\nand the corresponding registry keys/values by simulating the execution of the batch script mentioned in the Talos\r\narticle:\r\nhttps://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/\r\nPage 1 of 25\n\nFigure 1\r\nFigure 2\r\nBecause we’re analyzing a 64-bit file, the calling convention is different, and the function arguments are passed to\r\nthe RCX, RDX, R8, and R9 registers. Additional arguments are pushed onto the stack (right to left).\r\nRegisterServiceCtrlHandlerW is utilized to register a function to handle service control requests:\r\nFigure 3\r\nThe service status for the above service is set to 0x4 (SERVICE_RUNNING) via a function call to\r\nSetServiceStatus:\r\nFigure 4\r\nAfter the main function finishes, the service status is set to 0x1 (SERVICE_STOPPED).\r\nThe RegOpenKeyExW API is used to open the “SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters”\r\nregistry key (0x80000002 = HKEY_LOCAL_MACHINE, 0x20119 = KEY_READ | KEY_WOW64_64KEY):\r\nFigure 5\r\nThe process extracts the following registry values using RegQueryValueExW:\r\nTimeLong – the number of milliseconds that the malware waits when the C2 servers are not responding\r\nTimeShort – the number of milliseconds between requesting different commands from the C2 server\r\nSecurity – password used to perform some sort of authentication\r\nHosts – list of C2 domains and port numbers\r\nFigure 6\r\nFigure 7\r\nFigure 8\r\nFigure 9\r\nThe malware passes the C2 IPs and port numbers to the CommandLineToArgvW routine and extracts an array of\r\npointers to them (the C2 server is randomly chosen for testing purposes):\r\nFigure 10\r\nWe’ve emulated network connections using FakeNet.\r\nThe malicious process opens the “SOFTWARE\\Microsoft\\Cryptography” registry key using RegOpenKeyExW\r\n(0x80000002 = HKEY_LOCAL_MACHINE, 0x20019 = KEY_READ):\r\nFigure 11\r\nThe “MachineGuid” value is extracted via a function call to RegQueryValueExW:\r\nFigure 12\r\nWinHttpOpen is utilized to initialize the use of WinHTTP functions:\r\nFigure 13\r\nThe file initializes a connection to the C2 server by calling the WinHttpConnect API:\r\nFigure 14\r\nThe WinHttpOpenRequest function is used to create a GET request handle (0x800000 =\r\nWINHTTP_FLAG_SECURE):\r\nFigure 15\r\nThe process adds an HTTP request header called “Title” containing the Machine GUID to the HTTP request\r\nhandle (0x20000000 = HTTP_ADDREQ_FLAG_ADD):\r\nFigure 16\r\nThe security flags for the handle are set using WinHttpSetOption (0x1F =\r\nWINHTTP_OPTION_SECURITY_FLAGS, 0x3300 = WinHttpRequestOption_SslErrorIgnoreFlags):\r\nFigure 17\r\nThe malicious file sends the request to the C2 server using the WinHttpSendRequest routine:\r\nFigure 18\r\nWinHttpReceiveResponse is used to receive the response to the GET request initiated above:\r\nFigure 19\r\nThe binary obtains header information associated with the request by calling the WinHttpQueryHeaders API\r\n(0x26 = WINHTTP_QUERY_TITLE):\r\nFigure 20\r\nWinHttpQueryDataAvailable is utilized to extract the amount of data, in bytes, available to be read with\r\nWinHttpReadData:\r\nFigure 21\r\nThe response from the server is copied to a buffer via a call to WinHttpReadData:\r\nFigure 22\r\nTinyTurla implements 12 different commands depending on the 1st byte received in the response. It uses a switch\r\nstatement to execute a particular function:\r\nFigure 23\r\n1st byte = 0x00 – Authentication\r\nThe backdoor compares the “Security” value with a string starting from the 2nd byte in the response:\r\nFigure 24\r\nFigure 25\r\nIf the two strings are equal, the malware sends “00 00” to the C2 server. Otherwise, it sends “00 03”,\r\nindicating an unsuccessful “authentication”.\r\n1st byte = 0x01 – create a process\r\nThe binary creates a process specified by the C2 server in the response (0x08000000 =\r\nCREATE_NO_WINDOW):\r\nFigure 26\r\nThe WinHttpOpenRequest routine is used to create a POST request handle (0x800000\r\n= WINHTTP_FLAG_SECURE):\r\nFigure 27\r\nThe backdoor adds an HTTP request header called “Title” that contains the Machine GUID to the request handle\r\n(0x20000000 = HTTP_ADDREQ_FLAG_ADD):\r\nFigure 28\r\nThe security flags for the handle are set using WinHttpSetOption (0x1F\r\n= WINHTTP_OPTION_SECURITY_FLAGS, 0x3300 = WinHttpRequestOption_SslErrorIgnoreFlags):\r\nFigure 29\r\nThe malicious process sends the POST request to the C2 server by calling the WinHttpSendRequest API:\r\nFigure 30\r\nA confirmation message “01 00” is sent to the C2 server using WinHttpWriteData:\r\nFigure 31\r\nWinHttpReceiveResponse is utilized to halt the process until it receives the response to the HTTP request:\r\nFigure 32\r\nThe backdoor sleeps for “TimeShort” milliseconds and waits for further instructions:\r\nFigure 33\r\n1st byte = 0x02 – create a process and exfiltrate its output\r\nThe malicious file creates an anonymous pipe and returns handles to the read/write ends of the pipe:\r\nFigure 34\r\nThe write handle is set to be inherited by calling the SetHandleInformation routine (0x1 =\r\nHANDLE_FLAG_INHERIT):\r\nFigure 35\r\nA second anonymous pipe is created via a function call to CreatePipe:\r\nFigure 36\r\nThe read handle is set to be inherited by calling the SetHandleInformation routine (0x1 =\r\nHANDLE_FLAG_INHERIT):\r\nFigure 37\r\nThe malware creates a process mentioned by the C2 server in the response (0x08000000 =\r\nCREATE_NO_WINDOW):\r\nFigure 38\r\nWaitForSingleObject is used to wait until the above process is in the signaled state or 0xEA60 = 60000ms = 60\r\nseconds have elapsed:\r\nFigure 39\r\nThe output of the created process is copied from the anonymous pipe into a buffer by calling the\r\nPeekNamedPipe function:\r\nFigure 40\r\nThe process reads data from the pipe using ReadFile:\r\nFigure 41\r\nFigure 42\r\nThe backdoor kills the process created above using the TerminateProcess routine:\r\nFigure 43\r\nThe execution flow of creating a POST request (WinHttpOpenRequest -\u003e WinHttpAddRequestHeaders -\u003e\r\nWinHttpSetOption -\u003e WinHttpSendRequest) is repeated and will not be detailed again. The process output is\r\nexfiltrated to the CnC server:\r\nFigure 44\r\n1st byte = 0x03 – create and populate a file\r\nThe backdoor creates a file specified by the C2 server using CreateFileW (0x40000000 = GENERIC_WRITE,\r\n0x2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL):\r\nFigure 45\r\nThe WriteFile API is utilized to populate the file with data received from the server:\r\nFigure 46\r\nA confirmation message “03 00” is sent to the C2 server.\r\n1st byte = 0x04 – exfiltrate a file to the C2 server\r\nThe process opens a file nominated by the server using CreateFileW (0x80000000 = GENERIC_READ, 0x3 =\r\nOPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL):\r\nFigure 47\r\nThe size of the file is retrieved by calling the GetFileSize routine:\r\nFigure 48\r\nThe file content is copied to a buffer via a function call to ReadFile:\r\nFigure 49\r\nThe content extracted above is transmitted to the CnC server:\r\nFigure 50\r\n1st byte = 0x05 – spawn a new process\r\nThe malicious process creates an anonymous pipe using the CreatePipe API:\r\nFigure 51\r\nThe write handle is set to be inherited by calling the SetHandleInformation routine (0x1\r\n= HANDLE_FLAG_INHERIT):\r\nFigure 52\r\nA second anonymous pipe is created by the malware:\r\nFigure 53\r\nThe read handle is set to be inherited by calling the SetHandleInformation routine (0x1\r\n= HANDLE_FLAG_INHERIT):\r\nFigure 54\r\nCreateProcessW is used to create a process specified by the C2 server (0x08000000\r\n= CREATE_NO_WINDOW):\r\nFigure 55\r\nA confirmation message “05 00” is sent to the C2 server.\r\n1st byte = 0x06 – kill a process\r\nThe binary kills the process spawned in the above command by calling TerminateProcess:\r\nFigure 56\r\nA confirmation message “06 00” is sent to the C2 server.\r\n1st byte = 0x07 – read/write to a pipe\r\nThe WriteFile API is utilized to write data transmitted by the CnC server to a pipe created earlier:\r\nFigure 57\r\nThe process reads data that is available through the pipe using the PeekNamedPipe and ReadFile APIs:\r\nFigure 58\r\nFigure 59\r\nThe pipe content extracted above is exfiltrated to the C2 server.\r\n1st byte = 0x08 – modify the “TimeLong” registry value\r\nThe malware opens the “SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters” registry key by calling the\r\nRegOpenKeyExW routine (0x80000002 = HKEY_LOCAL_MACHINE, 0x20006 = KEY_WRITE):\r\nFigure 60\r\nThe “TimeLong” value is modified to a number sent by the C2 server:\r\nFigure 61\r\nA confirmation message “08 00” is sent to the C2 server.\r\n1st byte = 0x09 – modify the “TimeShort” registry value\r\nThis command is similar to the one from above. The “TimeShort” value is modified accordingly:\r\nFigure 62\r\nA confirmation message “09 00” is sent to the C2 server.\r\n1st byte = 0x0A – modify the “Security” registry value\r\nThis command is similar to the one from above. The “Security” value used in the authentication process is\r\nchanged by the backdoor:\r\nFigure 63\r\nA confirmation message “0A 00” is sent to the C2 server.\r\n1st byte = 0x0B – modify the “Hosts” registry value\r\nThis command is similar to the one from above. The “Hosts” value that contains the list of C2 servers is changed\r\nby the malware:\r\nFigure 64\r\nCommandLineToArgvW is utilized to retrieve an array of pointers to the C2 server(s):\r\nFigure 65\r\nA confirmation message “0B 00” is sent to the C2 server.\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/\r\nFakenet: https://github.com/fireeye/flare-fakenet-ng\r\nVirusTotal:\r\nhttps://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01\r\nMalwareBazaar:\r\nhttps://bazaar.abuse.ch/sample/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/\r\nTalos article: https://blog.talosintelligence.com/2021/09/tinyturla.html\r\nSource: https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/"
	],
	"report_names": [
		"a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e93385d25ecce95e28ec32ef58b27bda25ef0f4.pdf",
		"text": "https://archive.orkl.eu/2e93385d25ecce95e28ec32ef58b27bda25ef0f4.txt",
		"img": "https://archive.orkl.eu/2e93385d25ecce95e28ec32ef58b27bda25ef0f4.jpg"
	}
}