{
	"id": "b467ef7d-1be1-4db5-a4ab-f3aaa3c7dd55",
	"created_at": "2026-04-06T00:21:48.484282Z",
	"updated_at": "2026-04-10T03:37:37.154046Z",
	"deleted_at": null,
	"sha1_hash": "2fa4fbb9266c13d15cf5539cb7154f1cce2212a4",
	"title": "Examining the Activities of the Turla APT Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411153,
	"plain_text": "Examining the Activities of the Turla APT Group\r\nBy Srivathsa Sharma ( words)\r\nPublished: 2023-09-22 · Archived: 2026-04-05 23:05:28 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on\r\nthe key MITRE techniques and the corresponding IDs associated with the threat actor group.\r\nBy: Srivathsa Sharma Sep 22, 2023 Read time: 8 min (2043 words)\r\nSave to Folio\r\nIn this blog entry, we examine the campaigns of the cyberespionage group known as Turlanews article over the\r\nyears, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat\r\nactor group.\r\nAn introduction to Turla\r\nRegarded as a highly sophisticated advanced persistent threat (APT) group, the Russian-based Turla has been\r\nsuspected to be operational since at least 2004.\r\nTurla’s group names are infamously titled after its top-class rootkits such as Snake, Venomous Bear, WhiteBear,\r\nUroburos, Group 88, and Waterbug, all known for targeting government entities, intelligence agencies, as well as\r\nthe military, educational, research, and pharmaceutical industries around the world. Like other APT groups, Turla\r\npossesses its own specifically-designed, complex tools. However, it is the threat actor’s satellite-based command-and-control (C\u0026C) mechanism that it uses in the latter stages of an attack, coupled with its ability to fly under the\r\nradar, that makes Turla stand out from its contemporaries.\r\nUnravelling Turla’s activities\r\nAlthough Turla has been known to be active in the wild for several years now, its infection vector had been a\r\nquestion mark. Research conducted in 2014 indicated a sophisticated multi-stage attack using Epic (a malware\r\nfamily used by Turla), with the campaign being dubbed as Epic Turla. 
The attacks, which exploited the vulnerabilities CVE-2013-5065 and CVE-2013-3346, employed spear-phishing emails that used Adobe PDF exploits and watering-hole techniques that used Java exploits (CVE-2012-1723). The major highlight of this campaign was Turla’s use of more complex backdoors like Carbon/Cobra, with the group sometimes using both backdoors as a failover.\r\nhttps://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html\r\nPage 1 of 10\n\nFigure 1. The MITRE ATT\u0026CK techniques used in the August 2014 campaigns\r\nTactics and Techniques:\r\nTA0001 (Initial Access)\r\n    T1189 (Drive-by Compromise)\r\n    T1566 (Phishing)\r\nTA0002 (Execution)\r\n    T1204.002 (User Execution: Malicious File)\r\nWhile the previous Turla campaigns were designed to target Windows-based machines, the campaign in August 2014 was the first instance in which Turla targeted the Linux operating system. Dubbed Penguin Turla, the group used a Linux Turla module with a C/C++ executable statically linked against multiple libraries, greatly increasing its file size for this campaign.\r\nA group of threat actors named Waterbug (alleged to be a state-sponsored group) used variants of Trojan.Turla and Trojan.Wipbot to exploit a zero-day vulnerability, specifically the Windows Kernel NDProxy.sys local privilege escalation vulnerability CVE-2013-5065. A research entry suggested that the attackers used specially crafted emails with malicious attachments and a set of compromised websites to deliver malicious payloads.\r\nIn 2017, ESET published a research entry on a sophisticated variant of the Turla malware, a second-stage backdoor known as Carbon. A Carbon attack initially involves the victim either receiving a spear-phishing email or visiting a compromised website, also known as a watering hole. This is then followed by the installation of a first-stage backdoor such as Tavdig or Skipper. 
The second-stage backdoor Carbon is then installed on key systems after reconnaissance activities are completed. The Carbon framework consists of a dropper to install its configuration file, a component to communicate with the C\u0026C server, an orchestrator to handle tasks and move them laterally over the network, and a loader to execute the orchestrator.\r\nIn May 2017, a new backdoor trojan by the name of Kazuar was linked to the Turla group. Written using the Microsoft .NET Framework, Kazuar contains highly functional command sets that are capable of remotely loading additional plug-ins.\r\nKazuar gathers system and malware file name information and creates a mutex to ensure that only one instance of the malware executes on the system at a time. It then adds an LNK file to the Windows startup folder.\r\nThe majority of the commands in Kazuar’s command set share similar attributes with other backdoor trojans. For example, the tasklist command uses a Windows Management Instrumentation (WMI) query to obtain running processes from Windows, while the info command is used to gather information about opened windows. Meanwhile, Kazuar’s cmd command will run commands using cmd.exe on Windows systems and /bin/bash on Unix systems. 
These commands strongly suggest that Kazuar was built to be cross-platform malware targeting both Windows and Unix systems.\r\nResearch conducted in early 2021 revealed several similarities between the Sunburst and Kazuar backdoors.\r\nTactics and Techniques:\r\nTA0002 (Execution)\r\n    T1047 (Windows Management Instrumentation)\r\nTA0003 (Persistence)\r\n    T1547.009 (Boot or Logon Autostart Execution: Shortcut Modification)\r\nTA0007 (Discovery)\r\n    T1010 (Application Window Discovery)\r\nIn August, Turla unveiled a new second-stage backdoor written in C++ known as Gazer, which relied on watering-hole attacks and spear-phishing campaigns for more precise targeting of victims.\r\nAside from being stealthier, Gazer was found to have plenty of similarities with the previously used second-stage backdoors such as Carbon and Kazuar. The defining characteristic of this campaign was the insertion of “video-game-related” sentences throughout the code. Turla encrypts Gazer’s C\u0026C server using its own library for 3DES and RSA.\r\nTactics and Techniques:\r\nTA0011 (Command and Control)\r\n    T1573 (Encrypted Channel)\r\nAn intelligence report from 2018 suggested that Turla used new malicious tools known as Neuron and Nautilus in conjunction with the Snake rootkit to target Windows machines, focusing on mail and web servers in particular. Turla made use of existing Snake victims to scan for ASPX shells, with the commands being passed using encrypted HTTP cookie values. The entry also mentioned that Turla used ASPX shells to gain a foothold in the target system to deploy additional tools.\r\nTurla targeted the foreign offices of European governments via a backdoor, with the intention of accessing highly sensitive information. The campaign targeted Microsoft Outlook and The Bat! 
(a popular mail client primarily used in Eastern Europe) by forwarding all outgoing emails to the attackers. The backdoor used email messages to exfiltrate data, employing specially crafted PDF documents. It also used email messages as a transport layer for its C\u0026C server.\r\nOilRig is an Iran-linked APT group that usually targets government agencies and organizations in the Middle East. Previous research suggests that the Turla group compromised a target using OilRig’s infrastructure. The campaign saw the use of a heavily modified, custom variant of the Mimikatz tool, plus a new set of tools involving several new backdoors. In the later stages of the campaign, the Turla group used a different remote procedure call (RPC) backdoor, which included code from the publicly available PowerShell Runner tool to execute PowerShell scripts (without using powershell.exe).\r\nIn March 2020, security researchers observed Turla targeting multiple Armenian websites using watering-hole attacks. These websites were implanted with malicious JavaScript code, although the access methods used in the attack are unknown. The compromised webpage then delivered second-stage malicious JavaScript code to fingerprint the victim’s browser and trick them into installing a malicious Flash installer. Turla then used NetFlash (a .NET downloader) and PyFlash for its second-stage malware.\r\nFigure 4. 
The MITRE ATT\u0026CK techniques used in the March 2020 campaigns\r\nTactics and Techniques:\r\nTA0001 (Initial Access)\r\n    T1189 (Drive-by Compromise)\r\nTA0002 (Execution)\r\n    T1204 (User Execution)\r\nTA0003 (Persistence)\r\n    T1053 (Scheduled Task/Job)\r\nTA0007 (Discovery)\r\n    T1016 (System Network Configuration Discovery)\r\n    T1057 (Process Discovery)\r\n    T1082 (System Information Discovery)\r\nTA0011 (Command and Control)\r\n    T1071 (Application Layer Protocol)\r\n    T1573 (Encrypted Channel)\r\n    T1571 (Non-Standard Port)\r\nTA0010 (Exfiltration)\r\n    T1041 (Exfiltration Over C2 Channel)\r\nComRAT v4, also known as Agent.BTZ, is a remote access trojan (RAT) used by Turla. Developed in C++, it employs a virtual FAT16 file system that is often used to exfiltrate sensitive documents. It is deployed using existing access methods, such as the PowerStallion PowerShell backdoor. Furthermore, it uses HTTP and emails as C\u0026C channels. 
\r\nTactics and Techniques:\r\nTA0002 (Execution)\r\n    T1059 (Command and Scripting Interpreter)\r\nTA0003 (Persistence)\r\n    T1053 (Scheduled Task/Job)\r\nTA0005 (Defense Evasion)\r\n    T1055 (Process Injection)\r\n    T1112 (Modify Registry)\r\n    T1027 (Obfuscated Files or Information)\r\nTA0007 (Discovery)\r\n    T1069 (Permission Groups Discovery)\r\n    T1033 (System Owner/User Discovery)\r\n    T1082 (System Information Discovery)\r\n    T1083 (File and Directory Discovery)\r\n    T1087 (Account Discovery)\r\n    T1120 (Peripheral Device Discovery)\r\n    T1135 (Network Share Discovery)\r\n    T1016 (System Network Configuration Discovery)\r\nTA0009 (Collection)\r\n    T1213 (Data from Information Repositories)\r\nTA0011 (Command and Control)\r\n    T1573 (Encrypted Channel)\r\n    T1071 (Application Layer Protocol)\r\n    T1102 (Web Service)\r\nTA0010 (Exfiltration)\r\n    T1048 (Exfiltration Over Alternative Protocol)\r\nIn December 2020, a previously undocumented backdoor and document stealer named Crutch was attributed to the Turla group. Apparently, older versions of Crutch included a backdoor that communicated with a hard-coded Dropbox account using the official HTTP API. It had the ability to execute commands related to the reading and writing of files, executing additional processes, and setting persistence via DLL hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive. 
One major feature of Crutch v4 is that it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility (unlike the previous versions, which relied on the backdoor commands).\r\nTactics and Techniques:\r\nTA0001 (Initial Access)\r\n    T1078.003 (Valid Accounts: Local Accounts)\r\nTA0003 (Persistence)\r\n    T1053.005 (Scheduled Task/Job: Scheduled Task)\r\n    T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking)\r\nTA0005 (Defense Evasion)\r\n    T1036.004 (Masquerading: Masquerade Task or Service)\r\nTA0007 (Discovery)\r\n    T1120 (Peripheral Device Discovery)\r\nTA0009 (Collection)\r\n    T1025 (Data from Removable Media)\r\n    T1074.001 (Data Staged: Local Data Staging)\r\n    T1119 (Automated Collection)\r\n    T1560.001 (Archive Collected Data: Archive via Utility)\r\nTA0011 (Command and Control)\r\n    T1008 (Fallback Channels)\r\n    T1071.001 (Application Layer Protocol: Web Protocols)\r\n    T1102.002 (Web Service: Bidirectional Communication)\r\nTA0010 (Exfiltration)\r\n    T1020 (Automated Exfiltration)\r\n    T1041 (Exfiltration Over C2 Channel)\r\n    T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)\r\nThe new Turla backdoor known as TinyTurla was likely used as a failover option to maintain access to the system even when the primary malware is removed. The backdoor is installed using a batch file and comes in the form of a service DLL called w64time.dll that tries to impersonate the legitimate w32time.dll file on Windows systems.\r\nTurla’s May 2022 campaign was used for the sole purpose of reconnaissance and did not involve any use of malicious code. 
Security researchers discovered a document that performed requests via HTTP to its own controlled server, with the purpose of capturing the version and type of the Microsoft Word application used by the victim. The information can later be used to craft a specific exploit based on the Microsoft Word version.\r\nFigure 7. The MITRE ATT\u0026CK techniques used in the May 2022 reconnaissance campaign\r\nTactics and Techniques:\r\nTA0043 (Reconnaissance)\r\n    T1592.002 (Gather Victim Host Information: Software)\r\n    T1590.005 (Gather Victim Network Information: IP Addresses)\r\n    T1598.003 (Phishing for Information: Spearphishing Link)\r\nA July 2023 announcement from the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Turla was using the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets. In this campaign, Capibar was used for intelligence gathering while Kazuar performed credential theft. This attack targeted diplomatic and military organizations by leveraging phishing attacks.\r\nFigure 8. The MITRE ATT\u0026CK techniques used in the July 2023 Capibar/Kazuar attacks\r\nTactics and Techniques:\r\nTA0005 (Defense Evasion)\r\n    T1027 (Obfuscated Files or Information)\r\nTA0002 (Execution)\r\n    T1059 (Command and Scripting Interpreter)\r\nTA0011 (Command and Control)\r\n    T1053 (Scheduled Task/Job)\r\n    T1105 (Ingress Tool Transfer)\r\nTA0010 (Exfiltration)\r\n    T1567 (Exfiltration Over Web Service)\r\nTA0003 (Persistence)\r\n    T1546 (Event Triggered Execution)\r\nConclusion\r\nThe Turla group is a persistent adversary with a long history of activities. 
Its origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives. Turla has continuously developed its tools and techniques over the years and will likely keep on refining them.\r\nThe threat posed by groups such as Turla underscores the importance for organizations and governments of remaining vigilant by staying informed, sharing intelligence, and implementing security measures that allow both groups and individuals to better protect themselves against these kinds of threat actors.\r\nIndicators of Compromise\r\nThe indicators of compromise for the various Turla campaigns can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html"
	],
	"report_names": [
		"examining-the-activities-of-the-turla-group.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fa4fbb9266c13d15cf5539cb7154f1cce2212a4.pdf",
		"text": "https://archive.orkl.eu/2fa4fbb9266c13d15cf5539cb7154f1cce2212a4.txt",
		"img": "https://archive.orkl.eu/2fa4fbb9266c13d15cf5539cb7154f1cce2212a4.jpg"
	}
}