{
	"id": "afc5310d-78c7-4875-9f37-42af63d7ded5",
	"created_at": "2026-04-06T03:37:02.689307Z",
	"updated_at": "2026-04-10T03:33:35.602072Z",
	"deleted_at": null,
	"sha1_hash": "3bb1e5dc1a0377952f52d2c444c0e735b0cbd6e7",
	"title": "TinyTurla-NG in-depth tooling and command and control analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1446517,
	"plain_text": "TinyTurla-NG in-depth tooling and command and control analysis\r\nBy Asheer Malhotra\r\nPublished: 2024-02-22 · Archived: 2026-04-06 03:14:18 UTC\r\nCisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla\r\nAPT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts\r\ndeployed on the compromised WordPress servers utilized in the compromise we previously disclosed.\r\nTalos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG\r\n(TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell\r\ncommands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.\r\nTalos has also discovered the use of another three malicious modules deployed via the initial implant,\r\nTinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.\r\nOne of these components is a modified agent/client from Chisel, an open-sourced attack framework, used\r\nto communicate with a separate C2 server to execute arbitrary commands on the infected systems.\r\nCertificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant\r\nhas likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s\r\nusage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other\r\nPowerShell-based scripts during this campaign.\r\nTalos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the\r\ncompromise we’ve previously disclosed. 
The continued investigation also revealed details of the inner workings\r\nof the C2 scripts, including the handling of incoming requests and a web shell component that allows the operators to\r\nadminister the compromised C2 servers remotely.\r\nC2 server analysis\r\nThe command and control (C2) code is a PHP-based script that serves two purposes: it is a handler for the\r\nTinyTurla-NG implants and a web shell that the Turla operators can use to execute commands on the compromised\r\nC2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG\r\nimplants and are meant to deliver executables and administrative commands to execute on infected systems.\r\nOn load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG\r\nbackdoor. After receiving a request, the C2 script first checks whether the logging directory exists and creates\r\nit if not. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then\r\nthe C2 script will act as a web shell.\r\nIt will base64 decode the value of the $_COOKIE entry (not to be confused with the authentication COOKIE ID)\r\nand execute it on the C2 server as a command. These commands are run using either the exec(), passthru(),\r\nsystem(), or shell_exec() functions. It will also check if the variable specified is a resource and read its contents.\r\nOnce the actions are complete, the output or resource is sent to the requestor and the PHP script will stop\r\nexecuting.\r\nhttps://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/\r\nPage 1 of 11\n\nC2 script’s web shell capability.\r\nIf there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with\r\nan implant, such as TTNG or TurlaPower-NG. 
The “id” parameter is the same variable that the TTNG\r\nand TurlaPower-NG implants pass during communication with the C2; it is also used to create the logging directory on the C2\r\nserver. Depending on the next form value accompanying the “id”, the C2 will perform the following\r\nactions:\r\n\"task\": Write the content sent by the requestor to the “\u003cid\u003e/tasks.txt” file and record the requestor’s IP\r\naddress and timestamp in “\u003cid\u003e/_log.txt”. The contents of the tasks file are then sent to the requestor in\r\nresponse to a “gettask” request. Adversaries use this mechanism to add more tasks to the list of\r\ntasks/commands that each C2 must send to their backdoor installations to execute on the infected\r\nendpoints.\r\n\"gettask\": Send the contents of the “\u003cid\u003e/tasks.txt” file to the infected system requesting a new command\r\nto execute on the infected endpoint.\r\n\"result\": Get the content of the HTTP(S) form and record it into the “\u003cid\u003e/result.txt” file. The C2 uses this\r\nmechanism to obtain the output of a command executed on an infected endpoint by the TTNG\r\nbackdoor and record it into a file on disk.\r\n\"getresult\": Get the contents of the “\u003cid\u003e/result.txt” file from the C2 server. 
The adversaries use this to\r\nobtain the results of a command executed on the infected endpoint without having to access the C2 server.\r\n\"file\" + \"name\": Save the contents of the file sent to the C2 server, either in full or in part, to a file on\r\nthe C2 server with the same “name” specified in the HTTP form.\r\n\"cat_file\": Read the contents of a file specified by the requestor on the C2 server and respond with the\r\ncontents.\r\n\"rm_file\": Remove/delete a file specified by the requestor from the C2 server.\r\nThe C2 script’s request handling logic.\r\nThe HTTP form values accepted by the C2 server (task, cat_file, rm_file, get_result) and their\r\ncorresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the\r\nthreat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server\r\nfrom a remote location, without having to log into the C2 itself. Operationally, this tactic benefits\r\nthe threat actors because all C2 servers discovered so far are websites compromised by the threat actor\r\nrather than attacker-owned. It is therefore preferable for Turla’s operators to simply communicate\r\nover HTTPS, masquerading as legitimate traffic, instead of re-exploiting or accessing the servers through other\r\nmeans such as SSH, which would increase their fingerprint on the compromised C2 servers.\r\nThis tactic can be visualized as:\r\nInstrumenting TinyTurla-NG to carry out post-compromise activity\r\nThe adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the\r\ninfected endpoints and then exfiltrate these files. 
They issued three distinct sets of modular PowerShell commands\r\nto TTNG:\r\nReconnaissance commands: Used to enumerate files in a directory specified by the operator. The\r\ndirectory listing is returned to the operator to select interesting files that can be exfiltrated.\r\nPowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.\r\nCopy file commands: Base64-encoded commands/scripts issued to the infected systems to copy over files\r\nof interest from their original location to a temporary directory, usually: C:\\windows\\temp\\\r\nPowerShell script copies files to an intermediate location.\r\nExfiltration commands/scripts aka TurlaPower-NG: These scripts were used to finally exfiltrate the\r\nselected files to the C2 servers.\r\nThe scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders\r\nof interest to Turla. These locations consisted of files and documents that were used and maintained by Polish\r\nNGOs to conduct their day-to-day operations. 
The actors also used these scripts to exfiltrate Firefox profile data,\r\nreinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.\r\nWhile TinyTurla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a\r\ncombination of the scripts described above, the attackers chose to deploy three more tools to aid in their malicious\r\noperations:\r\nChisel: Modified copy of the Chisel client/agent.\r\nCredential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s\r\nsaved login data.\r\nTool for executing commands with elevated privileges: A binary that is meant to impersonate the privilege\r\nlevel of a specified process while executing arbitrary commands specified by the parent process.\r\nThe overall infection activity once TTNG has been deployed looks like this:\r\nUsing Chisel as another means of persistent access\r\nTalos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the\r\nadversary also deployed another implant on infected systems. It’s a modified copy of the Go-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker[.]exe\r\nThe modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port,\r\ncommunication certificate and private keys embedded in the malware sample. Once it decrypts these artifacts,\r\nit proceeds to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks\r\nIn the proxy:\r\n“R”: Stands for remote port forwarding.\r\n“5000”: This is the port on the attacker machine that receives the connection from the infected system.\r\n“socks”: Specifies the usage of the SOCKS protocol. 
\r\n(The default local host and port for a socks remote in Chisel is 127[.]0[.]0[.]1:1080.)\r\nThe C2 server that the chisel sample contacts is: 91[.]193[.]18[.]120:443.\r\nThe TLS configuration consists of a client TLS certificate and key pair. The certificate is valid between Dec. 7,\r\n2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December\r\n2023. The issuer of the certificate is named “dropher[.]com” and the subject name is “blum[.]com”.\r\nTLS Certificate for the chisel malware used by Turla. \r\nDuring our data analysis, we found another certificate which we assessed with high confidence was also generated\r\nby Turla operators, but it's unclear if this was a mistake or if they intended for the certificate to be used on another\r\nmodified chisel implant. \r\nCertificate issuer DN.\r\nThe new certificate has the same issuer but in this case, the common name is blum[.]com and the serial number is\r\n0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.\r\nAdditional tools for elevated process execution and credential harvesting\r\nTurla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run\r\narbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.\r\nThe first tool is a small and simple Windows executable to create a new command line process on the system by\r\nimpersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID)\r\nrepresenting the process whose privilege level is to be impersonated and the command line that needs to be\r\nexecuted. 
Then, a new cmd[.]exe is spawned and used to execute arbitrary commands on the infected endpoint.\r\nThe binary was compiled in early 2022 and was likely used in previous campaigns by Turla.\r\nThe tool contains the embedded cmd[.]exe command line.\r\nThe second tool discovered by Talos is a PowerShell script residing at the location:\r\nC:\\windows\\system32\\edgeparser.ps1\r\nThis script is used to find login data from Microsoft Edge located at:\r\n%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data\r\nThis data file and the corresponding decryption key for the login data extracted from the endpoint are archived into\r\na ZIP file and stored in the directory: C:\\windows\\temp\\\u003cfilename\u003e.zip\r\nThe script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data\r\nfrom:\r\n%userprofile%\\AppData\\Local\\Microsoft\\Edge\r\nPowerShell script obtaining key and login data to add to the archive for exfiltration.\r\nTTNG uses the privilege elevation tool to run the PowerShell script using the command:\r\n\"C:\\Windows\\System32\\i.exe\" _PID_ \"powershell -f C:\\Windows\\System32\\edgeparser.ps1\"\r\nThis results in the tool spawning a new process with the command line:\r\nC:\\Windows\\System32\\cmd.exe /c \"powershell -f C:\\Windows\\System32\\edgeparser.ps1\"\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found in our GitHub repository here.\r\nIP Addresses\r\n91[.]193[.]18[.]120\r\nSource: https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/"
	],
	"report_names": [
		"tinyturla-ng-tooling-and-c2"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446622,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bb1e5dc1a0377952f52d2c444c0e735b0cbd6e7.pdf",
		"text": "https://archive.orkl.eu/3bb1e5dc1a0377952f52d2c444c0e735b0cbd6e7.txt",
		"img": "https://archive.orkl.eu/3bb1e5dc1a0377952f52d2c444c0e735b0cbd6e7.jpg"
	}
}