{
	"id": "8b44f735-1bb2-40bc-889a-f6871f021b1d",
	"created_at": "2026-04-06T00:17:40.828007Z",
	"updated_at": "2026-04-10T13:13:09.290005Z",
	"deleted_at": null,
	"sha1_hash": "40578a9d842e6db4d344ae64c91e79782cc7fd8c",
	"title": "The Epic Turla Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4446870,
	"plain_text": "The Epic Turla Operation\r\nBy GReAT\r\nPublished: 2014-08-07 · Archived: 2026-04-05 15:06:46 UTC\r\n Technical Appendix with IOCs\r\nExecutive Summary\r\nOver the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we\r\ncall “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45\r\ncountries, including government institutions, embassies, military, education, research and pharmaceutical\r\ncompanies.\r\nThe attacks are known to have used at least two zero-day exploits:\r\nCVE-2013-5065 – Privilege escalation vulnerability in Windows XP and Windows 2003\r\nCVE-2013-3346 – Arbitrary code-execution vulnerability in Adobe Reader\r\nhttps://securelist.com/analysis/publications/65545/the-epic-turla-operation/\r\nPage 1 of 27\n\nWe also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole\r\nstrategies in these attacks. The primary backdoor used in the Epic attacks is also known as “WorldCupSec”,\r\n“TadjMakhal”, “Wipbot” or “Tavdig”.\r\nWhen G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big\r\nunknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are\r\ninfected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain\r\nconfidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. 
Sometimes, both\r\nbackdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the\r\nbackdoors.\r\nOnce the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other\r\nextreme persistence mechanisms.\r\nThe attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.\r\nNote: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers. Contact:\r\nintelreports@kaspersky.com\r\nThe Epic Turla attacks\r\nThe attacks in this campaign fall into several different categories depending on the vector used in the initial\r\ncompromise:\r\nSpearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)\r\nSocial engineering to trick the user into running malware installers with “.SCR” extension, sometimes\r\npacked with RAR\r\nWatering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer\r\n6,7,8 exploits (unknown)\r\nWatering hole attacks that rely on social engineering to trick the user into running fake “Flash Player”\r\nmalware installers\r\nThe attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes\r\n(waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to\r\nserve malicious code.\r\nSo far we haven’t been able to locate any e-mail used against the victims, only the attachments. 
The PDF\r\nattachments do not show any “lure” to the victim when opened; however, the SCR packages sometimes show a\r\nclean PDF upon successful installation.\r\nSome of the known attachment names used in the spearphishing attacks are:\r\nمؤتمر جنيف.rar (translation from Arabic: “Geneva conference.rar”)\r\nNATO position on Syria.scr\r\nNote_№107-41D.pdf\r\nTalking Points.scr\r\nborder_security_protocol.rar\r\nSecurity protocol.scr\r\nProgram.scr\r\nIn some cases, these filenames can provide clues about the type of victims the attackers are targeting.\r\nThe watering hole attacks\r\nCurrently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision.\r\nSome of the injected websites include:\r\nThe website of the City Hall of Pinor, Spain\r\nA site promoting entrepreneurship in the border area of Romania\r\nPalestinian Authority Ministry of Foreign Affairs\r\nIn total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in\r\nRomania.\r\nHere’s a statistic on the injected websites:\r\nThe distribution is obviously not random, and it reflects some of the interests of the attackers. 
For instance, in\r\nRomania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to\r\nlocal governments (City Hall).\r\nMost of the infected sites use the TYPO3 CMS (see: https://typo3.org/), which could indicate the attackers are\r\nabusing a specific vulnerability in this publishing platform.\r\nInjected websites load a remote JavaScript into the victim’s browser:\r\nThe script “sitenavigatoin.js” is a Pinlady-style browser and plugin detection script, which, in turn, redirects to a\r\nPHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the\r\nPHP handler on the server, using “JPG” files to run PHP scripts:\r\nProfiling script\r\nThe main exploitation script “wreq.php”, “main.php” or “main.jpg” performs a number of tasks. We have located\r\nseveral versions of this script which attempt various exploitation mechanisms.\r\nOne version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:\r\nInternet Explorer exploitation script\r\nUnfortunately, the Internet Explorer exploits have not yet been retrieved.\r\nAnother more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:\r\nJava and Flash Player exploitation scripts\r\nAlthough the Flash Player exploits couldn’t be retrieved, we did manage to obtain the Java exploits:\r\nName MD5\r\nallj.html 536eca0defc14eff0a38b64c74e03c79\r\nallj.jar f41077c4734ef27dec41c89223136cf8\r\nallj64.html 15060a4b998d8e288589d31ccd230f86\r\nallj64.jar e481f5ea90d684e5986e70e6338539b4\r\nlstj.jar 21cbc17b28126b88b954b3b123958b46\r\nlstj.html acae4a875cd160c015adfdea57bd62c4\r\nThe Java files exploit a popular 
vulnerability, CVE-2012-1723, in various configurations.\r\nThe payload dropped by these Java exploits is the following:\r\nMD5: d7ca9cf72753df7392bfeea834bcf992\r\nThe Java exploits use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The\r\nbackdoor extracted from the Java exploits has the following C\u0026C hardcoded inside:\r\nwww.arshinmalalan[.]com/themes/v6/templates/css/in.php\r\nThis C\u0026C is still online at the moment, although it redirects to a currently suspended page at\r\n“hxxp://busandcoachdirectory.com[.]au”. For a full list of C\u0026C servers, please see the Appendix.\r\nThe Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is\r\navailable at the moment. Most recently, we observed them using yet another technique coupled with watering hole\r\nattacks. This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5:\r\n030f5fdb78bfc1ce7b459d3cc2cf1877):\r\nIn at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials\r\napp (MD5: 89b0f1a3a667e5cd43f5670e12dba411):\r\nThe fake application is signed by a valid digital certificate from Sysprint AG:\r\nSerial number: 00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95\r\nThumbprint: 24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46\r\nValid signature from Sysprint AG on Epic dropper\r\nThis file was distributed from the Ministry of Foreign Affairs of Tajikistan’s website, at\r\n“hxxp://mfa[.]tj/upload/security.php”.\r\nThe file is a .NET application that contains an encrypted resource. 
This drops the malicious file with the MD5\r\n7731d42b043865559258464fe1c98513.\r\nThis is an Epic backdoor which connects to the following C\u0026Cs, with a generic internal ID of\r\n1156fd22-3443-4344-c4ffff:\r\nhxxp://homaxcompany[.]com/components/com_sitemap/\r\nhxxp://www.hadilotfi[.]com/wp-content/themes/profile/\r\nA full list with all the C\u0026C server URLs that we recovered from the samples can be found in the technical\r\nAppendix.\r\nThe Epic command-and-control infrastructure\r\nThe Epic backdoors are commanded by a huge network of hacked servers that deliver command and control\r\nfunctionality.\r\nThe huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships\r\nfunction as both exploitation sites and command and control panels for the malware.\r\nHere’s how the big picture looks:\r\nEpic Turla lifecycle\r\nThe first level of command and control proxies generally talk to a second level of proxies, which, in turn, talk to\r\nthe “mothership” server. The mothership server is generally a VPS, which runs the Control panel software used to\r\ninteract with the victims. The attackers operate the mothership using a network of proxies and VPN servers for\r\nanonymity reasons. 
The motherships also work as the exploitation servers used in the watering hole attacks,\r\ndelivering Java, IE or fake applications to the victim.\r\nWe were able to get a copy of one of the motherships, which provided some insight into the operation.\r\nIt runs a control panel which is password protected:\r\nEpic mothership control panel login\r\nOnce logged into the Control panel, the attackers can see a general overview of the system including the number\r\nof interesting potential targets:\r\nEpic control panel status overview\r\nA very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To\r\nchange the file, they use the “Task editor” from the menu. Depending on the “tasks”, they decide\r\nwhether to infect the visitors or not. In this case, we found they targeted two ranges belonging to:\r\n“Country A” – Federal Government Network\r\n“Country B” – Government Telecommunications and Informatics Services Network\r\nIt should be noted, though, that the fact that the attackers were targeting these ranges doesn’t necessarily mean they\r\nalso got infected. Some other unknown IPs were also observed in the targeting schedules.\r\nThere is also an “except.css” file where attackers log the reasons they didn’t try to exploit certain visitors. 
There\r\nare three possible values:\r\nTRY\r\nDON’T TRY -\u003e Version of the browser and OS does not meet the conditions\r\nDON’T TRY -\u003e (2012-09-19 10:02:04) – checktime \u003c 60\r\nThese are the “don’t meet the conditions” reasons observed in the logs:\r\nWindows 7 or 2008 R2\r\nMSIE 8.0\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR\r\n2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)\r\nAdobe Shockwave 11.5.1.601\r\nAdobe Flash 10.3.181.14\r\nAdobe Reader 10.1.0.0\r\nWin Media Player 12.0.7601.17514\r\nQuick Time null\r\nMS Word null\r\nJava null\r\nThe Epic / Tavdig / Wipbot backdoor\r\nFor this first stage of the attack, the threat actor uses a custom backdoor. In some cases, the backdoor is packaged\r\ntogether with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult.\r\nThe CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run\r\nunrestricted. This exploit only works on unpatched Microsoft Windows XP systems.\r\nOther known detection names for the backdoor are Trojan.Wipbot (Symantec) or Tavdig.\r\nThe main backdoor is about 60KB in size and implements a C\u0026C protocol on top of normal HTTP requests. The\r\ncommunication protocol uses requests in the C\u0026C replies, which the malware decrypts and\r\nprocesses. The replies are sent back to the C\u0026C through the same channel.\r\nThe malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C\u0026C URLs. We have also seen one case where the configuration block contains just one URL. 
The\r\nconfiguration can also be updated on the fly by the attackers, via the C\u0026C.\r\nThe backdoor attempts to identify the following processes and, if found, it will terminate itself:\r\ntcpdump.exe\r\nwindump.exe\r\nethereal.exe\r\nwireshark.exe\r\nettercap.exe\r\nsnoop.exe\r\ndsniff.exe\r\nIt contains an internal unique ID, which is used to identify the victim to the C\u0026C. Most samples, especially old\r\nones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as “interesting”, the attackers upload\r\nanother Epic backdoor which has a unique ID used to control this specific victim.\r\nDuring the first C\u0026C call, the backdoor sends a pack with the victim’s system information. All further information\r\nsent to the C\u0026C is encrypted with a public key framework, making decryption impossible. The commands from\r\nthe C\u0026C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is\r\nhardcoded in the malware.\r\nThrough monitoring, we were able to capture a large number of commands sent to the victims by the attackers,\r\nproviding a unique view into this operation. 
Here’s a look at one of the encrypted server replies:\r\nOnce a victim is infected and “checks in” with the server, the attackers send a template of commands:\r\nNext, the attackers try to move through the victim’s network using pre-defined or collected passwords:\r\nListing all .doc files recursively is also a common “theme”:\r\nIn total, we have decoded several hundred of these command packages delivered to the victims, providing a\r\nunique insight into the inner workings of the attackers.\r\nIn addition to generic searches, some very specific lookups have been observed as well. These include searches\r\nfor:\r\n*NATO*.msg\r\neu energy dialogue*.*\r\nEU*.msg\r\nBudapest*.msg\r\nIn this case, the attackers were interested in finding e-mails related to “NATO”, “Energy Dialogue within European\r\nUnion” and so on.\r\nFor some of the C\u0026C servers, the attackers implemented RSA encryption for the C\u0026C logs, which makes it\r\nimpossible to decrypt them. This scheme was implemented in April 2014.\r\nLateral movement and upgrade to more sophisticated backdoors\r\nOnce a victim is compromised, the attackers upload several tools that are used for lateral movement.\r\nOne such tool observed in the attacks and saved as “C:\\Documents and Settings\\All users\\Start\r\nMenu\\Programs\\Startup\\winsvclg.exe” is:\r\nName: winsvclg.exe\r\nMD5: a3cbf6179d437909eb532b7319b3dafe\r\nCompiled: Tue Oct 02 13:51:50 2012\r\nThis is a keylogger tool that creates %temp%\\~DFD3O8.tmp. Note: the filename can change across victims. 
On\r\none Central Asian government’s Ministry of Foreign Affairs victim system, the filename used was\r\n“adobe32updt.exe”.\r\nIn addition to these custom tools, we observed the usage of standard administration utilities. For instance, another\r\ntool often uploaded by the attackers to the victim’s machine is “winrs.exe”:\r\nName: winrs.exe\r\nMD5: 1369fee289fe7798a02cde100a5e91d8\r\nThis is a UPX-packed binary, which contains the genuine “dnsquery.exe” tool from Microsoft, unpacked MD5:\r\nc0c03b71684eb0545ef9182f5f9928ca.\r\nIn several cases, an interesting update has been observed: malware from a different, yet related family.\r\nSize: 275,968 bytes\r\nMD5: e9580b6b13822090db018c320e80865f\r\nCompiled: Thu Nov 08 11:05:35 2012\r\nAnother example:\r\nSize: 218,112 bytes\r\nMD5: 071d3b60ebec2095165b6879e41211f2\r\nCompiled: Thu Nov 08 11:04:39 2012\r\nThis backdoor is more sophisticated and belongs to the next level of cyber-espionage tools called the “Carbon\r\nsystem” or Cobra by the Turla attackers. 
Several plugins for the “Carbon system” are known to exist.\r\nDecoded configuration for e9580b6b13822090db018c320e80865f\r\nNote: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been\r\nsinkholed by Kaspersky Lab.\r\nOther packages delivered to the victims include:\r\nMD5: c7617251d523f3bc4189d53df1985ca9\r\nMD5: 0f76ef2e6572befdc2ca1ca2ab15e5a1\r\nThese top-level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed\r\nvictims, effectively linking the Epic and Turla Carbon operations together.\r\nThe Turla Carbon dropper from these packages has the following properties:\r\nMD5: cb1b68d9971c2353c2d6a8119c49b51f\r\nThis is called internally by the authors “Carbon System”, part of the “Cobra” project, as can be seen from the\r\ndebug path inside:\r\nThis acts as a dropper for the following modules, both 32- and 64-bit:\r\nMD5 Resource number\r\n4c1017de62ea4788c7c8058a8f825a2d 101\r\n43e896ede6fe025ee90f7f27c6d376a4 102\r\ne6d1dcc6c2601e592f2b03f35b06fa8f 104\r\n554450c1ecb925693fedbb9e56702646 105\r\ndf230db9bddf200b24d8744ad84d80e8 161\r\n91a5594343b47462ebd6266a9c40abbe 162\r\n244505129d96be57134cb00f27d4359c 164\r\n4ae7e6011b550372d2a73ab3b4d67096 165\r\nThe Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded\r\nplatform or the Flame platform. 
The plugins for the Carbon system can be easily recognized as they always\r\nfeature at least two exports named:\r\nModuleStart\r\nModuleStop\r\nCarbon system plugin with characteristic exports\r\nSeveral Epic backdoors appear to have been designed to work as Carbon system plugins as well – they require a\r\nspecialized loader to start in victim systems that do not have the Carbon system deployed.\r\nSome modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact\r\nCarbon system version is very rarely seen in samples:\r\nThe author of the Carbon module above can also be seen in the code as “gilg”, who also authored several other\r\nTurla modules.\r\nWe are planning to cover the Turla Carbon system in more detail in a future report.\r\nLanguage artifacts\r\nThe payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55\r\n2012) contains two modules, a loader/injector and a backdoor. 
Internally, the backdoor is named “Zagruzchik.dll”:\r\nThe word “Zagruzchik” means “boot loader” in Russian.\r\nThe Control panel for the Epic motherships also sets the language to codepage “1251”:\r\nCodepage 1251 is commonly used to render Cyrillic characters.\r\nThere are other indications that the attackers are not native English speakers:\r\nPassword it´s wrong!\r\nCount successful more MAX\r\nFile is not exists\r\nFile is exists for edit\r\nThe sample e9580b6b13822090db018c320e80865f that was delivered to several Epic victims as an upgraded\r\nbackdoor has the compilation code page language set to “LANG_RUSSIAN”.\r\nThe threat actor behind the “Epic” operation uses mainly hacked servers to host their proxies. The hacked servers\r\nare controlled through the use of a PHP webshell. This shell is password protected; the password is checked\r\nagainst an MD5 hash:\r\nThe MD5 “af3e8be26c63c4dd066935629cf9bac8” has been solved by Kaspersky Lab as the password\r\n“kenpachi”. 
In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked\r\nservers, although using a much stronger password.\r\nOnce again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render\r\nCyrillic characters.\r\nThere appear to be several links between Turla and Miniduke, but we will leave that for a future blogpost.\r\nVictim statistics\r\nOn some of the C\u0026C servers used in the Epic attacks, we were able to identify detailed victim statistics, which\r\nwere saved for debugging purposes by the attackers.\r\nThis is the country distribution for the top 20 affected countries by victim’s IP:\r\nAccording to the public information available for the victims’ IPs, targets of “Epic” belong to the following\r\ncategories:\r\nGovernment\r\n Ministry of interior (EU country)\r\n Ministry of trade and commerce (EU country)\r\n Ministry of foreign/external affairs (Asian country, EU country)\r\n Intelligence (Middle East, EU Country)\r\nEmbassies\r\nMilitary (EU country)\r\nEducation\r\nResearch (Middle East)\r\nPharmaceutical companies\r\nUnknown (impossible to determine based on IP/existing data)\r\nSummary\r\nWhen G-Data published their Turla paper, there were few details publicly available on how victims get infected\r\nwith this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection, which begins with\r\nEpic Turla. This is used to gain a foothold and validate the high-profile victim. 
If the victim is interesting, they get\r\nupgraded to the Turla Carbon system.\r\nMost recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation\r\nremains fresh and ongoing.\r\nNote: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers. Contact:\r\nintelreports@kaspersky.com\r\nFurther reading\r\nIf you’d like to read more about Turla/Uroburos, here are a few recommendations:\r\nG-Data’s paper “Uroburos Highly complex espionage software with Russian roots”\r\nBAE Systems analysis of “The Snake campaign”\r\n“Uroburos: the snake rootkit”, technical analysis by deresz and tecamac\r\n“TR-25 Analysis – Turla / Pfinet / Snake/ Uroburos” by CIRCL.LU\r\nKaspersky products’ detection names for all the malware samples described in this post:\r\nBackdoor.Win32.Turla.an\r\nBackdoor.Win32.Turla.ao\r\nExploit.JS.CVE-2013-2729.a\r\nExploit.JS.Pdfka.gkx\r\nExploit.Java.CVE-2012-1723.eh\r\nExploit.Java.CVE-2012-1723.ou\r\nExploit.Java.CVE-2012-1723.ov\r\nExploit.Java.CVE-2012-1723.ow\r\nExploit.Java.CVE-2012-4681.at\r\nExploit.Java.CVE-2012-4681.au\r\n
Exploit.MSExcel.CVE-2009-3129.u\r\nHEUR:Exploit.Java.CVE-2012-1723.gen\r\nHEUR:Exploit.Java.CVE-2012-4681.gen\r\nHEUR:Exploit.Java.Generic\r\nHEUR:Exploit.Script.Generic\r\nHEUR:Trojan.Script.Generic\r\nHEUR:Trojan.Win32.Epiccosplay.gen\r\nHEUR:Trojan.Win32.Generic\r\nHackTool.Win32.Agent.vhs\r\nHackTool.Win64.Agent.b\r\nRootkit.Win32.Turla.d\r\nTrojan-Dropper.Win32.Dapato.dwua\r\nTrojan-Dropper.Win32.Demp.rib\r\nTrojan-Dropper.Win32.Injector.jtxs\r\nTrojan-Dropper.Win32.Injector.jtxt\r\nTrojan-Dropper.Win32.Injector.jznj\r\nTrojan-Dropper.Win32.Injector.jznk\r\nTrojan-Dropper.Win32.Injector.khqw\r\nTrojan-Dropper.Win32.Injector.kkkc\r\nTrojan-Dropper.Win32.Turla.b\r\nTrojan-Dropper.Win32.Turla.d\r\nTrojan.HTML.Epiccosplay.a\r\nTrojan.Win32.Agent.iber\r\nTrojan.Win32.Agent.ibgm\r\nTrojan.Win32.Agentb.adzu\r\nTrojan.Win32.Inject.iujx\r\nTrojan.Win32.Nus.g\r\nTrojan.Win32.Nus.h\r\nSource: https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
	],
	"report_names": [
		"the-epic-turla-operation"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40578a9d842e6db4d344ae64c91e79782cc7fd8c.pdf",
		"text": "https://archive.orkl.eu/40578a9d842e6db4d344ae64c91e79782cc7fd8c.txt",
		"img": "https://archive.orkl.eu/40578a9d842e6db4d344ae64c91e79782cc7fd8c.jpg"
	}
}