{
	"id": "4cc7746b-58a7-4d87-9518-ab98c3d1f37d",
	"created_at": "2026-04-06T00:13:12.183175Z",
	"updated_at": "2026-04-10T03:33:36.01136Z",
	"deleted_at": null,
	"sha1_hash": "414063ee995f01c01b6be279d2e6069fd331b4e3",
	"title": "New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1390372,
	"plain_text": "New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit\r\nThe Pentagon In 2008 Still Evolving; Part 2/2\r\nBy Omri Ben Bassat\r\nPublished: 2017-09-13 · Archived: 2026-04-05 14:12:52 UTC\r\nOur previous blog post was a short brief of the new Agent.BTZ variants that we found. This second part in the series\r\nwill demonstrate in greater detail exactly how we discovered these new variants.\r\n1. Methodology\r\nTo begin, we used our hunting methodology, which consists of four main parts:\r\nCollection: Collect multiple samples from different versions.\r\nAnalysis: Mark functions that have stayed consistent across all versions and are therefore likely to be a part of the\r\nnext version.\r\nCreating a signature: Create a robust yet flexible YARA rule for these functions.\r\nHunting: Search a large repository of files with that YARA rule (VirusTotal, for example).\r\n2. Why focus on Agent.BTZ?\r\nWe chose to focus on Agent.BTZ for several reasons: First, this is one of the oldest state-sponsored threats,\r\ndeveloped and operated by the Turla group since (at least) 2007 for dozens of targeted attacks.\r\nSecond, there is a lot of public knowledge regarding Agent.BTZ specifically and the Turla group in general\r\navailable online, including intel reports, technical analyses and malware samples, which we used for our\r\nresearch.\r\nThird is the fact that this specific malware has remained out of public view for the last two to three years;\r\nhowever, we recognized that it wasn’t likely to disappear, but had just continued to fly under the radar.\r\n3. Do the math\r\nWe based our research on an earlier publication from three years ago: “Evolution of sophisticated spyware: from\r\nAgent.BTZ to ComRAT” by Paul Rascagnères of GDATA (at the time). 
In this excellent blog post, Paul described\r\nthe evolution of Agent.BTZ to ComRAT between 2007 and 2014 by manually diffing (BinDiff) two different\r\ncandidates from each major internal hard-coded version (referred to by the authors as “Ch” or “PVer”).\r\nThe following table shows the code similarity between each version and its direct neighbors. By summing up the\r\ndata in this table we can conclude that, in general, about 30% of the original code has been used in every version\r\nup to the latest known version as of 2014 (marked in red).\r\nhttp://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/\r\nPage 1 of 9\n\n** https://www.gdatasoftware.com/blog/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat\r\nObviously this 30% isn’t comprised of totally unique code made by Agent.BTZ’s developers; rather, it is a mixture\r\nmade mostly of common code that can be found in many other software products (both legitimate and malware). For\r\nexample, this could include the C Runtime Library or any other third-party library such as zlib. Using Intezer’s\r\ntechnology, we were able to do a ‘deep dive’ into this code, automatically mapping all of the common,\r\nlibrary and (most importantly) unique pieces of code created by the malware’s authors.\r\n4. Mysterious magic number\r\nAfter filtering out all of the common and library code, we were left with several unique functions that can be\r\nfound in every version of the malware since 2007. The most prominent is the following function:\r\nIn the picture you can see the two almost identical functions from the first version (Ch 1.0) on the right and the\r\nlatest version (Ch 3.26) of Agent.BTZ on the left. This function first reads the first four bytes of a given file\r\nand then compares them to the magic number 0xAAFF1290 (marked in red). 
If it matches, the function will\r\nreturn true; otherwise, false.\r\nSo, what is this magic number? Which file is it? We were actually unable to find the function that creates this file\r\nwithin the same binary (ver 3.26). The function shown above is the only reference to that magic number. Luckily,\r\nwhile re-reading ThreatExpert’s old Agent.BTZ analysis from 2008 we happened to notice the following\r\nparagraph:\r\nhttp://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html\r\nSo now we know that this function is used to verify thumb.dd files, which are log/config files leaked over newly-connected USB drives (to overcome air-gapped networks, like those of the Pentagon). But wait… why didn’t we\r\nfind the function which creates these files? Because the USB-infection vector was removed a few years earlier!\r\nAnd yet the adversary is still looking for these valuable thumb.dd files…\r\n5. Hunting for new variants\r\nSo far, we know that this function exists, and it has stayed consistent across all versions of the malware; we know\r\nwhat it does (verify a certain magic number) and why (detect thumb.dd files leaked from internal networks by older\r\nversions of the malware). From that information, we can tell that it’s likely to be used in future versions as well.\r\nThe next step involves writing a dedicated YARA rule (see appendix) for that specific function and searching for\r\nnew samples. The rule has to be tolerant of minor changes between versions (mainly due to different compilation\r\nflags). Using the VirusTotal Intelligence service, we were able to scan about 2-3 months’ worth of file uploads. 
As\r\nsoon as the scan finished, we dug into the results and discovered this first new variant of Agent.BTZ that\r\nwasn’t yet mentioned in any public report:\r\n**A screenshot from the Intezer Analyze™ product displaying partial code connections between the new sample and\r\nold samples of Agent.BTZ (Turla group).\r\nThis specific file was supposedly compiled on 2016-07-13 (the timestamp was modified in some of the earlier\r\nsamples) and uploaded to VT on 2017-05-11, which means that this sample is at least two years newer than any\r\nprevious sample.\r\n6. Main differences between old (3.26) \u0026 new samples\r\nFilename: new file names: activeds.dll – proxy DLL; stdole2.tlb – main payload.\r\nExports: AddAtomS removed (legacy stub function); AddAtomT removed (legacy installation function); UnInstallW added (force-deletes a file; used by the new dropper to delete itself).\r\nPVer (internal version tracking): random version id (see following picture) instead of an incremental one, which might be due to GDATA’s 2014 publications. For example: 0.8.1529506101, 0.9.1528434231, …\r\nPersistence (COM Hijacking): new CLSID {DFFACDC5-679F-4156-8947-C5C76BC0B67F}\r\nC2 Infrastructure: both use the “Satellite Turla” infrastructure.\r\nConfig \u0026 Log Files: same 512-byte encryption key as 3.26; different file paths:\r\nconfig: %appdata%MicrosoftWindowsPrivacIEHighdesktop.ini\r\nlog: %appdata%MicrosoftWindowsPrivacIEHighindex.dat\r\n7. 
Indicators of Compromise\r\ntype indicator notes\r\nsha256 69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548 dropper\r\nsha256 6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4 dropper\r\nsha256 73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88 activeds.dll\r\nsha256 50067ebcc2d2069b3613a20b81f9d61f2cd5be9c85533c4ea34edbefaeb8a15f activeds.dll\r\nsha256 380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac activeds.dll\r\nsha256 9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426 activeds.dll\r\nsha256 628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24 activeds.dll\r\nsha256 f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2 activeds.dll\r\nsha256 a093fa22d7bc4ee99049a29b66a13d4bf4d1899ed4c7a8423fbb8c54f4230f3c activeds.dll\r\nsha256 6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96 stdole2.tlb\r\nsha256 49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e stdole2.tlb\r\nsha256 e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49 stdole2.tlb\r\nsha256 89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea stdole2.tlb\r\nip 81.199.34[.]150\r\ndns elephant.zzux[.]com\r\ndns angrybear.ignorelist[.]com\r\ndns bigalert.mefound[.]com\r\ndns bughouse.yourtrap[.]com\r\ndns getfreetools.strangled[.]net\r\ndns news100top.diskstation[.]org\r\ndns pro100sport.mein-vigor[.]de\r\ndns redneck.yourtrap[.]com\r\ndns savage.2waky[.]com\r\ndns tehnologtrade.4irc[.]com\r\nip 81.199.160[.]11\r\ndns forums.chatnook[.]com\r\ndns goodengine.darktech[.]org\r\ndns locker.strangled[.]net\r\ndns simple-house.zzux[.]com\r\ndns specialcar.mooo[.]com\r\ndns sunseed.strangled[.]net\r\ndns whitelibrary.4irc[.]com\r\ndns bloodpearl.strangled[.]net\r\ndns 
getlucky.ignorelist[.]com\r\ndns proriot.zzux[.]com\r\ndns fourapi.mooo[.]com\r\ndns nopasaran.strangled[.]net\r\nip 78.138.25[.]29\r\ndns showme.twilightparadox[.]com\r\ndns mouses.strangled[.]net\r\nip 82.146.175[.]69\r\ndns mouses.strangled[.]net\r\nip 178.219.68[.]242\r\ndns ftp.fueldust.compress[.]to\r\ndns ftp.linear.wikaba[.]com\r\ndns ftp.mysterysoft.epac[.]to\r\ndns ftp.scroller.longmusic[.]com\r\ndns ftp.spartano.mefound[.]com\r\ndns fueldust.compress[.]to\r\ndns linear.wikaba[.]com\r\ndns mysterysoft.epac[.]to\r\ndns safety.deaftone[.]com\r\ndns salary.flnet[.]org\r\ndns scroller.longmusic[.]com\r\ndns spartano.mefound[.]com\r\nip 88.83.25[.]122\r\ndns robot.wikaba[.]com\r\nip 41.223.91[.]217\r\ndns smileman.compress[.]to\r\ndns decent.ignorelist[.]com\r\ndns dekka.biz[.]tm\r\ndns disol.strangled[.]net\r\ndns eraser.2waky[.]com\r\ndns filelord.epac[.]to\r\ndns justsoft.epac[.]to\r\ndns smuggler.zzux[.]com\r\ndns sport-journal.twilightparadox[.]com\r\ndns sportinfo.yourtrap[.]com\r\ndns stager.ignorelist[.]com\r\ndns tankos.wikaba[.]com\r\ndns grandfathers.mooo[.]com\r\ndns homeric.mooo[.]com\r\ndns jamming.mooo[.]com\r\ndns pneumo.mooo[.]com\r\ndns razory.mooo[.]com\r\ndns anger.scieron[.]com\r\ndns gantama.mefound[.]com\r\ndns letgetbad.epac[.]to\r\ndns rowstate.epac[.]to\r\ndns memento.info[.]tm\r\nip 196.43.240[.]177\r\ndns bughouse.yourtrap[.]com\r\ndns news100top.diskstation[.]org\r\nip 169.255.102[.]240\r\ndns harm17.zzux[.]com\r\ndns mountain8.wikaba[.]com\r\nsha256 0e0045d2c4bfff4345d460957a543e2e7f1638de745644f6bf58555c1d287286 other\r\nsha256 bdcc7e900f10986cdb6dc7762de35b4f07f2ee153a341bef843b866e999d73a3 other\r\nsha256 fac13f08afe2745fc441ada37120cebce0e0aa16d03a03e9cda3ec9384dd40f2 backdoor\r\nsha256 bae62f7f96c4cc300ec685f42eb451388cf50a13aa624b3f2a019d071fddaeb1 
other\r\nRelated articles:\r\n1. https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified\r\n2. https://www.gdatasoftware.com/blog/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat\r\n3. http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html\r\n4. https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/\r\n5. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf\r\n6. https://securelist.com/the-epic-turla-operation/65545/\r\n7. http://artemonsecurity.com/snake_whitepaper.pdf\r\n8. https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nSource: http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/"
	],
	"report_names": [
		"new-variants-of-agent-btz-comrat-found-part-2"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/414063ee995f01c01b6be279d2e6069fd331b4e3.pdf",
		"text": "https://archive.orkl.eu/414063ee995f01c01b6be279d2e6069fd331b4e3.txt",
		"img": "https://archive.orkl.eu/414063ee995f01c01b6be279d2e6069fd331b4e3.jpg"
	}
}