{
	"id": "3d1665e3-591b-4d8b-ab4a-8cc543e1c050",
	"created_at": "2026-04-06T00:10:01.509649Z",
	"updated_at": "2026-04-10T03:32:26.485424Z",
	"deleted_at": null,
	"sha1_hash": "422160aaf691aef8161c0a2874a1e7eb6a6e7b4c",
	"title": "Threat-Hunting Tactics - Tracking the Sea Turtle Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2473299,
	"plain_text": "Threat-Hunting Tactics - Tracking the Sea Turtle Group\r\nArchived: 2026-04-05 20:02:36 UTC\r\nSea Turtle is a threat group that tends to swim under the radar, but recently the Ministry of Justice in Greece, PWC, and\r\nothers before them, published reports containing infrastructure currently in use. It was once believed that when an IP or\r\ndomain was outed publicly, an actor, especially a well-resourced one, would burn it down. In this blog we’ll pull on\r\nthreads to show that isn’t always the case.\r\nSea Turtle, like most threat groups, leverages traditional malware for access, but also has used complex DNS hijacking\r\ntechniques that were covered well in the above blogs. Many of the spoofed domains below would be of interest to those\r\nfocused on domestic Turkish issues.\r\nThis analysis will focus on four major concepts in infrastructure pivoting.\r\nPassive or Active DNS pivoting\r\nThere is no perfect answer to the question “what domains are sitting on an IP?”. Data vendors try to answer\r\nthis question for analysts in a variety of ways, the most common being passive or active DNS, where the\r\nvendor collects responses for DNS requests, either by sniffing resolver traffic, by reading resolver logs, or by\r\nactively doing forward record lookups of domains.\r\nSSL certificate tracking\r\nObserving SSL certificates can often broaden a set of suspect infra, either by direct movement (seeing a cert\r\nfrom server A move to server B), or by tracking specific attributes of certs over time.\r\nAdditionally, it would not be uncommon to see domains in certs for which you don’t have a passive/active\r\nDNS record. An actor may prep their server and add a cert before making their campaign live.\r\nMatching server response content to find similar infra\r\nFor instance, a particular HTTP response header, the fuzzy hash of body content, or the way a server responds\r\nwhen you throw particular data at it. 
Many folks scan the internet with a 5-byte ASCII string “Gh0st”, in order\r\nto see if the server they’re talking to will respond like a Gh0st RAT server.\r\nDiscovering malware samples that are related to your original set, by looking for domain/ip overlaps, or by looking\r\nfor static content with YARA that you don’t expect to be in many unrelated samples\r\nWhen tracking a threat actor, an analyst develops confidence in whether a particular indicator belongs in her dataset or\r\nnot. This confidence is based on examining artifacts over time, and with an eye towards which technical links are of what\r\nquality. Servers often change ownership, ‘A’ records can be forged when a c2 isn’t operational, and supposed “uniqueness”\r\nmay not be so unique upon further review. Sea Turtle leverages a multitude of these techniques which aggravate an\r\ninvestigation.\r\nPerhaps in an effort to provide a veil of legitimacy, or to improve a general “risk score” of their domain, this actor frequently\r\npoints (or parks) their domain at large cloud providers, such as amazon/akamai/google. However, when the domain is used\r\noperationally, they typically leverage dedicated providers such as BLNWX, MVPS, Choopa, or the like.\r\nThroughout their campaigns, they acquire domains (or leverage ddns) that look legitimate, such as systemctl.network,\r\n*.sslname.com, netssh.net, and serverssl.net. “serverssl” and “netssh” have nothing in common from a top level\r\ninfrastructure perspective, but if you notice similar looking domains on a low density server, and see them move to IPs with\r\nthe same provider, you can start to piece together lower quality sources of data.\r\nIn the first pivot, we can do a simple network- or YARA-based pivot to find samples that are similar to the PWC or Greek DOJ\r\nreport. 
The high-fidelity IoCs are collated in a github link at the end of the post, but we provide our reasoning in each table.\r\nhash extracted indicator for pivot filename from VT\r\n01b8a91f3d4446f2bdd22c85b225dfd2f619951e8f33178c3185dbf7543845df xss[.]codes Skype.exe\r\n01d1b63eace6383428e42c48f3d1e13e643e8a8f70d4af5d4ee6f47a0522e300 xss[.]codes Skype.exe\r\n0dda7e987104867695be561a8008d3282252e05c611c247eae62c7b798be0e24 139.162.137[.]240/man.php 3_Members_of_the_Committee_on\r\n13171d3b1acf5ffbae47777cae03d5d6cb96d2d9b76fe4491bf547b2e309fb52 xss[.]codes Skype.exe\r\n1de46a62f53dbf3b4668bfa7fe63c022c541d8651f776fa5fd8060f21036e63a\r\n213.252.246[.]79/Chrome.exe\r\n213.252.246[.]79/main.php?\r\ns=\r\nSkypeApp.exe\r\n487bb8f6c0b6691d3575eee3faa8bfc73ddebe0d1052c02b636cc0a394ed384d update.qnetau[.]net/syw.php?\r\nhttps://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/\r\nPage 1 of 7\n\nhash extracted indicator for pivot filename from VT\r\n213.252.247[.]10\r\n528fd0b183dd1ca2d109af1714d1ee89d3244c37451203b7b14e951742e16741 cn.sslname[.]com System.exe\r\n702108f50f953aff3c2b345c2604e9fa614cb86d8299c209065b41878fd4f66b xss[.]codes Skype.exe\r\n71bbcd06a4a28f1f33a998928bfe6d78aa7a56fe068c61556f41e2586809a470 xss[.]codes (potential test xlsm)\r\n85ee62d57a17221e52325020b4d6f587f68fb321723be7ed794503b40bd989f7 ns2[.]me/1p.php Skype.exe\r\n86b13a1058dd7f41742dfb192252ac9449724c5c0a675c031602bd9f36dd49b5 X-Auth-43245-S-20 [kauditd]\r\n94e7fff8d4abccca0080004a497153ce04f74f7507b52ca092462e22d84f0f8a\r\nns2[.]me/ip.php?s=\r\n213.252.247[.]10\r\nSkypeApp.exe\r\naebc8acd17e247c8892e6a8226be4dbf2af3848bdcc1cc1536d1f8487bed55a4\r\nnet3[.]me/man.php\r\n“hello martin”\r\nSkype.exe\r\nb0307e523e5893f2a865b0abea91cb4fb2e9d86fc71e33adaf63c8878fac2748 cn.sslname[.]com SkypeApp.exe\r\nbe4590c31e8385a67394f7d49147a0b97cff07da6ff771614d3d3ed9ad2cd49f ns2[.]me/1p.php?s= Skype.exe\r\nd7d699f04463e86abc85ec029953ea7d558fd385a5e73ce0cc0d9cd0dbebd41e cMd.eXE, 
“hello hgroup”\r\nd7f53836227dde351def7c1a5e9dd03c3a49bdc4eec6342136795038aa6d415d\r\nope[.]ftp[.]sh\r\nxss[.]codes\r\nxlsm\r\nef1af0acb25dc88b223c7b6a6be48d35a64665bb372cf8b7674cacd5818f7ff3 ns2[.]me/ip.php?s= Update.exe\r\nf5e0edca8a63eb45054039104f509ef0e66fc2e67637614a0f386803506cbac1\r\nupdate.qnetau[.]net/syw.php?\r\ns=\r\nmpam-fe.exe\r\nf8cb77919f411db6eaeea8f0c8394239ad38222fe15abc024362771f611c360f\r\nnet3[.]me/b/kdd\r\nnet3[.]me/b/socat\r\nupxa.sh\r\nFigure 1: Publicly available ST samples\r\nStandalone string matches, after unpacking, remain an easy pivot to expand a dataset. Although these are not definitive\r\npivot points, Sea Turtle does leverage a number of strange capitalizations and “shout-outs” to unknown persons, that can be\r\ncombined to cast a net.\r\nFigure 2: obligatory IDA of d7d699f04463e86abc85ec029953ea7d558fd385a5e73ce0cc0d9cd0dbebd41e\r\nFigure 3: b0307e523e5893f2a865b0abea91cb4fb2e9d86fc71e33adaf63c8878fac2748\r\nIn our next pivot, we’ll examine Passive/Active DNS datasets, to try to find infrastructure “one hop” away.\r\nFigure 4: PADNS coming to CARA in Q1 '24\r\nold artifact pivot point new notes\r\nai-connector.splendor[.]org 161.35.32[.]185\r\nai-connector.splendos[.]org\r\nnote “splendor-\u003esplendos”\r\nquerryfiles[.]com 93.115.22[.]212 netssh[.]net\r\nai-connector.goldchekin[.]com\r\n168.100.10[.]187 ono.technewsir[.]gq\r\npossibly a “technews iran” spoof.\r\nhowever, like most pivoting these\r\ndays, this is one hop away from a\r\ncrypto cluster\r\nFigure 5: PADNS pivots lead to more artifacts\r\nSea Turtle has been known to spoof news-related websites, and PWC highlighted three: alhurra[.]online, al-marsad[.]co,\r\nanfturkce[.]news. Examining their infra, some of the IPs or domains throw a 426 response seen below. 
A 426 error is\r\n“caused when a client is attempting to upgrade a connection to a newer version of a protocol, but the server is refusing to do\r\nso.” Despite this being a valid and common response code, when scanning the internet for that header/string, only ~25\r\nresults are returned with that exact context, and many appear to be interesting.\r\nHTTP/1.1 426 Upgrade RequiredDate: Sat, 23 Dec 2023 22:09:37 GMTContent-Type: application/jsonContent-Length: 29Connectio\r\n \r\n {\"detail\":\"Upgrade Required\"}\r\nFigure 6: Specific “426” server output from suspicious servers\r\nCombining multiple artifacts such as the below can rule-in, or rule-out, indicators.\r\nLow global prevalence\r\nTimestamp overlaps, such as domain creation time or server ownership changes\r\nHistorical scan non-overlaps (when was the first time this string appeared anywhere)\r\nInfrastructure similarity (registrars, hosting providers)\r\nLegitimate content or lack thereof, especially on domains with highly legitimate keywords where you would expect a\r\ndomain to be actually used\r\nIn the case of our specific “Upgrade Required” string with the same headers, SilentPush reports the first time they saw it was\r\n2023-09-21, and Censys reports a similarly narrow set of IPs.\r\nFigure 7: SSDEEP infrastructure scanning coming to CARA Q1 '24\r\nold artifact pivot point new artifact notes\r\n“ Upgrade\r\nRequired \"\r\n192.153.57[.]31\r\nnuceciwan[.]news\r\nsolhaber[.]news\r\nloading-website[.]net\r\n“Nûçe Ciwan” is an oft-targeted Turkish news\r\nsource\r\n“Sol” is a Turkish newspaper. 
“haber” is Turkish\r\nfor “news”\r\n“ Upgrade\r\nRequired \"\r\n193.149.129[.]182 solhaber[.]info “sol” is a Turkish newspaper\r\n“ Upgrade\r\nRequired \"\r\n87.120.254[.]120 caglayandergisi[.]net “Çağlayan Dergisi” is a Turkish blogger\r\n“ Upgrade\r\nRequired \"\r\n93.123.12[.]151 infohaber[.]net “haber” is Turkish for “news”\r\n“ Upgrade\r\nRequired \"\r\nserverssl[.]net 206.71.149[.]112 146.70.157[.]28\r\n“ Upgrade\r\nRequired \"\r\n168.100.9[.]203\r\nexp-al-marsad[.]co\r\n(PTR)\r\nnot registered, although “Al Marsad” is a human\r\nrights organization in the region\r\nserverssl.net 95.179.130[.]232\r\nmat-46.mehreganmobile[.]ga\r\niran-azad[.]cyou\r\nThese domains were seen pointing to .232 only\r\nbefore the “upgrade behavior” started. Additional\r\noverlaps show lure domains with Iranian dissidents,\r\nsuch as Mahsa Amini, but will not be included in\r\nthe high confidence indicator list\r\nloading-website.net\r\n45.11.183[.]85\r\nFigure 8: Additional discovered Turkish-themed domains\r\nAnother common pivot is to look at what SSL certs have lived on an IP address – in a specific timeframe – to understand\r\nwhat domains may have pointed there that your PADNS collection missed, or to find a campaign that is not fully live yet: an\r\n“indicator of (potential) future attack”. An example of this is alarabiyaa[.]online, where there is no record of a forward\r\nresolution, but we can see a cert with that domain on one of our “426” IPs, 206.166.251[.]163. The below table explores that\r\ntechnique.\r\nFigure 9: SSL cert scanning coming to CARA Q1 '24\r\nold artifact\r\npivot\r\npoint\r\nnew artifact notes\r\n206.166.251[.]163\r\n426 +\r\ncert\r\nwww.alarabiyaa[.]online\r\nA spoof of Al Arabiya, an Arabic language news\r\norganization\r\n206.71.149[.]112\r\n426 +\r\ncert\r\nwww.pictture[.]online\r\n426 is the only link, provided for posterity. 
However, it\r\nwas created a week apart from the above domain, both\r\nleveraging the ‘online’ tld\r\n45.61.139[.]232\r\n426 +\r\ncert\r\nyoutu[.]vc\r\n426 is the only firm link, so provided for posterity.\r\nHowever both this and the ’tiktok’ leverage the obscure tld\r\n‘.vc’.\r\n64.190.113[.]216\r\n426 +\r\ncert\r\ntiktok[.]vc 426 is the only link, provided for posterity\r\n206.188.196[.]228\r\n426 +\r\ncert\r\ntechdateweb[.]com 426 is the only link, provided for posterity\r\n206.71.149[.]218\r\n426 +\r\ncert\r\nlibia[.]cc 426 is the only link, provided for posterity\r\n192.153.57[.]78\r\n426 +\r\ncert\r\namezon[.]pro 426 is the only link, provided for posterity\r\nFigure 10: Additional potential infrastructure\r\nIt’s common for a domain to expire and point to an unrelated infra, but a well-formed certificate is an artifact that is\r\ngenerally intentionally created. For this reason, validity date ranges, along with domain creation timestamps, are useful data\r\npoints when trying to timeline.\r\ndomain domain creation time not_before not_after\r\nnuceciwan[.]news 2022-11-26T11:23:56 2023-11-16 13:55:34 2024-02-14 13:55:33\r\nsolhaber[.]news 2023-11-24T07:00:00 2023-11-24 07:57:35 2024-02-22 07:57:34\r\nloading-website[.]net 2023-01-19T07:00:00 2023-01-19 13:33:27 2023-04-19 13:33:26\r\nsolhaber[.]info 2023-11-10T07:00:00 2023-11-14 07:47:07 2024-02-12 07:47:06\r\ncaglayandergisi[.]net 2022-11-17T07:00:00 2023-08-24 12:52:02 2024-02-11 09:38:19\r\ninfohaber[.]net 2023-03-24T07:35:38 2023-08-04 18:08:37 2023-11-02 18:08:36\r\nalarabiyaa[.]online 2023-11-13T21:52:21 2023-11-13 00:00:00 2024-02-11 23:59:59\r\nFigure 11: Certificates for lookalike/spoof domains\r\nAt one point, the ‘426’ artifact was a curiosity, but we observed other commonalities. Many of the ‘426’ servers also\r\ncontained a certificate for xtechsupport[.]org, and lived on infrastructure from a very small number of providers. 
Unlike the\r\nother domains discovered, ‘xtechsupport’ was registered through IHS, a Turkish domain registrar. There is no content\r\npublicly available about this domain.\r\nIP Provider First matching scan for 426 response 426 code xtechsupport cert\r\n168.100.10[.]119 BLNWX, US 2023-12-15 yes yes\r\n168.100.10[.]204 BLNWX, US no yes\r\n168.100.10[.]80 BLNWX, US 2023-09-24 yes yes\r\n168.100.11[.]127 BLNWX, US 2023-11-02 yes yes\r\n168.100.8[.]103 BLNWX, US no yes\r\n168.100.8[.]24 BLNWX, US 2023-10-11 yes no\r\n168.100.8[.]245 BLNWX, US 2023-12-01 yes no\r\n168.100.9[.]203 BLNWX, US 2023-10-26 yes no\r\n192.153.57[.]204 BLNWX, US no yes\r\n192.153.57[.]31 BLNWX, US 2023-11-05 yes yes\r\n192.153.57[.]78 BLNWX, US 2023-11-19 yes no\r\n193.149.129[.]128 BLNWX, US no yes\r\n193.149.129[.]182 BLNWX, US 2023-11-19 yes no\r\n193.149.189[.]94 BLNWX, US 2023-12-20 yes no\r\n195.85.114[.]106 BLNWX, US 2023-11-03 yes no\r\n206.166.251[.]161 BLNWX, US yes no\r\n206.166.251[.]163 BLNWX, US 2023-12-03 yes no\r\n206.188.196[.]132 BLNWX, US 2023-12-19 yes yes\r\n206.188.196[.]228 BLNWX, US 2023-10-17 yes no\r\n206.188.196[.]90 BLNWX, US no yes\r\n206.71.149[.]112 BLNWX, US 2023-12-03 yes no\r\n206.71.149[.]218 BLNWX, US 2023-12-23 yes no\r\n31.13.195[.]52 NETERRA-AS, BG 2023-11-10 yes no\r\n45.61.139[.]232 BLNWX, US 2023-10-05 yes no\r\n64.190.113[.]216 BLNWX, US 2023-12-06 yes no\r\n87.120.254[.]120 NETERRA-AS, BG 2023-12-07 yes no\r\n93.123.12[.]151 NETERRA-AS, BG 2023-09-21 yes no\r\n95.179.130[.]232 AS-CHOOPA, US 2023-10-27 yes no\r\nFigure 12: Servers currently responding with the specific ‘426’ error\r\nAt the end of an analysis exercise, it’s useful to do one last sweep through the collated indicator list, to look for\r\ncommonalities that may have been missed. 
In the below table, armed with a higher confidence of “xtechsupport”, we’ll\r\npivot once more.\r\ninitial artifact pivot new artifact notes\r\nxtechsupport[.]org\r\nwhere else have we seen this\r\ncert, that was not on a previous\r\nindicator list?\r\n168.100.10[.]204\r\n168.100.8[.]103\r\n192.153.57[.]204\r\n206.188.196[.]90\r\n193.149.129[.]128\r\nPotentially interesting domains an\r\nadditional hop away, but many at the\r\nsame provider. Without stronger links,\r\nthese artifacts have a lower confidence\r\n168.100.8[.]103\r\ninfoviewdr[.]click, accepteddr[.]click\r\n168.100.10[.]204\r\ntest.allsocial[.]site\r\n168.100.8[.]24\r\nappmetadata[.]co\r\nxtechsupport[.]org 23be.xtechsupport[.]org 45.61.137[.]131\r\n426 on 23be, but the domain only\r\npointed to the IP on 12/14/23\r\nFigure 13: Subsequent pivot from xtechsupport\r\nFor an easier-to-parse list of indicators, please visit our GitHub page.\r\nAcknowledgements\r\nThe authors would like to thank the internal reviewers, as well as peer vendors, for their comments and corrections. Please\r\nget in touch if you have further corrections, or would like to collaborate on research in the future.\r\nAdditionally, we would like to thank Censys, Silent Push, and VirusTotal.\r\nSource: https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/"
	],
	"report_names": [
		"pivoting-through-a-sea-of-indicators-to-spot-turtles"
	],
	"threat_actors": [
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/422160aaf691aef8161c0a2874a1e7eb6a6e7b4c.pdf",
		"text": "https://archive.orkl.eu/422160aaf691aef8161c0a2874a1e7eb6a6e7b4c.txt",
		"img": "https://archive.orkl.eu/422160aaf691aef8161c0a2874a1e7eb6a6e7b4c.jpg"
	}
}