{
	"id": "1df4f280-6afd-4f7d-99e9-6d838f6624f1",
	"created_at": "2026-04-06T00:15:23.785847Z",
	"updated_at": "2026-04-10T13:12:04.034426Z",
	"deleted_at": null,
	"sha1_hash": "496e1a81f7e9383637ac8e81892dec60fbd208ad",
	"title": "KopiLuwak: A New JavaScript Payload from Turla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2057969,
	"plain_text": "KopiLuwak: A New JavaScript Payload from Turla\r\nBy Brian Bartholomew\r\nPublished: 2017-02-02 · Archived: 2026-04-05 15:47:05 UTC\r\nOn 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a malicious document that\r\ndropped a “very interesting .JS backdoor“. Since the end of November 2016, Kaspersky Lab has observed Turla\r\nusing this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with\r\nTurla’s ICEDCOFFEE payloads, detailed in a private report from June 2016 (available to customers of Kaspersky\r\nAPT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript\r\ndiffers greatly and appears to have been created mainly to avoid detection.\r\nTargeting for this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign\r\nministries and other governmental organizations throughout Europe. Popularity of the malware, however, is much\r\nlower than ICEDCOFFEE, with victim organizations numbering in the single digits as of January 2017. We assess\r\nwith high confidence this new JavaScript will be used more heavily in the future as a stage 1 delivery mechanism\r\nand victim profiler.\r\nThe malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands\r\non the victim and also allowing the actors to run arbitrary commands via Wscript.\r\nActor Profile\r\nTurla, also known as Snake / Uroburos / Venomous Bear and KRYPTON is a Russian-speaking APT group that\r\nhas been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008\r\nattack against the US Central Command, (see Buckshot Yankee incident) or more recently, the attack against\r\nRUAG, a Swiss military contractor. 
The Turla group has been known as an agile, very dynamic and innovative\r\nAPT, leveraging many different families of malware, satellite-based command and control servers and malware\r\nfor non-Windows OSes.\r\nTargeting Ukraine, EU-related institutions, governments of EU countries, Ministries of Foreign Affairs globally,\r\nmedia companies and possibly corruption-related targets in Russia, the group intensified their activity in 2014,\r\nwhich we described in our paper Epic Turla. During 2015 and 2016 the group diversified their activities, switching\r\nfrom the Epic Turla waterhole framework to the Gloog Turla framework, which is still active. They also expanded\r\ntheir spear phishing activities with the Skipper / WhiteAtlas attacks, which leveraged new malware. Recently, the\r\ngroup has intensified their satellite-based C\u0026C registrations ten-fold compared to their 2015 average.\r\nTechnical Details\r\nSample MD5: 6e7991f93c53a58ba63a602b277e07f7\r\nName: National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc\r\nAuthor: user\r\nhttps://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/\r\nPage 1 of 9\n\nLastModifiedBy: John\r\nCreateDate: 2016:11:16 21:58:00\r\nModifyDate: 2016:11:24 17:42:00\r\nDecoy document used in the attack\r\nThe lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign\r\nAffairs (MoFA) in Cyprus. Based on the name of the document (National Day Reception (Dina Mersine Bosio\r\nAmbassador’s Secretary).doc), it is presumed it may have been sent from the Qatar Ambassador’s secretary to the\r\nMoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.\r\nThe document contains a malicious macro, very similar to previous macros used by Turla in the past to deliver\r\nWipbot, Skipper, and ICEDCOFFEE. 
However, the macro did contain a few modifications, mainly the XOR\r\nroutine used to decode the initial JavaScript and the use of a “marker” string to find the embedded payload in the\r\ndocument.\r\nNew XOR Routine\r\nBelow is a snippet of the new XOR routine used to decode the initial JavaScript payload. Turla has consistently\r\nchanged the values used in this routine over the last year, presumably to avoid easy detection:\r\nFunction Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean\r\n  Dim THQNfU76nlSbtJ5nX8LY6 As Byte\r\n  THQNfU76nlSbtJ5nX8LY6 = 45\r\n  For i = 0 To M5wI32R3VF2g5B21EK4d - 1\r\n    EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6\r\n    THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))\r\n  Next i\r\n  Q7JOhn5pIl648L6V43V = True\r\nEnd Function\r\nHere is a function written in Python to assist in decoding of the initial payload (the buffer is a bytearray and is decoded in place, mirroring the VBA routine):\r\ndef decode(payload, length):\r\n    # Rolling XOR key: starts at 45 and is updated after every byte, exactly as in the macro\r\n    varbyte = 45\r\n    for i in range(length):\r\n        payload[i] ^= varbyte\r\n        varbyte = (varbyte ^ 99) ^ (i % 254)\r\n    return payload\r\nPayload Offset\r\nAnother change in the macro is the use of a “marker” string to find the payload offset in the document. 
Instead of\r\nusing hard coded offsets at the end of the document as in ICEDCOFFEE, the macro uses the below snippet to\r\nidentify the start of the payload:\r\nSet VUy5oj112fLw51h6S = CreateObject(\"vbscript.regexp\")\r\nVUy5oj112fLw51h6S.Pattern = \"MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh\"\r\nSet I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)\r\nSecond Layer JavaScript\r\nOnce the marker is found, the macro will carve out “15387 + 1” bytes (hard coded) from the end of the marker\r\nand pass that byte array to the aforementioned decoding routine. The end result is a JavaScript file (mailform.js –\r\nMD5: 05d07279ed123b3a9170fa2c540d2919) written to “%APPDATA%\\Microsoft\\Windows”.\r\nmailform.js – malicious obfuscated JavaScript payload\r\nThis file is then executed using Wscript.Shell.Run() with a parameter of “NPEfpRZ4aqnh1YuGwQd0”. This\r\nparameter is an RC4 key used in the next iteration of decoding detailed below.\r\nThe only function of mailform.js is to decode the third layer payload stored in the JavaScript file as a Base64\r\nstring. This string is Base64 decoded, then decrypted using RC4 with the key supplied above as a parameter\r\n(“NPEfpRZ4aqnh1YuGwQd0”). The end result is yet another JavaScript which is passed to the eval() function and\r\nexecuted.\r\nThird Layer JavaScript\r\nThe third layer payload is where the C2 beaconing and system information collection is performed. This JS will\r\nbegin by copying itself to the appropriate folder location based on the version of Windows running:\r\n1. c:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Microsoft\\Windows\\mailform.js\r\n2. c:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\mailform.js\r\n3. 
c:\\Documents and Settings\\\u003cUSERNAME\u003e\\Application Data\\Microsoft\\Windows\\mailform.js\r\nPersistence\r\nNext, it will establish persistence on the victim by writing to the following registry key:\r\nKey: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\mailform\r\nValue: wscript.exe /b “\u003cPATH_TO_JS\u003e NPEfpRZ4aqnh1YuGwQd0”\r\nProfiling\r\nAfter establishing its persistence, it will then execute a series of commands on the victim system using “cmd.exe\r\n/c” and store their output in a file named “~dat.tmp”, in the same folder where “mailform.js” is located:\r\nsysteminfo\r\nnet view\r\nnet view /domain\r\ntasklist /v\r\ngpresult /z\r\nnetstat -nao\r\nipconfig /all\r\narp -a\r\nnet share\r\nnet use\r\nnet user\r\nnet user administrator\r\nnet user /domain\r\nnet user administrator /domain\r\nset\r\ndir %systemdrive%\\Users\\*.*\r\ndir %userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*\r\ndir %userprofile%\\Desktop\\*.*\r\ntasklist /fi “modules eq wow64.dll”\r\ntasklist /fi “modules ne wow64.dll”\r\ndir “%programfiles(x86)%”\r\ndir “%programfiles%”\r\ndir %appdata%\r\nOnce the information is collected into the temporary “~dat.tmp” file, the JavaScript reads its contents into\r\nmemory, RC4 encrypts it with the key “2f532d6baec3d0ec7b1f98aed4774843”, and deletes the file after a 1\r\nsecond sleep, virtually eliminating storage of victim information on disk and leaving only an encrypted copy in\r\nmemory.\r\nNetwork Communications\r\nWith the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary\r\ncallback(s) to the C2 servers which are hard coded in the payload. 
The addresses seen in this payload were as\r\nfollows:\r\nhttp://soligro[.]com/wp-includes/pomo/db.php\r\nhttp://belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table.php\r\nIt should be noted that the above domains appear to have been compromised by the actor based on the locations of\r\nthe PHP scripts.\r\nBelcollegium[.]org – a legitimate website compromised and used for C2\r\nVictim data is sent to the C2 servers in the form of a POST request. The headers of the POST request contain a\r\nunique User-Agent string that will remain the same per victim system. The User-Agent string is created by\r\nperforming the following steps:\r\n1. Concatenate the string “KRMLT0G3PHdYjnEm” + \u003cSYSTEM_NAME\u003e + \u003cUSER NAME\u003e\r\n2. Use the above string as input to the following function (System Name and User Name have been filled in\r\nwith example data ‘Test’ and ‘Admin’):\r\nfunction EncodeUserAgent() {\r\n  var out = \"\";\r\n  var UserAgent = 'KRMLT0G3PHdYjnEm' + 'Test' + 'Admin';\r\n  for (var i = 0; i \u003c 16; i++) {\r\n    // XOR the character codes from position i up to (but excluding) the last character\r\n    var x = 0;\r\n    for (var j = i; j \u003c UserAgent.length - 1; j++) {\r\n      x = x ^ UserAgent.charCodeAt(j);\r\n    }\r\n    // Reduce each XOR result to one decimal digit\r\n    x = (x % 10);\r\n    out = out + x.toString(10);\r\n  }\r\n  out = out + 'KRMLT0G3PHdYjnEm';\r\n  return out;\r\n}\r\nThe function above will produce a unique “UID” consisting of a 16-digit number with the string\r\n“KRMLT0G3PHdYjnEm” appended to the end. In the example above using the System Name “Test” and\r\nUser Name “Admin”, the end result would be “2356406508689132KRMLT0G3PHdYjnEm”.\r\n3. Prepend the string “user-agent:”, “Mozilla/5.0 (Windows NT 6.1; Win64; x64); ” to the result from the last\r\nstep. This will now be the unique User-Agent value for the victim callbacks. 
In this example, the final\r\nresult will be “user-agent:”, “Mozilla/5.0 (Windows NT 6.1; Win64; x64);\r\n2356406508689132KRMLT0G3PHdYjnEm”.\r\nThe POST request will contain the unique User-Agent string above as one of the headers and also the Base64\r\nencoded version of the RC4 encrypted victim data collected earlier.\r\nThe C2 will respond in one of four ways after the POST request:\r\n1. “good”\r\n2. “exit”\r\n3. “work”\r\n4. “fail”\r\nIn the case of an answer of “good”, the JavaScript will then sleep for a random amount of time, ranging from\r\n3600-3900 seconds.\r\nThe “exit” command will cause the script to exit gracefully, thus shutting down the communications to the C2 server\r\nuntil the next startup / login from the user.\r\nThe “fail” command is for uninstalling the JavaScript and its persistence. Both the “mailform.js” file and the registry\r\nkey created for persistence will be deleted upon receipt of this command.\r\nThe “work” command is used to task the victim’s system to run arbitrary commands via Wscript.shell.run(). It\r\nbegins by checking to see if a file “mailform.pif” exists in the same directory as the JavaScript, and if so, it will\r\ndelete it. The victim will then send a POST request to the C2 much in the same way as before with the beacon\r\ntraffic, but with some slight differences. The User-Agent header will remain the same as in the beacon traffic, but\r\nthe data sent to the C2 will consist of the 4-byte string “work”. If the response from the server after this\r\nacknowledgement is “200 OK”, then the system will proceed to read the response data into memory, RC4 encrypt\r\nit using the same key “2f532d6baec3d0ec7b1f98aed4774843”, then write it out to the “mailform.pif” file\r\nreferenced above. 
The command file is run, the JavaScript will sleep for 30 seconds, and then the file is\r\nsubsequently deleted.\r\nVictims and Sinkholing\r\nOne of the domains involved in this new malware (soligro[.]com) expired in July 2016 and was available for\r\npurchase and sinkhole at the time of the analysis. Sinkhole data shows several potential victims, with one high\r\nprofile victim (195.251.32.62) located within the Greek Parliament:\r\nThe majority of connections to the sinkhole server have been observed from IP ranges residing within Greece.\r\nThis leads us to believe the main target for the specific document above was Greece, although we also have\r\nindications of targeting in Romania and Qatar based on other data.\r\nConclusions\r\nIn recent months, the Turla actors have increased their activity significantly. The addition of KopiLuwak to their\r\nalready existing ICEDCOFFEE JavaScript payload indicates the group continues to evolve and deliver new tools\r\nto avoid detection by known malware signatures.\r\nCurrently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents. While this\r\nmay appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in\r\ncompromising high value targets with this method. It is advised that users disable macros in their enterprise and\r\nnot allow the user to enable said content unless absolutely necessary. Furthermore, the use of polymorphic\r\nobfuscation in the macros has made it difficult to write signatures for detection.\r\nSource: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/"
	],
	"report_names": [
		"kopiluwak-a-new-javascript-payload-from-turla"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/496e1a81f7e9383637ac8e81892dec60fbd208ad.pdf",
		"text": "https://archive.orkl.eu/496e1a81f7e9383637ac8e81892dec60fbd208ad.txt",
		"img": "https://archive.orkl.eu/496e1a81f7e9383637ac8e81892dec60fbd208ad.jpg"
	}
}