{
	"id": "5ac6b041-0060-4ebf-a6b2-a6f79db78812",
	"created_at": "2026-04-06T00:08:39.454895Z",
	"updated_at": "2026-04-10T03:33:23.741271Z",
	"deleted_at": null,
	"sha1_hash": "5100106fc5d02c212edfc0b6977c3526d0d48dbc",
	"title": "How Tortoiseshell created a fake veteran hiring website to host malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2033163,
	"plain_text": "How Tortoiseshell created a fake veteran hiring website to host malware\r\nBy Warren Mercer\r\nPublished: 2019-09-24 · Archived: 2026-04-05 20:47:43 UTC\r\nTuesday, September 24, 2019 10:24\r\nBy Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.\r\nThese are just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For the campaign Talos tracked here, Tortoiseshell used the same backdoor it has used in the past, showing that it relies on some of the same tactics, techniques and procedures (TTPs).\r\nhttps://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html\r\nPage 1 of 9\r\nThe website consists only of three links to download a desktop app for free. The app is a fake installer. Unlike a standard malware installer, this one does not need to be silent, because the user expects an installation. Here's a look at the user interface: an error message is always displayed to suggest that something has \"stopped\" the app from accessing its database. The progress bar almost fills up entirely, and then the error message is displayed.\r\nThe installer checks whether Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID. The downloaded binaries are base64-encoded. One is a tool used to perform a reconnaissance stage on the system; the second is the remote administration tool (RAT). The RAT is executed as a service: the installer first installs the service (via the -install argument) and then stops and starts the service with the command and control (C2) server IP as an argument.\r\nIf something fails during the installation, an email is sent to the attacker. The email credentials are hardcoded in the installer: the sending account is ericaclayton2020@gmail[.]com and the error email is sent to marinaparks108@gmail[.]com.\r\nReconnaissance phase\r\nThe downloaded reconnaissance tool is named \"bird.exe\" on the system, and its internal name is Liderc. The Liderc is a supernatural being of Hungarian folklore whose original form is a chicken, which would explain the name of the dropped PE on the system, \"Bird.exe.\"\r\nIts purpose is to collect a large amount of information about the victim machine.\r\nThe tool retrieves information such as the date, time and drivers. The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of accounts, etc. This is a significant amount of information about a machine and leaves the attacker well prepared to carry out additional attacks. The tool even gets the size of the screen by using WMI, which is potentially a trick to identify whether the system is a sandbox.\r\nAll of this information is sent by email using the same accounts.\r\nRemote access tool\r\nThis actor also deploys a RAT named \"IvizTech\" on the system. Its code and features are similar to those outlined by Symantec. The C2 IP is passed to the service as an argument. The attackers hoped that this would make it impossible to reach the C2 without the installer: you cannot get there from the RAT itself. It also gives the attacker a modular malware that they can add modules onto (no need to recompile when they want to update the C2). Requiring the installer could also make it more complicated for researchers to access the C2 and perform hands-on analysis of the malware.\r\nThe malware has four features:\r\nkill_me: stops the service and removes the malware\r\nUpload: downloads a file from the internet\r\nUnzip: uses PowerShell to unzip and execute code on the system\r\nAnd finally, the malware can execute a command.\r\nAt the time of publication, we do not know the method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low, as the .NET binary used has poor OPSEC, such as hard-coded credentials, but the malware also uses more advanced techniques: it is modular and aware that the victim has already run it. There is a possibility that multiple teams from an APT worked on different elements of this malware, as we can see differing levels of sophistication and various levels of victimology.\r\nCoverage\r\nIntrusion prevention systems such as SNORT® provide an effective tool to detect Tortoiseshell activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response (EDR) tools such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. Try AMP for free here.\r\nAdditional ways our customers can detect and block these threats are listed below.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nNetwork\r\nhxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdte\r\nhxxp://66[.]42[.]78[.]193/response/\r\nhxxp://66[.]42[.]78[.]193/statement/\r\nhxxp://hiremilitaryheroes[.]com/\r\nSamples\r\nInstallers:\r\nc121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5\r\n2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10\r\n55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b\r\nReconnaissance PE:\r\nec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac\r\nRAT:\r\n51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424\r\n185[.]43[.]108[.]134\r\n162[.]220[.]55[.]249\r\nSpreadme[.]international\r\n\"You rock\" installer snippet:\r\nSource: https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
	],
	"report_names": [
		"tortoiseshell-fake-veterans.html"
	],
	"threat_actors": [
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5100106fc5d02c212edfc0b6977c3526d0d48dbc.pdf",
		"text": "https://archive.orkl.eu/5100106fc5d02c212edfc0b6977c3526d0d48dbc.txt",
		"img": "https://archive.orkl.eu/5100106fc5d02c212edfc0b6977c3526d0d48dbc.jpg"
	}
}
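Added example for the Talos report carried in the plain_text field above; this is not code from Talos or from Cisco's products. It refangs the network IOCs and sample hashes the report lists and turns the behaviours the report describes into checks over log records: a request to an IOC host (matched on host and URL path rather than the exact URL, because the installer's GetUpdate request carries a per-victim val=UID that will not equal the single value in the IOC list), a Windows service installed with a bare IPv4 address on its command line (the way the installer hands the C2 IP to the RAT service), a process named bird.exe, and a file whose SHA-256 matches a listed sample. The record format, the service binary path and every value in SAMPLE_RECORDS are constructed for the example and must be mapped onto your own Sysmon, EDR or proxy fields.

```python
"""Detection helpers for the Tortoiseshell fake-installer chain described in
the Talos report. Added example, not Talos code: IOCs are the report's, the
log record format and sample telemetry are constructed for this example."""
import re
from urllib.parse import urlsplit

DEFANGED_NETWORK_IOCS = [  # from the report's IOCs section
    "hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdte",
    "hxxp://66[.]42[.]78[.]193/response/",
    "hxxp://66[.]42[.]78[.]193/statement/",
    "hxxp://hiremilitaryheroes[.]com/",
    "185[.]43[.]108[.]134",
    "162[.]220[.]55[.]249",
    "Spreadme[.]international",
]
SAMPLE_SHA256 = {  # from the report's Samples section
    "c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5": "installer",
    "2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10": "installer",
    "55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b": "installer",
    "ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac": "reconnaissance PE (Liderc)",
    "51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424": "RAT (IvizTech)",
}
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def refang(ioc: str) -> str:
    """Turn the report's defanged notation (hxxp://, [.]) back into a real value."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")


def _host(value: str) -> str:
    """Lowercased hostname of a URL, or of a bare host/IP."""
    return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()


_REFANGED = [refang(i) for i in DEFANGED_NETWORK_IOCS]
IOC_HOSTS = {_host(v) for v in _REFANGED}
IOC_PATHS = {(_host(v), urlsplit(v).path) for v in _REFANGED if "://" in v}


def check_proxy(url: str) -> list:
    """Flag any request to an IOC host; report whether the path is a listed one.
    The GetUpdate val= parameter is per victim, so the query string is ignored."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IOC_HOSTS:
        return []
    detail = "listed path" if (host, parts.path) in IOC_PATHS else "unlisted path"
    return [("high", f"request to Tortoiseshell IOC host {host} ({detail})")]


def check_service_install(image_path: str) -> list:
    """Flag a new service whose arguments contain a bare IPv4 address.
    An IP that is also an IOC host is high; any other bare IP is medium, since
    some legitimate agents take an IP argument too."""
    m = re.search(r"\.exe\b", image_path, re.IGNORECASE)
    args = image_path[m.end():] if m else image_path  # arguments only, not the path
    return [("high" if ip in IOC_HOSTS else "medium",
             f"service installed with IPv4 argument {ip}") for ip in IPV4.findall(args)]


def check_process(image: str) -> list:
    """Flag the reconnaissance tool's on-disk name, bird.exe."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [("medium", "process bird.exe (Liderc reconnaissance tool)")] if name == "bird.exe" else []


def check_file(sha256_hex: str) -> list:
    """Flag a file whose SHA-256 is one of the listed samples."""
    role = SAMPLE_SHA256.get(sha256_hex.lower())
    return [("high", f"hash matches Tortoiseshell {role} sample")] if role else []


CHECKS = {
    "proxy": lambda r: check_proxy(r["url"]),
    "service_install": lambda r: check_service_install(r["image_path"]),
    "process": lambda r: check_process(r["image"]),
    "file": lambda r: check_file(r["sha256"]),
}


def scan(records: list) -> list:
    """Run the check for each record's type; return (record id, severity, message)."""
    return [(r["id"], sev, msg) for r in records
            for sev, msg in CHECKS.get(r["type"], lambda _: [])(r)]


# Constructed sample telemetry, not real logs. Record 1 is the installer's
# Google reachability check, which looks benign on its own; the binary path
# in record 3 is invented (the report does not name the RAT's file name).
SAMPLE_RECORDS = [
    {"id": 1, "type": "proxy", "url": "https://www.google.com/"},
    {"id": 2, "type": "proxy", "url": "http://199.187.208.75/MyWS.asmx/GetUpdate?val=UID-0042"},
    {"id": 3, "type": "service_install", "image_path": "C:\\ProgramData\\Updater\\updater.exe 185.43.108.134"},
    {"id": 4, "type": "service_install", "image_path": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"id": 5, "type": "process", "image": "C:\\Users\\vet\\AppData\\Local\\Temp\\bird.exe"},
    {"id": 6, "type": "file", "sha256": "ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac"},
]

if __name__ == "__main__":
    for rec_id, severity, message in scan(SAMPLE_RECORDS):
        print(f"record {rec_id}: [{severity}] {message}")
```

Run it as-is to see the four findings on the constructed records; in practice the service check is the most durable of the four, since hashes and IPs rotate while the report's design choice (the C2 address supplied to the service as a start argument rather than compiled in) is what the actor relied on for modularity.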