{
	"id": "93f8d0de-58e4-4157-a742-d79fb76b3697",
	"created_at": "2026-04-06T00:17:46.441311Z",
	"updated_at": "2026-04-10T03:33:35.528435Z",
	"deleted_at": null,
	"sha1_hash": "55f2cacb5d2fdf9b4a08050e20e8ba1074efca68",
	"title": "Moonlight Maze: Lessons from history",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 512892,
	"plain_text": "Moonlight Maze: Lessons from history\r\nBy Nikolay Pankov\r\nPublished: 2017-04-03 · Archived: 2026-04-02 12:44:48 UTC\r\nA possible connection between Moonlight Maze, an APT that targeted the Pentagon and NASA in the late 1990s, and Turla, a modern-day threat actor.\r\nApril 3, 2017\r\nFrom the outside, it may seem that the investigation of APT attacks is limited to understanding how the attackers managed to execute their plan and preventing its replication. However, that is not enough. True cybersecurity experts need answers to a wider range of questions. What was the purpose of the attack? Did the attackers succeed? What tools were involved in the attack? Where else were similar methods and programs used?\r\nAnswers to these questions help with forecasting the further development of trends and, most important, help with prompt response to future attacks of the same authorship or campaigns that employ the same code. That is why it is important not only to study the mode of action of modern cybercriminals, but also to understand the methods of all earlier attacks. As a company that’s been engaged in information security for 20 years, we understand this as few others can.\r\nhttps://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/\r\nPage 1 of 3\r\nThat is why our experts, aided by researchers from King’s College London, have carefully studied Moonlight Maze — one of the first widely known cyberespionage campaigns, active since at least 1996. It is of particular interest because several independent experts from various countries have voiced the proposition that it is associated with a much more modern — and still active — group, the authors of the Turla APT attack.\r\nEven the story of how our experts got the information about Moonlight Maze deserves special mention. Initially, in the late nineties, all of the investigation materials were classified by US law enforcement agencies, and so inaccessible to researchers. However, in an attempt to cover their tracks, the attackers used an extensive network of proxy servers working in various universities and libraries in the United States, as well as at least one server in England. On the English server, the local system administrator, who worked on the case with London police and the FBI, activated the logging of all activities. And those logs survived to our times. As a result, our experts got a unique time capsule containing a detailed record of all the attacker’s actions.\r\nPerhaps the most interesting finding of their research is the backdoor that was used in Moonlight Maze. It was based on the Unix program LOKI2, which was released in 1996 and allowed transmission of data via covert channels. Linux backdoors were also employed in Turla, which Kaspersky Lab first detected in 2014. And those backdoors were built on the basis of LOKI2 as well. Code created more than 20 years ago is still used by modern actors, albeit in a slightly updated form.\r\nYou can find a full study on Securelist, along with a brief excursion into the history of this APT (which reads like a good detective story).\r\nThe takeaway here is nothing new: You have to know the past to understand the present. Therefore, while conducting investigations of new cyberincidents, our experts call on knowledge accumulated for more than 20 years.\r\nIn addition, this story is a good reminder to those who still believe that Linux platforms are inherently safe. They are wrong. And their mistake is already at least 21 years old.\r\nSource: https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/"
	],
	"report_names": [
		"6713"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55f2cacb5d2fdf9b4a08050e20e8ba1074efca68.pdf",
		"text": "https://archive.orkl.eu/55f2cacb5d2fdf9b4a08050e20e8ba1074efca68.txt",
		"img": "https://archive.orkl.eu/55f2cacb5d2fdf9b4a08050e20e8ba1074efca68.jpg"
	}
}