{
	"id": "471499e3-4c8f-4da2-87f6-66be33080ba3",
	"created_at": "2026-04-06T00:16:05.226034Z",
	"updated_at": "2026-04-10T03:33:01.709738Z",
	"deleted_at": null,
	"sha1_hash": "5976ebef58b7fac4a47bd22a5b4bbbae40135dfd",
	"title": "SysInTURLA — The Lost Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 942008,
	"plain_text": "SysInTURLA — The Lost Reports\r\nBy May 27 Written By J A G-S\r\nPublished: 2001-05-27 · Archived: 2026-04-05 19:00:26 UTC\r\nCassowary – ‘The World’s Most Dangerous Bird’\r\nPE Version Info for 2019 Kazuar\r\n(1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c)\r\nPE Version Info for Legitimate SysInternals DebugView (Left) and Kazuar 2019 (Right)\r\nAs you can see, the brand abuse is quite crude and inconsistent and lends itself to easy sigging. As of writing, I’ve\r\nstumbled upon four samples. Hashes, partial IOCs, and YARA rules available in the technical appendix below.\r\nA Special Note: As I was wrapping up this writeup, I found partial overlaps with an excellent private report\r\nreleased this month by PwC’s threat intel researchers. For a detailed breakdown of the new Kazuar variants, refer\r\nhttps://www.epicturla.com/blog/sysinturla\r\nPage 1 of 2\n\nto PwC’s ‘Blue Python – Kazuars cryptic strings’ report (May 2020). That includes a better handling of their new\r\nobfuscator.\r\nTechnical Indicators\r\nKazuar DebugView (2019-2020) Samples\r\n1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c\r\n44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac\r\n1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa\r\n2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f\r\nIn-the-Wild Filenames\r\ndbgsview.exe\r\nDebugView.exe\r\nadflctlmon.exe\r\nPSExtendPrivacy.exe\r\nAgent.exe\r\nCommand-and-Control Servers\r\nNote: Expect some false positives as it appears these are compromised wordpress sites.\r\nechange-afrique-insa[.]fr\r\nafci-newsoft[.]fr\r\nantoniosalieri[.]es \u003c— (Update 05.28.2020: Thank you, Christiaan Beek )\r\nRemediated: aviatnetworks[.]com \u003c— (Update 06.11.2020: Confirmed remediated by the diligent folks at Aviat\r\nNetworks)\r\n.NET Module Version IDs\r\n7c1a417d-961e-4fbd-9df7-7b99994eaec7\r\n2cde886e-ee24-496a-bb31-1ced6b766ced\r\n76b7b11a-4124-448b-9903-15524e321f3f\r\nd3429016-d029-45b8-b260-85221265838e\r\nYARA Rules available here\r\nSource: https://www.epicturla.com/blog/sysinturla\r\nhttps://www.epicturla.com/blog/sysinturla\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.epicturla.com/blog/sysinturla"
	],
	"report_names": [
		"sysinturla"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5976ebef58b7fac4a47bd22a5b4bbbae40135dfd.pdf",
		"text": "https://archive.orkl.eu/5976ebef58b7fac4a47bd22a5b4bbbae40135dfd.txt",
		"img": "https://archive.orkl.eu/5976ebef58b7fac4a47bd22a5b4bbbae40135dfd.jpg"
	}
}