{
	"id": "268a3144-5b83-4c04-ab30-d803a9c55035",
	"created_at": "2026-04-06T00:06:33.935284Z",
	"updated_at": "2026-04-10T03:33:36.081782Z",
	"deleted_at": null,
	"sha1_hash": "5d606e28dce67792b2960e4805b322b594e5111f",
	"title": "Analysis of Turla APT G20-Targeted Attack | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763906,
	"plain_text": "Analysis of Turla APT G20-Targeted Attack | Proofpoint US\r\nBy Darien Huss, August 17, 2017\r\nPublished: 2017-08-18 · Archived: 2026-04-05 22:23:21 UTC\r\nOverview\r\nProofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using\r\na new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. The backdoor has been analyzed\r\npreviously [11] and is a robust tool associated with this group, likely being used as an early-stage reconnaissance\r\ntool.\r\nIn this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to\r\na G20 task force meeting on the \"Digital Economy\". The Digital Economy event is actually scheduled for October\r\nof this year in Hamburg, Germany. The dropper first appeared in mid-July, suggesting that this APT activity is\r\npotentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including\r\nmember nations, journalists, and policymakers. This blog provides details on the dropper and known information\r\non the infection chain and current related Turla activity.\r\nActor Overview\r\nTurla is a well-documented, long-operating APT group that is widely believed to be a Russian state-sponsored\r\norganization. Turla is perhaps most notoriously suspected of being responsible for the breach of the United States\r\nCentral Command in 2008 [1]. More recently, Turla was accused of breaching RUAG, a Swiss technology\r\ncompany, in a public report published by GovCERT.ch [2]. Various other Turla frameworks, implants, and\r\ncampaigns have been detailed extensively by our fellow security organizations and companies [3-10].\r\nDelivery\r\nThe delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by\r\nProofpoint researchers on a public malware repository. 
Assuming this variant of KopiLuwak has been observed in\r\nthe wild, there are a number of ways it may have been delivered, including some of Turla’s previous attack\r\nmethods such as spear phishing or a watering hole. Based on the theme of the decoy PDF, it is very possible\r\nthat the intended targets are individuals or organizations that are on or have an interest in G20’s Digital Economy\r\nTask Force. This could include diplomats, experts in the areas of interest related to the Digital Economy Task\r\nForce, or possibly even journalists.\r\nAnalysis\r\nThe earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers\r\nare currently aware begins with the MSIL dropper. The basic chain of events upon execution of the MSIL dropper\r\nincludes dropping and executing both a PDF decoy and a JavaScript (JS) dropper. As explained in further detail\r\nhttps://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack\r\nPage 1 of 8\n\nbelow, the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and\r\nexecute the actual KopiLuwak backdoor in memory only (Fig. 1).\r\nFigure 1: Diagram showing execution beginning with the MSIL dropper\r\nAs Proofpoint has not yet observed this attack in the wild, it is likely that there is an additional component that\r\nleads to the execution of the MSIL payload. This may include a malicious document, a compressed package\r\nattached to an e-mail, or perhaps delivery via a watering hole attack.\r\nThe KopiLuwak MSIL dropper is straightforward and contains absolutely no obfuscation or anti-analysis.\r\nInternally the MSIL dropper is called Runer.exe and also contains a PDB string:\r\n“c:\\LocalDisc_D\\MyProjects\\Runer\\Runer\\obj\\Release\\Runer.pdb”. 
The Stage1 JS and PDF decoy are both stored\r\nin plaintext in the dropper and are simply written to %APPDATA% then executed (Fig. 2).\r\nFigure 2: MSIL dropper writing both the Stage1 JS and decoy PDF then executing both\r\nBoth of the dropped files have hardcoded names: the JS is named Scr.js while the PDF is named Save the Date\r\nG20 Digital Economy Taskforce 23 24 October.pdf. The decoy in this case is an invitation to save the date for a\r\nmeeting of the G20’s Digital Economy Taskforce (Fig. 3) in Hamburg, Germany.\r\nFigure 3: PDF decoy with a “Save the Date” invitation for a G20 Digital Economy Taskforce meeting\r\nAs far as we are aware, this document is not publicly available and so may indicate that an entity with access to\r\nthe invitation was already compromised. Alternatively, the document may have been legitimately obtained from a\r\nrecipient.\r\nProofpoint researchers assess with medium confidence that the document is legitimate and not fabricated. One\r\npiece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the\r\ncreator tool is listed as “BE.D4.113.1” (Fig. 4), which matches another PDF document that appears to have been\r\nscanned and is hosted on the Bundesministerium für Wirtschaft und Energie website (Fig. 5).\r\nFigure 4: Exif metadata from the decoy PDF\r\nFigure 5: Exif metadata from the PDF hosted on bmwi[.]de\r\nBMWi, which translates to Federal Ministry for Economic Affairs and Energy, is the organization from which the\r\ndecoy document supposedly originated. 
Both documents were also supposedly created on a KONICA MINOLTA\r\nbizhub C284e according to their exif metadata.\r\nScr.js Analysis\r\nScr.js is essentially a dropper for the actual backdoor in addition to running all the necessary commands to\r\nfingerprint the infected system and set up persistence. Scr.js first creates a scheduled task named PolicyConverter\r\nfor persistence. This scheduled task should execute shortly after being created and is then scheduled to run every\r\n10 minutes. The scheduled task is executed with the following parameters: “appidpolicyconverter.js FileTypeXML\r\ngwVAj83JsiqTz5fG”. Similar to the older KopiLuwak variant, the second parameter is used as an RC4 key to\r\ndecrypt the encrypted JS backdoor code contained in appidpolicyconverter.js.\r\nNext, Scr.js decodes a large base64 blob containing the JS backdoor decryptor and saves it to the following\r\nlocation: “C:\\Users\\[executing user]\\AppData\\Roaming\\Microsoft\\Protect\\appidpolicyconverter.js”\r\nLastly, Scr.js executes various commands to fingerprint details about the infected system. In the older variant of\r\nKopiLuwak, these commands were executed directly from the backdoor JS. Now, however, they have been\r\nmoved to the dropper. Despite moving the machine fingerprinting code to the dropper, all of the commands are the\r\nsame as in the older sample (and executed in the same order) except for the following three additions:\r\ndir “%programfiles%\\Kaspersky Lab”\r\ndir “%programfiles(x86)%\\Kaspersky Lab”\r\ntracert www.google.com\r\nInterestingly, the only anti-virus company that is specifically fingerprinted is Kaspersky, which was possibly added\r\nas a result of their public analysis of this backdoor. 
The output from the commands is saved to the following\r\nlocation: “%appdata%\\Microsoft\\Protect\\~~.tmp”\r\nappidpolicyconverter.js Analysis\r\nThe appidpolicyconverter.js script contains a large string that is first base64-decoded then RC4-decrypted using\r\nthe supplied parameter as a key (“gwVAj83JsiqTz5fG”) from the executed task. Once the KopiLuwak backdoor\r\ncode is successfully decrypted, it is then executed with eval().\r\nThe decrypted code functions similarly to the original KopiLuwak discussed by Kaspersky with some slight\r\nchanges. The backdoor still communicates with what appear to be two compromised, legitimate websites using\r\nHTTP POST requests (Fig. 6).\r\nFigure 6: Hardcoded legitimate, compromised command and control servers\r\nDiffering from the older sample, the HTTP User-Agent is now hardcoded and no longer contains a component\r\nunique to each infected machine.\r\nEach HTTP POST request sent to the command and control (C\u0026C) will contain information in its client body. The\r\nplaintext content is first preceded with a hardcoded key “Prc1MHxF_VB0ht7S”, followed by a\r\nseparator string “ridid”. Next, the hardcoded key “Prc1MHxF_VB0ht7S” is used to encode the infected system’s\r\nOS installation date (Fig. 7).\r\nFigure 7: Retrieving the OS installation date\r\nIf any additional information is being sent to the C\u0026C, it will then be appended after the encoded installation date.\r\nFinally, the data is encrypted with RC4 using a hardcoded key: “01a8cbd328df18fd49965d68e2879433” and then\r\nquoted (Fig. 8).\r\nFigure 8: HTTP POST to KopiLuwak C2\r\nResponses from the command and control are also encrypted using RC4 and the same key. After responses from\r\nthe C\u0026C are decrypted, they are compared to a list of supported commands. 
This newer variant of KopiLuwak has\r\nseveral different supported command keywords, including one additional command, giving a total of five\r\ncommands versus the old variant’s four (Table 1).\r\nCommand | Description\r\nexit | Send the infected system’s fingerprint info stored in ~~.tmp and exit\r\nupld | Exfiltrate content from provided filename (from C2) to C2. Max exfiltrated file size is \u003c= 1048576 bytes (1MB)\r\ninst | Two options for this command: (a) execute provided JS using eval, send contents of ~~.tmp to C2, delete ~~.tmp; (b) save provided content to a file in %Appdata%\\Microsoft\\Protect\\a3q4d.[ext], execute the file, sleep for a random amount of time, delete the file, send the contents of ~~.tmp to C2, and delete ~~.tmp\r\nwait | Exit the script. The scheduled task would execute the backdoor again in ~10 minutes\r\ndwld | Saves the provided content with the provided extension to %Appdata%\\Microsoft\\Protect\\D8chd.[ext]. If successful, sends a success message to C2.\r\nTable 1: KopiLuwak supported commands and descriptions\r\nThe newer variant of KopiLuwak is now capable of exfiltrating files to the C\u0026C as well as downloading files and\r\nsaving them to the infected machine. Although these capabilities could have been accomplished in the previous\r\nvariant by executing arbitrary commands, they are now implemented with their own dedicated commands. Despite\r\nthe added capabilities, we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance\r\ntool and would probably be used as a staging point to deploy one of Turla’s more fully featured implants. 
We also\r\nbelieve this backdoor will continue to be used in the future, as suggested by the continued development of the\r\nbackdoor itself as well as the new delivery mechanisms.\r\nConclusion\r\nBecause the samples were obtained from a public malware repository and we have not yet observed them in the\r\nwild, the full scope and impact of the attack (or, possibly, a pending attack) cannot be fully assessed. However, for\r\nPCs running the .NET framework (which includes most modern Windows operating systems), the potential impact\r\nis high:\r\n- The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak\r\nbackdoor.\r\n- KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing\r\narbitrary commands provided by the actor(s).\r\nThe high profile of potentially targeted individuals associated with the G20 and the early reconnaissance nature of the\r\ntools involved bear further watching. 
We have notified CERT-Bund of this activity.\r\nWe will continue to track the activities associated both with this actor and these new tools and update this blog as\r\ndetails emerge.\r\nReferences\r\n[1] https://en.wikipedia.org/wiki/2008_cyberattack_on_United_States\r\n[2] https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case\r\n[3] https://securelist.com/the-epic-turla-operation/65545/\r\n[4] https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/\r\n[5] https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf\r\n[6] https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf\r\n[7] https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\r\n[8] https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/\r\n[9] https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified\r\n[10] https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\n[11] https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/\r\nIndicators of Compromise (IOCs)\r\nKopiLuwak MSIL Dropper\r\n7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b\r\nKopiLuwak JS Dropper “Scr.js”\r\n1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19\r\nKopiLuwak JavaScript Decryptor “appidpolicyconverter.js”\r\n5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185\r\nBenign PDF Decoy “Save the Date G20 Digital Economy Taskforce 23 24 October.pdf”\r\nc978da455018a73ddbc9e1d2bf8c208ad3ec2e622850f68ef6b0aae939e5d2ab\r\nKopiLuwak 
C\u0026C\r\nhxxp://www[.]huluwa[.]uk/wp-content/plugins/woocommerce/includes/class-wc-log.php\r\nhxxp://tresor-rare[.]com[.]hk/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/xrstf/Composer52/LogsLoader.php\r\nET and ETPRO Suricata/Snort Coverage\r\n2827574,ETPRO TROJAN Turla JS/KopiLuwak CnC Beacon M1\r\n2827575,ETPRO TROJAN Turla JS/KopiLuwak CnC Beacon M2\r\nSource: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack"
	],
	"report_names": [
		"turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d606e28dce67792b2960e4805b322b594e5111f.pdf",
		"text": "https://archive.orkl.eu/5d606e28dce67792b2960e4805b322b594e5111f.txt",
		"img": "https://archive.orkl.eu/5d606e28dce67792b2960e4805b322b594e5111f.jpg"
	}
}