{
	"id": "81e77336-a6b3-4770-8190-2983b72ccd7f",
	"created_at": "2026-04-06T00:19:20.39225Z",
	"updated_at": "2026-04-10T13:12:56.119741Z",
	"deleted_at": null,
	"sha1_hash": "61819b006ba4052d4d5ca3e3fd8b382513c65d52",
	"title": "Linux Modules Connected to Turla APT Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37253,
	"plain_text": "Linux Modules Connected to Turla APT Discovered\r\nBy Michael Mimoso\r\nPublished: 2014-12-09 · Archived: 2026-04-02 10:37:20 UTC\r\nResearchers at Kaspersky Lab have found two Linux modules connected to the Turla APT campaigns.\r\nThe Turla APT campaigns have a broader reach than initially anticipated after the recent discovery of two modules built to infect servers running Linux. Until now, every Turla sample in captivity was designed for either 32- or 64-bit Windows systems, but researchers at Kaspersky Lab have discovered otherwise.\r\n“The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago,” wrote Kurt Baumgartner and Costin Raiu, researchers with Kaspersky’s Global Research and Analysis Team. “We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.”\r\nLike its Windows brethren, this version of Turla is a backdoor used to open communication to a command and control server—Kaspersky said it has sink-holed one such domain, which is based on UDP packets, used by one of the Linux modules—for file exfiltration, remote management and remote code execution.\r\nTurla has been used in espionage campaigns against municipal governments, embassies, militaries and other industrial targets, primarily in the Middle East and Europe. In August, another component to these stealthy attacks called Epic Turla was disclosed; Epic is a multistage attack in which victims are compromised via spearphishing emails and other social engineering scams, or watering hole attacks.\r\nThe Epic Turla campaigns combined commodity exploits with zero-day attacks against Windows XP and Windows Server 2003 machines, as well as an Adobe Reader zero day; these exploits have been used to elevate an attacker’s privileges on the underlying system.\r\nMore than 100 websites were reported to be infected in Epic Turla attacks, including the website for City Hall in Pinor, Spain, an entrepreneurial site in Romania and the Palestinian Authority Ministry of Foreign Affairs. All of the sites were built using the TYPO3 content management system, indicating the attackers had access to a vulnerability on that platform.\r\nOnce compromised, the websites then loaded remote JavaScript that performs a number of tasks, including dropping exploits for flaws in Internet Explorer 6-8, recent Java or Flash bugs, or a phony Microsoft Security Essentials application signed with a legitimate certificate from Sysprint AG.\r\nKaspersky’s Raiu and Baumgartner said most of the code in the Linux version of Turla comes from public sources. The backdoor, for example, is based on cd00r, Baumgartner and Raiu wrote. It includes an ELF executable that is statically linked against the GNU C library, an older version of OpenSSL and libpcap, the tcpdump network capture library.\r\nThe use of the cd00r backdoor enables the attack to go undetected, researchers said, because it does not require elevated privileges while running remote commands.\r\n“It can’t be discovered via netstat, a commonly used administrative tool. It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts,” the researchers wrote. “Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.”\r\nTurla was uncovered early this year and researchers also found a connection to the Agent.btz worm, which infected U.S. military networks and led to a government mandate banning the use of USB drives. While Agent.btz and Turla share characteristics, no one has linked the authors. Turla uses the same XOR key and log file names as Agent.btz, for example. Kaspersky’s Baumgartner and Raiu said that Linux variants were known to exist, but this is the first sample caught in the wild.\r\n“Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant,” they said. “Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C\u0026C hostname which fits previously known Turla activity.”\r\nSource: https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/"
	],
	"report_names": [
		"109765"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61819b006ba4052d4d5ca3e3fd8b382513c65d52.pdf",
		"text": "https://archive.orkl.eu/61819b006ba4052d4d5ca3e3fd8b382513c65d52.txt",
		"img": "https://archive.orkl.eu/61819b006ba4052d4d5ca3e3fd8b382513c65d52.jpg"
	}
}