{
	"id": "94190672-f65a-417d-99cc-ae98683b210f",
	"created_at": "2026-04-06T00:09:37.304315Z",
	"updated_at": "2026-04-10T03:33:36.067452Z",
	"deleted_at": null,
	"sha1_hash": "6fa104a20edcc485c333b7fa7b1ff6daec19835c",
	"title": "Looking for Penquins in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2622328,
	"plain_text": "Looking for Penquins in the Wild\r\nPublished: 2022-02-28 · Archived: 2026-04-05 14:31:09 UTC\r\nDuring 2020 Leonardo analysts discovered and published a very in-depth analysis of a threat known as Penquin, attributed to the APT group Turla. 32-bit samples of this threat had been detected and analyzed by Kaspersky before, but the analysis in this most recent publication was focused on a new 64-bit sample.\r\nWhat first caught our attention was that this threat does not have its own command and control server, but rather stands by waiting for a very specific packet generated by the attacker, and from that packet it extracts its command and control server. This results in the following logical scenario for an attacker to take control of the threat:\r\nhttps://lab52.io/blog/looking-for-penquins-in-the-wild/\r\nPage 1 of 7\r\nIn the report published by Leonardo there is a lot of information related to the structure of such a packet and the threat activation protocol; in fact, they published a UDP scanner that sends a specific packet contacting an internal IP, in order to allow scanning internal networks for the threat.\r\nThis threat, despite being a compiled and relatively complex binary, has the same capabilities that are usually found in webshells. Furthermore, the group itself could be said to use it in a way similar to how other, less advanced groups use webshells, since it has been observed that on servers infected by this threat, command and control servers for other Turla tools have been deployed in order to use them as infrastructure in recent campaigns.\r\nThis fact implies that the ability to detect new infections of this threat all over the Internet may allow identifying the infrastructure of current, and even future, Turla campaigns.\r\nTo do this, we first need to be able to generate activation packets for public IPs controlled by us. Secondly, we are interested in being able to scan TCP ports as well, since there are cases of servers that have specific TCP ports exposed to the Internet and all UDP ports blocked.\r\nStarting from public samples and the work already done and documented as a resource, we decided to implement a function that emulates the threat’s logic of checking the validity of that “Magic” packet and extracting the IP address of the C2 it is ordered to contact. This allows us to quickly and automatically validate an inferred activation packet.\r\nRather than completely reversing the validation logic in order to generate specific packets, we first tried brute-forcing the different elements within the UDP and TCP packets, and then leveraging the function we had extracted from the threat to validate each combination for a public target IP controlled by us.\r\nWe know that the sample first extracts 32 bits from the packet and compares them with the mask “0xbdbd0560”. In case it passes this first filter, it extracts another 32 bits and the source port, and passes this extracted information to the validation function we already have. The problem was that brute-forcing so many bytes would be too slow and not feasible.\r\nFortunately, a good part of the algorithm is already described. Some of these elements are the fixed bits of the first mask and the bits that compose the IP address which Penquin will contact (our controlled IP, in this case). The fixed bits of the first check take away most of the second block of 32 bits, and since we will want to generate the packets for an IP address controlled by us, we can subtract another 28 bits from the two blocks of 32, since these will have to be exactly those that build the IP of our server. In fact we could subtract 4 more bits from the source port, which will also be dependent on the final IP, although in our case we consider it unnecessary. So instead of brute-forcing all possible combinations of two 32-bit blocks plus the port (16 more bits), we only have to brute-force 4 bits + 4 bits + 2 bits + 3 bits + the source port, which becomes trivial.\r\nThis would allow us to generate combinations for a destination IP and then check whether the result is valid and still generates the IP we expected it to generate.\r\nHowever, there is still one last element to take into account:\r\nThe function that checks the validity of the packet within the threat (renamed MagicStuff in the screenshot) returns as a parameter an ID extracted from the calculations it performs, which can contain a value between 0 and 3. Just before contacting the target server it compares this ID with the ID of the last contact with a C2, which is initialized to 0 when the threat is executed for the first time. This avoids accepting the same packet twice (and at the same time, the first packet cannot result in 0 after that calculation). Therefore, we need to generate two different packets to make sure that, if we send them to an infected server, it will reply, and we do not miss a contact simply because we sent the same ID as the attacker did in the last contact.\r\nOnce two packets with different IDs and a controlled public IP have been generated, the last thing is to send them to a TCP or UDP port that is open on as many servers as possible and wait to receive responses on our server’s IP from the scanned IP addresses.\r\nFor this, in the case of UDP we already have the work done, but in the case of TCP the payload that the threat checks is not in the body of the received TCP packet but in the headers, specifically in the Sequence Number and Acknowledgement Number, so we need to generate the packet as a raw packet to be able to control these elements:\r\nOnce all the elements are prepared and finished, the packet closely resembles this one:\r\nNow we can finally perform the scan 🙂\r\nDifferent strategies have been used for the scanning. We have scanned ports 25 (TCP), 53 (UDP/TCP), 80 (TCP), 443 (TCP) and 8080 (TCP), and we have tried to vary the “callback” port. To avoid unnecessary traffic, the sending and receiving of packets are placed on different IP addresses: the IP address from which it is activated (the source of our crafted packets) and the “supposed” C2 (the server expected to be contacted) are on different servers. When packets are received at the expected address, a double check is made by sending only to that IP, in order to verify that we are still receiving a response from Penquin.\r\nAfter a first scan in June 2020 we registered 86 IP addresses hosting Penquin.\r\nFirst of all, we were struck by the distribution of these infections, as they were all located in Europe, Russia and the United States.\r\nThe IPs found correspond in most cases to VPSs from a wide variety of providers.\r\nOn the other hand, Shodan offers us information suggesting that many of the IPs, as expected, have a multitude of vulnerabilities. In the image above we can see the vulnerabilities in RED and the IPs in ORANGE.\r\nIn total, vulnerabilities have been identified in approximately 65% of the detected IPs.\r\nAmong the detections observed, these two IP addresses stand out:\r\n85.25.95[.]16\r\n162.223.94[.]14\r\nAt “first sight”, it can be observed in VT that this address is related to a binary that some antivirus vendors, along with Intezer, catalog as Turla.\r\nResearching for more details about this sample, we find that it is mentioned in an AhnLab report about a Turla campaign against the Korean defense sector. This, along with the following paragraph from Cisco Talos from July 2021, related to their analysis of TinyTurla, reinforces the hypothesis that they use Penquin as a tool to control machines that are then used as command and control servers or intermediate node servers for their operations: “One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure.”\r\nReferences:\r\n[1] https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%8\r\n[2] https://cn.ahnlab.com/global/upload/download/asecreport/ahnlab_zh_202006%20vol.91.pdf\r\n[3] https://blog.talosintelligence.com/2021/09/tinyturla.html\r\nIOCs\r\n85.25.95.16 Infected Server\r\n162.223.94.14 Infected Server\r\nCustomers with Lab52’s APT intelligence private feed service already have more tools and means of detection for this campaign.\r\nIf you have a threat hunting service or are a client of S2Grupo CERT, this intelligence has already been applied.\r\nIf you need more information about Lab52’s private APT intelligence feed service, you can contact us through the following link\r\nSource: https://lab52.io/blog/looking-for-penquins-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/looking-for-penquins-in-the-wild/"
	],
	"report_names": [
		"looking-for-penquins-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fa104a20edcc485c333b7fa7b1ff6daec19835c.pdf",
		"text": "https://archive.orkl.eu/6fa104a20edcc485c333b7fa7b1ff6daec19835c.txt",
		"img": "https://archive.orkl.eu/6fa104a20edcc485c333b7fa7b1ff6daec19835c.jpg"
	}
}