{
	"id": "bc4f1b6c-ad67-4d63-80ce-7c5fa14dd5a6",
	"created_at": "2026-04-06T00:11:59.925471Z",
	"updated_at": "2026-04-10T13:12:21.367159Z",
	"deleted_at": null,
	"sha1_hash": "7529364cc1f0c39d6656c405d6f8faacb1744fc3",
	"title": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670441,
	"plain_text": "TinyTurla - Turla deploys new malware to keep a secret backdoor\r\non victim machines\r\nBy Holger Unterbrink\r\nPublished: 2021-09-21 · Archived: 2026-04-05 15:36:58 UTC\r\nTuesday, September 21, 2021 08:11\r\nNews summary\r\nCisco Talos recently discovered a new backdoor used by the Russian Turla APT group.\r\nWe have seen infections in the U.S., Germany and, more recently, in Afghanistan.\r\nIt is likely used as a stealth second-chance backdoor to keep access to infected devices.\r\nIt can be used to download, upload and/or execute files.\r\nThe backdoor code is quite simple but is efficient enough that it will usually fly under the radar.\r\nWhat's new?\r\nCisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This\r\nsimple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary\r\nmalware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.\r\nHow did it work?\r\nThe adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the\r\nradar by naming the service \"Windows Time Service\", like the existing Windows service. The backdoor can\r\nupload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor\r\ncontacted the command and control (C2) server via an HTTPS-encrypted channel every five seconds to check if\r\nthere were new commands from the operator.\r\nSo what?\r\nDue to this backdoor's limited functionality and simple coding style, it is not easy for anti-malware systems to\r\ndetect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at\r\nleast 2020.\r\nThis malware specifically caught our eye when it targeted Afghanistan prior to the Taliban’s recent takeover of the\r\ngovernment there and the pullout of Western-backed military forces. 
Based on forensic evidence, Cisco Talos\r\nassesses with moderate confidence that this was used to target the previous Afghan government. This is a good\r\nexample of how easily malicious services can be overlooked on today's systems, which are clouded by the myriad of\r\nlegitimate services running in the background at all times. It's often difficult for an administrator to verify that all\r\nhttps://blog.talosintelligence.com/2021/09/tinyturla.html\r\nPage 1 of 11\n\nrunning services are legitimate. It is important to have software and/or automated systems detecting unknown\r\nrunning services and a team of skilled professionals who can perform a proper forensic analysis on potentially\r\ninfected systems.\r\nThis malware contacts the C2 every five seconds. A good defense system would detect this anomaly in the\r\nnetwork traffic and raise an alarm, showing a great example of how important it is to incorporate network\r\nbehavior-based detection into your security approach. Turla is well-known and closely monitored by the security\r\nindustry. Nevertheless, they managed to use this backdoor for almost two years. This clearly shows that there is\r\nroom for improvement on the defensive side.\r\nWho is Turla?\r\nTurla has many names in the information security industry — it is also known as Snake, Venomous Bear,\r\nUroburos and WhiteBear. It is a notorious Russian-based and espionage-focused Advanced Persistent Threat\r\n(APT) group that’s been active since at least 2004.\r\nOver the years, they developed and maintained a huge set of offensive tools to attack victims all over the world,\r\nfrom different European government entities, to targets in the U.S., Ukraine or Arab countries.\r\nTurla likes to use compromised web servers and hijacked satellite connections for their command and control (C2)\r\ninfrastructure. In some operations, they also do not communicate directly with the C2 server. 
Instead, they use a\r\ncompromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server.\r\nWell-known malware like Crutch or Kazuar is attributed to Turla. Lately, we have also seen research that has\r\nshown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be\r\nattributed to them. However, over the years, the security industry has closely monitored the different Russian\r\nactors and technical evidence combined with tactics, techniques and procedures (TTPs). By tracking these plus\r\npolitical interests, it’s often possible to attribute certain campaigns and toolsets to this actor.\r\nTechnical details\r\nWe found the backdoor via our telemetry, but we didn't know the exact way the malware was installed on the\r\nvictim system. We do know that the adversaries used a .bat file, similar to the one shown later on, to install the\r\nbackdoor. The backdoor comes in the form of a service DLL called w64time.dll. The description and filename\r\nmake it look like a valid Microsoft DLL.\r\nThere is a real Microsoft w32time.dll on non-infected Windows systems in the %SYSTEMROOT%\\system32\r\ndirectory, but it has no w64time.dll counterpart. The malicious w64time.dll and the original w32time.dll are\r\n64-bit PE files on a 64-bit Microsoft Windows system. Windows contains many applications that come in 32- and\r\n64-bit versions, so it’s not easy to immediately recognize this malicious software by name.\r\nThe adversaries used a .bat file similar to the one below to install the backdoor as a harmless-looking fake\r\nMicrosoft Windows Time service. The .bat file also sets the registry configuration parameters the\r\nbackdoor uses. 
We have removed the original C2 IP addresses due to ongoing investigations.\r\nThis means the malware is running as a service, hidden in the svchost.exe process. The DLL's ServiceMain startup\r\nfunction does little more than execute the function we called \"main_malware,\" which contains the\r\nbackdoor code.\r\nFirst, the backdoor reads its configuration from the registry and saves it in the \"result\" structure, which is later on\r\nassigned to the \"sConfig\" structure.\r\nThe whole DLL is pretty simple. It mainly consists of a few functions and two while loops, which contain the\r\nwhole malware logic.\r\nAfter the beginning of the first while loop, the backdoor registers itself with the C2 server. Then, the reply is parsed\r\nand the backdoor is ready to receive commands. It iterates through the list of C2 servers stored in its registry\r\nconfiguration parameter until it finds one that responds. The hosts are stored in the aforementioned \"Hosts\" registry\r\nkey in the format \u003cIP Address Host1\u003e \u003cTcpPort\u003e \u003cIP Address Host2\u003e \u003cTcpPort\u003e \u003cIP Address Host3\u003e \u003cTcpPort\u003e,\r\nand so on; the delimiter is a single space.\r\nIf none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns\r\nzero, so host_index wraps to zero and the backdoor waits for the number of milliseconds stored in the\r\n\u003cTimeLong\u003e registry key. In our case, this was set to one minute. 
Then, it starts again and tries to reach the\r\nconfigured C2 servers, again host-by-host, until one responds.\r\nIf a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while\r\nloop (C2 control loop) and checks for commands every \u003cTimeShort\u003e milliseconds.\r\nC2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows\r\nWinHttp API, similar to a Microsoft WinHttp example, and receives the C2 command along with its parameters. The\r\nadversaries use SSL/TLS to encrypt the C2 traffic.\r\nEven though the traffic is TLS-encrypted, the backdoor does not validate the server certificate.\r\nThe only authentication they use is the password stored in the \"Security\" registry key, which is checked at the\r\nbeginning of the C2_ProcessCommand function.\r\nAs the name says, the C2_ProcessCommand function handles the received C2 command. It uses a switch\r\nstatement to execute the related backdoor function. The code below shows the beginning of the switch statement.\r\nTalos has gathered the following C2_command_codes for the different backdoor functions:\r\n0x00:'Authentication'\r\n0x01:'Execute process'\r\n0x02:'Execute with output collection'\r\n0x03:'Download file'\r\n0x04:'Upload file'\r\n0x05:'Create Subprocess'\r\n0x06:'Close Subprocess'\r\n0x07:'Subprocess pipe in/out'\r\n0x08:'Set TimeLong'\r\n0x09:'Set TimeShort'\r\n0x0A:'Set new \"Security\" password'\r\n0x0B:'Set Host(s)'\r\nAnother interesting indicator is that the \"Title\" string in their HTTP headers is set to the victim\r\nmachine's GUID. The format in the HTTP header is \"Title: 01234567-1234-1234-1234-123456789abc\".\r\nWe will continue to monitor Turla and the other state-sponsored actors to protect our customers against these\r\nattacks. 
The majority of malware is constantly improving its infection techniques. The adversaries combine clever\r\ntechniques to make detection harder.\r\nIt's more important now than ever to have a multi-layered security architecture in place to detect these kinds of\r\nattacks. It isn't unlikely that the adversaries will manage to bypass one or another security measure, but it is\r\nmuch harder for them to bypass all of them. These campaigns and the refinement of the TTPs being used will\r\nlikely continue for the foreseeable future.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here.\r\nIOCs\r\nFiles:\r\n%SYSTEMROOT%\\system32\\w64time.dll\r\nHash:\r\n030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01\r\nYARA:\r\nimport \"pe\"\r\nrule TinyTurla {\r\n    meta:\r\n        author = \"Cisco Talos\"\r\n        description = \"Detects Tiny Turla backdoor DLL\"\r\n    strings:\r\n        $a = \"Title:\" fullword wide\r\n        $b = \"Hosts\" fullword wide\r\n        $c = \"Security\" fullword wide\r\n        $d = \"TimeLong\" fullword wide\r\n        $e = \"TimeShort\" fullword wide\r\n        $f = \"MachineGuid\" fullword wide\r\n        $g = \"POST\" fullword wide\r\n        $h = \"WinHttpSetOption\" fullword ascii\r\n        $i = \"WinHttpQueryDataAvailable\" fullword ascii\r\n    condition:\r\n        pe.is_pe and\r\n        pe.characteristics \u0026 pe.DLL and\r\n        pe.exports(\"ServiceMain\") and\r\n        all of them\r\n}\r\nSource: https://blog.talosintelligence.com/2021/09/tinyturla.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/09/tinyturla.html"
	],
	"report_names": [
		"tinyturla.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7529364cc1f0c39d6656c405d6f8faacb1744fc3.pdf",
		"text": "https://archive.orkl.eu/7529364cc1f0c39d6656c405d6f8faacb1744fc3.txt",
		"img": "https://archive.orkl.eu/7529364cc1f0c39d6656c405d6f8faacb1744fc3.jpg"
	}
}