{ "id": "683ed26d-eba7-49ea-918d-8ceb34149244", "created_at": "2026-04-06T00:12:31.920689Z", "updated_at": "2026-04-10T13:12:14.076443Z", "deleted_at": null, "sha1_hash": "7576662629dae5e36dddb4c75ec8e04977d963ff", "title": "Penquin Turla (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 63080, "plain_text": "Penquin Turla (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:57:50 UTC\r\nThere is no description at this point.\r\n2022-02-28 ⋅ Lab52 ⋅\r\nLooking for Penquins in the Wild\r\nPenquin Turla 2020-12-21 ⋅ Intezer ⋅ Intezer\r\nTop Linux Cloud Threats of 2020\r\nAgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN\r\nPenquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT\r\n2020-09-10 ⋅ Kaspersky Labs ⋅ GReAT\r\nAn overview of targeted attacks and APTs on Linux\r\nCloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent 2020-07-29 ⋅\r\nKaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2020\r\nPhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya\r\nGodlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess\r\nX-Agent XTunnel 2020-06-09 ⋅ Kaspersky Labs ⋅ Costin Raiu\r\nLooking at Big Threats Using Code Similarity. Part 1\r\nPenquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel 2020-06-07 ⋅ Youtube (OPCDE) ⋅\r\nAntonio Villani, Silvio La Porta\r\nThe Penquin is in da house\r\nPenquin Turla 2020-05-14 ⋅ Leonardo ⋅ Leonardo’s Cyber Security division\r\nMalware Technical Insight Turla \"Penquin_x64\"\r\nPenquin Turla 2020-04-07 ⋅ Blackberry ⋅ Blackberry Research\r\nDecade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android\r\nPenquin Turla XOR DDoS ZXShell 2018-03-01 ⋅ Kaspersky Labs ⋅ Costin Raiu, Daniel Moore, Juan Andrés Guerrero-Saade,\r\nThomas Rid\r\nPenquin's Moonlit Maze\r\nPenquin Turla 2017-12-24 ⋅ Twitter (@juanandres_gs) ⋅ Juan Andrés Guerrero-Saade\r\nTweet on Turla Penquin\r\nPenquin Turla 2017-04-03 ⋅ Kaspersky Labs ⋅ Costin Raiu, Daniel Moore, Juan Andrés Guerrero-Saade, Thomas Rid\r\nMoonlight Maze Technical Report (Appendix B)\r\nPenquin Turla 2017-04-03 ⋅ Kaspersky Labs ⋅ Costin Raiu, Daniel Moore, Juan Andrés Guerrero-Saade, Thomas Rid\r\nPenquin’s Moonlit Maze\r\nPenquin Turla\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla" ], "report_names": [ "elf.penquin_turla" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f809bfcb-b200-4988-80a8-be78ef6a52ef", "created_at": "2023-01-06T13:46:39.186988Z", "updated_at": "2026-04-10T02:00:03.240002Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "Adept Libra" ], "source_name": "MISPGALAXY:TeamTNT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4", "created_at": "2022-10-25T15:50:23.334495Z", "updated_at": "2026-04-10T02:00:05.264841Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "TeamTNT" ], "source_name": "MITRE:TeamTNT", "tools": [ "Peirates", "MimiPenguin", "LaZagne", "Hildegard" ], "source_id": "MITRE", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "e16a6567-2b9a-4419-960b-1e03fccc8812", "created_at": "2023-01-06T13:46:39.128684Z", "updated_at": "2026-04-10T02:00:03.224215Z", "deleted_at": null, "main_name": "NOTROBIN", "aliases": [], "source_name": "MISPGALAXY:NOTROBIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3", "created_at": "2023-01-06T13:46:39.390649Z", "updated_at": "2026-04-10T02:00:03.311299Z", "deleted_at": null, "main_name": "Kinsing", "aliases": [ "Money Libra" ], "source_name": "MISPGALAXY:Kinsing", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434351, "ts_updated_at": 1775826734, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7576662629dae5e36dddb4c75ec8e04977d963ff.pdf", "text": "https://archive.orkl.eu/7576662629dae5e36dddb4c75ec8e04977d963ff.txt", "img": "https://archive.orkl.eu/7576662629dae5e36dddb4c75ec8e04977d963ff.jpg" } }