{
	"id": "8528f3d4-9f82-4825-85f5-dcfd77d6d534",
	"created_at": "2026-04-06T00:21:46.010146Z",
	"updated_at": "2026-04-10T03:33:36.270241Z",
	"deleted_at": null,
	"sha1_hash": "7b1df3bd28db8b60e6c2aa78d276de04aa7014f9",
	"title": "New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1272806,
	"plain_text": "New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit\r\nThe Pentagon In 2008 Still Evolving; Part 1/2\r\nBy Omri Ben Bassat\r\nPublished: 2017-08-07 · Archived: 2026-04-05 15:36:01 UTC\r\nAgent.BTZ, also known as ComRAT, is one of the world’s oldest known state-sponsored threats, mainly known\r\nfor the 2008 Pentagon breach. Technically speaking, Agent.BTZ is a sophisticated user-mode RAT developed and\r\noperated by the Turla group alongside the Snake/Uroburos rootkit. In the past few months, we conducted\r\nresearch on Agent.BTZ’s code base and how it evolved, using Intezer Code Intelligence™ technology. Based on\r\nour research conclusions, we were able to hunt down about a dozen new samples and more than seventy\r\npreviously unknown live IP \u0026 DNS addresses, indicating the ongoing abuse of satellite internet providers\r\noperating in both Africa \u0026 the Middle East.\r\nThis is a short memo regarding our findings from the past few months; more details are in Part 2 of this blog, a\r\nwhitepaper we wrote on Agent.BTZ/ComRAT describing in more detail how we found these new variants using\r\nour technology, along with a thorough analysis of the new samples.\r\nDropper: Although the code itself was written from scratch and has nothing to do with WinRAR, the adversary\r\ntried to mimic WinRAR’s SFX installer. Resource data was duplicated, including the icons and layouts used by the\r\noriginal installer (screenshot of the fake SFX dialog in the original post).\r\nhttp://www.intezer.com/new-variants-of-agent-btz-comrat-found/\r\nPage 1 of 8\n\nOnce executed, the dropper installs activeds.dll, a proxy DLL that is loaded directly into explorer.exe once the\r\nmachine reboots. The purpose of this proxy DLL is to load the malware’s main payload,\r\nstdole2.tlb. The dropper then also deletes any previous installation of Agent.BTZ if it exists. 
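The install, persistence and uninstall chain above leaves three hunting handles: explorer.exe loading an activeds.dll that is not the System32 copy, stdole2.tlb (or the older termsvr32.dll / pcasrc.tlb) appearing under the user profile, and rundll32 being pointed at a .tlb and asked for an UnInstall export. The following Python is an added example, not Intezer's code or tooling: it runs those checks, plus a hash match against three SHA-256 values taken from the IOC table further down, over constructed Sysmon-style events. The event layout, the sample events, the ADMINI~1 profile name and the directory the proxy DLL is loaded from (the post does not say where it is written) are assumptions made for the example.

```python
# Added hunting example, not Intezer's code: flag the install, persistence
# and uninstall artefacts of the Agent.BTZ/ComRAT dropper described above in
# Sysmon-style telemetry. The event layout and the sample events are
# constructed for this example; the post does not say where the proxy DLL is
# written, so its location in the sample is an assumption.
import ntpath

# Directories where the two impersonated Windows files legitimately live.
SYSTEM_DIRS = ('c:\\windows\\system32', 'c:\\windows\\syswow64')
# Windows file names the implant reuses (proxy DLL and main payload).
HIJACKED_NAMES = ('activeds.dll', 'stdole2.tlb')
# Payload file names: current variant plus the late-2014 names it removes.
PAYLOAD_NAMES = ('stdole2.tlb', 'termsvr32.dll', 'pcasrc.tlb')
# SHA-256 values from the IOC table of the post (one dropper, one
# activeds.dll, one stdole2.tlb); load the whole table in a real deployment.
KNOWN_SHA256 = {
    '69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548',
    '73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88',
    '6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96',
}


def in_system_dir(path):
    '''True when the file sits directly in System32 or SysWOW64.'''
    return ntpath.normpath(ntpath.dirname(path)).lower() in SYSTEM_DIRS


def rundll32_args(cmdline):
    '''Split a rundll32 command line into (module path, export name).

    rundll32 expects '<module>,<export> <arguments>'. Module paths with
    spaces are ambiguous in this syntax; the implant sidesteps that by using
    8.3 short names, so splitting on the first comma is enough here.
    Returns None when the command line does not invoke rundll32.
    '''
    low = cmdline.lower()
    pos = low.find('rundll32.exe')
    if pos < 0:
        return None
    rest = cmdline[pos + len('rundll32.exe'):].strip()
    if ',' not in rest:
        return None
    module, after = rest.split(',', 1)
    export = after.split()[0] if after.split() else ''
    return module.strip(), export


def hunt(events):
    '''Return (event index, reason) pairs for events matching the implant.'''
    hits = []
    for i, ev in enumerate(events):
        if ev.get('sha256', '').lower() in KNOWN_SHA256:
            hits.append((i, 'known Agent.BTZ/ComRAT hash'))
        if ev['type'] == 'image_load':
            # Proxy activeds.dll pulled into explorer.exe from somewhere other
            # than the real System32 copy (DLL search-order hijack).
            name = ntpath.basename(ev['loaded']).lower()
            if (ntpath.basename(ev['image']).lower() == 'explorer.exe'
                    and name in HIJACKED_NAMES
                    and not in_system_dir(ev['loaded'])):
                hits.append((i, 'explorer.exe loaded %s from %s'
                             % (name, ntpath.dirname(ev['loaded']))))
        elif ev['type'] == 'file_create':
            # Payload names dropped under the user profile, not System32.
            name = ntpath.basename(ev['target']).lower()
            if name in PAYLOAD_NAMES and not in_system_dir(ev['target']):
                hits.append((i, 'payload name %s written outside System32'
                             % name))
        elif ev['type'] == 'process_create':
            # The uninstall step runs rundll32 on a .tlb (a type library, not
            # a DLL) and calls its UnInstall export.
            parsed = rundll32_args(ev['cmdline'])
            if parsed is not None:
                module, export = parsed
                name = ntpath.basename(module).lower()
                if not name.endswith('.dll') or name in PAYLOAD_NAMES:
                    hits.append((i, 'rundll32 called %s in non-DLL %s'
                                 % (export, name)))
    return hits


# Constructed sample telemetry: benign events of each kind plus the chain
# described in the post (ADMINI~1 stands in for the user profile).
SAMPLE_EVENTS = [
    {'type': 'image_load', 'image': 'C:\\WINDOWS\\explorer.exe',
     'loaded': 'C:\\WINDOWS\\system32\\activeds.dll'},
    {'type': 'image_load', 'image': 'C:\\WINDOWS\\explorer.exe',
     'loaded': 'C:\\WINDOWS\\activeds.dll',
     'sha256': '73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88'},
    {'type': 'file_create', 'image': 'C:\\Temp\\setup.exe',
     'target': 'C:\\Documents and Settings\\Administrator\\Application Data'
               '\\Microsoft\\Windows\\stdole2.tlb'},
    {'type': 'process_create', 'image': 'C:\\WINDOWS\\system32\\rundll32.exe',
     'cmdline': 'C:\\WINDOWS\\system32\\rundll32.exe C:\\DOCUME~1\\ADMINI~1'
                '\\APPLIC~1\\MICROS~1\\Windows\\stdole2.tlb,UnInstall C:\\~$.tmp'},
    {'type': 'process_create', 'image': 'C:\\WINDOWS\\system32\\rundll32.exe',
     'cmdline': 'C:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL'},
]

if __name__ == '__main__':
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(idx, reason)
```

Run as a script it prints the four flagged events (the benign System32 load and the shell32.dll rundll32 call pass). In a real deployment feed it process-creation, image-load and file-create events (Sysmon event IDs 1, 7 and 11) and widen KNOWN_SHA256 to the full IOC table; the path checks are the ones that survive a recompiled sample, the hash match is not.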
This is done using\r\nhard-coded file paths:\r\n“C:\\Documents and Settings\\\u003cUSER\u003e\\Application Data\\Microsoft\\Windows\\Themes\\termsvr32.dll”\r\n“C:\\Documents and Settings\\\u003cUSER\u003e\\Application Data\\Microsoft\\Windows\\Themes\\pcasrc.tlb”\r\nNote: These file names were first used by Agent.BTZ in late 2014, as you can see in this automatic Dr.WEB\r\nreport.\r\nOnce finished, the dropper renames itself and self-deletes using the following command line:\r\n“C:\\WINDOWS\\system32\\rundll32.exe C:\\DOCUME~1\\\u003cUSER\u003e~1\\APPLIC~1\\MICROS~1\\Windows\\stdole2.tlb,UnInstall C:\\~$.tmp”\r\nSamples found:\r\n1. 69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548\r\n2. 6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4\r\nstdole2.tlb: As previously mentioned, this file is the main component installed by the fake-SFX dropper and loaded\r\nby activeds.dll. We extracted the configuration from each sample in order to obtain the C2 address and inner\r\nversion (“PVer”), which is built into every Agent.BTZ sample. In the past, Agent.BTZ’s developers used an\r\nincremental value to indicate the inner build version; the last known value is 3.26, as published by G-Data in late\r\n2014. It seems that the developers reacted to G-Data’s publication and stopped using an incremental\r\nvalue. New variants now use a different numbering scheme, 0.8.\u003cRANDOM_VALUE\u003e or 0.9.\u003cRANDOM_VALUE\u003e, making it more\r\ndifficult for researchers to track the exact version of the samples.\r\nExample configuration extracted from one of the samples: PVer 0.9.1528434231 (screenshot in the original post).\r\nEven without the PVer numbering, we were able to determine using our technology that these samples are from a\r\nnewer version, which is based on the latest known versions of Agent.BTZ, 3.25 / 3.26. These are the two top files\r\nyou can see in the following screenshot:\r\n1. 
4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356 (VirusTotal)\r\n2. 3a6c1aa367476ea1a6809814cf534e094035f88ac5fb759398b783f3929a0db2 (VirusTotal)\r\nBoth of these files were uploaded almost three years ago to VT(!)\r\nScreenshot from the Intezer Analyze™ product (in the original post) displaying a list of files in our database that share pieces of\r\ncode with one of the new samples. These pieces of code are specific to the Turla malware family, and were not\r\nseen in any other malicious or legitimate software.\r\nSamples found:\r\n1. 6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96\r\n2. 49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e\r\n3. e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49\r\n4. 89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea\r\nIndicators of Compromise:\r\ntype indicator notes\r\nsha256 69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548 dropper\r\nsha256 6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4 dropper\r\nsha256 73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88 activeds.dll\r\nsha256 50067ebcc2d2069b3613a20b81f9d61f2cd5be9c85533c4ea34edbefaeb8a15f activeds.dll\r\nsha256 380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac activeds.dll\r\nsha256 9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426 activeds.dll\r\nsha256 628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24 activeds.dll\r\nsha256 f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2 activeds.dll\r\nsha256 a093fa22d7bc4ee99049a29b66a13d4bf4d1899ed4c7a8423fbb8c54f4230f3c activeds.dll\r\nsha256 6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96 stdole2.tlb\r\nsha256 49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e stdole2.tlb\r\nsha256 
e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49 stdole2.tlb\r\nsha256 89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea stdole2.tlb\r\nip 81.199.34[.]150\r\ndns elephant.zzux[.]com\r\ndns angrybear.ignorelist[.]com\r\ndns bigalert.mefound[.]com\r\ndns bughouse.yourtrap[.]com\r\ndns getfreetools.strangled[.]net\r\ndns news100top.diskstation[.]org\r\ndns pro100sport.mein-vigor[.]de\r\ndns redneck.yourtrap[.]com\r\ndns savage.2waky[.]com\r\ndns tehnologtrade.4irc[.]com\r\nip 81.199.160[.]11\r\ndns forums.chatnook[.]com\r\ndns goodengine.darktech[.]org\r\ndns locker.strangled[.]net\r\ndns simple-house.zzux[.]com\r\ndns specialcar.mooo[.]com\r\ndns sunseed.strangled[.]net\r\ndns whitelibrary.4irc[.]com\r\ndns bloodpearl.strangled[.]net\r\ndns getlucky.ignorelist[.]com\r\ndns proriot.zzux[.]com\r\ndns fourapi.mooo[.]com\r\ndns nopasaran.strangled[.]net\r\nip 78.138.25[.]29\r\ndns showme.twilightparadox[.]com\r\ndns mouses.strangled[.]net\r\nip 82.146.175[.]69\r\ndns mouses.strangled[.]net\r\nip 178.219.68[.]242\r\ndns ftp.fueldust.compress[.]to\r\ndns ftp.linear.wikaba[.]com\r\ndns ftp.mysterysoft.epac[.]to\r\ndns ftp.scroller.longmusic[.]com\r\ndns ftp.spartano.mefound[.]com\r\ndns fueldust.compress[.]to\r\ndns linear.wikaba[.]com\r\ndns mysterysoft.epac[.]to\r\ndns safety.deaftone[.]com\r\ndns salary.flnet[.]org\r\ndns scroller.longmusic[.]com\r\ndns spartano.mefound[.]com\r\nip 88.83.25[.]122\r\ndns robot.wikaba[.]com\r\nip 41.223.91[.]217\r\ndns smileman.compress[.]to\r\ndns decent.ignorelist[.]com\r\ndns dekka.biz[.]tm\r\ndns disol.strangled[.]net\r\ndns eraser.2waky[.]com\r\ndns filelord.epac[.]to\r\ndns justsoft.epac[.]to\r\ndns smuggler.zzux[.]com\r\ndns sport-journal.twilightparadox[.]com\r\ndns sportinfo.yourtrap[.]com\r\ndns stager.ignorelist[.]com\r\ndns 
tankos.wikaba[.]com\r\ndns grandfathers.mooo[.]com\r\ndns homeric.mooo[.]com\r\ndns jamming.mooo[.]com\r\ndns pneumo.mooo[.]com\r\ndns razory.mooo[.]com\r\ndns anger.scieron[.]com\r\ndns gantama.mefound[.]com\r\ndns letgetbad.epac[.]to\r\ndns rowstate.epac[.]to\r\ndns memento.info[.]tm\r\nip 196.43.240[.]177\r\ndns bughouse.yourtrap[.]com\r\ndns news100top.diskstation[.]org\r\nip 169.255.102[.]240\r\ndns harm17.zzux[.]com\r\ndns mountain8.wikaba[.]com\r\nsha256 0e0045d2c4bfff4345d460957a543e2e7f1638de745644f6bf58555c1d287286 other\r\nsha256 bdcc7e900f10986cdb6dc7762de35b4f07f2ee153a341bef843b866e999d73a3 other\r\nsha256 fac13f08afe2745fc441ada37120cebce0e0aa16d03a03e9cda3ec9384dd40f2 backdoor\r\nsha256 bae62f7f96c4cc300ec685f42eb451388cf50a13aa624b3f2a019d071fddaeb1 other\r\nRelated articles:\r\n1. https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified\r\n2. https://www.gdatasoftware.com/blog/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat\r\n3. http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html\r\n4. https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/\r\n5. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf\r\n6. https://securelist.com/the-epic-turla-operation/65545/\r\n7. http://artemonsecurity.com/snake_whitepaper.pdf\r\n8. https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\r\nSource: http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
	],
	"report_names": [
		"new-variants-of-agent-btz-comrat-found"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b1df3bd28db8b60e6c2aa78d276de04aa7014f9.pdf",
		"text": "https://archive.orkl.eu/7b1df3bd28db8b60e6c2aa78d276de04aa7014f9.txt",
		"img": "https://archive.orkl.eu/7b1df3bd28db8b60e6c2aa78d276de04aa7014f9.jpg"
	}
}