{
	"id": "18d12d6a-07c7-4873-959e-95fd8377c5e1",
	"created_at": "2026-04-29T02:21:52.691734Z",
	"updated_at": "2026-04-29T08:21:23.754295Z",
	"deleted_at": null,
	"sha1_hash": "7b8d84456ebcaf9c13fa0b4f7f033e08ac242620",
	"title": "Turla/Belugasturgeon Compromises Government | Accenture",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444619,
	"plain_text": "Turla/Belugasturgeon Compromises Government | Accenture\r\nBy Accenture Cyber Threat Intelligence\r\nArchived: 2026-04-29 02:06:51 UTC\r\nTurla, identified internally by Accenture Cyber Threat Intelligence as Belugasturgeon, continues to target government organizations using custom malware, including updated legacy tools, designed to maintain persistence through overlapping backdoor access while evading their victim’s defenses. One such tool, the HyperStack backdoor (named after its filename on one identified sample), has seen significant updates that appear to be inspired by the group’s Carbon backdoor and the RPC backdoor described by ESET researchers.\r\nTurla has conducted espionage operations on behalf of its state sponsor for over a decade. The group primarily targets foreign governments and embassies using advanced custom tools designed to stay hidden for long periods of time. The activity identified by Accenture threat researchers is within the group’s typical targeting set using their custom tools, albeit with some updates.\r\nTactics\r\nAccenture Cyber Threat Intelligence researchers identified a Turla compromise of a European government organization. During this compromise Turla utilized a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon, which ACTI researchers analyzed between June and October 2020. The RATs transmit the command execution results and exfiltrate data from the victim's network, while the RPC-based backdoors use the RPC protocol to perform lateral movement and to issue and receive commands on other machines in the local network. These tools often include several layers of obfuscation and defense evasion techniques.\r\nThis combination of tools has served Turla well, as some of their current backdoors use code that dates back to 2005, according to Palo Alto researchers. 
The threat group will likely continue to maintain and rely on this ecosystem, and iterations of it, as long as the group targets Windows-based networks.\r\nTurla uses a variety of command and control (C\u0026C) implementations within each compromise, which allows for multiple avenues of reentry if parts of the compromise are identified by defenders. Notably, Accenture researchers recently identified novel C\u0026C configurations for Turla’s Carbon and Kazuar backdoors on the same victim network. The Kazuar instances varied in configuration between using external C\u0026C nodes off the victim network and internal nodes on the affected network, and the Carbon instance had been updated to include a Pastebin project to receive encrypted tasks alongside its traditional HTTP C\u0026C infrastructure.\r\nHyperStack functionality\r\nHyperStack, first observed in 2018, is one of several RPC backdoors Turla uses. A sample identified in September 2020 has updated functionality which appears to be inspired by the RPC backdoors previously publicly disclosed by ESET and Symantec researchers as well as by the Carbon backdoor. Based on these similarities, we assess with high confidence that HyperStack is a custom Turla backdoor.\r\nhttps://web.archive.org/web/20201101015247/https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\r\nPage 1 of 10\r\nComparison of HyperStack to Turla's Carbon and RPC backdoors\r\nHyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. 
If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.\r\nHyperStack usage\r\nAnother version of HyperStack observed in this campaign had simpler functionality, allowing Turla operators to run commands via a named pipe from the controller to the implant, without any of the IPC$ enumeration activity.\r\nVaried command and control\r\nAnalysis of several backdoors identified in this recent operation revealed that Turla has relied on traditional C\u0026C implementations, using compromised web servers as C\u0026C, as well as utilizing legitimate web services like Pastebin. Additionally, one analyzed sample of Kazuar is configured for commands sent through likely internal nodes in the government's network, while others use the more traditional method of external C\u0026C nodes. Varying the C\u0026C ensures multiple avenues of recovery into the network if some of the group’s accesses are found and remediated by network defenders.\r\nKazuar - Command and Control\r\nIn mid-September, we analyzed a sample of Kazuar that, unlike traditional Kazuar samples, is configured to receive commands via Uniform Resource Identifiers (URIs) pointing to internal C\u0026C nodes in the victim government network.\r\nThis Kazuar configuration acts in conjunction with another sample, analyzed in early October, on the same victim network. Based on references to the internal C\u0026C node, the October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network via an internet-facing shared network location. 
This set-up allows Turla operators to communicate with Kazuar-infected machines in the victim network that are not accessible remotely.\r\nKazuar C\u0026C unique implementation\r\nAnother recently analyzed sample of Kazuar from the same victim network had a traditional C\u0026C implementation where the implant communicates directly with a C\u0026C server located outside the victim network. The C\u0026C URLs correspond to compromised legitimate websites that Turla uses to proxy commands and exfiltrate data to Turla backend infrastructure.\r\nKazuar C\u0026C traditional implementation\r\nCarbon - Command and control using Pastebin\r\nTurla has extensively used Carbon, a modular backdoor framework with advanced peer-to-peer capability, for several years. An instance of the Carbon backdoor analyzed in June 2020 augmented the traditional threat actor-owned C\u0026C infrastructure with tasks served from Pastebin, a legitimate web service. The Carbon installer discovered by ACTI analysts dropped a Carbon Orchestrator, two communication modules, and an encrypted configuration file. The configuration file contains C\u0026C URLs traditionally observed in Carbon instances, which are likely compromised web servers hosting a web shell that transmits commands and exfiltrates data from the victim network. It also contains a parameter labeled [RENDEZVOUS_POINT] which contains a URL for a Pastebin project.\r\nWhen accessing the Pastebin URL, an encrypted blob is downloaded that requires a corresponding RSA private key from the configuration file. 
The configuration file analyzed did not contain the RSA private key and therefore we were unable to decrypt the contents of the Pastebin link. We assess the decrypted blob was likely a task for the Carbon instance.\r\nExploiting legitimate web services for C\u0026C\r\nWe are increasingly observing cyber-espionage groups use legitimate web services for their operational command and control, and Turla is no exception to this trend.\r\nGroups likely use these services for several reasons:\r\n- Web services allow cyber-espionage groups' malicious network traffic to blend easily with legitimate network traffic\r\n- Threat groups can easily change or create new infrastructure, which makes it difficult for defenders to shut down or sinkhole their infrastructure\r\n- Using web services complicates attribution since the C\u0026C infrastructure is not owned by the threat group\r\nAdditionally, web services have the added benefit of being free or inexpensive and requiring limited resources for creation and maintenance.\r\nConclusion\r\nTurla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks. Government entities, in particular, should check network logs for indicators of compromise and build detections aimed at thwarting this threat actor.\r\nThe Accenture Cyber Threat Intelligence (ACTI) team provides actionable and relevant threat intelligence to support decision makers. The intelligence analysis and assessments in this report are grounded in verified facts; more information on this activity is available to subscription customers on ACTI IntelGraph. 
IntelGraph is a proprietary next-generation security intelligence platform that allows users to search, visualize, and contextualize the relationships between malicious actors, their tools and the vulnerabilities they exploit.\r\nMITRE ATT\u0026CK techniques\r\nTactic | Technique ID | Technique name\r\nExecution | T1059 | Command-line Interface\r\nExecution | T1569 | Service Execution\r\nPersistence | T1543 | New Service\r\nPrivilege Escalation | T1543 | New Service\r\nDiscovery | T1135 | Network Share Discovery\r\nDiscovery | T1012 | Query Registry\r\nLateral Movement | T1021 | Windows Admin Shares\r\nCommand and Control | T1102 | Web Service\r\nCommand and Control | T1001 | Data Obfuscation\r\nCommand and Control | T1090 | Proxy\r\nCommand and Control | T1071 | Standard Application Layer Protocol\r\nAccenture Security\r\nAccenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.\r\nAccenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. 
The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.\r\nCopyright © 2020 Accenture. All rights reserved.\r\nTechnical details\r\nHyperStack Execution Routine\r\nUpon execution, HyperStack performs a registry key check similar to that of Turla’s RPC backdoor and updates the same registry key to determine which named pipes can be accessed anonymously. The HyperStack backdoor first copies itself to C:\\ADSchemeIntegrity.exe and then installs itself with system-level privileges as the service Active Directory Scheme Integrity Service. HyperStack checks for the following registry entry and, when found, adds the name of its communication pipe (‘adschemerpc’) to the key value:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters\\NullSessionPipes\r\nTo make the pipe available to anyone, HyperStack sets the security descriptor for the pipe to S:(ML;;NW;;;S-1-16-0), a method that Turla also uses in its RPC backdoor.\r\nHyperStack Custom Handshake\r\nNext, HyperStack uses a custom handshake that is similar to handshakes used for Carbon named-pipe communications. 
To detect incoming connections from the controller, the HyperStack implant uses the Windows API call ‘ConnectNamedPipe’. When HyperStack receives an incoming connection, it starts a new thread and continues with the custom handshake. The malware reads 8 bytes from the pipe and checks whether they match B19B055CA11CACA0. If they match, the HyperStack implant returns the value CACA05ACCE55F11E to the controller. Similar 8-byte hex values are exchanged as part of the Carbon backdoor’s custom handshake.\r\nConfiguration file\r\nHyperStack writes a configuration file named backport.inf, in the same file format as the Carbon malware's configuration file. The configuration file is written to %SystemRoot%\\INF\\backport.inf and contains a [Version] section with various keys:\r\nFigure 1. HyperStack configuration file\r\nThe [Version] section of the file contains several keys that the malware writes, including:\r\nType – Likely a form of version control. The malware sets the Type key to SilentMoon.\r\nCLSID – The class ID for the implant, seeded with a call to rand().\r\nPRVK – Stores the RSA key pair needed for session key encryption.\r\nRevision and Signature – Read from the file prior to RSA key generation.\r\nHyperStack checks the configuration file to determine if the Type equals SilentMoon. If yes, it generates an RSA PKCS key using CryptGenKey that is used for encryption of communication session keys. It then writes the RSA key to the PRVK key in the [Version] section of the config file. Turla’s Carbon backdoor also implements RSA encryption on the session keys for some of its C\u0026C channels.\r\nUse of inter-process communication (IPC$) share\r\nHyperStack sets the registry value HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\\RestrictAnonymous to 0 so anonymous logon users (i.e., null session connections) can list all account names and enumerate all shared resources on a remote share. 
The implant can then use the WNetAddConnection2 API call to connect to another remote device's IPC$ share. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. The implant attempts to connect to the IPC$ share using a null session or, if this fails, with default credentials.\r\nHyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack implant. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.\r\nTurla also used the IPC$ share during the lateral movement stage of its compromise of Swiss defense firm RUAG, according to the Swiss Government Computer Emergency Response Team's technical report describing the incident.\r\nMessage and log files\r\nThe HyperStack implant writes command results and error messages to log files stored in the %Temp% directory. The log files have randomly generated names with the prefixes ‘sm’ and ‘~D’. Turla uses the same ‘~D’ prefix for the names of Carbon log files. 
The HyperStack implant also searches for log files with the prefix ~X and deletes them, suggesting it may be cleaning up after previous versions or another malware family's logs.\r\nAnother version of HyperStack observed in this campaign had simpler functionality, allowing Turla operators to run commands via a named pipe from the controller to the implant, without any of the IPC$ enumeration activity.\r\nThe similarities between the updated functionality in the HyperStack implementation found in September 2020, the RPC backdoor, and the Carbon malware suggest these HyperStack updates were inspired by Turla’s other malware operations, potentially in response to remediation activity taken by the victim.\r\nIOCs\r\nTo mitigate the threat of Carbon, Kazuar, and HyperStack, ACTI recommends checking network logs for indicators related to these backdoors, including the following IOCs:\r\nC\u0026C URLs for Carbon implant\r\nwww.berlinguas[.]com/wp-content/languages/index.php\r\nwww.balletmaniacs[.]com/wp-includes/fonts/icons/\r\npastebin[.]com:443/raw/5qXBPmAZ\r\nsuplexrpc – Named pipe\r\nC\u0026C URLs for Kazuar implant\r\nhttps://www.bombheros[.]com/wp-content/languages/index[.]php\r\nhttps://www.simplifiedhomesales[.]com/wp-includes/images/index.php\r\nhttp://mtsoft.hol[.]es/wp-content/gallery/\r\nhttp://www.polishpod101[.]com/forum/language/en/sign/\r\nSource: https://web.archive.org/web/20201101015247/https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20201101015247/https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
	],
	"report_names": [
		"turla-belugasturgeon-compromises-government-entity"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-29T06:58:57.540835Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-29T06:58:58.237414Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-29T06:58:56.196911Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"SIG23",
				"UNC4210",
				"UAC-0144",
				"UAC-0024",
				"VENOMOUS Bear",
				"Hippo Team",
				"Group 88",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"IRON HUNTER",
				"UAC-0003",
				"Uroburos",
				"Pacifier APT",
				"MAKERSMARK",
				"ATK13",
				"G0010",
				"ITG12",
				"Blue Python",
				"Secret Blizzard"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-29T06:58:57.719008Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429312,
	"ts_updated_at": 1777450883,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b8d84456ebcaf9c13fa0b4f7f033e08ac242620.pdf",
		"text": "https://archive.orkl.eu/7b8d84456ebcaf9c13fa0b4f7f033e08ac242620.txt",
		"img": "https://archive.orkl.eu/7b8d84456ebcaf9c13fa0b4f7f033e08ac242620.jpg"
	}
}