{
	"id": "b6c67d16-fa29-4732-bbdd-874ce4433176",
	"created_at": "2026-04-06T00:07:02.286187Z",
	"updated_at": "2026-04-10T03:33:36.181554Z",
	"deleted_at": null,
	"sha1_hash": "89725e4d7a0c8e3727ba7a80333ed086dc3d589f",
	"title": "Microsoft: Hackers turn Exchange servers into malware control centers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3886856,
	"plain_text": "Microsoft: Hackers turn Exchange servers into malware control centers\r\nBy Lawrence Abrams\r\nPublished: 2023-07-19 · Archived: 2026-04-05 18:53:26 UTC\r\nMicrosoft and the Ukraine CERT warn of new attacks by the Russian state-sponsored Turla hacking group, targeting the defense industry and Microsoft Exchange servers with a new 'DeliveryCheck' malware backdoor.\r\nTurla, aka Secret Blizzard, KRYPTON, and UAC-0003, is believed to be an advanced persistent threat actor (APT) linked to Russia's Federal Security Service (FSB).\r\nThe cyberspies have been associated with a wide array of attacks against Western interests over the years, including the Snake cyber-espionage malware botnet that was recently disrupted in an international law enforcement operation titled Operation MEDUSA.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-hackers-turn-exchange-servers-into-malware-control-centers/\r\nPage 1 of 5\r\nTargeting Microsoft Exchange\r\nIn a coordinated report and Twitter thread published today by CERT-UA and Microsoft, researchers outline a new attack where the Turla threat actors target the defense sector in Ukraine and Eastern Europe.\r\nThe attacks start with phishing emails containing Excel XLSM attachments that contain malicious macros. When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.\r\nHowever, this task downloads the DeliveryCheck backdoor (also known as CapiBar and GAMEDAY) and launches it in memory, where it connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.\r\nMicrosoft says that these malware payloads are embedded and launched from XSLT stylesheets.\r\nAttack flow that delivers the DeliveryCheck malware\r\nSource: CERT-UA\r\nAfter infecting devices, the threat actors utilize the backdoor to exfiltrate data from the compromised devices using the Rclone tool.\r\nWhat makes DeliveryCheck stand out is a Microsoft Exchange server-side component that turns the server into a command and control server for the threat actors.\r\nMicrosoft says this component is installed using Desired State Configuration, a PowerShell module that allows admins to create a standardized server configuration and apply it to devices.\r\nThis feature is usually used to create a default configuration template that can then be used to configure multiple devices with the same settings automatically.\r\nThe threat actors use DSC to automatically load a base64-encoded Windows executable which converts the legitimate Exchange server into a malware-distribution server.\r\nMicrosoft Exchange server-side component of DeliveryCheck\r\nSource: UA-CERT\r\nDuring the attack, Microsoft and CERT-UA also saw Turla drop the KAZUAR information-stealing backdoor, a \"fully-featured Secret Blizzard implant\".\r\nThis malware is a cyberespionage tool that allows the threat actors to launch JavaScript on the device, steal data from event logs, steal information about system files, and steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.\r\n\"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems,\" the Microsoft Threat Intelligence team tweeted.\r\nCERT-UA says they have shared samples of the new malware with cybersecurity companies to aid detection.\r\nHowever, at this time, only 14/70 vendors on VirusTotal detected a submitted DeliveryCheck sample as malware, which will likely increase as the day progresses.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-hackers-turn-exchange-servers-into-malware-control-centers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-hackers-turn-exchange-servers-into-malware-control-centers/"
	],
	"report_names": [
		"microsoft-hackers-turn-exchange-servers-into-malware-control-centers"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89725e4d7a0c8e3727ba7a80333ed086dc3d589f.pdf",
		"text": "https://archive.orkl.eu/89725e4d7a0c8e3727ba7a80333ed086dc3d589f.txt",
		"img": "https://archive.orkl.eu/89725e4d7a0c8e3727ba7a80333ed086dc3d589f.jpg"
	}
}