{
	"id": "dea7290f-fc15-48ba-a4a9-f10aba26c3b4",
	"created_at": "2026-04-06T00:19:39.321845Z",
	"updated_at": "2026-04-10T03:33:35.511834Z",
	"deleted_at": null,
	"sha1_hash": "97689346a7edcb951fb872f135dd3f59739c85a1",
	"title": "Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1410168,
	"plain_text": "Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence\r\nBy Ionut Ilascu\r\nPublished: 2018-08-22 · Archived: 2026-04-05 16:07:06 UTC\r\nThe Outlook backdoor used by the Turla APT group for its espionage operations is an unusual beast built for stealth and persistence, capable of surviving in highly restricted networks.\r\nThe malware does not connect to a command and control server; it can receive updates and instructions via PDF files delivered to the victim’s email address. Its control depends only on an email exchange, which can originate from any address the attacker chooses.\r\nSecurity researchers from ESET analyzed the functionality of the utility and learned how it can exfiltrate data without raising an alarm.\r\nhttps://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/\r\nPage 1 of 5\r\nThe Turla group has relied on this backdoor since at least 2013 and has developed it from a basic utility that only dumped email content into a tool that can execute PowerShell commands with the help of the open-source Empire PSInject kit.\r\nIn its most recent iterations, the backdoor is a standalone DLL (dynamic link library) that can install itself and interact with the Outlook and The Bat! email clients. It can do this regardless of its location on the disk.\r\nFor persistence, Turla developers use COM object hijacking, a common but effective technique they’re well versed in. The method allows the malicious DLL to load each time Outlook loads the hijacked COM object. The researchers noticed that this happens when the email client starts.\r\nStealth is achieved by relying on the legitimate Messaging Application Programming Interface (MAPI) to interact with Outlook and get access to the target’s inboxes.\r\nThe researchers say that the operator uses the email transport layer to deliver specially crafted PDF documents containing commands for data exfiltration or for downloading additional files. Information is extracted in the same way, by generating a PDF with the data demanded by the attacker, such as outgoing emails and message metadata.\r\n“From the PDF documents, the backdoor is able to recover what attackers call a container in the logs. This is a binary blob with a special format that contains encrypted commands for the backdoor,” ESET analysts explain in a report released today. “Technically, the attachment does not have to be a valid PDF document. The only requirement is that it includes a container in the right format.”\r\nTo hide the email exchanges from the user, the backdoor deletes the messages sent to or received from the attacker. New email notifications may appear for a few seconds, but the message body is not shown to the user, which could pass as a glitch in the client software.\r\nAlthough they did not obtain a PDF sample with commands for the backdoor, the researchers were able to create such a document. When it was sent to an Outlook inbox controlled by the malware, the backdoor recognized the instructions and launched the Calculator app in Windows.\r\nThe complexity of the Outlook backdoor component is also visible in its encryption algorithm. Just like other tools bearing the Turla signature, the backdoor uses a less common algorithm that the developers customized.\r\nIt employs MISTY1 symmetric encryption, created by Mitsubishi Electric in 1995. To the original implementation, Turla added two XOR operations and changed the key generation method. They also shuffled the values in the s7 and s9 non-linear look-up tables, which breaks tools that recognize cryptographic algorithms by their s-table values.\r\nWith no command and control server to take down, a modus operandi that can pass as legitimate activity to network security components, and modifications to standard functions, Turla’s Outlook backdoor proves difficult to fight.\r\nSource: https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"
	],
	"report_names": [
		"turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97689346a7edcb951fb872f135dd3f59739c85a1.pdf",
		"text": "https://archive.orkl.eu/97689346a7edcb951fb872f135dd3f59739c85a1.txt",
		"img": "https://archive.orkl.eu/97689346a7edcb951fb872f135dd3f59739c85a1.jpg"
	}
}