{
	"id": "aa9af589-3416-4bc3-8ad0-446c5d043a71",
	"created_at": "2026-04-06T00:13:35.522208Z",
	"updated_at": "2026-04-10T03:37:50.047953Z",
	"deleted_at": null,
	"sha1_hash": "9a4b9823643bad06df6460873c4d6af08dabd747",
	"title": "Threat actor of in-Tur-est",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025707,
	"plain_text": "Threat actor of in-Tur-est\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 18:54:07 UTC\r\nBy Jack Simpson, Cyber Threat Intelligence, PwC\r\nIn January 2021, PwC observed a phishing page that prompted an investigation into a new threat actor we now call ‘White Tur’. Per our in-house naming convention for threat actors, the use of the colour ‘White’ indicates that we have not yet formally attributed White Tur as being based in a specific geographic location.\r\nOur journey began when hunting for newly registered domains with TLS certificates that use the term ‘qov’, spoofing the legitimate term ‘gov’. Spoofing the word ‘gov’ has previously been a favoured technique of several unrelated threat actors, such as Blue Athena (a.k.a. Sofacy, APT28)[1]. On 31st January 2021, we observed the subdomain mail[.]mod[.]qov[.]rs being used to phish for Serbian Ministry of Defence credentials. The phishing page shown in Figure 1, when visited, logged not only the credentials entered but also the visit to the page itself.\r\nFigure 1 - Serbian Ministry of Defence phishing page mail[.]mod[.]qov[.]rs\r\nWhen tracking domain registrations and domain resolutions to White Tur-attributed infrastructure, we observed it to be a persistent threat actor operating over a number of years, from at least 2017 through to 2021, as shown in Figure 2.\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html\r\nPage 1 of 6\r\nFigure 2 - Timeline of domain registration and domain resolution activity by White Tur\r\nThe techniques used by White Tur included:\r\nWeaponised documents - Ranging from documents containing macros to exploits such as CVE-2017-0199;\r\nHTA scripts - Scripts that lead to the execution of PowerShell were often observed being used as an alternative to weaponised documents as an initial infection vector;\r\nXSL scripts - Used inside weaponised documents to execute a payload. From our observations, the XSL scripts can be used to execute a JScript or Windows binary backdoor;\r\nPowerShell scripts - Part of the infection chain to download and execute the final payload;\r\nJScript - One of the backdoors used by White Tur was developed in JScript (one of the interpreted languages used in Windows Script Host);\r\nWindows binaries - Another backdoor used by White Tur was packaged as a Windows binary; and,\r\nPhishing - Phishing activity with governmental, defence, research and development and telecommunications themes.\r\nThis blog is focused on our analysis of White Tur’s use of the open-source project OpenHardwareMonitor for payload execution. This project monitors a computer’s temperature sensors, fan speeds, voltages, load and clock speeds[2]. We observed an archive named OpenHardwareMonitor-revised.zip with patterns we commonly associate with White Tur.\r\nFilename: OpenHardwareMonitor-revised.zip\r\nSHA-256: 317f14542cba69453d1f5da8c7d5a2ecad2b502ebcbb6256cc397a9fdb18bb9c\r\nFile type: Zip archive\r\nFile size: 2,810,227 bytes\r\nFirst observed: 2021-05-26 17:50:34\r\nAnalysis\r\nAfter analysing the contents of the ZIP file, we assessed that White Tur was likely packaging the OpenHardwareMonitor project and backdooring parts of it to execute its payloads. There were three files that White Tur had modified or created inside the archive, listed in Table 1.\r\nTable 1 - Malicious files in the OpenHardwareMonitor archive\r\nFilename | SHA-256 | Description\r\nOpenHardwareMonitorLib.csproj | 7e187735d3701b681e60605563e4bb9c0febab5f4af2cbf40ba92722bf3e8f9e | Modified Visual Studio project through the pre-build event\r\ncommand.dat | 3e59b5a07becf6956ee9271d57135d4d6524bfc3f4e9bd7866c16810f4ff3020 | Windows binary malware\r\nCWRITE.ps1 | 3f99e107781c531db626e94a457bb630df4f4f37893ec2dfb2789a0b3115064b | PowerShell downloader\r\nOpenHardwareMonitorLib.csproj\r\nWhite Tur modified the file OpenHardwareMonitorLib.csproj to inject PowerShell code into the pre-build event available in Visual Studio projects. This technique for gaining execution was discussed by Microsoft in January 2021, when they observed the North Korea-based threat actor ZINC (which we track as Black Artemis) using this method[3]. The PowerShell code retrieves environmental information from the victim using PowerShell WMI objects and utilises the BitsTransfer module available in PowerShell to download a payload, as shown in Figure 3. The payload is downloaded and copied to \\APPDATA\\Local\\Microsoft\\OneDrive\\WOFUTIL.dll; this filename has been observed in previous White Tur activity[4].\r\nFigure 3 - PowerShell code contained in the PreBuildEvent tag\r\nThe PowerShell script generates a unique ID for the infected machine and refers to it as a ‘UUID’. This unique identifier is sent to the C2 when the payload is downloaded through the URL:\r\nhxxp[:]//onedrive-login[.]us/download.php?uuid=\u003cunique_ID\u003e\r\nCWRITE.ps1\r\nCWRITE.ps1 is a PowerShell downloader script; however, unlike the pre-build event, it uses a different technique for C2 communication and logs environmental information to a separate IP address. The PowerShell script sends environmental information to the following URL via BitsTransfer:\r\nhxxp[:]//193.37.213[.]135/BitsData/\r\nThe PowerShell script then downloads the payload to the same folder via the same URL as the previous script:\r\nhxxp[:]//onedrive-login[.]us/download.php?uuid=\u003cunique_ID\u003e\r\nHowever, its method of communication has been modified: in this sample, the PowerShell script instantiates a COM object, specifically XML HTTP 3.0[5]. The script uses the .Open() method to send an HTTP request, as shown in Figure 4.\r\nFigure 4 - Payload being downloaded using XML HTTP 3.0 COM object in PowerShell\r\nCommand.dat\r\nThe binary command.dat is a DLL that contains exports previously observed in White Tur payloads. These exports are:\r\nGetAdaptersAddresses;\r\nGetAdaptersInfo;\r\nGetLoaderInterface; and,\r\nGetTeamViewerInterface.\r\nThe payload functions correctly when executed through the default DLL entry point, DllEntrypoint. PwC assesses White Tur likely uses the name WOFUTIL.dll for payloads in a DLL search order hijacking attack. The Windows binary OneDriveStandAloneUpdater.exe is vulnerable to DLL search order hijacking and loads the DLL WOFUTIL.dll[6]. The DLL also makes use of BitsTransfer COM objects: it calls CoCreateInstance with class identifiers (CLSIDs) related to the BitsTransfer control class, as shown in Figure 5.\r\nFigure 5 - Malware utilising BitsTransfer control class COM objects\r\nLike the PowerShell scripts, the Windows binary generates a unique identifier for the victim. This is achieved by dynamically loading the library RPCRT4.dll and calling UuidCreateSequential(). The malware uses the following URL with the BitsTransfer COM object for C2 communication:\r\nhxxp[:]//onedrive-login[.]us/tp/reply.php\r\nThis is the most functional backdoor we have observed from White Tur; it is capable of:\r\nFile management;\r\nUpload and download of files;\r\nExecution of commands; and,\r\nSetting the malware sleep time.\r\nHowever, White Tur has been experimenting with malware development and open-source projects. For example, we identified an open-source malware project name in the command.dat PDB path. “Storm Kitty” is an open-source C# stealer used to capture credentials and keystrokes from the victim.\r\nC:\\Users\\tensho\\Desktop\\StormKitty-master\\Cameleon\\Release\\Cameleon.pdb\r\nThis threat actor uses several techniques often employed by a wide variety of threat actors, such as DLL search order hijacking, phishing and the use of COM objects. The unique feature of this threat actor is its victimology, targeting defence, governmental and research organisations based in Serbia and Republika Srpska. The full infection chain we observed with this technique is shown in Figure 6.\r\nFigure 6 - Part of the infection chain used by White Tur\r\nFootnotes\r\n[1] ‘APT28: A Window into Russia’s Cyber Espionage Operations?’, FireEye, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf (5th February 2010)\r\n[2] ‘Open Hardware Monitor - Core temp, fan speed and voltages in a free software gadget’, OpenHardwareMonitor, https://openhardwaremonitor.org/ (n.d.)\r\n[3] ‘ZINC attacks against security researchers’, Microsoft, https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ (28th January 2021)\r\n[4] CTO-TIB-20210903-01A - Darth Vladars under attack Part 3\r\n[5] ‘MSXML 3.0 GUIDs and ProgIDs’, Microsoft, https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766426(v=vs.85) (27th October 2018)\r\n[6] ‘Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon’, SecurityIntelligence, https://securityintelligence.com/posts/hunting-evidence-dll-side-loading-powershell-sysmon/ (18th August 2021)\r\n[7] ‘Attribution of Advanced Persistent Threats’, Springer: Timo Steffens, 20th July 2020, https://link.springer.com/book/10.1007/978-3-662-61313-9\r\nSource: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html"
	],
	"report_names": [
		"threat-actor-of-in-tur-est.html"
	],
	"threat_actors": [
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a4b9823643bad06df6460873c4d6af08dabd747.pdf",
		"text": "https://archive.orkl.eu/9a4b9823643bad06df6460873c4d6af08dabd747.txt",
		"img": "https://archive.orkl.eu/9a4b9823643bad06df6460873c4d6af08dabd747.jpg"
	}
}