{
	"id": "61ff3c0d-5778-42d1-abb5-33e89105950a",
	"created_at": "2026-04-06T00:13:53.400485Z",
	"updated_at": "2026-04-10T03:33:46.246673Z",
	"deleted_at": null,
	"sha1_hash": "9b73d28ae9160df9efaa71678b78e6b06fa9d2c6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55255,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-02 12:38:21 UTC\n APT group: Nazar\nNames\nNazar (Epic Turla)\nSIG37 (NSA)\nCountry Iran\nMotivation Information theft and espionage\nFirst seen 2008\nDescription\n(Epic Turla) It’s hard to understand the scope of this operation without access to victimology\n(e.g.: endpoint visibility or command-and-control sinkholing). Additionally, some possible\ntimestomping muddies the water between this operation possible originating in 2008-2009 or\nactually coming into full force in 2010-2013 (the latter dates being corroborated by VT\nfirstseen submission times and second-stage drop timestamps). There’s a level of variable\ndevelopmental capability visible throughout the stages. Multiple components are abused\ncommonly-available resources, while the orchestrator and two of the DLL drops actually\ndisplay some developmental ingenuity (in the form of seemingly novel COM techniques). Far\nfrom the most advanced coding practices but definitely better than the sort of .NET garbage\nother ‘Farsi-speaking’ APTs have gotten away with in the past.\nSomehow, this operation found its way onto the NSA’s radar pre-2013. As far as I can tell, it’s\neluded specific coverage from the security industry. A possible scenario to account for the\ndisparate visibility between the NSA and Western researchers when it comes to this cluster of\nactivity is that these samples were exclusively encountered on Iranian boxes overlapping with\nEQGRP implants. Submissions of Nazar subcomponents from Iran (as well as privately shared\nvisibility into historical and ongoing victimology clustered entirely on Iranian machines) could\nsupport that theory. Perhaps this is an internal monitoring framework (a la Attor) but given the\nsparse availability of historical data, I wouldn’t push that beyond a low-confidence\nassessment, at this time.\nObserved\nTools used Distribute.exe, EYService, GpUpdates.exe, Microolap Packet Sniffer.\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7bc83157-e747-4668-ab0d-f343aead75c1\nPage 1 of 2\n\nLast change to this card: 13 March 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7bc83157-e747-4668-ab0d-f343aead75c1\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7bc83157-e747-4668-ab0d-f343aead75c1\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7bc83157-e747-4668-ab0d-f343aead75c1"
	],
	"report_names": [
		"showcard.cgi?u=7bc83157-e747-4668-ab0d-f343aead75c1"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bf773c52-830b-46e3-aa61-58c82eb323ee",
			"created_at": "2023-01-06T13:46:39.135077Z",
			"updated_at": "2026-04-10T02:00:03.226187Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "MISPGALAXY:Nazar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f3b19931-3751-4ece-a235-15b397951dc2",
			"created_at": "2022-10-25T16:07:23.889537Z",
			"updated_at": "2026-04-10T02:00:04.780137Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "ETDA:Nazar",
			"tools": [
				"Distribute.exe",
				"EYService",
				"GpUpdates.exe",
				"Microolap Packet Sniffer",
				"TCPDUMP for Windows"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b73d28ae9160df9efaa71678b78e6b06fa9d2c6.pdf",
		"text": "https://archive.orkl.eu/9b73d28ae9160df9efaa71678b78e6b06fa9d2c6.txt",
		"img": "https://archive.orkl.eu/9b73d28ae9160df9efaa71678b78e6b06fa9d2c6.jpg"
	}
}