{
	"id": "feacba15-d84a-44ee-9d98-ac1ef45ae814",
	"created_at": "2026-04-06T00:13:48.933502Z",
	"updated_at": "2026-04-10T03:33:36.217805Z",
	"deleted_at": null,
	"sha1_hash": "9b8a60b1630c5c5f5febbfe2aa2c56908d608e32",
	"title": "This hacking gang just updated the malware it uses against UK targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64638,
	"plain_text": "This hacking gang just updated the malware it uses against UK targets\r\nWritten by Danny Palmer, Senior Writer, Jan. 22, 2018 at 4:04 a.m. PT\r\nArchived: 2026-04-05 12:50:21 UTC\r\nA notorious hacking group is targeting the UK with an updated version of malware designed to embed itself into compromised networks and stealthily conduct espionage.\r\nBoth the Neuron and Nautilus malware variants have previously been attributed to the Turla advanced persistent threat group, which regularly carries out cyber-espionage against a range of targets, including government, military, technology, energy, and other commercial organisations.\r\nWithin the last year, the group appears to have been particularly focusing on diplomatic targets, including consulates and embassies.\r\nPrimarily targeting Windows mail servers and web servers, the Turla group deploys specially-crafted phishing emails to compromise targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit.\r\nBy using a combination of these tools, Turla is able to gain persistent network access on compromised systems, providing covert access to sensitive data or the ability to use the system as a gateway for carrying out further attacks.\r\nThe advanced nature of the group means Turla is continually updating and developing its attacks, and now the UK's National Cyber Security Centre (NCSC) -- the cybersecurity arm of GCHQ -- has issued a warning that Turla is deploying a new version of Neuron which has been modified to evade discovery.\r\nAlterations to the dropper and loading mechanisms of Neuron are designed to avoid the malware being detected, allowing its malicious activities to continue without being interrupted.\r\nHackers are using an updated version of Neuron malware to conduct espionage against UK targets, warns the NCSC.\r\nhttps://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/\r\nPage 1 of 3\r\nOne of the ways this is achieved is using an in-memory payload, which is encrypted within the loader to ensure it never touches the disk in plaintext. This modification allows Neuron to evade detection during disk scans performed by antivirus software, although the NCSC say it's \"likely\" that AV suites which scan memory will still uncover the payload.\r\nThe authors of Neuron have also altered the encryption of the new version, now configuring multiple hardcoded keys rather than just using one. Like many of the other changes, it's most likely these have been implemented to make detection and decryption by network defenders more difficult.\r\nThe Turla group moves quickly: the compile times contained within the code show that the new version of the malware was compiled just five days after previous warnings about Neuron were made public in November.\r\nAdvice by the NCSC for organisations that have previously been targeted by Turla is to \"be diligent in checking for the presence of these additional tools\".\r\nThe National Cyber Security Centre doesn't point to the work of Turla being associated with any particular threat actor -- instead referring to it as \"a prevalent cyber threat group targeting the UK\".\r\nHowever, cybersecurity researchers have previously argued that Turla is a state-sponsored operation which works to further the aims of the Russian government.\r\nSource: https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/"
	],
	"report_names": [
		"this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8a60b1630c5c5f5febbfe2aa2c56908d608e32.pdf",
		"text": "https://archive.orkl.eu/9b8a60b1630c5c5f5febbfe2aa2c56908d608e32.txt",
		"img": "https://archive.orkl.eu/9b8a60b1630c5c5f5febbfe2aa2c56908d608e32.jpg"
	}
}