{
	"id": "6b845502-df36-4a54-9b9c-d8974c97af47",
	"created_at": "2026-04-06T00:18:49.94551Z",
	"updated_at": "2026-04-10T03:33:35.554593Z",
	"deleted_at": null,
	"sha1_hash": "a7fe9b1dbc59b5de0c74b2b5c62605c4fbc5feb0",
	"title": "The ‘Penquin’ Turla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 299576,
	"plain_text": "The ‘Penquin’ Turla\r\nBy Kurt Baumgartner\r\nPublished: 2014-12-08 · Archived: 2026-04-05 16:52:45 UTC\r\nRecently, an interesting malicious sample was uploaded to a multi-scanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle. That puzzle is “Turla”, one of the most complex APTs in the world.\r\nWe have written previously about the Turla APT with posts about their Epic Turla operations and Agent.btz inspiration.\r\nSo far, every single Turla sample we’ve encountered was designed for the Microsoft Windows family, 32- and 64-bit operating systems. The newly discovered Turla sample is unusual in that it’s the first Turla sample targeting the Linux operating system that we have discovered.\r\nhttps://securelist.com/blog/research/67962/the-penquin-turla-2/\r\nPage 1 of 5\r\nThis newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple of years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.\r\nThe Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.\r\nMd5 | Size | Verdict Name\r\n0994d9deb50352e76b0322f48ee576c6 | 627.2 kb | N/A (broken file)\r\n14ecd5e6fc8e501037b54ca263896a11 | 637.6 kb | HEUR:Backdoor.Linux.Turla.gen\r\nGeneral executable characteristics:\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped\r\nStatically linked libraries:\r\nglibc 2.3.2 – the GNU C library\r\nopenssl v0.9.6 – an older OpenSSL library\r\nlibpcap – tcpdump’s network capture library\r\nHardcoded C\u0026C, known Turla activity: news-bbc.podzone[.]org\r\nThe domain has the following pDNS IP: 80.248.65.183\r\n80.248.65.183\r\naut-num:        AS30982\r\nannouncement:   80.248.65.0/24\r\nas-name:        CAFENET\r\ndescr:          CAFE Informatique et telecommunications\r\nadmin-c:        YN2-AFRINIC\r\ntech-c:         AN39-AFRINIC\r\norg:            ORG-CIet1-AFRINIC\r\nmnt-by:         AFRINIC-HM-MNT\r\nmnt-lower:      CAFENET-NOC\r\nsource:         AFRINIC # Filtered\r\nNote: the C\u0026C domain is currently sinkholed by Kaspersky Lab.\r\nFunctional description\r\nThe sample is a stealth backdoor based on the cd00r sources.\r\nThis Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can’t be discovered via netstat, a commonly used administrative tool. It uses techniques that don’t require root access, which allows it to be run more freely on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.\r\nStartup and Execution\r\nTo start execution, the process requires two parameters: ID (a numeric value used as a part of the “magic packet for authentication”) and an existing network interface name. The parameters can be entered in two different ways: from STDIN, or from a dropper launching the sample. This is NOT a command-line parameter; it’s a real prompt asking the attacker user to provide the input parameters. After the ID and interface name are entered and the process launched, the backdoor’s process PID is returned. Here is a screenshot of this simple interface:\r\nWhile there is no initial network callback, a section of code maintains a hardcoded C2 string “news-bbc.podzone[.]org”. This fully qualified domain name was first set up in 2010, suggesting that this binary is fairly recent in the string of Turla campaigns. Also, while we haven’t seen additional file download activity from this server by this tool, it likely participated as a file server of sorts.\r\nMagic Packets for Remote Command Execution\r\nThe module statically links PCAP libraries, and uses this code to get a raw socket, applies a filter on it, and captures packets, checking for a specific condition (the original cd00r first used this method, based on ports and SYN packets). This condition is expressed here (it is based on the ID value input at startup by the attacker):\r\nID = 123\r\nFilter = (tcp[8:4] \u0026 0xe007ffff = 0xe003bebe) or (udp[12:4] \u0026 0xe007ffff = 0xe003bebe)\r\nID = 321\r\nFilter = (tcp[8:4] \u0026 0xe007ffff = 0x1bebe) or (udp[12:4] \u0026 0xe007ffff = 0x1bebe)\r\nIn simple terms, it checks for an ACK number in the TCP header, or the second byte from the UDP packet body. If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations; it’s not the typical recv/send used in this code. It uses this new socket to connect to the source address of the “magic packets”. Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a “/bin/sh -c ” script.\r\nFurther analysis of the sample’s functionality will be updated here.\r\nConclusions\r\nAlthough Linux variants from the Turla framework were known to exist, we haven’t seen any in the wild yet. This specific module appears to have been put together from public sources with some added functionality from the attackers. Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C\u0026C hostname which fits previously known Turla activity.\r\nThe discovery of this Turla module raises one big question: how many other unknown Turla variants exist?\r\nUpdate: Since the publishing of this blogpost, we have discovered another Linux Turla module, which apparently represents a different malware generation than the previously known samples:\r\nThe new sample was heuristically detected by our product due to similarities with the previously discovered samples.\r\nMd5 | Size | Verdict Name\r\n19fbd8cbfb12482e8020a887d6427315 | 801,561 bytes | HEUR:Backdoor.Linux.Turla.gen\r\nBAE Systems – The Snake Campaign\r\nKaspersky Lab – The Epic Turla Operation\r\n“TR-25 Analysis – Turla / Pfinet / Snake / Uroburos” by CIRCL.LU\r\n“Uroburos: the snake rootkit”, technical analysis by deresz and tecamac\r\nAgent.BTZ – A Source of Inspiration?\r\nSource: https://securelist.com/blog/research/67962/the-penquin-turla-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/67962/the-penquin-turla-2/"
	],
	"report_names": [
		"the-penquin-turla-2"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7fe9b1dbc59b5de0c74b2b5c62605c4fbc5feb0.pdf",
		"text": "https://archive.orkl.eu/a7fe9b1dbc59b5de0c74b2b5c62605c4fbc5feb0.txt",
		"img": "https://archive.orkl.eu/a7fe9b1dbc59b5de0c74b2b5c62605c4fbc5feb0.jpg"
	}
}