{
	"id": "5260157e-1434-4069-a5ff-9d70f50180f8",
	"created_at": "2026-04-06T00:21:40.42622Z",
	"updated_at": "2026-04-10T03:37:55.897393Z",
	"deleted_at": null,
	"sha1_hash": "b103b2519187e38b2c0dcb6abc6653bd640bed72",
	"title": "Satellite Turla: APT Command and Control in the Sky",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1863102,
	"plain_text": "Satellite Turla: APT Command and Control in the Sky\r\nBy Stefan Tanase\r\nPublished: 2015-09-09 · Archived: 2026-04-05 15:44:35 UTC\r\nHave you ever watched satellite television? Were you amazed by the diversity of TV channels and radio stations\r\navailable? Have you ever looked in wonder at satellite phones or satellite-based Internet connections wondering\r\nwhat makes them tick? What if we told you that there’s more to satellite-based Internet connections than\r\nentertainment, traffic and weather? Much, much more.\r\nWhen you are an APT group, you need to deal with many different problems. One of them, and perhaps the\r\nbiggest, is the constant seizure and takedown of domains and servers used for command-and-control (C\u0026C).\r\nThese servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used\r\nto trace the attackers back to their physical locations.\r\nSome of the most advanced threat actors or users of commercial hacking tools have found a solution to the\r\ntakedown problem — the use of satellite-based Internet links. In the past, we’ve seen three different actors using\r\nsuch links to mask their operations. The most interesting and unusual of them is the Turla group.\r\nAlso known as Snake or Uroburos, names which come from its top class rootkit, the Turla cyber-espionage group\r\nhas been active for more than 8 years. 
Several papers have been published about the group’s operations, but until\r\nthe Epic Turla research was published by Kaspersky Lab, little information was available about the more unusual\r\naspects of their operations, such as the first stages of infection through watering-hole attacks.\r\nWhat makes the Turla group special is not just the complexity of its tools, which include the Uroburos rootkit, aka\r\n“Snake”, as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but\r\nthe exquisite satellite-based C\u0026C mechanism used in the latter stages of the attack.\r\nhttps://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/\r\nPage 1 of 13\n\nIn this blog, we hope to shed more light on the satellite-based C\u0026C mechanisms that APT groups, including the\r\nTurla/Snake group, use to control their most important victims. As the use of these mechanisms becomes more\r\npopular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.\r\nFor IOCs, see the appendix.\r\nTechnical details\r\nAlthough relatively rare, since 2007 several elite APT groups have been using — and abusing — satellite links to\r\nmanage their operations — most often, their C\u0026C infrastructure. Turla is one of them. Using this approach offers\r\nsome advantages, such as making it hard to identify the operators behind the attack, but it also poses some risks to\r\nthe attackers.\r\nOn the one hand, it’s valuable because the true location and hardware of the C\u0026C server cannot be easily\r\ndetermined or physically seized. Satellite-based Internet receivers can be located anywhere within the area\r\ncovered by a satellite, and this is generally quite large. 
The method used by the Turla group to hijack the\r\ndownstream links is highly anonymous and does not require a valid satellite Internet subscription.\r\nOn the other hand, the disadvantage comes from the fact that satellite-based Internet is slow and can be unstable.\r\nIn the beginning, it was unclear to us and other researchers whether some of the links observed were commercial\r\nInternet connections via satellite, purchased by the attackers, or if the attackers had breached the ISPs and\r\nperformed Man-in-the-Middle (MitM) attacks at the router level to hijack the stream. We have analyzed these\r\nmechanisms and come to the astonishing conclusion that the method used by the Turla group is incredibly simple\r\nand straightforward, as well as highly anonymous and very cheap to operate and manage.\r\nReal satellite links, MitM attacks or BGP hijacking?\r\nPurchasing satellite-based Internet links is one of the options APT groups can choose to secure their C\u0026C traffic.\r\nHowever, full duplex satellite links can be very expensive: a simple duplex 1Mbit up/down satellite link may cost\r\nup to $7000 per week. For longer term contracts this cost may decrease considerably, but the bandwidth still\r\nremains very expensive.\r\nAnother way of getting a C\u0026C server into a satellite’s IP range is to hijack the network traffic between the victim\r\nand the satellite operator and to inject packets along the way. This requires either exploitation of the satellite\r\nprovider itself, or of another ISP on the way.\r\nThese kinds of hijacking attacks have been observed in the past and were documented by Renesys (now part of\r\nDyn) in a blogpost dated November 2013.\r\nAccording to Renesys: “Various providers’ BGP routes were hijacked, and as a result a portion of their Internet\r\ntraffic was misdirected to flow through Belarusian and Icelandic ISPs. 
We have BGP routing data that show the\r\nsecond-by-second evolution of 21 Belarusian events in February and May 2013, and 17 Icelandic events in July-August 2013.”\r\nIn a more recent blogpost from 2015, Dyn researchers point out that: “For security analysts reviewing alert logs,\r\nit is important to appreciate that the IP addresses identified as the source of incidents can and are regularly\r\nspoofed. For example, an attack that appeared to come from a Comcast IP located in New Jersey may really have\r\nbeen from a hijacker located in Eastern Europe, briefly commandeering Comcast IP space. It is interesting to note\r\nthat all six cases discussed above were conducted from either Europe or Russia.”\r\nObviously, such incredibly apparent and large-scale attacks have little chance of surviving for long periods of\r\ntime, which is one of the key requirements for running an APT operation. It is therefore not very feasible to\r\nperform the attack through MitM traffic hijacking, unless the attackers have direct control over some high-traffic\r\nnetwork points, such as backbone routers or fiber optics. 
There are signs that such attacks are becoming more\r\ncommon, but there is a much simpler way to hijack satellite-based Internet traffic.\r\nSatellite link (DVB-S) hijacking\r\nThe hijacking of satellite DVB-S links has been described a few times in the past and a presentation on hijacking\r\nsatellite DVB links was delivered at BlackHat 2010 by the S21Sec researcher Leonardo Nve Egea.\r\nTo hijack satellite DVB-S links, one needs the following:\r\nA satellite dish – the size depends on geographical position and satellite\r\nA low-noise block downconverter (LNB)\r\nA dedicated DVB-S tuner (PCIe card)\r\nA PC, preferably running Linux\r\nWhile the dish and the LNB are more-or-less standard, the card is perhaps the most important component.\r\nCurrently, the best DVB-S cards are made by a company called TBS Technologies. The TBS-6922SE is perhaps\r\nthe best entry-level card for the task.\r\nTBS-6922SE PCIe card for receiving DVB-S channels\r\nThe TBS card is particularly well-suited to this task because it has dedicated Linux kernel drivers and supports a\r\nfunction known as a brute-force scan which allows wide-frequency ranges to be tested for interesting signals. Of\r\ncourse, other PCI or PCIe cards might work as well, while, in general, the USB-based cards are relatively poor and\r\nshould be avoided.\r\nUnlike full duplex satellite-based Internet, the downstream-only Internet links are used to accelerate Internet\r\ndownloads and are very cheap and easy to deploy. They are also inherently insecure and use no encryption to\r\nobfuscate the traffic. 
This creates the possibility for abuse.\r\nCompanies that provide downstream-only Internet access use teleport points to beam the traffic up to the satellite.\r\nThe satellite broadcasts the traffic to larger areas on the ground, in the Ku band (12-18 GHz) by routing certain IP\r\nclasses through the teleport points.\r\nHow does satellite internet hijacking work?\r\nTo attack satellite-based Internet connections, both the legitimate users of these links as well as the attackers’ own\r\nsatellite dishes point to the specific satellite that is broadcasting the traffic. The attackers abuse the fact that the\r\npackets are unencrypted. Once an IP address that is routed through the satellite’s downstream link is identified, the\r\nattackers start listening for packets coming from the Internet to this specific IP. When such a packet is identified,\r\nfor instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the\r\nsource using a conventional Internet line.\r\nAt the same time, the legitimate user of the link just ignores the packet as it goes to an otherwise unopened port,\r\nfor instance, port 80 or 10080. There is an important observation to make here: normally, if a packet hits a closed\r\nport, a RST or FIN packet will be sent back to the source to indicate that there is nothing expecting the packet.\r\nHowever, for slow links, firewalls are recommended and used to simply DROP packets to closed ports. This\r\ncreates an opportunity for abuse.\r\nAbused Internet ranges\r\nDuring the analysis, we observed the Turla attackers abusing several satellite DVB-S Internet providers, most of\r\nthem offering downstream-only connections in the Middle East and Africa. 
Interestingly, the coverage of these\r\nbeams does not include Europe or Asia, meaning that a dish is required in either the Middle East or Africa.\r\nAlternatively, a much larger dish (3m+) can be used in other areas to boost the signal.\r\nTo calculate the dish size, one can use various tools, including online resources such as satbeams.com:\r\nSample dish calculation – (c) www.satbeams.com\r\nThe table below shows some of the command-and-control servers related to the Turla actor with domains\r\nresolving to an IP belonging to satellite-based Internet providers:\r\nIP | First seen | Hosts\r\n84.11.79.6 | Nov, 2007 | n/a, see note below\r\n92.62.218.99 | Feb 25th, 2014 | pressforum.serveblog.net, music-world.servemp3.com\r\n209.239.79.47 | Feb 27th, 2014 | pressforum.serveblog.net, music-world.servemp3.com\r\n209.239.79.52 | March 18th, 2014 | hockey-news.servehttp.com\r\n209.239.79.152 | March 18th, 2014 | hockey-news.servehttp.com\r\n209.239.79.33 | January 25th, 2014 | eu-society.com\r\n92.62.220.170 | March 19th, 2014 | cars-online.zapto.org, fifa-rules.25u.com, forum.sytes.net, health-everyday.faqserv.com, music-world.servemp3.com, nhl-blog.servegame.com, olympik-blog.4dq.com, supernews.sytes.net, tiger.got-game.org, top-facts.sytes.net, x-files.zapto.org\r\n92.62.219.172 | April 26th, 2013 | eu-society.com\r\n82.146.174.58 | May 28th, 2014 | forum.sytes.net, hockey-news.servehttp.com, leagueoflegends.servequake.com, music-world.servemp3.com\r\n82.146.166.56 | March 11th, 2014 | easport-news.publicvm.com\r\n82.146.166.62 | June 24th, 2014 | hockey-news.servehttp.com\r\n62.243.189.231 | April 4th, 2014 | africankingdom.deaftone.com, aromatravel.org, marketplace.servehttp.com, newutils.3utilities.com, people-health.net, pressforum.serveblog.net, weather-online.hopto.org\r\n77.246.76.19 | March 17th, 2015 | onlineshop.sellclassics.com\r\n62.243.189.187 | May 2nd, 2012 | eu-society.com\r\n62.243.189.215 | January 3rd, 2013 | people-health.net\r\n217.20.243.37 | July 3, 2014 | forum.sytes.net, music-world.servemp3.com\r\n217.20.242.22 | September 1st, 2014 | mediahistory.linkpc.net\r\n83.229.75.141 | August 05, 2015 | accessdest.strangled.net, chinafood.chickenkiller.com, coldriver.strangled.net, developarea.mooo.com, downtown.crabdance.com, greateplan.ocry.com, industrywork.mooo.com, radiobutton.mooo.com, securesource.strangled.net, sportnewspaper.strangled.net, supercar.ignorelist.com, supernews.instanthq.com\r\nNote: 84.11.79.6 is hardcoded in the configuration block of the malicious sample.\r\nThe observed satellite IPs have the following ‘WHOIS’ information:\r\nIP | Country | ISP\r\n92.62.220.170, 92.62.219.172, 92.62.218.99 | Nigeria | Skylinks Satellite Communications Limited\r\n209.239.79.47, 209.239.79.52, 209.239.79.152, 209.239.79.33 | UAE | Teleskies, Telesat Network Services Inc\r\n82.146.174.58, 82.146.166.56, 82.146.166.62 | Lebanon | Lunasat Isp\r\n62.243.189.231, 62.243.189.187, 62.243.189.215 | Denmark | Emperion\r\n77.246.71.10, 77.246.76.19 | Lebanon | Intrasky Offshore S.a.l.\r\n84.11.79.6 | Germany | IABG mbH\r\n217.20.243.37 | Somalia | Sky Power International Ltd\r\n217.20.242.22 | Nigeria | Sky Power International Ltd\r\n83.229.75.141 | United Kingdom | SkyVision Global Networks Ltd\r\n217.194.150.31 | Niger | SkyVision Global Networks Ltd\r\n41.190.233.29 | Congo | Orioncom\r\nOne interesting case is probably 84.11.79.6, which falls into the satellite IP range of IABG mbH.\r\nThis IP is encrypted in the C\u0026C of the 
following backdoor used by the Turla group, known as “Agent.DNE”:\r\nmd5 0328dedfce54e185ad395ac44aa4223c\r\nsize 91136 bytes\r\ntype Windows PE\r\nAgent.DNE C\u0026C configuration\r\nThis Agent.DNE sample has a compilation timestamp of Thu Nov 22 14:34:15 2007, meaning that the Turla group\r\nhas been using satellite-based Internet links for almost eight years.\r\nConclusions\r\nThe regular usage of satellite-based Internet links by the Turla group represents an interesting aspect of their\r\noperation. The links are generally up for several months, but never for too long. It is unknown if this is due to\r\noperational security limitations self-imposed by the group or because of shutdown by other parties due to\r\nmalicious behavior.\r\nThe technical method used to implement these Internet circuits relies on hijacking downstream bandwidth from\r\nvarious ISPs and packet-spoofing. This is a method that is technically easy to implement, and provides a much\r\nhigher degree of anonymity than possibly any other conventional method such as renting a VPS or hacking a\r\nlegitimate server.\r\nTo implement this attack methodology, the initial investment is less than $1000. Regular maintenance should be\r\nless than $1000 per year. Considering how easy and cheap this method is, it is surprising that we have not seen\r\nmore APT groups using it. Even though this method provides an unmatched level of anonymity, for logistical reasons\r\nit is more straightforward to rely on bullet-proof hosting, multiple proxy levels or hacked websites. 
In truth, the\r\nTurla group has been known to use all of these techniques, making it a very versatile, dynamic and flexible cyber-espionage operation.\r\nLastly, it should be noted that Turla is not the only APT group that has used satellite-based Internet links.\r\nHackingTeam C\u0026Cs were seen on satellite IPs before, as well as C\u0026Cs from the Xumuxu group and, more\r\nrecently, the Rocket Kitten APT group.\r\nIf this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious\r\nproblem for the IT security and counter-intelligence communities.\r\n* A full paper on the Turla group’s use of satellite-based Internet links is available to the customers of Kaspersky\r\nIntelligence Services.\r\nIndicators of compromise:\r\nIPs:\r\n84.11.79.6\r\n41.190.233.29\r\n62.243.189.187\r\n62.243.189.215\r\n62.243.189.231\r\n77.246.71.10\r\n77.246.76.19\r\n77.73.187.223\r\n82.146.166.56\r\n82.146.166.62\r\n82.146.174.58\r\n83.229.75.141\r\n92.62.218.99\r\n92.62.219.172\r\n92.62.220.170\r\n92.62.221.30\r\n92.62.221.38\r\n209.239.79.121\r\n209.239.79.125\r\n209.239.79.15\r\n209.239.79.152\r\n209.239.79.33\r\n209.239.79.35\r\n209.239.79.47\r\n209.239.79.52\r\n209.239.79.55\r\n209.239.79.69\r\n209.239.82.7\r\n209.239.85.240\r\n209.239.89.100\r\n217.194.150.31\r\n217.20.242.22\r\n217.20.243.37\r\nHostnames:\r\naccessdest.strangled[.]net\r\nbookstore.strangled[.]net\r\nbug.ignorelist[.]com\r\ncars-online.zapto[.]org\r\nchinafood.chickenkiller[.]com\r\ncoldriver.strangled[.]net\r\ndeveloparea.mooo[.]com\r\ndowntown.crabdance[.]com\r\neasport-news.publicvm[.]com\r\neurovision.chickenkiller[.]com\r\nfifa-rules.25u[.]com\r\nforum.sytes[.]net\r\ngoldenroade.strangled[.]net\r\ngreateplan.ocry[.]com\r\nhealth-everyday.faqserv[.]com\r\nhighhills.ignorelist[.]com\r\nhockey-news.servehttp[.]com\r\nindustrywork.mooo[.]com\r\nleagueoflegends.servequake[.]com\r\nmarketplace.servehttp[.]com\r\nmediahistory.linkpc[.]net\r\nmusic-world.servemp3[.]com\r\nnew-book.linkpc[.]net\r\nnewgame.2waky[.]com\r\nnewutils.3utilities[.]com\r\nnhl-blog.servegame[.]com\r\nnightstreet.toh[.]info\r\nolympik-blog.4dq[.]com\r\nonlineshop.sellclassics[.]com\r\npressforum.serveblog[.]net\r\nradiobutton.mooo[.]com\r\nsealand.publicvm[.]com\r\nsecuresource.strangled[.]net\r\nsoftstream.strangled[.]net\r\nsportacademy.my03[.]com\r\nsportnewspaper.strangled[.]net\r\nsupercar.ignorelist[.]com\r\nsupernews.instanthq[.]com\r\nsupernews.sytes[.]net\r\ntelesport.mooo[.]com\r\ntiger.got-game[.]org\r\ntop-facts.sytes[.]net\r\ntrack.strangled[.]net\r\nwargame.ignorelist[.]com\r\nweather-online.hopto[.]org\r\nwintersport.mrbasic[.]com\r\nx-files.zapto[.]org\r\nMD5s:\r\n0328dedfce54e185ad395ac44aa4223c\r\n18da7eea4e8a862a19c8c4f10d7341c0\r\n2a7670aa9d1cc64e61fd50f9f64296f9\r\n49d6cf436aa7bc5314aa4e78608872d8\r\na44ee30f9f14e156ac0c2137af595cf7\r\nb0a1301bc25cfbe66afe596272f56475\r\nbcfee2fb5dbc111bfa892ff9e19e45c1\r\nd6211fec96c60114d41ec83874a1b31d\r\ne29a3cc864d943f0e3ede404a32f4189\r\nf5916f8f004ffb85e93b4d205576a247\r\n594cb9523e32a5bbf4eb1c491f06d4f9\r\nd5bd7211332d31dcead4bfb07b288473\r\nKaspersky Lab products detect the above Turla samples with the following 
verdicts:\r\nBackdoor.Win32.Turla.cd\r\nBackdoor.Win32.Turla.ce\r\nBackdoor.Win32.Turla.cl\r\nBackdoor.Win32.Turla.ch\r\nBackdoor.Win32.Turla.cj\r\nBackdoor.Win32.Turla.ck\r\nTrojan.Win32.Agent.dne\r\nReferences:\r\n1. Agent.btz: a Source of Inspiration?\r\n2. The Epic Turla operation\r\n3. The ‘Penquin’ Turla\r\nSource: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/"
	],
	"report_names": [
		"satellite-turla-apt-command-and-control-in-the-sky"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b103b2519187e38b2c0dcb6abc6653bd640bed72.pdf",
		"text": "https://archive.orkl.eu/b103b2519187e38b2c0dcb6abc6653bd640bed72.txt",
		"img": "https://archive.orkl.eu/b103b2519187e38b2c0dcb6abc6653bd640bed72.jpg"
	}
}