{
	"id": "f2d4f035-e732-4672-bcb7-438291e5b799",
	"created_at": "2026-04-06T00:19:24.756014Z",
	"updated_at": "2026-04-10T03:37:50.277768Z",
	"deleted_at": null,
	"sha1_hash": "b70fa29bd9b02be4bc5d8658bdca40751f0cf90a",
	"title": "Introducing WhiteBear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247398,
	"plain_text": "Introducing WhiteBear\r\nBy GReAT\r\nPublished: 2017-08-30 · Archived: 2026-04-05 13:31:29 UTC\r\nAs a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the content of that report is\r\nreproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity\r\ndocumented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016.\r\nLike previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for\r\ncommand and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other\r\nTurla campaigns, like those deploying KopiLuwak, as documented in “KopiLuwak – A New JavaScript Payload\r\nfrom Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as\r\nwell as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts.\r\nHowever, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with\r\na separate focus. We note that this observation of delineated target focus, tooling, and project context is an\r\ninteresting one that also can be repeated across broadly labeled Turla and Sofacy activity.\r\nFrom February to September 2016, WhiteBear activity was narrowly focused on embassies and consular\r\noperations around the world. All of these early WhiteBear targets were related to embassies and\r\ndiplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related\r\norganizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively\r\nrare and represent a departure from the broader Skipper Turla target set. 
Additionally, a comparison of the\r\nWhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate\r\ndevelopment efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack\r\nFirefox extension installer payloads, and contain several new components signed with a new code signing digital\r\ncertificate, unlike WhiteAtlas incidents and modules.\r\nhttps://securelist.com/introducing-whitebear/81638/\r\nPage 1 of 12\n\nThe exact delivery vector for WhiteBear components is unknown to us, although we strongly suspect that\r\nthe group spearphished targets with malicious pdf files. The decoy pdf document above was likely stolen from a\r\ntarget or partner. And, although WhiteBear components have been consistently identified on a subset of systems\r\npreviously targeted with the WhiteAtlas framework, and maintain components within the same filepaths and can\r\nmaintain identical filenames, we were unable to firmly tie delivery to any specific WhiteAtlas component.\r\nWhiteBear focused on various embassies and diplomatic entities around the world in early 2016 – tellingly,\r\nattempts were made to drop and display decoy pdfs with full diplomatic headers and content alongside executable\r\ndroppers on target systems.\r\nTechnical Details\r\nThe WhiteBear platform implements an elaborate set of messaging and injection components to support full\r\npresence on victim hosts. 
A diagram helps to visualize the reach of injected components on the system.\r\nWhiteBear Binary loader\r\nSample MD5: b099b82acb860d9a9a571515024b35f0\r\nType: PE EXE\r\nCompilation timestamp: 2002.02.05 17:36:10 (GMT)\r\nLinker version: 10.0 (MSVC 2010)\r\nSignature: “Solid Loop Ldt” UTCTime 15/10/2015 00:00:00 GMT – UTCTime 14/10/2016 23:59:59 GMT\r\nThe WhiteBear binary loader maintains several features including two injection methods for its (oddly named)\r\n“KernelInjector” subsystem, also named by its developer:\r\n– Standart\r\n– WindowInject (includes an unusual technique for remotely placing code into memory for subsequent thread\r\nexecution)\r\nThe loader also maintains two methods for privilege and DEP process protection handling:\r\n– GETSID_METHOD_1\r\n– GETSID_METHOD_2\r\nThe binary contains two resources:\r\n– BINARY 201\r\n– File size: 128 bytes\r\n– Contains the string, “explorer.exe”\r\n– BINARY 202\r\n– File size: 403456 bytes\r\n– File Type: PE file (this is the actual payload and is not encrypted)\r\n– This PE file resource stores the “main orchestrator” .dll file\r\nLoader runtime flow\r\nThe loader creates the mutex “{531511FA-190D-5D85-8A4A-279F2F592CC7}”, and waits up to two minutes if it\r\nis already present, while logging the message “IsLoaderAlreadyWork +”. It then extracts the resource BINARY 201. This resource contains a\r\nwide string name of processes to inject into (i.e. 
“explorer.exe”).\r\nThe loader makes a pipe named: \\\\.\\pipe\\Winsock2CatalogChangeListener-%03x%01x-%01x\r\nWhere the “%x” parameters are replaced with the values 0xFFFFFFFF 0xEEEEEEEE 0xDDDDDDDD, or if it has\r\nsuccessfully obtained the user’s SID:\r\n\\\\.\\pipe\\Winsock2CatalogChangeListener-%02x%02x-%01x\r\nWith “%x” parameters replaced with numbers calculated from the current date and a munged user SID.\r\nThe pipe is used to communicate with the target process and the transport module; the running code also reads its\r\nown image body and writes it to the pipe. The loader then obtains the payload body from resource BINARY 202.\r\nIt finds the running process that matches the target name, copies the buffer containing the payload into the\r\nprocess, then starts its copy in the target process.\r\nThere are some interesting, juvenile, and non-native English-speaker debug messages compiled into the code:\r\n– i cunt waiting anymore #%d\r\n– lights aint turnt off with #%d\r\n– Not find process\r\n– CMessageProcessingSystem::Receive_NO_CONNECT_TO_GAYZER\r\n– CMessageProcessingSystem::Receive_TAKE_LAST_CONNECTION\r\n– CMessageProcessingSystem::Send_TAKE_FIN\r\nWhiteBear Main module/orchestrator\r\nSample MD5: 06bd89448a10aa5c2f4ca46b4709a879\r\nType, size: PE DLL, 394 kb\r\nCompilation timestamp: 2002.02.05 17:31:28 (GMT)\r\nLinker version: 10.0 (MSVC 2010)\r\nUnsigned Code\r\nThe main module has no exports, only a DllMain entry which spawns one thread and returns. The main module\r\nmaintains multiple BINARY resources that include executable, configurations, and encryption data:\r\n101 – RSA private (!) key\r\n102 – RSA public key\r\n103 – empty\r\n104 – 16 encrypted bytes\r\n105 – location (“%HOMEPATH%\\ntuser.dat.LOG3”)\r\n106 – process names (e.g. 
“iexplore.exe, firefox.exe, chrome.exe, outlook.exe, safari.exe, opera.exe”) to inject into\r\n107 – Transport module for interaction with C\u0026C\r\n108 – C2 configuration\r\n109 – Registry location (“HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Explorer\\Screen Saver”)\r\n110 – no information\r\n111 – 8 zero bytes\r\nValues 104 – 111 are encrypted with the RSA private key (resource 101) and compressed with bzip2.4. The RSA\r\nkey is stored with header stripped in a format similar to Microsoft’s PVK; the RSA PRIVATE KEY header is\r\nappended by the loader before reading the keys into the encryption code. Resource 109 points to a registry\r\nlocation called “external storage”; built-in resources are called “PE Storage”.\r\nIn addition to storing code, crypto resources, and configuration data in PE resources, WhiteBear copies much of\r\nthis data to the victim host’s registry. Registry storage is located in the following keys. Subkeys and stored values\r\nare listed below:\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ScreenSaver]\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Explorer\\ScreenSaver]\r\nRegistry subkeys:\r\n{629336E3-58D6-633B-5182-576588CF702A} Contains the RSA private key used to encrypt/decrypt other\r\nresources / resource 101\r\n{3CDC155D-398A-646E-1021-23047D9B4366} Resource 105 – current file location\r\n{81A03BF8-60AA-4A56-253C-449121D61CAF} Resource 106 – process names\r\n{31AC34A1-2DE2-36AC-1F6E-86F43772841F} Contains the internet C\u0026C transport module / resource 107\r\n{8E9810C5-3014-4678-27EE-3B7A7AC346AF} Resource 108 – C\u0026C config\r\n{28E74BDA-4327-31B0-17B9-56A66A818C1D} Resource 110 “plugins”\r\n{4A3130BD-2608-730F-31A7-86D16CE66100} Resource 111\r\n{119D263D-68FC-1942-3CA3-46B23FA652A0} Unique Guid (“ObjectID”)\r\n{1DC12691-2B24-2265-435D-735D3B118A70} “Task Queue”\r\n{6CEE6FE1-10A2-4C33-7E7F-855A51733C77} “Result Queue”\r\n{56594FEA-5774-746D-4496-6361266C40D0}  unknown\r\n{831511FA-190D-5D85-8A4A-279F2F592CC7}  
unknown\r\nFinally, if the main WhiteBear module fails to use registry storage, it uses “FS Storage” in file\r\n%TEMP%\\KB943729.log. The module reads all of its data and binary components from one of the storages and\r\nthen verifies the integrity of data (RSA+bzip2 compression+signature).\r\nThe module maintains functionality which is divided into a set of subsystems that are loosely named by the\r\ndevelopers:\r\n• result queue\r\n• task queue\r\n• message processing system\r\n• autorun manager\r\n• execution subsystem\r\n• inject manager\r\n• PEStorage\r\n• local transport manager/internal transport channel\r\nIt creates the following temporary files:\r\n%TEMP%\\CVRG72B5.tmp.cvr\r\n%TEMP%\\CVRG1A6B.tmp.cvr\r\n%TEMP%\\CVRG38D9.tmp.cvr\r\n%TEMP%\\~DF1E05.tmp contains the updated body of the loader during an update.\r\nEvery day (as specified by local time) the main module restarts the transport subsystem which includes:\r\n• message processing\r\n• named pipe transport (“NPTransport”)\r\nIf the registry/file storage is empty, the module performs a ‘migration’ of hardcoded modules and settings to the\r\nstorage location. This data is encrypted with a new RSA key (which is also stored in the registry).\r\nThe data in the registry is prepended with a 0xC byte header. The maximum size of each registry item is 921,600\r\nbytes; if the maximum size is exceeded, it is split into several items. The format of the header is shown below:\r\n[4:service DWORD][4:chunk index][4:chunk size including header]\r\nEvery time the orchestrator module is loaded it validates that the storage area contains the appropriate data and\r\nthat all of the components can be decrypted and validated. 
If these checks fail, the module reinstalls a\r\nconfiguration from the resource “REINSTALL”.\r\nPipe Transport\r\nThe module generates the pipe name (with the same prefix as the loader), waits for incoming connections,\r\nreceives data and pushes it to the ‘message processing system’. Every packet is expected to be at least 6 bytes and contain the following header:\r\n[4:ID][2:command]\r\nList of commands:\r\n1: new task\r\n2: update the loader + orchestrator file\r\n4: send task result\r\n5: send settings\r\n6: write results to registry/file storage\r\n7: enable / disable c2 transport / update status\r\n8: uninstall\r\n9: nop\r\n10: “CMessageProcessingSystem::Receive_NO_CONNECT_TO_GAYZER”; write results to registry\r\n11: write the last connection data ‘{56594FEA-5774-746D-4496-6361266C40D0}’ aka “last connection” storage\r\nvalue\r\n12: “give cache” – write cached commands from the C\u0026C\r\n13: “take cache” – append C\u0026C commands to the cache\r\nDepending on the command, the module returns the results from previously run tasks, the configuration of the\r\nmodule, or a confirmation message.\r\nExamples of these tasks are shown below:\r\n• write a file and execute it with CreateProcess() capturing all of the standard output\r\n• update C\u0026C configuration, plugin storage, etc\r\n• update autoruns\r\n• write arbitrary files to the filesystem (“File Upload”)\r\n• read arbitrary files from the filesystem (“File Download”)\r\n• update itself\r\n• uninstall\r\n• push task results to C2 servers\r\nThe “LocalTransport manager” handles named pipe communication and identifies if the packet received is\r\ndesignated to the current instance or to someone else (down the route). 
In the latter scenario the LocalTransport\r\nmanager re-encrypts the packet, serializes it (again), and pushes the packet via a named pipe on the local network\r\nto another hop (NullSessionPipes). This effectively makes each infected node a packet router.\r\nThe Autorun manager subsystem is responsible for tracking the way that the malicious module starts in the system\r\nand it maintains several different methods for starting automatically (shown below):\r\nLinkAutorun – The subsystem searches for a LNK file in the target directory, changes the path to “cmd.exe” and\r\nthe description to ‘ /q /c start “” “%s” \u0026\u0026 start “” “%s” ‘\r\nTaskScheduler20Autorun – The subsystem creates the ITaskService (works only on Windows Vista+) and uses the\r\nITaskService interface to create a new task with a logon trigger\r\nStartupAutorun – The subsystem creates a LNK file in %STARTUP%\r\nScreenSaverAutorun – The subsystem installs as the current screensaver with a hidden window\r\nHiddenTaskAutorun – The subsystem creates the task ITaskScheduler (works only on pre-Vista NT). The task\r\ntrigger start date is set to the creation date of the Windows directory\r\nShellAutorun – Winlogon registry [HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\nShell=”explorer.exe, …”\r\nFile uninstallation is done in a discreet manner. The file is filled with zeroes, then renamed to a temporary\r\nfilename before being deleted.\r\nWhiteBear Transport library (aka “Internet Relations”, “Pipe Relations”)\r\nSample MD5: 19ce5c912768958aa3ee7bc19b2b032c\r\nType: PE DLL\r\nLinker timestamp: 2002.02.05 17:58:22 (GMT)\r\nLinker version: 10.0\r\nSignature: “Solid Loop Ldt” UTCTime 15/10/2015 00:00:00 GMT – UTCTime 14/10/2016 23:59:59 GMT\r\nThis transport library does not appear on disk in its PE format. 
It is maintained as encrypted resource 107 in the\r\norchestrator module, then decrypted and loaded by the orchestrator directly into the memory of the target process.\r\nThis C2 interaction module is independent; once started, it interacts with the orchestrator using its local named\r\npipe.\r\nTo communicate with its C2 server, the transport library uses the system user agent or the default “Mozilla/4.0\r\n(compatible; MSIE 6.0)”.\r\nBefore attempting a connection with its configured C2 server, the module checks if the victim system is connected\r\nto the Internet by sending HTTP 1.1 GET / requests to the following servers (this process stops after the first\r\nsuccessful connection):\r\n• update.microsoft.com\r\n• microsoft.com\r\n• windowsupdate.microsoft.com\r\n• yahoo.com\r\n• google.com\r\nIf there is no Internet connection available, the module changes state to “CANNOT_WORK” and notifies the\r\npeer by sending command “7” over the local pipe.\r\nThe C2 configuration is obtained from the main module with the command “5”. This checks whether the module\r\ncomplies with the schedule specified in the C2 settings (which includes inactivity time and the interval between\r\nconnections). The C2 interaction stages have interesting function names and an odd misspelling, indicating that\r\nthe developer may not be a native English speaker (or may have learned the English language in a British setting):\r\n“InternetRelations::GetInetConnectToGazer”\r\n“InternetRelations::ReceiveMessageFromCentre”\r\n“InternetRelations::SendMessageToCentre”\r\n“PipeRelations::CommunicationTpansportPipe”\r\nThe module writes the encrypted log to %TEMP%\\CVRG38D9.tmp.cvr. The module sends an HTTP 1.0 GET\r\nrequest through a randomly generated path to the C2 server. The server’s reply is expected to have its MD5\r\nchecksum appended to the packet. 
If C2 interaction fails, the module sends the command “10”\r\n(“NO_CONNECT_TO_GAYZER”) to the orchestrator.\r\nUnusual WhiteBear Encryption\r\nThe encryption implemented in the WhiteBear orchestrator is particularly interesting. We note that the resource\r\nsection is encrypted/decrypted and packed/decompressed with RSA+3DES+BZIP2. This implementation is\r\nunique and includes the format of the private key as stored in the resource section. 3DES is present in Sofacy and\r\nDuqu2 components; however, those components do not use this Microsoft-centric RSA encryption technique. The private\r\nkey format used in this schema and RSA crypto combination with 3DES is (currently) unique to this threat actor.\r\nThe private key itself is stored as a raw binary blob, in a format similar to the one Microsoft code uses in PVK\r\nformat. This format is not officially documented, but its structures and handling are coded into OpenSSL. This\r\nprivate key value is stored in the orchestrator resources without valid headers. The orchestrator code prepends\r\nvalid headers and passes the results to OpenSSL functions that parse the blob.\r\nDigital Code-Signing Certificate – Fictional Corporation or Assumed Identity?\r\nMost WhiteBear samples are signed with a valid code signing certificate issued for “Solid Loop Ltd”, a once-registered British organization. Solid Loop is likely a phony front organization or a defunct organization whose\r\nidentity the actors assumed in order to abuse its name and trust and attain deceptive code-signing digital\r\ncertificates.\r\nWhiteBear Command and Control\r\nThe WhiteBear C2 servers are consistent with long standing Turla infrastructure management practices, so the\r\nbackdoors call back to a mix of compromised servers and hijacked destination satellite IP hosts. 
For example,\r\ndirect, hardcoded Turla satellite IP C2 addresses are shown below:\r\nC2 IP Address | Geolocation | IP Space Owner\r\n169.255.137[.]203 | South Sudan | IPTEC, VSAT\r\n217.171.86[.]137 | Congo | Global Broadband Solution, Kinshasa VSAT\r\n66.178.107[.]140 | Unknown – Likely Africa | SES/New Skies Satellites\r\nTargeting and Victims\r\nWhiteBear targets over the course of a couple years are related to government foreign affairs, international\r\norganizations, and later, defense organizations. The geolocations of the incidents are listed below:\r\nEurope\r\nSouth Asia\r\nCentral Asia\r\nEast Asia\r\nSouth America\r\nConclusions\r\nWhiteBear activity reliant on this toolset seems to have diminished in June 2017. But Turla efforts continue to be\r\nrun as multiple subgroups and campaigns. This one started targeting diplomatic entities and later included defense\r\nrelated organizations. Infrastructure overlap with other Turla campaigns, code artifacts, and targeting are\r\nconsistent with past Turla efforts. With this subset of 2016-2017 WhiteBear activity, Turla continues to be one of\r\nthe most prolific, longstanding, and advanced APTs we have researched, and continues to be the subject of much of\r\nour research. 
Links to publicly reported research are below.\r\nReference Set\r\nFull IOC and powerful YARA rules delivered with private report subscription\r\nMd5\r\nb099b82acb860d9a9a571515024b35f0\r\n19ce5c912768958aa3ee7bc19b2b032c\r\n06bd89448a10aa5c2f4ca46b4709a879\r\nIP\r\n169.255.137[.]203\r\n217.171.86[.]137\r\n66.178.107[.]140\r\nDomain(s)\r\nsoligro[.]com – interesting because the domain is used in another Turla operation (KopiLuwak), and is the C2\r\nserver for the WhiteBear transport library\r\nmydreamhoroscope[.]com\r\nExample log upon successful injection\r\n|01:58:10:216|.[0208|WinMain ]..\r\n|01:58:14:982|.[0209|WinMain ].******************************************************************************************\r\n|01:58:15:826|.[0212|WinMain ].DATE: 01.01.2017\r\n|01:58:21:716|.[0215|WinMain ].PID=2344.TID=1433.Heaps=3\r\n|01:58:22:701|.[0238|WinMain ].CreateMutex = {521555FA-170C-4AA7-8B2D-159C2F491AA4}\r\n|01:58:25:513|.[0286|GetCurrentUserSID ]._GETSID_METHOD_1_\r\n|01:58:26:388|.[0425|GetUserSidByName ].22 15 1284404594 111\r\n|01:58:27:404|.[0463|GetUserSidByName ].S-1-5-31-4261848827-3118844265-2233733001-1000\r\n|01:58:28:263|.[0471|GetUserSidByName ].\r\n|01:58:29:060|.[0165|GeneratePipeName ].\\\\.\\pipe\\Winsock2CatalogChangeListener-5623-b\r\n|01:58:29:763|.[0275|WinMain ].PipeName = \\\\.\\pipe\\Winsock2CatalogChangeListener-5623-b\r\n|01:58:30:701|.[0277|WinMain ].Checking for existence…\r\n|01:58:31:419|.[0308|WinMain ].— Pipe is not installed yet\r\n|01:58:32:044|.[0286|GetCurrentUserSID ]._GETSID_METHOD_1_\r\n|01:58:32:841|.[0425|GetUserSidByName ].22 15 1284404594 111\r\n|01:58:33:701|.[0463|GetUserSidByName ].S-1-5-31-4261848827-3118844265-2233733001-1000\r\n|01:58:34:419|.[0471|GetUserSidByName ].\r\n|01:58:35:201|.[0318|WinMain ].Loading…\r\n|01:58:35:763|.[0026|KernelInjector::KernelInjector ].Address of marker: 0x0025F96C and 
cProcName: 0x0025F860\r\n|01:58:36:513|.[0031|KernelInjector::KernelInjector ].Value of marker = 0xFFFFFEF4\r\n|01:58:37:279|.[0088|KernelInjector::SetMethod ].m_bAntiDEPMethod = 1\r\n|01:58:38:419|.[0564|QueryProcessesInformation ].OK\r\n|01:58:41:169|.[0286|GetCurrentUserSID ]._GETSID_METHOD_1_\r\n|01:58:42:076|.[0425|GetUserSidByName ].22 15 1284404594 111\r\n|01:58:42:748|.[0463|GetUserSidByName ].S-1-5-31-4261848827-3118844265-2233733001-1000\r\n|01:58:43:169|.[0471|GetUserSidByName ].\r\n|01:58:43:701|.[0309|FindProcesses ].dwPID[0] = 1260\r\n|01:58:44:560|.[0345|WinMain ].try to load dll to process (pid=1260))\r\n|01:58:45:013|.[0088|KernelInjector::SetMethod ].m_bAntiDEPMethod = 1\r\n|01:58:45:873|.[0094|KernelInjector::LoadDllToProcess ].MethodToUse = 1\r\n|01:58:46:544|.[0171|KernelInjector::GetProcHandle ].pid = 1260\r\n|01:58:47:279|.[0314|KernelInjector::CopyDllFromBuffer ].Trying to allocate space at address 0x20020000\r\n|01:58:48:404|.[0332|KernelInjector::CopyDllFromBuffer ].IMAGEBASE = 0x20020000.ENTRYPOINT = 0x2002168B\r\n|01:58:48:763|.[0342|KernelInjector::CopyDllFromBuffer ].ANTIDEP INJECT\r\n|01:58:49:419|.[0345|KernelInjector::CopyDllFromBuffer ].Writing memory to target process….\r\n|01:58:49:935|.[0353|KernelInjector::CopyDllFromBuffer ].Calling to entry point….\r\n|01:58:51:185|.[0598|KernelInjector::CallEntryPoint ].CODE = 0x01FA0000, ENTRY = 0x2002168B, CURR = 0x77A465A5, TID = 1132\r\n|01:58:55:544|.[0786|KernelInjector::CallEntryPoint ]._FINISH_ = 1\r\n|01:58:56:654|.[0372|KernelInjector::CopyDllFromBuffer ].CTRLPROC = 0\r\n|01:58:57:607|.[0375|KernelInjector::CopyDllFromBuffer ].+ INJECTED +\r\n|01:58:58:419|.[0351|WinMain ].+++ Load in 1260\r\nReferences – past Turla research\r\nThe Epic Turla Operation\r\nSatellite Turla: APT Command and Control in the Sky\r\nAgent.btz: a Source of Inspiration?\r\nThe ‘Penquin’ Turla\r\nPenquin’s Moonlit 
Maze\r\nKopiLuwak: A New JavaScript Payload from Turla\r\nUroburos: the snake rootkit [pdf]\r\nThe Snake Campaign\r\nSource: https://securelist.com/introducing-whitebear/81638/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/introducing-whitebear/81638/"
	],
	"report_names": [
		"81638"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a370eef5-5d11-4fda-ad85-f9be60a28d05",
			"created_at": "2023-01-06T13:46:38.717707Z",
			"updated_at": "2026-04-10T02:00:03.077727Z",
			"deleted_at": null,
			"main_name": "White Bear",
			"aliases": [
				"Skipper Turla"
			],
			"source_name": "MISPGALAXY:White Bear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b70fa29bd9b02be4bc5d8658bdca40751f0cf90a.pdf",
		"text": "https://archive.orkl.eu/b70fa29bd9b02be4bc5d8658bdca40751f0cf90a.txt",
		"img": "https://archive.orkl.eu/b70fa29bd9b02be4bc5d8658bdca40751f0cf90a.jpg"
	}
}