{
	"id": "e21d03e6-02f2-40c1-b6d0-173d7e2f82da",
	"created_at": "2026-04-06T00:06:25.346903Z",
	"updated_at": "2026-04-10T13:12:40.290366Z",
	"deleted_at": null,
	"sha1_hash": "b9d62f0534c5ae25f0aa4030433111a07e4bf6fa",
	"title": "Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697206,
	"plain_text": "Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)\r\nPublished: 2024-02-19 · Archived: 2026-04-05 16:01:37 UTC\r\nTurla is an APT group allegedly linked to the FSB (Federal Security Service), the intelligence service of the Russian Federation. The actor is attributed specifically to the FSB’s Center 16 unit, which collects radio-electronic (signals) intelligence from communications facilities. Center 16 is also in charge of intercepting, decrypting and processing electronic messages, and of the technical side of compromising foreign targets.\r\nTurla’s activity dates back as far as 2004. The actor often runs exploitation campaigns against organizations in former Soviet Union countries, and usually targets organizations from sectors such as government, research centers, embassies, energy, telecommunications and pharmaceuticals.\r\nThis research has resulted in a set of samples found on VirusTotal during early 2024. Below is a timeline of the publicly known samples.\r\nSamples timeline\r\nThis article focuses on one of the samples used in one of the latest campaigns (sample #6). The investigation reveals how Turla is using a new wrapper of Kazuar as part of its infection chain. The most prominent aspects of the analysis leading to the extraction of Kazuar, and the peculiarities of the identified sample compared to others previously seen in the field, are detailed below.\r\nInfection Chain\r\nAs will be detailed later, the attack is quite targeted, so it is possible that the actors dropped this piece of malware on the computer after a previous infection.\r\nIn order to hide the malware, the actors use the DLL sideloading technique, spoofing legitimate libraries related to “SkyTel“, “NVIDIA GeForce Experience“, “vncutil” or “ASUS“. 
\r\nhttps://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/?ref=news.risky.biz\r\nPage 1 of 12\n\nPelmeni Wrapper’s structure\r\nAs a result, when the legitimate application is executed, the malicious DLL (we’ve dubbed it Pelmeni Wrapper) is loaded and the infection continues. The resulting infection chain is as follows:\r\nInfection chain\r\nFor the analysis we will use the most recent sample we have found in public sources, which has up to 39 detections.\r\nLaunchGFExperienceLOC.dll 15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a\r\nPelmeni Wrapper’s detections\r\nThe DLL does not provide much information, since most of its content is encrypted. The most interesting thing is the names of its exported functions, which appear to be randomly generated.\r\nPelmeni Wrapper’s exports\r\nThrough the analysis of LaunchGFExperienceLOC.dll, we see at the EntryPoint 3 main functions that guide the program.\r\nPelmeni Wrapper’s entry point\r\nThe first function, “PrintLog”, is in charge of creating a file in the %TEMP% folder that logs what the wrapper is doing. This file has a random name and extension, decoded using an XOR algorithm.\r\nXOR decryption function\r\nAt this point it prints “DLL_PROCESS_ATTACH”, because the executable has just loaded the DLL.\r\nPelmeni Wrapper’s log file\r\nThe next EntryPoint function is “LoadFunction”, which is responsible for executing one of the exported DLL functions.\r\n“LoadFunction” function\r\nTo decrypt the function name, the malware uses a hash generated from the victim’s “ComputerName”, XORed with a constant. The algorithm used to hash the computer name is Jenkins’ one_at_a_time. 
This hash is used as the seed for the pseudorandom number generator ranqd1, and the generated values are used to decrypt the function name.\r\nJenkins’ one_at_a_time algorithm\r\nThe execution continues with the “Wvoouo” method, which goes through all the threads of the running process and suspends them, except for the current thread. After this, Pelmeni prints “After CSPT” in the log, which could be a reference to “Check Suspend Threads”.\r\n“Wvoouo” function managing threads\r\nAfter this the program executes “LoadFunctions”, which loads and executes 3 functions as before.\r\nLoad 3 new functions\r\nIn the first function, “Gcqiprj”, we can see how, by means of CreateThread(), it creates a thread that will continue the execution of the wrapper.\r\n“Gcqiprj” function creating thread\r\nHowever, instead of executing that part of the code, it saves its address (0x703C1785) to later redirect the execution flow to it.\r\n“Gcqiprj” function saving execution address\r\nThe next function, ”Urjhmeuo”, accesses the contents of that address (0x703C1785) and copies the entire contents to another memory region, which it will execute. In addition, it prepends the instruction “push eax” (0x50 x56) so that the stack state is preserved.\r\n“Urjhmeuo” function copying memory to make it executable\r\nThe last function, “Rgdpeyg”, traces the execution stack to find the “LoadLibrary” function and loads the new address, completely changing the execution flow. Finally, Pelmeni prints “After EFD” in the log file, which could stand for “Execution Flow Deviation”. 
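The export-name derivation described above (Jenkins one_at_a_time over the computer name, XORed with a constant, then used to seed ranqd1 for an XOR keystream), together with the brute-force observation made later in the article, as an added example that is not code from the original post and not code recovered from the sample. Jenkins one_at_a_time and the ranqd1 linear congruential generator from Numerical Recipes (x = 1664525*x + 1013904223 mod 2^32) are the documented algorithms; everything else is an assumption labelled as such: the XOR constant, the hostname WS-FINANCE-07, the wordlist, the choice of the low byte of each ranqd1 output as key byte, and the encrypted export name (built here from the article’s export name “Gcqiprj”) are constructed for the demo. The hostname search shows the shape of a dictionary brute force; because the seed is only 32 bits, brute_force_seeds shows that the full seed space can also be enumerated offline when nothing but a plausibility check on the plaintext is available.

```python
# Added example: keyed export-name derivation as described for Pelmeni Wrapper,
# plus brute force over candidate computer names and over the raw 32-bit seed.
# The XOR constant, hostname, keystream byte selection and the encrypted name
# are constructed assumptions, not values extracted from the sample.
import string

MASK32 = 0xFFFFFFFF


def jenkins_one_at_a_time(data: bytes) -> int:
    # Bob Jenkins' one_at_a_time hash with 32-bit wraparound.
    h = 0
    for b in data:
        h = (h + b) & MASK32
        h = (h + (h << 10)) & MASK32
        h ^= h >> 6
    h = (h + (h << 3)) & MASK32
    h ^= h >> 11
    h = (h + (h << 15)) & MASK32
    return h


def ranqd1(seed: int):
    # Numerical Recipes 'quick and dirty' LCG: x = 1664525*x + 1013904223 (mod 2^32).
    x = seed & MASK32
    while True:
        x = (1664525 * x + 1013904223) & MASK32
        yield x


XOR_CONSTANT = 0x5A5A5A5A  # assumption: the real constant is not given in the article


def derive_seed(computer_name: str) -> int:
    # seed = one_at_a_time(ComputerName) XOR constant, as the article describes.
    return jenkins_one_at_a_time(computer_name.encode('ascii')) ^ XOR_CONSTANT


def keystream(seed: int, length: int) -> bytes:
    # Assumption: one ranqd1 output per plaintext byte, low byte used as key byte.
    gen = ranqd1(seed)
    return bytes(next(gen) & 0xFF for _ in range(length))


def xor_crypt(data: bytes, seed: int) -> bytes:
    # XOR is symmetric: the same call encrypts and decrypts.
    ks = keystream(seed, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def looks_like_export_name(candidate: bytes) -> bool:
    # Plausibility check for a decrypted export name: a short printable identifier.
    allowed = (string.ascii_letters + string.digits + '_').encode('ascii')
    return 0 < len(candidate) <= 64 and all(c in allowed for c in candidate)


def brute_force_hostnames(ciphertext: bytes, candidates):
    # Dictionary brute force: try each candidate ComputerName and keep those whose
    # decryption yields a plausible export name. Returns a list of (name, plaintext).
    hits = []
    for name in candidates:
        pt = xor_crypt(ciphertext, derive_seed(name))
        if looks_like_export_name(pt):
            hits.append((name, pt.decode('ascii')))
    return hits


def brute_force_seeds(ciphertext: bytes, start: int = 0, stop: int = 1 << 32):
    # Seed-space brute force: 2^32 seeds is feasible offline (port to C for speed).
    # A generator, so the caller can stop at the first plausible hit.
    for seed in range(start, stop):
        pt = xor_crypt(ciphertext, seed)
        if looks_like_export_name(pt):
            yield seed, pt.decode('ascii')


def demo():
    # Constructed scenario: victim host WS-FINANCE-07, export name Gcqiprj taken
    # from the article, ciphertext produced here with the assumed scheme.
    victim = 'WS-FINANCE-07'
    ct = xor_crypt(b'Gcqiprj', derive_seed(victim))
    wordlist = ['DESKTOP-1A2B3C', 'WS-FINANCE-01', 'WS-FINANCE-07', 'SRV-DC01']
    return brute_force_hostnames(ct, wordlist)


if __name__ == '__main__':
    print(demo())
```

The plausibility filter is the weak point of any such brute force: a seven-byte export name passes it by chance roughly once per 20 000 seeds, so in practice the same candidate seed should be checked against a second encrypted export (or the encrypted payload header) before it is accepted.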
\r\n“Rgdpeyg” function redirecting the execution flow\r\nAt this point, the malware executes the thread it had previously prepared. This thread decrypts a .NET assembly and executes it from memory. Additionally, while Pelmeni runs the .NET payload in the background, it checks the network connection by making requests to Google.\r\ndotNET binary execution thread\r\nAs seen, the attack is totally targeted: if the malware is executed on another machine, it will not be able to continue the infection, since the decryption key is derived from the victim’s computer name. Fortunately, the algorithm used to decrypt the payload is the same as the one used to decrypt the exports, and its seed is only a 32-bit hash, which makes it vulnerable to brute-force attacks.\r\nThe following section describes the analysis of the extracted .NET binary.\r\nKazuar (DotNET)\r\nAnalyzing the code, we observe that it is obfuscated and encrypted. The algorithm used is a substitution algorithm reminiscent of the one used by Kazuar (Turla backdoor). The hypothesis is confirmed when comparing our sample with the sample analyzed in the Unit42 article.\r\nCaesarCipher implementation\r\nKazuar is a multiplatform trojan used by Turla and discovered in 2017. It is often seen in infections targeting specific objectives, with the sample tailored to the targeted entity.\r\nCompared with the Unit42 article, the backdoor in this case shows two differences, detailed below:\r\nNew protocol used for exfiltration\r\nDifferent log folder\r\nExfiltration methods\r\nUp to now, it was publicly known that Kazuar supports 5 protocols for exfiltration. 
The version of Kazuar described here also allows the exfiltration of data over a raw socket.\r\nExfiltration protocols\r\nSocket protocol\r\nBased on this, it would not be unreasonable to think that other variations of this sample might also include additional protocols.\r\nLog folder\r\nAnother variation in this sample compared to previous reports is the directory used for logs, as shown in the following image.\r\nKazuar’s log file\r\nHowever, this should be considered a minor variation that could be seen in other samples.\r\nConclusions\r\nThis article analyzes a new sample used in Turla campaigns. The sample employs a wrapper that we’ve nicknamed Pelmeni, and deploys the Kazuar malware, with some peculiarities different from those seen in previous articles about this type of sample.\r\nThere are samples of the malware available in public sources, although their content is encrypted, which can hinder identification. In the case at hand, the differences of this new threat are shown, and indicators of compromise are provided to aid in its possible detection.\r\nAdditionally, the IOC summary includes the IOC values highlighted during this post. 
It also provides the hashes for the samples used in the “samples timeline”.\r\nIOCs\r\nSample #6 [13/02/2024]\r\nLaunchGFExperienceLOC.dll (Pelmeni Wrapper): 15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a\r\nRelapsed.exe (Kazuar): 7ae9768b79a6b75f814a1b7afaf841b1a4b7ba803b3d806823e81d24a84fd078\r\nPelmeni Wrapper’s log file: %TEMP%\\dbtesdnni.wic\r\nKazuar folders: C:\\ProgramData\\utils\\drivers\\data and C:\\ProgramData\\inp\\test\r\nSample #5 [28/01/2024]\r\nasio.dll (Pelmeni Wrapper): cccd6327dd5beee19cc3744b40f954c84ab016564b896c257f6871043a21cf0a\r\nSobroutine.exe (Kazuar): 6559d6cb2976334776ded3e7f8ce781c0e6fbaa69edbb0f16b902d06b5d8d8d9\r\nPelmeni Wrapper’s log file: %TEMP%\\iiuiajmujrca.zso\r\nSample #4 [27/01/2024]\r\nvncutilLOC.dll (Pelmeni Wrapper): 2164d54c415b48e906ad972a14d45c82af7cab814c6cf11729a994249690ed97\r\nHumanity.exe (Kazuar): 564b2a3083e55933e4ce68b87c5e268c88d58f7ab41839e5a6e0c728a58e9cf2\r\nPelmeni Wrapper’s log file: %TEMP%\\ktynlijyog.dyg\r\nSample #3 [27/01/2024]\r\nSkyTelLOC.dll (Pelmeni Wrapper): 00256c7fd9a36c6a4805c467b15b3a72dbac2e6dbd12abe7d768f20ce6c8f09f\r\nInroad.exe (Kazuar): 1a3cc19345737bc76bcf61005ad6afeeea78540bddc627db052cede7a4c0d8e5\r\nPelmeni Wrapper’s log file: %TEMP%\\oayvonjwivaq.vjg\r\nSample #2 [27/01/2024]\r\nvncutilLOC.dll (Pelmeni Wrapper): ebf10222bdd19bd8f14b7e94694c1534d4fe1d1047034aee7ffe9492cad4a92f\r\nDenigrating.exe (Kazuar): c91891c297971f46c470ea3b1934e5fb76f683776ba3edcdc1afe4f5398fc016\r\nPelmeni Wrapper’s log file: %TEMP%\\jecvxqyvdbri.olc\r\nSample #1 [23/01/2024]\r\nvncutilLOC.dll (Pelmeni Wrapper): 9b97e740b65bc609210f095cd9407c990a9f71f580f001ea07300228c5256d62 
\r\nArches.exe (Kazuar): 0e8cedf69e0708f77b8d8c7c9b96bf9386f0ec66c48b973bfa9718915ed260e9\r\nPelmeni Wrapper’s log file: %TEMP%\\wcijgmcpyn.ctl\r\nC2\r\nhxxps://altavista[.]rs/wp-includes/ID3/PerceptionSimulation/\r\nhxxps://m6front.sam-maintenance[.]com/wp-includes/customize/assembly/\r\nhxxps://bibliotecaunicef[.]uy/catalog/notices/tags/\r\nwss://127.0.0.1:20089/Test\r\nSource: https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/?ref=news.risky.biz",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/?ref=news.risky.biz"
	],
	"report_names": [
		"?ref=news.risky.biz"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9d62f0534c5ae25f0aa4030433111a07e4bf6fa.pdf",
		"text": "https://archive.orkl.eu/b9d62f0534c5ae25f0aa4030433111a07e4bf6fa.txt",
		"img": "https://archive.orkl.eu/b9d62f0534c5ae25f0aa4030433111a07e4bf6fa.jpg"
	}
}