{
	"id": "09157bae-9867-49e4-adce-d6d0e1ce47d3",
	"created_at": "2026-04-06T00:06:53.817284Z",
	"updated_at": "2026-04-10T03:35:48.593757Z",
	"deleted_at": null,
	"sha1_hash": "bb38ec9e943645f3568e94c0b66ec04218dd65f2",
	"title": "To the Moon and back(doors): Lunar landing in diplomatic missions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531769,
	"plain_text": "To the Moon and back(doors): Lunar landing in diplomatic missions\r\nBy Filip Jurčacko\r\nArchived: 2026-04-05 12:55:22 UTC\r\nESET researchers discovered two previously unknown backdoors – which we named LunarWeb and LunarMail –\r\ncompromising a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. We believe that the Lunar\r\ntoolset has been used since at least 2020 and, given the similarities between the tools’ tactics, techniques, and procedures\r\n(TTPs) and past activities, we attribute these compromises to the infamous Russia-aligned cyberespionage group Turla, with\r\nmedium confidence. We recently presented our insights from this research at this year’s ESET World conference and provide\r\nmore details about our findings in this blogpost.\r\nKey points of the blogpost:\r\nESET Research discovered two previously unknown backdoors – LunarWeb and LunarMail – used in the\r\ncompromise of a European MFA and its diplomatic missions.\r\nLunarWeb, deployed on servers, uses HTTP(S) for its C\u0026C communications and mimics legitimate\r\nrequests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email\r\nmessages for its C\u0026C communications.\r\nBoth backdoors employ the technique of steganography, hiding commands in images to avoid detection.\r\nBoth backdoors utilize a loader that uses the DNS domain name for decryption of the payload, share\r\nportions of their codebases, and have the unusual capability of being able to execute Lua scripts.\r\nThe loader can have various forms, including trojanized open-source software, demonstrating the advanced\r\ntechniques used by the attackers.\r\nTurla, also known as Snake, has been active since at least 2004, possibly even dating back to the late 1990s. Believed to be\r\npart of the Russian FSB, Turla mainly targets high-profile entities such as governments and diplomatic organizations in\r\nEurope, Central Asia, and the Middle East. 
The group is notorious for breaching major organizations, including the US\r\nDepartment of Defense in 2008 and the Swiss defense company RUAG in 2014. Over the past few years, we have\r\ndocumented a large part of Turla’s arsenal on WeLiveSecurity.\r\nOur current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an\r\nunidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb.\r\nSubsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably,\r\nthe attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and\r\ncontrol (C\u0026C) communications.\r\nDuring another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of\r\nthis MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain\r\ncontroller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.\r\nFurther examination uncovered additional pieces of the puzzle, including components utilized in the initial stage of the\r\ncompromise and a limited number of commands issued by the attacker. The timestamps in the oldest samples and the\r\nversions of the libraries used suggest that this toolset has been operational since at least 2020, possibly earlier. 
Our technical\r\nanalysis focuses on the techniques these backdoors employ, such as steganography, and communication methods.\r\nVictimology\r\nAccording to ESET telemetry, the compromised machines that we managed to identify belong to a European MFA and are\r\nprimarily related to its diplomatic missions in the Middle East.\r\nhttps://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/\r\nPage 1 of 23\n\nTechnical analysis\r\nInitial access\r\nWe don’t know exactly how initial access was gained in any of the compromises. However, recovered installation-related\r\ncomponents and attacker activity suggest possible spearphishing and abuse of misconfigured network and application\r\nmonitoring software Zabbix. Potential Zabbix abuse is suggested by a LunarWeb installation component imitating Zabbix\r\nlogs, and a recovered backdoor command used to get the Zabbix agent configuration. Additionally, evidence of\r\nspearphishing includes a Word document installing a LunarMail backdoor via a malicious macro.\r\nBelow, we provide details of the installation-related components and initial attacker activity.\r\nStage 0 – LunarWeb initial server compromise\r\nWhile we don’t have the full picture of the initial compromise, we found an installation-related component in one of the\r\nserver compromises – a compiled version of an ASP.NET web page originating from the following source files:\r\n\u003cIIS_web_root\u003e\\aspnet_client\\system_web.aspx\r\n\u003cIIS_web_root\u003e\\aspnet_client\\system_web.cs\r\nThe system_web.aspx filename is a known IoC of Hafnium, a China-aligned APT known for exploiting vulnerabilities in\r\nMicrosoft Exchange Server software. However, we believe this is either a coincidence or a false flag.\r\nWhen the system_web.aspx page is requested, it responds with a benign-looking Zabbix agent log. However, the page\r\ncovertly expects a password in a cookie named SMSKey. 
If provided, the password (combined with the salt\r\nMicrosoft.SCCM.Update.Manager) is used to derive an AES-256 key and IV for decrypting two embedded blobs, which are\r\nthen dropped to two temporary files in a directory excluded from scanning.\r\nWhile we don’t know the password, the file sizes match further stages in the compromise chain – the Stage 1 loader and\r\nStage 2 blob – containing the LunarWeb backdoor. Lastly, either the attacker or an unknown component renames and moves\r\nthe two temporary files to their final destinations, and sets up persistence.\r\nDuring our investigation, we found that the attacker already had network access, used stolen credentials for lateral\r\nmovement, and took careful steps to compromise the server without raising suspicion. The attacker’s steps included copying\r\ntwo log files over the network; these files were deliberately named to mimic Zabbix agent logs. The attacker moved them to\r\nthe IIS web directory as the system_web page, and sent a HEAD request to the page with a password, which resulted in the\r\ncreation of two files with .tmp filename extensions. The system_web page files were then deleted, and the dropped .tmp files\r\ncontaining Stages 1 and 2 were moved to the following locations:\r\nC:\\Windows\\System32\\en-US\\winnet.dll.mui\r\nC:\\Windows\\System32\\DynamicAuth.bin\r\nFinally, to maintain access and execute their code, the attacker set up a Group Policy extension in the registry using the\r\nRemote Registry service.\r\nStage 0 – LunarMail initial user compromise\r\nIn another compromise, we found an older malicious Word document, likely from a spearphishing email. Despite being a\r\nDOC file, it’s actually in DOCX format, which is a ZIP archive that can hold extra content. 
This document has unusual\r\ncomponents: 32- and 64-bit versions of a Stage 1 loader, and a Stage 2 blob containing the LunarMail backdoor.\r\nThey are installed using a VBA macro, executed on document opening, that does the following:\r\n1. Calculates a victim ID from the computer name and informs its C\u0026C server by pinging a specific URL with the ID in\r\nits subdomain.\r\n2. Creates the directory %USERPROFILE%\\Gpg4win and extracts the appropriate files from the extra content in the\r\nZIP/DOCX – Stage 1 loader to gpgol.dll and Stage 2 blob to tempkeys.dat.\r\n3. Sets up persistence via Outlook add-in registry settings and pings another URL containing the ID.\r\nWe did not obtain the whole document, but it probably contains a lure enticing enough to convince the victim to enable macros, since the content cannot be accessed otherwise.\r\nThe paths and names used mimic Gpg4win’s Outlook add-in, GpgOL. Once deployed, the Stage 1 loader appears in Outlook\r\nAdd-Ins, as shown in Figure 1.\r\nFigure 1. Malicious Outlook add-in\r\nLunar toolset\r\nFollowing our analysis of the installers introduced in the previous section, we examine the loaders and finish with analysis\r\nof their payloads – two previously unknown backdoors. Figure 2 outlines the components in the two observed compromise\r\nchains.\r\nFigure 2. The two observed Lunar toolset compromise chains\r\nStage 1 – LunarLoader\r\nThe execution chain begins with a loader that we have named LunarLoader. It uses RC4, a symmetric key cipher, to decrypt\r\nthe path to the Stage 2 blob and reads an encrypted payload from it. 
To ensure that only one loader instance is active, it\r\nattempts to open and then create a mailslot with a unique name, instead of a common synchronization object such as mutex\r\nor event. It also creates a decryption key, derived from the MD5 hash of the computer’s DNS domain name, which it\r\nverifies. The payload is then decrypted using AES-256, resulting in a PE file. LunarLoader allocates memory for the PE\r\nimage and decrypts the name of an exported function in the PE file, which is then run in a new thread. This function contains\r\na reflective loader.\r\nUsing the DNS domain name for payload decryption serves as an execution guardrail. The loader correctly executes only in\r\nthe targeted organization, which may hinder analysis if the domain name is not known.\r\nLunarLoader can have a standalone form or be a part of trojanized open-source software. We observed one case of the latter,\r\nwith a trojanized AdmPwd, which is a part of Windows Local Administrator Password Solution (LAPS).\r\nWe observed that LunarLoader uses three different persistence methods and several file paths, as shown in Table 1.\r\nTable 1. 
Variants of LunarLoader\r\nPersistence method | Loader path(s) | Host process | Note\r\nGroup policy extension | C:\\Windows\\System32\\en-US\\winnet.dll.mui; C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll* | svchost.exe -k GPSvcGroup | The AdmPwd dll is a known legitimate file path of Microsoft LAPS.\r\nSystem DLL replacement | C:\\Windows\\System32\\tapiperf.dll | wmiprvse.exe | Replacing a legitimate Windows DLL.\r\nOutlook add-in | %USERPROFILE%\\Gpg4win\\gpgol.dll | outlook.exe | N/A\r\nStage 2 blob – payload container\r\nThe blob used in Stage 2 consists of four entries – including two unused strings, where the value of one is the base64-encoded version of the string freedom or death or freedom or death (yeah,we are alive), as shown in Figure 3, and 32-bit and\r\n64-bit versions of the payload.\r\nFigure 3. Decoded version of the string, which contains a message\r\nWhile the purpose of the freedom or death string in the given context isn’t explicitly explained, it’s common for malware\r\nauthors to include such strings for a variety of possible reasons, such as tracking different versions of their malware, to serve\r\nas a distraction or false lead for analysts, or simply as a form of signature or calling card. In some cases, we found strings\r\ninstead of a 32-bit payload – such as the string shit happens.\r\nWe observed two different backdoors used as payloads. The backdoors seem to use the following DLL names in the export\r\ndirectory, with these suspected meanings:\r\nmswt[e].dll – web transport (LunarWeb)\r\nmsmt[e].dll – mail transport (LunarMail)\r\nThe e suffix is used for the 64-bit versions. 
The observed file paths for the blob are listed in the IoCs section.\r\nStage 2 payload #1 – LunarWeb backdoor\r\nLunarWeb, the first payload we discovered, is a backdoor that communicates with its C\u0026C server using HTTP(S) and\r\nexecutes commands it receives. We observed that LunarWeb was deployed only on servers, not user workstations.\r\nDuring its initialization, LunarWeb attempts to locate or create its state file, which contains entries related to its execution.\r\nThen it decrypts strings, mostly related to communication, using RC4 with the static key C1 82 A7 04 21 B6 40 C8 9A C3 79 AD F5 5F 72 86. It also collects victim identification data and uses it to calculate a victim ID, which is used in\r\ncommunications with the C\u0026C server.\r\nAfter conducting safety checks, the backdoor waits for a few hours before entering its communication loop. This delay is\r\nskipped on the backdoor’s first run. The safety checks include a limit on initial contact attempts with the C\u0026C server,\r\nassessing the backdoor’s lifespan, and checking C\u0026C server accessibility. If any of the safety conditions fail, LunarWeb\r\nself-removes, deleting its files, including the Stage 1 loader and Stage 2 blob. However, the persistence method for the Stage\r\n1 loader is left, potentially leaving detectable traces.\r\nConfiguration and state\r\nLunarWeb’s configuration is hardcoded into the binary, likely from manual source code changes. The configuration varies\r\nbetween samples, including the C\u0026C servers, their unreachability threshold, the communication format, and the backdoor\r\nlifespan.\r\nThe backdoor maintains a 512-byte state structure, updated during execution and stored in a file. This file contains three\r\nstate slots, accessed by index 0, 1, or 2 as shown in Figure 4. 
The first two slots are modifiable, but unused by this backdoor;\r\nonly the third slot is used. State slots are encrypted using RC4 with key 99 53 EA 6A AB 29 44 EF BE 36 12 9E F2 3B 5E\r\nC9.\r\nFigure 4. Hex-Rays decompilation showing state retrieval\r\nThe observed locations of the state files are listed in the IoCs section.\r\nInformation collection\r\nLunarWeb collects the following information about its host computer:\r\nunique victim identification obtained via WMI queries:\r\noperating system version with serial number,\r\nBIOS version with serial number, and\r\ndomain name.\r\nfurther system information obtained via shell commands:\r\ncomputer and operating system information (output of systeminfo.exe),\r\nenvironment variables,\r\nnetwork adapters,\r\nlist of running processes,\r\nlist of services, and\r\nlist of installed security products.\r\nThe information is sent to the C\u0026C server on first contact.\r\nCommunication\r\nAfter initialization, LunarWeb communicates with its C\u0026C server using HTTP(S), underneath which is a custom binary\r\nprotocol with encrypted content.\r\nLunarWeb employs three URLs (containing IP addresses instead of domains) for different purposes. One URL is used for\r\nfirst contact, uploading information about the host computer as described in the previous section. The two remaining URLs\r\nare used for getting commands, each being on a different server. We refer to these URLs below as command URLs.\r\nTo hide its C\u0026C communications, LunarWeb impersonates legitimate-looking traffic, spoofing HTTP headers with genuine\r\ndomains and commonly used attributes. It can also receive commands hidden in images. Impersonated attributes from each\r\nobserved LunarWeb sample are shown in Table 2.\r\nTable 2. 
Impersonated attributes\r\nHost | User-Agent | Request-URI / Filename\r\nwin8.ipv6.microsoft.com | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | (Non-impersonating URIs)\r\ni1.c1.eset.com | Host: EES Update (Windows; U; 64bit; BPC 9.0.2047.0; OS: 10.0.16299 SP 0.0 NT; TDB 57524; TPCAT 0; CL 1.0.0; x64c; APP ees; ASP 0.0; FW 32.0; PX 1; CD 1; RA 1; UBR 2166; HVCI 0; SHA256 1; WU 3; HWF: DA7506AC-AB57-4C28-BC32-E6D90B48B66F; PLOC en_us; PCODE 111.0.0; PAR 0; ATH -1; DC 0; PLID 375-GTM-VO6; SEAT 62f587f1; RET 5004) [sic] | update.ver.signed; livegrid\r\n\u003cMFA_country_news_site\u003e | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0 | (Non-impersonating URIs)\r\nctldl.windowsupdate.com | Microsoft-CryptoAPI/6.1 | /msdownload/update/v3/static/trustedr/en/authrootstl.cab; /msdownload/update/v3/static/trustedr/en/disallowedcertst; /msupload/update/v3/static/trustedr/stats\r\nctldl.windowsupdate.com | Microsoft-CryptoAPI/6.1 | /msdownload/update/v3/static/trustedr/en/authrootstl.cab; /msdownload/update/v3/static/trustedr/stats\r\nNotable examples of impersonation include Windows services (Teredo, Windows Update) and updates of ESET products. In\r\ncases of ESET impersonation, the attackers copied the User-Agent (where they slipped in a Host header) and other headers\r\nused by updates of our product. Strangely, they spoofed a nonexistent domain in the Host header.\r\nVictim identification is included in HTTP requests, either in a cookie or a URL query parameter. The first method uses\r\nrandomly generated cookies with a 16-byte identifier (possibly a campaign ID) and a victim ID. The second method appends\r\nthe victim ID twice to the URL. 
The suspected campaign ID is present in samples using the second method but is not used.\r\nLunarWeb can also use an HTTP proxy server for C\u0026C communications, if needed.\r\nReceiving commands\r\nLunarWeb collects commands from the C\u0026C server via a GET request to the command URL. The request and response\r\nformat vary across five supported formats, with a hardcoded value determining which to use. Table 3 provides an overview\r\nof these formats. We observed usage of formats 2, 3, and 4.\r\nTable 3. Communication formats for getting commands\r\nFormat | Command request filename example | Response extraction / decoding | Response decryption / decompression | Note\r\n0 | N/A | Base64 | RSA | Short commands only (RSA-4096 512‑byte limit).\r\n1 | N/A | None | RSA | Short commands only (RSA-4096 512‑byte limit).\r\n2 | update.ver.signed; disallowedcertstl.cab (impersonation specific) | Base64 or none | RSA, AES, zlib | Decoding is skipped in instances where this format is actually used.\r\n3 | \u003crandom_5_alnum\u003e.jpg | JPG | RSA, AES, zlib | The data is inside a JPG comment.\r\n4 | \u003crandom_5_alnum\u003e.gif | GIF | RSA, AES, zlib | The data is inside GIF data blocks.\r\nDepending on the communication format, the data received from the C\u0026C server might need decoding using the base64\r\nalgorithm or extraction from an image. JPGs are scanned for the comment marker FF FE, while GIFs are parsed using the\r\ngiflib library. In both cases, the interesting data is embedded in the structures of the image format and not hidden in\r\nindividual pixels of an image, as in LSB steganography for example.\r\nCommunication formats 0 and 1, though not observed, simply decrypt resulting data using RSA-4096. Formats 2, 3, and 4\r\nare more complex. 
The resulting data starts with an encrypted AES seed, decrypted with RSA-4096 and used to derive a\r\nsession key. This session key is then used to decrypt the rest of the data using AES-256, followed by zlib decompression.\r\nAfter decryption and, if needed, decompression, the received data results in a command package. This package, possessing a\r\nunique ID, is compared to the last processed ID, stored in the backdoor’s state. If they are different, the backdoor processes\r\nthe package and updates the last ID. The package may hold multiple commands. Each command is executed, and its output\r\nsent to the C\u0026C server in a single format, with no steganography, as described in the ensuing Exfiltrating data section.\r\nTo perform cryptographic operations, LunarWeb utilizes a statically linked Mbed TLS library. It has two embedded RSA-4096 keys: one for decrypting incoming data and one for encrypting outgoing data. Both use standard parameters and are\r\noutlined in our GitHub repository.\r\nExfiltrating data\r\nFirst, data is zlib-compressed and encrypted using AES-256, with a session key and IV derived from the data’s size, also\r\nproducing a hash-based message authentication code (HMAC).\r\nFor AES encryption, a random 32-byte AES seed is generated and encrypted using RSA-4096. The seed is used to derive a\r\nsession key in a PBKDF-like manner, SHA-256 hashing the seed and an IV 8,192 times. The same key derivation happens\r\nwhen decrypting received data. The derivation algorithm and encryption code were copied from an older Mbed TLS sample\r\nprogram that was removed from the library in 2021.\r\nFinally, the encrypted data, along with decryption and integrity metadata, is sent. If output data exceeds 1.33 MB after\r\ncompression, it is split into multiple parts of random size (384–512 KB).\r\nPOST requests to the C\u0026C server include impersonation headers and victim identification, and their sending is delayed by a\r\nsleep of 34 to 40 seconds. 
Interestingly, each command package received contains an output URL, which is where to send\r\nthe result. This could be a different URI on the same C\u0026C server, or a completely different server. In the limited number of\r\ncommand packages that we observed, the output URL was the same as the command URL.\r\nCommands\r\nLunarWeb supports common backdoor capabilities, including file and process operations, and running shell commands,\r\nincluding ones via PowerShell. One of the commands stands out, with the rather uncommon capability of being able to run\r\nLua code.\r\nThe full list of supported commands, with additional details, is shown in Table 4.\r\nTable 4. Overview of LunarWeb commands\r\nType | Command | Details\r\n0 | Run shell commands via a BAT file and get output | Runs specified shell commands via a temporary BAT file %TEMP%\\\u003crandom_9_alnum_chars\u003e.bat. The output is retrieved via a pipe (also applies to the next four commands).\r\n1 | Run shell commands and get Unicode output | Runs the shell commands on the command line via cmd.exe /c and /U option for Unicode output.\r\n2 | Run shell commands and get output | Runs the shell commands on the command line via cmd.exe /c.\r\n3 | Run PowerShell commands via a PS1 file and get output | Runs specified PowerShell commands via a temporary script file %TEMP%\\\u003crandom_12_alnum_chars\u003e.ps1.\r\n4 | Run PowerShell commands and get output | Runs specified PowerShell commands via powershell.exe -command.\r\n5 | Run Lua code | Lua code is executed using the statically linked LuaCOM library and the Lua library, version 5.1.5. These libraries, along with the command, were not present in the single 32-bit version of the LunarWeb backdoor that we observed.\r\n6 | Write file | Specifies the file path and content to write.\r\n7 | Read file | Uses file mapping to access content instead of the regular ReadFile API.\r\n8 | Get victim identification via WMI | Obtains victim identification information using WMI queries, the same information as described in the Information collection section.\r\n9 | No operation | N/A\r\n10 | Update state entry in third slot | Updates an entry in the state used by the backdoor (index 2), adjusting break duration before communication loop and after C\u0026C contact failure.\r\n11 | Set state content in first slot | Sets the content of the state in the first slot (index 0), but its purpose is unknown.\r\n12 | Set state content in second slot | Sets the content of the state in the second slot (index 1), but its purpose is unknown.\r\n13 | Create process and get output | Creates an arbitrary process with a specified command line and retrieves its output via a pipe.\r\n14 | Zip specified path(s) | Creates a ZIP archive with specified files and directories, via the statically linked Zipper library.\r\nSome of the commands can output an error message referring to the commands as tasks – Format of the task is incorrect.\r\nWe were able to recover a command package that contained multiple shell commands used for reconnaissance executed via\r\ncommand 1, collecting the following: system and OS Information, user information, network configuration and connections,\r\nenvironment variables, scheduled tasks, installed programs and security products, firewall settings, directory listings,\r\nKerberos tickets and sessions, shared resources, Group Policy, and local group memberships. 
Additionally, a read file\r\ncommand (7) was used to retrieve Zabbix configuration from a specified file path.\r\nStage 2 payload #2 – LunarMail backdoor\r\nThe second backdoor, which we call LunarMail, shares many similarities with LunarWeb. The main difference is the\r\ncommunication method – LunarMail uses email for communication with its C\u0026C server.\r\nThis backdoor is designed to be deployed on user workstations, not servers – because it is persisted and intended to run as an\r\nOutlook add-in. A high-level overview of how LunarMail operates is shown in Figure 5.\r\nFigure 5. LunarMail operation\r\nLunarMail shares ideas of its operation with LightNeuron, another Turla backdoor that uses email messages for C\u0026C\r\npurposes. Although both use a similar exfiltration method, we did not find any code similarities between the two backdoors.\r\nOther Turla backdoors with similar operation include Outlook backdoor.\r\nInitialization\r\nDuring its initialization, the backdoor decrypts a string used to initialize a regex object that is used as a filter to search for\r\nthe email profile to use for C\u0026C purposes, which we describe later. The regex expression, and other strings in the backdoor,\r\nare encrypted using RC4 with the static key E3 7C 9E B0 DF D1 46 48 B4 AE 8A 5F 2A A1 78 7B.\r\nTo interact with Outlook, the backdoor dynamically resolves the necessary Outlook Messaging API (MAPI) functions.\r\nOn each run, the backdoor creates a directory in the path %TEMP%\\{\u003crandom_guid\u003e}, used as a staging directory for data\r\nexfiltration.\r\nConfiguration and state\r\nSimilar to LunarWeb, LunarMail’s configuration entries are hardcoded in the binary. 
It also maintains a state file, with a\r\nsingle state (unlike LunarWeb, which has multiple state slots).\r\nThe configuration likely consists of conditions to find an Outlook profile for C\u0026C communications, default exfiltration\r\nconfiguration, and the backdoor’s lifespan limit.\r\nThe state is persisted in the file %LOCALAPPDATA%\\Microsoft\\Outlook\\outlk.share with a 668-byte structure, updated\r\nduring execution. It stores, among other things, a timestamp of the last executed command and the current staging directory. On\r\nsubsequent runs, the previous staging directory is deleted and replaced with a new one.\r\nInformation collection\r\nOn first run, the LunarMail backdoor collects the following information:\r\nenvironment variables, and\r\nrecipients of all sent email messages (email addresses).\r\nAdditionally, a batch file with shell commands to obtain further system information is decrypted but never executed.\r\nIn certain error cases, such as failure to collect the aforementioned information, the email addresses of available Outlook\r\nprofiles are collected.\r\nCommunication and commands\r\nRunning inside Outlook, the LunarMail backdoor communicates with its C\u0026C server – receiving commands and exfiltrating\r\ndata – using email messages, via the Outlook Messaging API (MAPI).\r\nProfile search\r\nTo communicate, LunarMail first searches for suitable Outlook profiles provided by Microsoft Exchange. The profile\r\nconditions include having only four default folders (Inbox, Sent, Deleted, and Outbox), containing the domain of the\r\ntargeted institution in the email address, and not matching a regex pattern for various legitimate institutional emails.\r\nThe first matching profile sends initial information. For further communication, the inboxes of profile candidates are\r\nsearched for command-containing emails. 
This approach avoids hardcoding profiles and makes identification harder.\r\nAdditionally, commands can set a specific profile to use, which is persisted in the backdoor’s state.\r\nReceiving commands\r\nLunarMail identifies a profile with commands by searching email messages and attempting to parse their attachments. The\r\nattachment must be a single PNG image with the .png extension, no larger than 10 MB. It then\r\nattempts to parse IDAT chunks of the PNG file, looking for an AES seed, an exfiltration configuration, and commands\r\nchunks. All these components are zlib-compressed and encrypted, the first using RSA-4096 and the latter two using AES.\r\nInterestingly, the chunks must adhere to the PNG format with verified CRCs, resulting in a valid, but noisy-looking image\r\ndue to encrypted, compressed content.\r\nLunarMail uses the same cryptography as LunarWeb, including the Mbed TLS library, two RSA-4096 keys (listed in our\r\nGitHub repository), and usage of AES-256 with the same key derivation algorithm. The decompressed chunk with AES-encrypted content has a similar structure to that seen in LunarWeb.\r\nThe decrypted, decompressed exfiltration configuration has a specific structure including configuration ID, email address,\r\nsubject, body, and attachment name and extension.\r\nThe exfiltration configuration structure mirrors LunarWeb’s command package metadata, specifying the command outputs’\r\ndestination and an ID to avoid duplicate commands, stored in state. Once decrypted and decompressed, LunarMail\r\ncommands have a structure identical to LunarWeb’s. 
Each parsed command is executed, storing output in the staging\r\ndirectory for exfiltration.\r\nNotably, email messages that fail parsing for commands have their IDs cached to avoid repeated parsing, although the cache\r\nis not persisted and it is recreated on each backdoor execution. Emails successfully parsed for commands are deleted after\r\nprocessing.\r\nCommands\r\nIn terms of command capabilities, LunarMail is simpler and features a subset of the commands found in LunarWeb. It can\r\nwrite a file, create a new process, and uniquely, take a screenshot and modify the C\u0026C communication email address. While\r\nLunarMail lacks separate commands for running shell or PowerShell commands, it does support Lua scripts. When\r\nexecuted, commands write their output to files in the staging directory.\r\nThe full list of supported commands is shown in Table 5.\r\nTable 5. Overview of LunarMail commands\r\nType | Command | Details\r\n0 | No operation | N/A\r\n1 | Write file | Specifies the file path and content to write.\r\n2 | Set the email address used for C\u0026C communications | Sets a specific Outlook profile to use for C\u0026C communications. The profile is specified by an email address, which is then persisted in the backdoor’s state.\r\n3 | Create process and get output | Creates an arbitrary process with a specified command line, redirecting its output to the staging directory.\r\n4 | Take a screenshot | Utilizes GDI+ API to capture the entire screen and produce a JPG file.\r\n5 | Run Lua code | Just as in LunarWeb, Lua code is executed using the statically linked libraries LuaCOM and Lua.\r\nExfiltrating data – preparation\r\nLunarMail searches its staging directory for output files produced by the backdoor, preparing them for exfiltration by\r\nembedding them in a PNG image or PDF document (depending on the attachment extension in the exfiltration\r\nconfiguration). 
Both PNG and PDF files are created using a valid content template.\r\nFor PNG files, a template matching the compromised institution’s logo is used, indicating prior knowledge and preparation of the backdoor. To create a PNG that contains output files, LunarMail first generates a random 32-byte AES seed, used for encryption. Then it creates IDAT chunks with data and appends them to the PNG template. The chunks are similar to received commands, containing the following:\r\nChunk with AES seed – RSA-4096 encrypted, zlib compressed.\r\nChunk(s) with filename and content – AES-256 encrypted, zlib compressed.\r\nBefore compression and encryption, the output file name and content are wrapped into a structure that also contains a magic string 001035 that could be the backdoor version. Just like in received command PNGs, the created chunks follow the PNG specification and have their CRC checksums calculated, ensuring a valid image. To finalize the image, the IEND footer chunk is appended.\r\nThe second method, producing a PDF file, uses an encrypted template from the file %TEMP%\\l4_mgrT.tmp. We have not observed this data file and the template’s content is unknown, but it is probably a benign, unsuspicious document.\r\nThe output files with metadata are inserted at the end of the last stream in the PDF template, before the terminating endstream keyword. They are inserted in the following format and order:\r\n1. Output files – variable sized, zlib compressed, AES-256 encrypted.\r\n2. 
Metadata – fixed size (512 bytes), RSA-4096 encrypted.\r\nThe output filename and content are wrapped into the same structure as with the PNG, including the magic string, which is then compressed and encrypted.\r\nThe metadata contains the information necessary for parsing and decrypting the output file structures, including the AES seed and the output file positions in the PDF file.\r\nAfter processing and embedding in the PNG or PDF file, files staged for exfiltration are deleted. The created file temporarily resides in the staging directory until exfiltration.\r\nExfiltrating data – transmission\r\nPrepared PNG images or PDF documents containing output files are transmitted as attachments in emails to an attacker-controlled inbox, as per the exfiltration configuration. The default LunarMail setup includes a specific recipient email, subject header, message body, and attachment filename. The email content, although in the language of the compromised European MFA, appears machine translated due to its unnatural phrasing.\r\nAn exfiltration configuration from a received command overrides the default one. We have not recovered any commands, so we don’t know whether different email recipients, subjects, bodies, or attachment names or types are used across multiple commands.\r\nIf supported, the email body uses HTML format. The PNG is embedded as an image in the body, unlike the PDF. Figure 6 shows an illustration of an exfiltration email based on the default configuration. The email was translated, redacted, and the logo was changed by ESET Research, so as not to reveal the compromised institution.\r\nFigure 6. Illustration of an exfiltration email with data hidden in the image\r\nExfiltration email messages are sent with the PR_DELETE_AFTER_SUBMIT flag. 
In addition, any sent messages to the exfiltration address are deleted.\r\nConclusion\r\nWe have described two previously unknown backdoors used in compromises of a European government’s institutions, which we attribute with medium confidence to the Russia-aligned APT group Turla.\r\nThe backdoors share a loader, bear code overlaps, and support similar commands, but they adopt different C\u0026C communication methods. The first backdoor – LunarWeb – uses HTTP(S) and attempts to blend in by mimicking the traffic of legitimate services such as Windows Update. The second backdoor – LunarMail – piggybacks on Outlook and communicates via email messages, using either PNG images or PDF documents to exfiltrate data.\r\nWe observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are outside the scope of this blogpost) in the backdoors. 
This suggests multiple individuals were likely involved in the development and operation of these tools.\r\nAlthough the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.\r\nIoCs\r\nA comprehensive list of IoCs and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nDE83C2C3FE68CB1BF96173E9EE3EA6161DCFB24A | App_Web_0bm4blbr.dll | MSIL/Agent.ERT | Compiled version of ASP.NET web page that installs LunarWeb.\r\n9CEC3972FA35C88DE87BD66950E18B3E0A6DF77C | N/A | VBA/TrojanDownloader.Agent.ZJC | Malicious Word macro that installs LunarMail.\r\n2ED792E39F7D56DE52BDF4AED96AFC898478BFDF | gpgol.dll | Win64/LunarLoader.B | LunarLoader (x64) used to load LunarMail.\r\nF09E36553E48EBD42E60D9B25A390C0F57FF8DE0 | gpgol.dll | Win32/LunarLoader.A | LunarLoader (x86) used to load LunarMail.\r\n94A4CE9C75BC847E7BE59B96C4133D677D909414 | tapiperf.dll | Win64/LunarLoader.C | LunarLoader (x64) used to load LunarWeb.\r\n00006B30806F915911349D82BEEB1AEB9025ADB4 | admpwd.dll | Win64/LunarLoader.A | LunarLoader (x64); a trojanized AdmPwd, used to load LunarWeb.\r\n19D86CF2ED82EAE23E019706FAE8DAFC60552E85 | AdmPwd.dll | Win64/LunarLoader.A | LunarLoader (x64); a trojanized AdmPwd, used to load LunarWeb.\r\n795C4127D42FE8DFAF4510B406B52BA5BEDE8D3A | winnet.dll.mui | Win64/LunarLoader.B | LunarLoader (x64) used to load LunarWeb.\r\n754FB657156643FD09A68EC9FC124528578CAB0C | N/A | Win32/LunarWeb.A | LunarWeb backdoor (x86).\r\nFCAE66F6D95C78DC829688CC0F4C39BB5A57828B | N/A | Win64/LunarMail.A | LunarMail backdoor (x64).\r\n67C6AEC8D129E610378EF52F8BF934886587932F | N/A | Win32/LunarMail.A | LunarMail backdoor (x86).\r\n4C84110F1B10DF5FDD612759E210E44B0F0505EF | N/A | Win64/LunarWeb.A | LunarWeb backdoor (x64).\r\n5D3975E57BDCB630A00FEBE5D405EEFB6D119D86 | N/A | Win64/LunarWeb.A | LunarWeb backdoor (x64).\r\n5EF771AFC96C24371D367448627609CFACB34A57 | N/A | Win64/LunarWeb.A | LunarWeb backdoor (x64).\r\n512E4FA7D6119270FF44A3B2A2359EE8825392EF | N/A | Win64/LunarWeb.A | LunarWeb backdoor (x64).\r\nFile paths\r\nStage 2 blob\r\nC:\\Windows\\System32\\DynamicAuth.bin\r\nC:\\Program Files\\LAPS\\CSE\\admpwd.cache\r\nC:\\ProgramData\\Microsoft\\WinThumb\\adcache.clb\r\nC:\\Windows\\System32\\perfcache.dat\r\n%USERPROFILE%\\Gpg4win\\tempkeys.dat\r\nLunarWeb state file\r\nC:\\ProgramData\\Microsoft\\Windows\\Templates\\content.tpl\r\nC:\\ProgramData\\Microsoft\\WinThumb\\thumb.clb\r\nC:\\ProgramData\\Microsoft\\WinThumb\\cfcache.clb\r\nC:\\Windows\\System32\\perfconfm.dat\r\nLunarMail state file\r\n%LOCALAPPDATA%\\Microsoft\\Outlook\\outlk.share\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | thedarktower.av.master.dns-cloud[.]net | N/A | 2020‑02‑01 | Domain (Free DNS) pinged by malicious Word macro.\r\n45.33.24[.]145 | N/A | Akamai Connected Cloud | 2020‑05‑20 | C\u0026C server of LunarWeb (compromised VPS).\r\n45.79.93[.]87 | N/A | Akamai Connected Cloud | 2020‑05‑20 | C\u0026C server of LunarWeb (compromised VPS).\r\n65.109.179[.]67 | N/A | Hetzner Online GmbH | 2023‑10‑29 | C\u0026C server of LunarWeb (compromised VPS).\r\n74.50.80[.]35 | N/A | Host Department NJ, LLC | 2023‑10‑29 | C\u0026C server of LunarWeb.\r\n82.165.158[.]86 | N/A | IONOS SE | 2022‑08‑03 | C\u0026C server of LunarWeb (compromised VPS).\r\n82.223.55[.]220 | N/A | IONOS SE | 2022‑08‑03 | C\u0026C server of LunarWeb (compromised VPS).\r\n139.162.23[.]113 | N/A | Akamai Connected Cloud | 2023‑06‑15 | C\u0026C server of LunarWeb (compromised VPS).\r\n158.220.102[.]80 | N/A | Contabo GmbH | 2023‑10‑29 | C\u0026C server of LunarWeb.\r\n161.97.74[.]237 | N/A | Contabo GmbH | 2023‑06‑15 | C\u0026C server of LunarWeb.\r\n176.57.150[.]252 | N/A | Contabo GmbH | 2023‑06‑15 | C\u0026C server of LunarWeb.\r\n212.57.35[.]174 | N/A | Webglobe, a.s. | 2023‑06‑02 | C\u0026C server of LunarWeb (compromised VPS).\r\n212.57.35[.]176 | N/A | Webglobe, a.s. | 2023‑06‑02 | C\u0026C server of LunarWeb (compromised VPS).\r\nRegistry keys\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{3115036B-547E-4673-8479-EE54CD001B9D}\\\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nReconnaissance | T1591 | Gather Victim Org Information | LunarMail’s communication method indicates prior knowledge about compromised institutions.\r\nResource Development | T1583.002 | Acquire Infrastructure: DNS Server | Stage 0 macro pings a domain from free DNS hosting provided by ClouDNS.\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Turla has used VPS hosting providers for C\u0026C servers.\r\nResource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server | Turla has used compromised VPSes for C\u0026C purposes.\r\nResource Development | T1586.002 | Compromise Accounts: Email Accounts | Turla has used likely compromised email accounts for communication with the LunarMail backdoor.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Turla has developed custom malware, including loaders and backdoors.\r\nExecution | T1047 | Windows Management Instrumentation | LunarWeb obtains system information by using WMI queries.\r\nExecution | T1059 | Command and 
Scripting Interpreter | LunarWeb and LunarMail can execute Lua scripts.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | LunarWeb can execute PowerShell commands.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | LunarWeb can execute shell commands via cmd.exe.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Stage 0 Word document contains a VBA macro.\r\nExecution | T1106 | Native API | LunarWeb and LunarMail use various Windows APIs.\r\nExecution | T1204.002 | User Execution: Malicious File | Stage 0 Word document with malicious macro must be opened by victim.\r\nPersistence | T1137.006 | Office Application Startup: Add-ins | LunarMail loader is persisted as an Outlook add-in.\r\nPersistence | T1547 | Boot or Logon Autostart Execution | A LunarWeb loader is persisted as a Group Policy extension.\r\nPersistence | T1574 | Hijack Execution Flow | A LunarWeb loader is persisted by replacing the system DLL tapiperf.dll.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | LunarWeb and LunarMail are AES-256 encrypted on disk.\r\nDefense Evasion | T1027.003 | Obfuscated Files or Information: Steganography | LunarMail stages exfiltration data into a PNG image or PDF document.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | LunarMail dynamically resolves MAPI functions.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | LunarMail installer has payloads embedded in a DOCX format document.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Filenames used by LunarWeb and LunarMail loading chains mimic legitimate files.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | LunarWeb and LunarMail can uninstall themselves by deleting their loading chain.\r\nDefense Evasion | T1070.008 | Indicator Removal: Clear Mailbox Data | LunarMail deletes email messages used for C\u0026C communications.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | LunarWeb and LunarMail decrypt their strings using RC4.\r\nDefense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | LunarLoader decrypts its payload using a key derived from the DNS domain name.\r\nDefense Evasion | T1620 | Reflective Code Loading | LunarWeb and LunarMail are executed using a reflective loader.\r\nDiscovery | T1007 | System Service Discovery | LunarWeb retrieves a list of services.\r\nDiscovery | T1016 | System Network Configuration Discovery | LunarWeb retrieves network adapter information.\r\nDiscovery | T1057 | Process Discovery | LunarWeb retrieves a list of running processes.\r\nDiscovery | T1082 | System Information Discovery | LunarWeb retrieves system information such as OS version, BIOS version, domain name, and environment variables. LunarMail retrieves environment variables.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | LunarWeb discovers installed security solutions via the WMI query wmic /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get *.\r\nCollection | T1005 | Data from Local System | LunarWeb and LunarMail can upload files from the compromised machine.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | LunarMail stages data in a directory in %TEMP%.\r\nCollection | T1113 | Screen Capture | LunarMail can capture screenshots.\r\nCollection | T1114.001 | Email Collection: Local Email Collection | LunarMail collects recipients of sent email messages and can collect email addresses of Outlook profiles.\r\nCollection | T1560.002 | Archive Collected Data: Archive via Library | LunarWeb and LunarMail use a statically linked zlib library for compression of collected data.\r\nCommand and Control | T1001.002 | Data Obfuscation: Steganography | LunarWeb can receive commands hidden in JPG or GIF images. LunarMail receives commands hidden in PNG images and exfiltrates data hidden in PNG images or PDF documents.\r\nCommand and Control | T1001.003 | Data Obfuscation: Protocol Impersonation | LunarWeb impersonates legitimate domains in C\u0026C communications by using a fake Host header and known URIs.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | LunarWeb uses HTTP for C\u0026C communications.\r\nCommand and Control | T1071.003 | Application Layer Protocol: Mail Protocols | LunarMail uses email messages for C\u0026C communications.\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy | LunarWeb can use an HTTP proxy for C\u0026C communications.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Stage 0 macro pings the C\u0026C server, utilizing ICMP protocol.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | LunarWeb may receive base64-encoded data from the C\u0026C server.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | LunarWeb and LunarMail encrypt C\u0026C communications using AES-256.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | LunarWeb and LunarMail encrypt the AES key used in C\u0026C communications using RSA-4096.\r\nExfiltration | T1020 | Automated Exfiltration | LunarWeb and LunarMail automatically exfiltrate collected data to the C\u0026C server.\r\nExfiltration | T1030 | Data Transfer Size Limits | LunarWeb splits exfiltrated data above 1.33 MB into multiple smaller chunks. LunarMail limits the size of email attachments containing exfiltrated data.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | LunarWeb and LunarMail exfiltrate data over the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/"
	],
	"report_names": [
		"moon-backdoors-lunar-landing-diplomatic-missions"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb38ec9e943645f3568e94c0b66ec04218dd65f2.pdf",
		"text": "https://archive.orkl.eu/bb38ec9e943645f3568e94c0b66ec04218dd65f2.txt",
		"img": "https://archive.orkl.eu/bb38ec9e943645f3568e94c0b66ec04218dd65f2.jpg"
	}
}