{
	"id": "b92af3be-3e03-4dc9-9080-3c5875f2dfaf",
	"created_at": "2026-04-06T00:09:03.647931Z",
	"updated_at": "2026-04-10T03:36:59.235822Z",
	"deleted_at": null,
	"sha1_hash": "c391d488a06c542b5cb84978f553e15532424a3e",
	"title": "TURLA’s new phishing-based reconnaissance campaign in Eastern Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 246033,
	"plain_text": "TURLA’s new phishing-based reconnaissance campaign in Eastern Europe\r\nBy Guillaume C., Maxime A. and Sekoia TDR\r\nPublished: 2022-05-23 · Archived: 2026-04-05 17:43:08 UTC\r\nTable of contents\r\nExecutive Summary\r\nAnalysis\r\nDocument technical analysis\r\nIOCs \u0026 Technical Details\r\nThis blog post on TURLA was originally published as a FLINT report (SEKOIA.IO Flash Intelligence) sent to our clients on May 11, 2022.\r\nExecutive Summary\r\nThe SEKOIA.IO Threat \u0026 Detection Research (TDR) team has expanded the search on the infrastructure of the Russian-linked TURLA intrusion set, starting from a Google TAG blog post. The search exposes a reconnaissance and espionage campaign by Turla against the Baltic Defence College, the Austrian Economic Chamber (which has a role in government decision-making, including economic sanctions) and NATO’s eLearning platform JADL (Joint Advanced Distributed Learning), pointing to Russian intelligence interest in the defense sector in Eastern Europe and in topics related to the economic sanctions against the Russian Federation.\r\nAnalysis\r\nOn May 3rd 2022, Google’s Threat Analysis Group (TAG) published a report, “Update on cyber activity in Eastern Europe”, exposing ongoing campaigns targeting Eastern Europe from several APTs: the Russian-linked APT28, TURLA and Callisto, the Belarus-linked Ghostwriter, and Curious Gorge, a group TAG attributes to China’s People’s Liberation Army Strategic Support Force (the space, cyber and electronic warfare force and the fifth branch of the PLA).\r\nSekoia.io researchers have expanded the investigation of TURLA’s infrastructure through the domains in the TAG report:\r\nwkoinfo.webredirect[.]org\r\njadlactnato.webredirect[.]org\r\nTURLA (aka Uroburos, Snake, Venomous Bear) is a long-standing Russian-speaking cyber espionage group widely believed to be operated by the Federal Security Service of the Russian Federation (FSB). 
The group is mainly known for targeting Ministries of Foreign Affairs and Defense organizations.\r\nActive since at least 1996, this intrusion set is suspected to have breached many sensitive US networks during a campaign dubbed “Moonlight Maze” from 1996 to 1999. In 2008 Turla is suspected to have used a USB worm dubbed “Agent.BTZ” to breach the US Department of Defense’s most sensitive networks.\r\nBoth domains resolve to the IP 79.110.52[.]218, which did not allow further investigation, but the first domain also exposed 45.153.241[.]162, which can be linked through Shodan to a new domain, baltdefcol.webredirect[.]org, typosquatting www.baltdefcol.org, the Baltic Defence College’s website.\r\nIn every directory discovered, we found the same Word document, “War Bulletin April 27, 19:00 CET”, which appeared to be legitimate but included an external PNG file named logo.png that was not reachable during the investigation.\r\nFigure 1. Directory listing on Turla’s server showing a document.\r\nThe Baltic Defence College (BALTDEFCOL) is a center for strategic research established by Estonia, Latvia and Lithuania in 1999. It provides military education and conferences to high-ranking officers from the founding states as well as allies such as NATO, the EU and other European countries including Ukraine. BALTDEFCOL has published studies about the Russian invasion of Ukraine and has tweeted about a US Air Force War College delegation hosted during its European study trip on March 17. Later, on April 19, the Chiefs of Defense of Estonia and Latvia, Lieutenant-General Herem and Lieutenant-General Kalniņš, visited the Baltic Defence College. They both provided an overview of national defense concepts, highlighting priorities when preparing armed forces to face any threat to national sovereignty. 
These visits, and the strategic role BALTDEFCOL may have in Baltic military strategy against Russia, could be reasons for Turla targeting this institution for espionage purposes.\r\nWe also focused on wkoinfo.webredirect[.]org, which typosquats wko.at, the official website of the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO). The directories of the malicious domains and subdomains investigated exposed the same Word document: “23.03.2022 : Neue USA Exportkontrollen und Sanktionen: Fokus Russland – Was müssen österreichische Unternehmen jetzt beachten? – WKO.at” (“23.03.2022: New US export controls and sanctions, focus on Russia: what must Austrian companies now consider?”).\r\nThe Austrian Federal Economic Chamber has a broader function than the economic chambers of other countries, whose role is purely consultative. By law, Austrian governments must consult the Chambers on legislative projects and important regulation, including economic sanctions. This involvement in decision-making and administrative procedures may be the reason for Russian espionage operations through Turla’s phishing campaign, especially in a European country reputed to be a diplomatic bridge between the Western and Russian sides. Indeed, while Vienna officially supports Kiev, Austria wants to keep its neutral status, voted to reject sanctions against Russian oil and gas, and did not send weapons to Ukraine. Any change in the Austrian position could therefore have an important effect on Western unity in the face of the Russian invasion of Ukraine, motivating close monitoring from Moscow. 
\r\nLastly, we noted that jadlactnato.webredirect[.]org typosquats NATO Joint Advanced Distributed Learning (JADL), an e-learning platform hosted at https://jadl.act.nato[.]int that was established to research and provide education and training to NATO military and governmental personnel and NATO officials.\r\nDocument technical analysis\r\nThese documents request the PNG file through an external relationship declared in the package part word/_rels/document.xml.rels: the image relationship is marked TargetMode=\"External\" with an HTTP URL as its target, so Word fetches the image from the remote server when it renders the document. Notably, the request is made over HTTP rather than through an SMB path. The document therefore carries no malicious code; the campaign has been used for reconnaissance purposes only.\r\nBecause the document makes an HTTP request to the attacker-controlled server, the attacker obtains, from the request’s User-Agent header, the type and version of the Word application used by the victim, which is useful for sending a tailored exploit for that specific Microsoft Word version.\r\nMoreover, the attacker obtains the public IP address of the victim, which is also a useful selector for monitoring the victim’s communications via TURLA’s SIGINT capabilities. 
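To make the mechanism above concrete, here is an added Python example (not code from the Sekoia post) that builds a minimal DOCX whose image relationship points at an external HTTP URL, then scans the package for relationships that Word would resolve over the network when the file is opened. The package layout, the relationship IDs and the URL http://203.0.113.7/34112/logo.png are constructed placeholders, not indicators from the report; the hyperlink to example.com is included only to show that external hyperlinks, which are common in legitimate documents, are not fetched on open and must not be reported as beacons. Unlike the YARA rule in the IOC section, which matches raw bytes near the end of the file, the scanner reads the decompressed relationship parts, so it works whatever compression the zip entries use.

```python
# Added example, not code from the Sekoia post. It builds a minimal DOCX whose
# relationship part points an image at an external HTTP URL, as the decoy
# documents described above do, then scans the package for such beacons.
# The package layout and the URL http://203.0.113.7/34112/logo.png are
# constructed placeholders, not indicators from the report.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
OFFICE_REL = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/'
REMOTE_SCHEMES = ('http:', 'https:', 'ftp:', 'file:')
# Same shape as the $s2 string of the YARA rule on this page: a numeric
# directory followed by logo.png. Written with [.] to avoid escape characters.
LOGO_RE = re.compile('[0-9]{3,10}/logo[.]png$')


def build_decoy_docx(image_url):
    # Just enough OOXML for the scanner: a document part, a styles part and
    # the relationships that bind them. The image relationship carries
    # TargetMode=External, so Word resolves it over the network on render.
    rels = ET.Element('Relationships', xmlns=REL_NS)
    ET.SubElement(rels, 'Relationship', Id='rId1',
                  Type=OFFICE_REL + 'styles', Target='styles.xml')
    ET.SubElement(rels, 'Relationship', Id='rId2',
                  Type=OFFICE_REL + 'hyperlink', Target='https://example.com/',
                  TargetMode='External')
    ET.SubElement(rels, 'Relationship', Id='rId3',
                  Type=OFFICE_REL + 'image', Target=image_url,
                  TargetMode='External')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<document/>')
        z.writestr('word/styles.xml', '<styles/>')
        z.writestr('word/_rels/document.xml.rels',
                   ET.tostring(rels, encoding='unicode'))
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    # Walk every .rels part (headers, footers and footnotes have their own)
    # and collect relationships that resolve outside the package.
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith('.rels'):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter('{%s}Relationship' % REL_NS):
                target = rel.get('Target', '')
                mode = rel.get('TargetMode', 'Internal')
                if mode.lower() != 'external' and not target.lower().startswith(REMOTE_SCHEMES):
                    continue
                kind = rel.get('Type', '').rsplit('/', 1)[-1]
                hits.append({
                    'part': name,
                    'id': rel.get('Id'),
                    'kind': kind,
                    'target': target,
                    # Word fetches images, templates and OLE objects while
                    # rendering; hyperlinks are only followed on click.
                    'fetched_on_open': kind != 'hyperlink',
                    'turla_like': bool(LOGO_RE.search(target)),
                })
    return hits


def beacons(docx_bytes):
    # Only the relationships that make Word phone home when the file is opened.
    return [h for h in find_external_relationships(docx_bytes) if h['fetched_on_open']]


if __name__ == '__main__':
    sample = build_decoy_docx('http://203.0.113.7/34112/logo.png')
    for hit in find_external_relationships(sample):
        print(hit)
```

Run against a real suspect document, replace the constructed package with the file bytes and treat any beacon whose target uses an http, https or file scheme as a reconnaissance indicator: the fetch alone leaks the Word version (User-Agent) and the source IP, even when the image itself is never served.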
\r\nIOCs \u0026 Technical Details\r\nYARA rule\r\nrule apt_TURLA_ExternalPNGDocument_strings {\r\n    meta:\r\n        id = \"51413d41-d0f4-4e1a-9f12-322921e48977\"\r\n        version = \"1.0\"\r\n        intrusion_set = \"TURLA\"\r\n        description = \"Detects external logo embedded in DOCX documents\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2022-05-05\"\r\n        modification_date = \"2022-05-05\"\r\n        classification = \"TLP:GREEN\"\r\n    strings:\r\n        $s1 = \"/relationships/image\"\r\n        $s2 = /[0-9]{3,10}\\/logo\\.png/\r\n        $s3 = \"TargetMode=\\\"External\\\"/\u003e\u003c\"\r\n    condition:\r\n        $s1 in (filesize-400..filesize) and\r\n        $s2 in (filesize-400..filesize) and\r\n        $s3 in (filesize-400..filesize)\r\n}\r\nInfrastructure\r\n45.153.241[.]162\r\n79.110.52[.]218\r\n149.154.157[.]11\r\nbaltdefcol.webredirect[.]org\r\nwkoinfo.webredirect[.]org\r\njadlactnato.webredirect[.]org\r\nDocument hashes (MD5)\r\nf6e755e2af0231a614975d64ea3c8116\r\nf223e046dd4e3f98bfeb1263a78ff080\r\nTTPs (MITRE ATT\u0026CK)\r\nSpearphishing Link (T1598.003)\r\nGather Victim Network Information: IP Addresses (T1590.005)\r\nGather Victim Host Information: Software (T1592.002)\r\nSource: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/"
	],
	"report_names": [
		"turla-new-phishing-campaign-eastern-europe"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "648e7c31-30eb-4ff2-8685-01ba3766192b",
			"created_at": "2023-01-06T13:46:39.355652Z",
			"updated_at": "2026-04-10T02:00:03.29804Z",
			"deleted_at": null,
			"main_name": "Curious Gorge",
			"aliases": [
				"UNC3742"
			],
			"source_name": "MISPGALAXY:Curious Gorge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "affb8b7a-fd2b-4764-8c61-f85b04284302",
			"created_at": "2022-10-25T16:07:23.508429Z",
			"updated_at": "2026-04-10T02:00:04.633991Z",
			"deleted_at": null,
			"main_name": "Curious Gorge",
			"aliases": [],
			"source_name": "ETDA:Curious Gorge",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434143,
	"ts_updated_at": 1775792219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c391d488a06c542b5cb84978f553e15532424a3e.pdf",
		"text": "https://archive.orkl.eu/c391d488a06c542b5cb84978f553e15532424a3e.txt",
		"img": "https://archive.orkl.eu/c391d488a06c542b5cb84978f553e15532424a3e.jpg"
	}
}