{
	"id": "bfc0b3d4-abb8-498b-9222-9f4b9cae9b08",
	"created_at": "2026-04-06T00:09:58.092509Z",
	"updated_at": "2026-04-10T03:33:35.788858Z",
	"deleted_at": null,
	"sha1_hash": "d4cf7043f86b775aafdf91a4758f8e8e4fb2ebbf",
	"title": "The J-Magic show: Magic packets and where to find them",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101595,
	"plain_text": "The J-Magic show: Magic packets and where to find them\r\nBy By Black Lotus Labs\r\nArchived: 2026-04-05 18:15:16 UTC\r\nExecutive summary\r\nThe Black Lotus Labs team at Lumen has been tracking the use of a backdoor attack tailored for use against\r\nenterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a\r\n“magic packet,” sent by the attacker in TCP traffic. We have dubbed this campaign J-magic, it is a recent operation\r\nwith the earliest sample uploaded to VirusTotal in September 2023. At present, we are unable to determine the\r\ninitial access method, however once in place it installs the agent, a variant of cd00r,which passively scans for five\r\ndifferent predefined parameters before activating. If any of these parameters or “magic packets” are received, the\r\nagent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on\r\nthe local file system, allowing the operators to control the device, steal data, or deploy malicious software.\r\nWe believe enterprise-grade routers present an attractive target as they do not normally have many, if any, host-based monitoring tools in place. Typically, these devices are rarely power-cycled; malware tailored for routers is\r\ndesigned to take advantage of long uptime and live exclusively in-memory, allowing for low-detection and long-term access compared to malware that burrows into the firmware. Routers on the edge of the corporate network or\r\nserving as the VPN gateway, as many did in this campaign, are the richest targets. This placement represents a\r\ncrossroads, opening avenues to the rest of a corporate network. 
Our telemetry indicates the J-magic campaign was\r\nactive from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy,\r\nmanufacturing, and IT verticals among others.\r\nElements of this activity cluster share some technical indicators with a subset of prior reporting on a malware\r\nfamily named SeaSpy2, however we do not have enough data points to link these two campaigns with high\r\nconfidence. SeaSpy was a backdoor that targeted another FreeBSD-based system, the Barracuda mail server, with\r\na variant of cd00r. While some cd00r functions share the same non-standard names, this latest sample contains an\r\nembedded certificate that presents a “challenge” which was not present in previous examples found in VirusTotal,\r\nindicating an evolution in operational security and tradecraft. Though there have been numerous public reports of\r\nadvanced actors targeting networking equipment, Black Lotus Labs tracks the J-magic campaign as unaffiliated\r\nwith other more prominent clusters recently appearing in the public eye.\r\nTechnical details\r\nIntroduction\r\nBlack Lotus Labs has routinely published research on router-orientated malware, the majority of which has\r\nfocused on devices in the consumer or small office/home office (SOHO) space. There are scattered reports of\r\nmalware designed for enterprise grade routers (such as Jaguar Tooth and more recently Canary/BlackTech’s\r\nunnamed router malware), and the vast majority of attacks have come against Cisco IOS systems given their share\r\nhttps://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/\r\nPage 1 of 8\n\nin the market. 
The J-magic campaign marks the rare occasion of malware designed specifically for Junos OS, which\r\nserves a similar market but relies on a different operating system, a variant of FreeBSD.\r\nOur telemetry indicates that roughly 50% of the targeted devices appear to be configured as a virtual private\r\nnetwork (VPN) gateway for their organizations. In these instances, a victim device could be used for remote\r\naccess to the Juniper router/VPN gateway and exploited for credentials or to serve as an access vector into the\r\norganization.\r\nOnce established on a device, the actor appears to favor the use of open-source malware. Our malware sample\r\nappears to fit that trend as a custom variant of cd00r. An open-source project originally released on Packet Storm\r\nin 2000, cd00r was designed to explore the idea of an “invisible” backdoor, or one that presents a number of\r\ndetection challenges for system admins and network engineers. Upon installation, it performed the following\r\nactions:\r\n1. The agent was executed via a command line argument specifying an interface and listening port.\r\n2. The agent started a pcap listener through an eBPF extension on that interface.\r\n3. If a magic packet was detected, it spawned a reverse shell to the IP address and port specified by the magic\r\npacket.\r\n4. The reverse shell then issued a “challenge” by sending a string encrypted via a hard-coded certificate. If the\r\nremote user passed that string back, it would be given a command shell; if the string was not received, it\r\nwould close the remote connection.\r\nWhile this is not the first discovery of magic packet malware, there have only been a handful of campaigns in\r\nrecent years. 
The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive\r\nlistening, in-memory-only agent makes this an interesting confluence of tradecraft worthy of further observation.\r\nMalware analysis – J-magic\r\nOur investigation into this campaign began with the discovery of an interesting malware sample uploaded to\r\nVirusTotal. The file was named “JunoscriptService”, which mimics the Junos automation scripting service.\r\nGiven that we identified the sample on a public repository, we do not have insight into the initial access vector.\r\nOnce the file is uploaded onto the infected router, it expects an interface and port to be provided from the\r\ncommand line when executed. If these are supplied, the malware will rename itself as “[nfsiod 0]” to masquerade\r\nas the local NFS asynchronous I/O server, then hide its tracks by overwriting the previous command line\r\narguments. Once it has renamed its process, it calls the function start_pcap_listener().\r\nThe start_pcap_listener function creates an eBPF filter on the supplied interface and port, then enters a loop to\r\nprocess any packets hit by the filter.\r\nThe loop first checks if the packet is from the infected machine by comparing the host IP and the remote IP; if they\r\nare the same, the packet is ignored. If the packet comes from a remote IP, then various fields/offsets are checked\r\nfor magic bytes. There are five checks for various fields in the packet, and if any of these checks are passed, a\r\nfunction called reverse_shell is called with the IP and port to open a reverse shell to the specific tuple in the magic\r\npacket. 
The predefined conditions are found below:\r\nMagic packet conditions\r\nThe passive agent is embedded in a position to observe all TCP traffic inbound to the device, discreetly filtering\r\nfor a specific set of information, or “conditions,” inserted by the attacker.\r\nCondition 1:\r\nat offset 0x02 from the start of the TCP options, the following two-byte sequence appears: “1366”\r\nthe TCP options must be at least 4 bytes in size\r\nthe attacker IP address will be in the “Sequence Number” field of the TCP header\r\nthe destination port number equals 443\r\nCondition 2:\r\nthe source port of the TCP header must contain the following two-byte sequence: “36429”\r\nthe attacker IP address will be in the Sequence Number field of the TCP header\r\nthe destination port number equals 443\r\nCondition 3:\r\nthe payload data following the IP and TCP headers starts with the four-byte string: Z4vE\r\nthe attacker IP address immediately follows the four-byte string, at offset 0x04\r\nthe attacker port number immediately follows the IP address, at offset 0x08\r\nCondition 4:\r\nat offset 0x08 within the TCP header, the option field starts with the following two-byte sequence: “59020”\r\nat offset 0xA within the TCP options starts the attacker IP address\r\nthe destination port number equals 443\r\nCondition 5:\r\noffset 0x08 within the TCP options starts the following two-byte sequence: “59022”\r\noffset 0xA within the TCP options starts the attacker IP address\r\nthe attacker port number follows the attacker IP at offset 0x0E from the start of the TCP options\r\nIf a packet from a remote IP address matches one of the five predefined conditions above, the agent moves to spawn a\r\nreverse shell. The reverse_shell function forks, creating a child process, and renames it to [nfsiod 1]. Next, it enters\r\na loop that will connect back to the IP and port retrieved from the packet filter, using SSL. 
It creates a random\r\nalphanumeric string that is five characters long. This random string is encrypted using a hardcoded public RSA\r\nkey.\r\nIt sends the encrypted five-character string as a challenge to the supplied IP/port combo. The response from the IP\r\nis compared to the previously created random string. If they are not equal, the connection is closed. If the strings\r\nare equal, then a shell is created with the command prompt “\u003e\u003e” until it receives the exit command. This would\r\nallow the operators to run arbitrary commands on the impacted device.\r\nWe suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the\r\ninternet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own\r\npurposes, as other nation-state actors, such as Turla, are known for exhibiting that parasitic tradecraft.\r\nThe intersection of cd00r, SeaSpy, and J-magic\r\nOnce established on a device, the actor favors the use of open-source malware, our sample being a custom variant\r\nof cd00r, originally released on Packet Storm in 2000 to explore the idea of an “invisible” backdoor. The project\r\nwas later improved upon in 2015 and uploaded to GitHub; this iteration afforded more modularity, such as\r\nselecting the listening port, adding a port-knock, and updating the shell to a pseudo-terminal. One of the key\r\ndifferences is that neither SeaSpy nor J-magic contain the port-knocking sequence from the GitHub version.\r\nOne other similarity between SeaSpy and J-magic is that they have five magic packet conditions; however, those\r\nconditions were different across the two samples. 
We also observed some function name overlap between\r\nSeaSpy and J-magic, such as “reverse_shell” and “\u003e\u003e” denoting a command terminal session; unfortunately, these\r\nnames were common, so we assigned a low level of correlation based upon the technical overlap. The last\r\ndifference is that the J-magic sample included a certificate, which was used in the challenge component referenced\r\nabove; we did not observe that function or any embedded certificates in the sample that was publicly available.\r\nSo, while we can associate this malware family with high confidence as a variant of cd00r, we have low\r\nconfidence in the correlation to the SeaSpy family based upon the information that was released publicly.\r\nGlobal telemetry\r\nAnalysis of the malware and the five conditions to execute J-magic revealed some network-based features, which we used to\r\ncreate analytics in our netflow-based telemetry. We queried our telemetry for those conditions, then enriched the\r\ndestination IP address with public scan data to ensure it was identified as a Juniper router, based upon available\r\nbanners. If the destination IP address was not a Juniper router, it was dropped as a likely false positive.\r\nWe first deployed this analytic in mid-March 2024 and ran it through September 1, 2024; it fired on less than 0.01%\r\nof analyzed netflow during that time. The yield was an incredibly small dataset of potential true positives\r\ncorresponding to 36 unique IP addresses representing organizations across the globe.\r\nPotentially impacted IP addresses were grouped into two clusters; the first cluster, which made up the lion’s share,\r\ncomprised impacted IP addresses that have self-signed X.509 certificates – indicating that these devices\r\nwere acting as a VPN gateway. The remaining cluster was made up of those with an exposed NETCONF port,\r\nwhich is used to help automate the pulling of router configuration information and management. 
This second set\r\nof routers was not associated with consumer environments but rather was managed as part of a larger fleet of\r\nrouters in the network communications space.\r\nJuniper routers acting as VPN gateways\r\nOnce we started to identify Juniper routers that received one of the magic packet conditions, we noticed most of\r\nthem were associated with customer premises equipment (CPE), which indicated these routers were acting as a\r\nVPN gateway for several organizations around the world. We split the VPN gateway victims into two subsets: the\r\nfirst is for organizations that received more than one magic packet and the second, for organizations that only\r\nreceived one packet. Once we had the list of potentially impacted organizations from their IP address, we enriched\r\nthem again to see which IP addresses were associated with VPN gateways and computed the number of magic\r\npackets the victim IP address received.\r\nHeavy machinery: Norway\r\n3 Magic Packets (May 12 – July 29, 2024)\r\nFiber: Russia\r\n2 Magic Packets (May 26 – 27, 2024)\r\nElectric panels: Norway\r\n7 Magic Packets (June 5 – August 23, 2024)\r\nIT: United Kingdom\r\n3 Magic Packets (June 6 – August 25, 2024)\r\nUnknown vertical: United Kingdom\r\n2 Magic Packets (June 11 – July 27, 2024)\r\nBioengineering: Norway\r\n2 Magic Packets (June 13 – July 27, 2024)\r\nMarine manufacturing: Norway\r\n2 Magic Packets (June 16 – August 12, 2024)\r\nConstruction: United Kingdom\r\n4 Magic Packets (July 3 – August 3, 2024)\r\nTwo of the more potentially interesting victims include a fiber optics/luminescence firm and a maker of solar\r\npanels. 
The other two victims appeared to be in the manufacturing vertical, including two who build or lease\r\nheavy machinery.\r\nThe second list of IP addresses in the following verticals and countries only received a single packet on the dates\r\nshown that matched our signature conditions; therefore, this group was more prone to false positives.\r\nSemiconductors\r\nArmenia (April 1, 2024)\r\nInsurance\r\nUnited States (May 2, 2024)\r\nIT services\r\nBrazil (May 21, 2024)\r\nNetherlands (June 6, 2024)\r\nBrazil (June 24, 2024)\r\nNorway (July 11, 2024)\r\nColombia (August 5, 2024)\r\nUnited States (August 8, 2024)\r\nNorway (August 18, 2024)\r\nWhile there was some overlap in targeting of the energy sector, we also saw targeting of the technology sector\r\nand one semiconductor manufacturer. There were also victims in the expected verticals, such as manufacturing\r\nfirms, in this case one that makes ferries and boats. One interesting data point is that many of the source IP\r\naddresses that sent out magic packets were listed as public VPN and proxy services. We suspect the attacker chose\r\nthese public services to better hide in the noise. And though they sent the magic packet from a public proxy, they\r\ncould redirect the reverse shell to a different IP address where they had more control.\r\nNetwork configuration devices: NETCONF\r\nWhile the majority of the results were identified as Juniper routers acting as VPN gateways, there was a second, smaller set\r\nof IP addresses that had an exposed NETCONF port, which is used to help automate router configuration\r\ninformation and management. We identified some of the routers that had HTML banners displaying a “Phone\r\nhome” client, which is used to remotely retrieve software or configuration files. 
These remote management\r\nservices suggest that the routers are likely managed as part of a larger fleet, such as those in a network service\r\nprovider, rather than used as CPE.\r\nWe suspect these devices were targeted for their central role in the routing ecosystem. As routers that are\r\nconfigured with network filters, settings, policies, tracking, and controls, they are valuable as targets for attackers\r\nwho may want to pivot or persist within an ecosystem. We identified two IP addresses that received multiple\r\npackets, while most of them only received one packet. Due to the limited number of results and the potential for\r\nfalse positives, we did not want to assign too much weight to these matches.\r\nUnknown vertical: United States\r\n3 Magic Packets: May 25, 2024 (18:58:34) – August 7, 2024 (03:06)\r\nTelecommunications: Colombia\r\n2 Magic Packets: August 1, 2024 (10:21:49) – August 5, 2024 (13:07:39)\r\nThe following IP addresses in various verticals and countries received a single packet on the dates and times\r\nshown and were not identified as a VPN gateway:\r\nGovernment\r\nIndonesia – March 29, 2024 (09:01:43)\r\nInternet service provider\r\nUnited States – April 23, 2024 (10:05:13)\r\nIT services\r\nColombia – August 2, 2024 (16:12:06)\r\nTelecommunications\r\nColombia – March 27, 2024 (08:05:16)\r\nBrazil – August 2, 2024 (06:12:30)\r\nArgentina – August 9, 2024 (21:31:23)\r\nPeru – August 10, 2024 (11:21:33)\r\nVenezuela – August 10, 2024 (19:40:49)\r\nUnited States – August 21, 2024 (20:01:28)\r\nVertical unknown\r\nUnited States – May 25, 2024 (18:58:34)\r\nChile – July 11, 2024 (14:02:51)\r\nColombia – August 2, 2024 (23:26:33)\r\nArgentina – August 5, 2024 (19:29:23)\r\nChile – August 8, 2024 (03:36:12)\r\nColombia – August 8, 2024 (20:09:06)\r\nColombia – August 10, 2024 (07:12:28)\r\nUnited Kingdom – August 22, 2024 (08:57:27)\r\nOne 
interesting correlation was that many of these remotely administered routers were physically located in South\r\nAmerica, while most of the VPN gateways were in Europe. This could indicate that the actors are still in more of a\r\nplanning/reconnaissance phase in South America. Conversely, they have placed a greater emphasis on Internet\r\nService Provider and telecommunications firms in this part of the world.\r\nDedicated command and control servers\r\nWhile the magic packets could have been sent from anywhere on the internet, the trigger packet contained a\r\ncallback IP address. This is where the malware would send the challenge and, if passed, spawn a remote shell to\r\ninteract with the file system. As in the prior campaign, the actor favors procured VPSs with a self-signed\r\ncertificate. The certificate fingerprint can be found in the indicators of compromise on our GitHub page. The\r\nfingerprint was observed on the same IP address, 198.46.158[.]172, at the same time from January 3 – April 21,\r\n2024.\r\nConclusion\r\nOne of the most notable aspects of the campaign is the focus on Juniper routers. While we have seen heavy\r\ntargeting of other networking equipment, this campaign demonstrates that attackers can find success expanding to\r\nother device types such as enterprise-grade routers. We find it noteworthy that magic packet malware is\r\nbecoming an increasing trend in use against perimeter devices, first with BPFdoor and Symbiote. We suspect this\r\nwill only increase, as greater difficulty in detection creates more trouble for defenders and what reporting exists is\r\nsolely the result of greater awareness surrounding this technique. While there is some weak association with the\r\nactors behind the SeaSpy malware campaign, we do not have any overlap between this campaign and other\r\nfamilies mentioned in industry reports, nor with those who have previously used BPF-based backdoors. 
While\r\nseveral newsworthy groups have lately been shown to be proficient in the use of passive agents and targeting\r\nnetworking equipment, we have not seen any tooling overlap, victimology trends, or operational infrastructure. As\r\nwe develop additional research, we will keep the community apprised of our findings and the weight given to those\r\ndata points.\r\nFor users of enterprise-grade routers seeking to improve detection for this activity, we recommend the following\r\nhunt guides focused on BPF-based malware: TrustedSec’s blog on memory injection, SandFly Security’s blog, and\r\nElastic’s blog with osquery syntax.\r\nWe also suggest this detection blog for cd00r, and lastly we recommend:\r\nSearching your environment for all IoCs provided in this report\r\nReviewing network logs for signs of data exfiltration and lateral movement\r\nChecking for common persistence mechanisms\r\nAnalysis of the J-magic campaign was performed by Danny Adamitis and Steve Rudd. Technical editing by Ryan\r\nEnglish.\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nIf you would like to collaborate on similar research, please contact us on social media @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use\r\nof this information is at the end user’s own risk.\r\nSource: https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/"
	],
	"report_names": [
		"the-j-magic-show-magic-packets-and-where-to-find-them"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4cf7043f86b775aafdf91a4758f8e8e4fb2ebbf.pdf",
		"text": "https://archive.orkl.eu/d4cf7043f86b775aafdf91a4758f8e8e4fb2ebbf.txt",
		"img": "https://archive.orkl.eu/d4cf7043f86b775aafdf91a4758f8e8e4fb2ebbf.jpg"
	}
}