{
	"id": "739e9456-9484-4fdc-8fd3-1582eb4fef52",
	"created_at": "2026-04-06T00:18:03.624589Z",
	"updated_at": "2026-04-10T03:32:26.541418Z",
	"deleted_at": null,
	"sha1_hash": "db7824ffc792fb6c445b61feef225c2f10f511e7",
	"title": "Turkish espionage campaigns in the Netherlands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102732,
	"plain_text": "Turkish espionage campaigns in the Netherlands\r\nBy Hunt \u0026 Hackett Research Team\r\nPublished: 2024-01-05 · Archived: 2026-04-05 14:28:52 UTC\r\nIn the past year, Hunt \u0026 Hackett has observed cyberattacks in the Netherlands, which are believed to have been\r\norchestrated by a cyber threat actor operating in alignment with Turkish interests, signalling an escalation in Turkey's\r\npursuit of objectives within Western nations. Hunt \u0026 Hackett has started tracking this group known by aliases such as\r\nSea Turtle, Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf.  This blog aims to contribute to the current\r\nexisting knowledge base by aligning our observations with the known modus operandi of this threat actor. The\r\ninformation is intended to help (security) organizations better prepare for and safeguard against the methods and tools\r\nused by this APT group. \r\nBackground, Motivations \u0026 Targets \r\nHunt \u0026 Hackett believes that Sea Turtle is a Turkey based Advanced Persistent Threat (APT) actor that is motivated\r\nby espionage by means of information theft that targets public and private entities. From 2017 to 2019, this actor has\r\nbeen mainly known for DNS hijacking[1] to achieve their ultimate objectives. The threat actor has since continued to\r\ntarget similar sectors but has altered its capabilities in a likely attempt to evade detection. Since then, the public\r\ninformation on this threat actor has remained limited. In October 2021, Microsoft[2] shed light on SILICON, also\r\nrecognized as Sea Turtle[3], revealing their pursuit of intelligence gathering aligned with strategic Turkish interests.\r\nOther organizations such as the Greek National CERT[4] have observed this actor as well and shared a number of\r\nIndicators of Compromise (IOCs) related to this group and their modus operandi in 2022. 
Other than that, the flow of\r\ninformation has remained limited, and this actor seemed to be operating primarily under the radar. The limited public\r\nknowledge base was recently enriched with the PwC threat intelligence report[5] ‘The Tortoise and The Malwahare’,\r\nand a  blogpost by StrikeReady[6], detailing this threat actor’s methods.   \r\nWhat is known to date is that the Sea Turtle group focuses primarily on targeting organizations in Europe and the\r\nMiddle East. Research suggests this threat actor primarily focuses on governmental bodies, Kurdish (political) groups\r\nsuch as PKK, NGOs, telecommunication entities, ISPs, IT service providers, and Media \u0026 Entertainment\r\norganisations, mainly aiming at repositories housing valuable and sensitive data. As noted by PwC, telecommunication\r\ncompanies safeguard customer information such as metadata pertaining to website connections and call logs.\r\nAdditionally, companies providing technological services such as ISP hosting, IT, and cybersecurity are susceptible to\r\nattacks directly or through supply chains and island-hopping strategies. When successful, the stolen information is\r\nthen most likely utilized for surveillance or gathering intelligence on specific targets. The modus operandi of Sea\r\nTurtle involves intercepting internet traffic directed at victimized websites, potentially allowing unauthorized access to\r\ngovernment networks and other organizational systems. This targeting approach aids in associating actions with the\r\nthreat actor and provides valuable insights for organizations operating within similar geographic zones or sectors.\r\nTheir use of a reverse shell mechanism in operations streamlines the collection and extraction of sensitive data,\r\nfurthering their agenda. An in-depth analysis of victimology reveals the specific types of data sought by this threat\r\nactor. 
\r\nThreat Actor Highlights\r\nhttps://www.huntandhackett.com/blog/turkish-espionage-campaigns\r\nPage 1 of 9\n\nThreat Actor Group:  Sea Turtle is also known under the aliases Teal Kurma, Marbled Dust, SILICON and\r\nCosmic Wolf; \r\nMotivation: primarily focused on acquiring economic and political intelligence through espionage and\r\ninformation theft that targets public and private entities; \r\nTargeted Sectors: Government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO and Media \u0026 Entertainment sectors; \r\nGeographical Focus: focuses primarily on targeting organizations in Europe, Middle East and North Africa; \r\nModus Operandi: is based on redirecting user traffic, obtaining valid encryption certificates, performing man-in-the-middle attacks to harvest credentials and achieve initial access into the targeted organization’s network; \r\nSophistication: although some techniques are more technical in nature, the threat actor is considered moderate\r\nin sophistication. They primarily focus on using public vulnerabilities to get initial access to an organization\r\nand from an operational security perspective their hygiene can be considered sloppy. \r\nInformation Acquisition: The use of a reverse shell in their operations assists the threat actor in achieving\r\ntheir goal of collecting and exfiltrating sensitive data.\r\nSea Turtle campaigns in the Netherlands\r\nHunt \u0026 Hackett observed Sea Turtle conducting multiple campaigns in the Netherlands. The modus operandi used in\r\nthese attacks is largely consistent with the modus operandi and information published in the earlier mentioned threat\r\nintelligence reports.   
\r\nOur investigation into one of their attacks indicated that this group exhibits characteristics of a state-supported cyber\r\nespionage group, primarily focused on acquiring economic and political intelligence through espionage with the aim\r\nof advancing Turkey’s interests. Hunt \u0026 Hackett has started tracking this group and has observed more campaigns\r\nfrom this threat actor targeting specific organizations in the Netherlands. These cyberattacks are believed to be\r\norchestrated by Sea Turtle operating in alignment with Turkish interests, signalling an escalation in Turkey's pursuit of\r\nobjectives within the Netherlands.   \r\nThe campaigns observed in the Netherlands appear to focus on telecommunication, media, ISPs and IT-service\r\nproviders and more specifically Kurdish websites (among others, PKK-affiliated). The infrastructure of the targets was\r\nsusceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated\r\ninformation such as personal information on minority groups and potential political dissidents. The stolen information is\r\nlikely to be exploited for surveillance or intelligence gathering on specific groups and/or individuals. This appears to\r\nbe consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the\r\nidentities and locations of the victims, which included governments of countries that are geopolitically significant to\r\nTurkey[7].   \r\nHunt \u0026 Hackett has observed the threat actor executing defense evasion techniques to avoid being detected, and the\r\nthreat actor has also been observed collecting potentially sensitive data such as email archives. Their modus operandi\r\nincludes intercepting internet traffic to victim websites, and potentially granting unauthorized access to government\r\nnetworks and other organizations. 
\r\nKey Observations\r\nBefore diving into the nitty gritty details, Hunt \u0026 Hackett would like to provide a summary of key observations. These\r\nkey points of the overall analysis were specific for the campaigns observed in the Netherlands: \r\nHunt \u0026 Hackett has observed campaigns from the threat actor between 2021 and 2023, where during one of the\r\nmost recent campaigns in 2023, a reverse TCP shell named SnappyTCP for Linux/Unix with basic command-and-control capabilities has been used to establish persistence on systems; \r\nHunt \u0026 Hackett has observed the threat actor using code from a publicly accessible GitHub account, and assesses\r\nwith high probability that this account is controlled by the threat actor. Upon request a copy of this GitHub\r\naccount can be provided, since the repository has been taken down either by GitHub or by the user; \r\nHunt \u0026 Hackett has observed the threat actor compromising cPanel accounts and using SSH to achieve initial\r\naccess to the IT-environment of an organization; \r\nHunt \u0026 Hackett has observed the threat actor executing defense evasion techniques to avoid being detected,\r\nand; \r\nHunt \u0026 Hackett has observed the threat actor collecting at least one e-mail archive of one of the multiple\r\nvictim organizations. \r\nModus Operandi\r\nMITRE ATT\u0026CK is a framework of adversary tactics and techniques based on real-world observations. Leveraging\r\nthis framework helps to understand and document the attack path per phase, as shown in Table 1. The first column\r\ndescribes the tactical goal, the reason for performing an action by the threat actor. Next to it, the corresponding\r\nfindings are described, and the observations in the recent threat reports of\r\nPwC and StrikeReady are compared with the observations of Hunt \u0026 Hackett to validate the modus operandi of Sea Turtle. 
\r\nTactic | Technique | Finding | Observed by Hunt \u0026 Hackett | Observed by PwC\r\nReconnaissance: The threat actor is trying to gather information they can use to plan future operations. | | There are no findings related to this phase of the attack. | | \r\nResource development: The threat actor is trying to establish resources they can use to support operations. | T1588.001 | Sea Turtle used the malware SnappyTCP, of which the source code is available on GitHub. | | \r\nInitial access: The threat actor is trying to obtain access to your network. | T1133, T1078.004 | Sea Turtle compromised cPanel accounts and used SSH to get into the IT-infrastructure. | | \r\nExecution: The threat actor is trying to run malicious code. | T1059.004 | Sea Turtle used the Unix shell Bash to execute malicious commands and the malware SnappyTCP. | | \r\nPersistence: The threat actor is trying to maintain their foothold. | T1505.003 | Sea Turtle executed SnappyTCP using the tool NoHup, which keeps the malware running on a system after exiting the shell or terminal, and installed Adminer in the public web directory of a cPanel account. | | \r\nPrivilege Escalation: The threat actor is trying to gain higher-level permissions. | | There are no findings related to this phase of the attack. | | 
\r\nDefense Evasion: The threat actor is trying to avoid being detected. | T1070.003, T1070.002 | Sea Turtle unsets the command (Bash) and MySQL history file and has overwritten Linux system logs. | | \r\nCredential Access: The threat actor is trying to steal account names and passwords. | | There are no findings related to this phase of the attack. | | \r\nDiscovery: The threat actor is trying to figure out your environment. | | There are no findings related to this phase of the attack. | | \r\nLateral Movement: The threat actor is trying to move through your environment. | | There are no findings related to this phase of the attack. | | \r\nCollection: The threat actor is trying to gather data of interest to their goal. | T1114.001 | Sea Turtle created a copy of the e-mail archive of a compromised cPanel account in the public web directory of a website that was accessible from the internet. | | \r\nCommand and Control: The threat actor is trying to communicate with compromised systems to control them. | T1071.001, T1095 | Sea Turtle configured SnappyTCP to establish a command-and-control channel to the domain name forward.boord[.]info on port 443 using the protocols TCP and HTTP. | | \r\nExfiltration: The threat actor is trying to steal data. | T1567 | Sea Turtle created a copy of the e-mail archive of a compromised cPanel account in the public web directory of a website that was accessible from the internet. 
It is highly likely that Sea Turtle exfiltrated the e-mail archive by downloading the file from the website. | | \r\nImpact: The threat actor is trying to manipulate, interrupt or destroy your systems and data. | | There are no findings related to this phase of the attack. | | \r\nTable 1 - Overview of the attacker activity mapped to the MITRE ATT\u0026CK framework and compared with the\r\nobservations of PwC \r\nTechnical Campaign Details\r\nWhile researching this actor, the most recent campaigns observed by Hunt \u0026 Hackett were initiated in early 2023 when\r\nthe threat actor targeted multiple organizations. During one of the attacks, the threat actor logged on to cPanel, a web\r\nhosting control panel used by multiple organizations world-wide, from an IP address[8] that belonged to the range of a\r\nVPN provider. This was a legitimate cPanel account, compromised by the attacker. Unfortunately, it is unclear how\r\nthey obtained access to the cPanel credentials. Days later a cPanel WebMail session was created for that same cPanel\r\naccount, when it logged on from an IP address[9] belonging to the range of a hosting provider. In addition, the account\r\nwas used to perform an SSH logon from that same IP-address. Following these logons, source code files of a reverse\r\nshell written in the programming language ‘C’ were downloaded from that .245 IP-address. These source code files\r\nwere then compiled using GCC. Analysis of the source code files revealed that they contained specific code identical\r\nto a reverse shell[10] that was stored in a publicly accessible GitHub repository[11] that is believed to be used by the\r\nSea Turtle attack group. Independently of Hunt \u0026 Hackett, PwC recently observed usage of this reverse shell named\r\nSnappyTCP and similarly attributed this to the threat actor Sea Turtle.  
\r\nBefore executing SnappyTCP using the tool NoHup, the domain name forward.boord[.]info and port 443 were written\r\nto a configuration file; SnappyTCP connected to this domain and port over TCP using HTTP to establish a command-and-control (C\u0026C)\r\nchannel. NoHup ensured SnappyTCP remained running on the system even after the shell or terminal was exited. At\r\nthe end of the SSH session anti-forensics was performed by unsetting the command history (Bash) and MySQL\r\nhistory file, and overwriting Linux system logs.  \r\nWeeks later, the cPanel Web Disk Feature accepted another connection. This was an indication that the threat actor\r\nwas still using this cPanel feature. Based on the actions following the connection, combined with the source being an\r\nunfamiliar VPN connection, this activity was classified as malicious. Shortly after, the tool Adminer[12] was installed\r\nin the public web directory of one of the compromised cPanel accounts. Adminer is a publicly available database\r\nmanagement tool that can be used to remotely log on to the MySQL service of a system. The earlier identified GitHub\r\nrepository stores the source code of SnappyTCP, as well as the tool Adminer, which indicated that the threat actor was\r\nusing the software hosted in the earlier mentioned GitHub repository.   \r\nSeveral weeks after the second cPanel Web Disk connection, the threat actor logged on to cPanel from the VPN\r\nprovider M247 (82.102.19[.]88), which can be interpreted as the compromise of a second cPanel account.\r\nSubsequently, a logon was performed on the same cPanel account and a WebMail session was created for that cPanel\r\naccount.  \r\nFinally, using SnappyTCP the threat actor sent commands to the system to create a copy of an e-mail archive created\r\nwith the tool tar, in the public web directory of the website that was accessible from the internet. 
It is highly likely that\r\nthe threat actor exfiltrated the e-mail archive by downloading the file directly from the web directory.   \r\nCommand \u0026 Control \r\nHunt \u0026 Hackett was able to download the source code of SnappyTCP from one of the servers used by Sea Turtle\r\n(http[://]193.34.167[.]245/c00n/connn.c) alongside other files. As previously described, the SnappyTCP malware reads\r\na config file that contains a domain name and port number. Depending on the version of the malware and whether the\r\nconnection must be encrypted or not, the malware does an HTTP GET with the request URI ‘sy.php’. If the header ‘X-Auth-43245-S-20’ is returned by the server, SnappyTCP then checks if the output has sufficient size and if the first\r\ncharacter is not an ‘@’. If this is the case, a reverse shell is spawned using the IP and port returned by the\r\nserver. Otherwise, the whole sequence will restart after a short amount of sleep.   \r\nThe command-and-control (C\u0026C) channel is set up with what Hunt \u0026 Hackett believes is a form of Socat, as detected\r\nby the THOR APT Scanner on VirusTotal[13]. This is corroborated by the fact that Socat shares the same\r\ncommand-line characteristics and the fact that Socat was also found on the same server\r\n(http[://]193.34.167.245/c00n/socat). Running the tool Socat (or a modified version of it) targeting known C\u0026C\r\nservers of Sea Turtle resulted mostly in the HTTP response ‘@8.8.8.8:443’. Since the code checks whether the\r\nstring starts with ‘@’, this output is ignored. As shown in Table 2, the C\u0026C servers of Sea Turtle returned the IP-addresses and a domain name related to DNS services of Google at the time of writing. 
\r\nHost | Request URI | Response\r\n93.115.22[.]212 | sy.php | @8.8.8.8:443\r\n95.179.176[.]250 | sy.php | @8.8.8.8:443\r\nlo0.systemctl[.]network | ssl.php | https[://]dns.google/ssl.php\r\nTable 2 - The response returned by command-and-control servers used by Sea Turtle\r\nAt the time of writing it’s unknown if these C\u0026C servers are used to set up C\u0026C channels for a long period by\r\nchanging C\u0026C servers when necessary, or if they are used in other campaigns.\r\nRecommendations\r\nDuring analysis of the campaigns by Sea Turtle, multiple observations were made. These observations all introduced\r\ncyber security risks, or directly contribute to the possibility of conducting similar attacks. Therefore Hunt \u0026 Hackett\r\nrecommends that organizations such as telecommunication providers, ISPs and managed service providers within the IT\r\ndomain address the following recommendations to reduce both the attack surface as well as the likelihood of\r\nbecoming a victim of this threat actor.  \r\nDeploy EDR and monitor systems for network connections, executed processes, file\r\ncreation/modification/deletion and account activity, and store logfiles in a central location. Ensure sufficient\r\nstorage capacity for historic forensic investigation purposes. \r\nCreate and enforce a password policy with adequate complexity requirements for specific accounts. \r\nStore passwords in a secrets management system that can also be used by development environments. \r\nLimit logon attempts on accounts to reduce the chance of successful brute force attacks. \r\nEnable 2FA on all externally exposed accounts. \r\nKeep software up to date to reduce the number of vulnerabilities in externally exposed systems. \r\nReduce the number of systems that can be reached over the internet using SSH. Where this is still necessary, it is\r\nrecommended to implement an SSH-logon rate-limit. 
\r\nImplement egress network filtering to prevent malicious processes such as reverse shells from successfully sending\r\nnetwork traffic to IP-addresses that are not allowed. \r\nAppendix 1: Indicators of Compromise\r\nThis appendix provides an overview of the indicators of compromise that have been observed by Hunt \u0026 Hackett\r\nwhile tracking the threat actor Sea Turtle, in addition to indicators published by PwC[5] and StrikeReady[6]. \r\nIndicator | Type | Description\r\n82.102.19[.]88 | IP-address | The IP-address is of M247 Europe SRL located in Belgium and was used as VPN by Sea Turtle to log on to a cPanel account.\r\n62.115.255[.]163 | IP-address | The IP-address is of Arelion and located in Denmark and was used as VPN by Sea Turtle to log on to a cPanel account.\r\n193.34.167[.]245 | IP-address | The IP-address is of Snel.com and located in the Netherlands. The IP-address was used to log on to a cPanel account and to download the source code of the malware SnappyTCP.\r\nforward.boord[.]info | Domain name | The malware SnappyTCP was used by Sea Turtle to establish a command-and-control channel with the domain name.\r\nf1a4abd70f8e56711863f9e7ed0a4a865267ec7 | SHA-1 | A modified version of the tool Socat used by Sea Turtle to set up a command-and-control channel. 
\r\nTable 3 - Indicators of compromise of the threat actor Sea Turtle \r\nReferences\r\n[1] DNS Hijacking Abuses Trust In Core Internet Service - Cisco Talos (talosintelligence.com)\r\n[2] Microsoft Digital Defense Report (2021)\r\n[3] How Microsoft Names Threat Actors (microsoft.com)\r\n[4] The National Authority Against Electronic Attacks informed us of the following\r\n[5] The Tortoise and The Malwahare - PwC (pwc.com)\r\n[6] Pivoting through a Sea of indicators to spot Turtles - Strike Ready (blog.strikeready.com)\r\n[7] Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks - Reuters\r\n[8] 62.115.255[.]163\r\n[9] 193.34.167[.]245\r\n[10] https://www.virustotal.com/gui/file/293703318fab4ad56124d37e6c93d1aecbce4c656782c40fce5d67f3b4149558/details\r\n[11] https[://]github.com/jacksp7/webtest/\r\n[12] https://www.adminer.org/\r\n[13] https://www.virustotal.com/gui/file/71c81cb46dd1903f12f3aef844b0fc559f31e2f613a8ae91ffb5630bc7011ef5/community\r\nSource: https://www.huntandhackett.com/blog/turkish-espionage-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.huntandhackett.com/blog/turkish-espionage-campaigns"
	],
	"report_names": [
		"turkish-espionage-campaigns"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db7824ffc792fb6c445b61feef225c2f10f511e7.pdf",
		"text": "https://archive.orkl.eu/db7824ffc792fb6c445b61feef225c2f10f511e7.txt",
		"img": "https://archive.orkl.eu/db7824ffc792fb6c445b61feef225c2f10f511e7.jpg"
	}
}