{
	"id": "a7d20d12-19c3-4e65-8436-4f065518c657",
	"created_at": "2026-04-06T03:36:18.135424Z",
	"updated_at": "2026-04-10T03:33:36.247353Z",
	"deleted_at": null,
	"sha1_hash": "e89cbdd8e7b6c3854fd2467cbf54fc88f7320e0e",
	"title": "Threat Group Assessment: Turla (aka Pensive Ursa)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1188844,
	"plain_text": "Threat Group Assessment: Turla (aka Pensive Ursa)\r\nBy Unit 42\r\nPublished: 2023-09-15 · Archived: 2026-04-06 02:50:45 UTC\r\nExecutive Summary\r\nTurla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is\r\nlinked to the Russian Federal Security Service (FSB). In this article, we will cover the top 10 most recently active\r\ntypes of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus,\r\nCrutch, ComRAT, Carbon, HyperStack and TinyTurla.\r\nPensive Ursa was chosen to be the main focus for the 2023 MITRE ATT\u0026CK evaluation. MITRE has described\r\nTurla as being “known for their targeted intrusions and innovative stealth.” The results of this evaluation,\r\nincluding Palo Alto Networks scoring, will be published in late September 2023.\r\nIn addition to describing each type of malware’s functionality and history, we will present their execution through\r\nthe lens of the Palo Alto Networks Cortex XDR product. We will show how Cortex protects against such malware,\r\nand the MITRE ATT\u0026CK mapping of such threats as shown in the Cortex XDR platform.\r\nPalo Alto Networks customers receive protections from Pensive Ursa’s arsenal and the techniques discussed in\r\nthis blog through Cortex XDR, which provides a multilayer defense that includes behavioral threat protection and\r\nexploit protection.\r\nThe Advanced WildFire cloud-delivered malware analysis service accurately identifies samples related to Pensive\r\nUrsa as malicious. 
Cloud-Delivered Security Services, including Advanced URL Filtering and DNS Security,\r\nidentify domains associated with this group as malicious.\r\nRelated Unit 42 topics: APT, Malware\r\nPensive Ursa alternative names: Turla, Snake, Uroburos, Venomous Bear, Waterbug, Iron Hunter\r\nMalware discussed: Capibar, Kazuar, Snake, QUIETCANARY, Kopiluwak, Crutch, ComRAT, Carbon,\r\nHyperStack, TinyTurla\r\nPensive Ursa (aka Turla) Overview\r\nOver the years, Pensive Ursa has become known as an advanced and elusive adversary. The group has\r\ndemonstrated a high level of technical expertise while orchestrating targeted and stealthy attacks.\r\nAs described by MITRE, Pensive Ursa has targeted victims in over 45 countries and across a wide range of sectors,\r\nincluding government entities, embassies and military organizations, as well as education, research and\r\npharmaceutical companies.\r\nhttps://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/\r\nPage 1 of 21\r\nIn addition, this threat group has played an active part in the Russia-Ukraine conflict that\r\nstarted in February 2022. According to Ukraine’s CERT (CERT-UA), Pensive Ursa conducted espionage attacks against\r\nUkrainian targets, specifically against the defense sector.\r\nWhile Pensive Ursa has mainly used its espionage arsenal to target Windows machines, the group also has tools that\r\ncan attack macOS and Linux machines.\r\nMITRE ATT\u0026CK Evaluation\r\nPensive Ursa was chosen as the main focus of the 2023 MITRE ATT\u0026CK evaluation. According to MITRE,\r\nthis threat group is particularly relevant because its actions have global impact.\r\nBelow are the top 10 most recently active types of malware in the group’s arsenal. 
For each type of malware, we\r\nprovide a short description and analysis, as well as how Cortex XDR detects and prevents the threat.\r\nRecent Pensive Ursa Arsenal Technical Analysis\r\nMalware: Capibar\r\nAliases: DeliveryCheck, GAMEDAY\r\nMalware Type: Backdoor\r\nFirst Seen: 2022\r\nDescription: Capibar (aka DeliveryCheck, GAMEDAY) is a Pensive Ursa backdoor that was first observed in\r\n2022 and used for espionage against defense forces in Ukraine. The group distributed it via email as\r\ndocuments with malicious macros.\r\nCapibar persists via a scheduled task that downloads and launches the payload in memory. The threat group\r\ninstalled Capibar on compromised MS Exchange servers as a Managed Object Format (MOF) file, granting the\r\nattacker full control of the server. Figure 1a below shows a snippet of the code responsible for loading XML\r\nreceived from its command and control (C2) server, and Figure 1b shows the alert triggered.\r\nFigure 1a. Capibar code snippet loading XML received from its C2.\r\nFigure 1b. The alert triggered in Cortex XDR.\r\nMalware: Kazuar\r\nMalware Type: Backdoor\r\nFirst Seen: 2017\r\nDescription: Kazuar is a .NET backdoor that was discovered in 2017. Kazuar provides full access to the\r\ncompromised systems targeted by its operator. Kazuar comes with a powerful command set that includes the\r\nability to remotely load additional plugins to enhance the backdoor’s capabilities.\r\nIn 2021, researchers found interesting code overlaps and similarities between Kazuar and the notorious\r\nSUNBURST backdoor that a Russian threat group used in the SolarWinds operation. In July 2023, the Ukrainian\r\nCERT uncovered an espionage operation where Pensive Ursa used Kazuar as one of the main backdoors. 
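The Kazuar prevention shown in Figure 2 below is a DLL being injected into explorer.exe. The article does not say which injection primitive Kazuar used, so the following added example (not code from the article or from Palo Alto Networks) assumes the classic CreateRemoteThread + LoadLibrary pattern, plus the shellcode variant where the remote thread starts at an address no module backs, and shows how to surface both from Sysmon telemetry: Event ID 8 (CreateRemoteThread) is joined to Event ID 7 (ImageLoad) in the target process within a short window, and the pair is flagged when the loaded DLL is unsigned or lives outside the Windows directories. Field names follow Sysmon's schema; the records, the paths update.exe and kz.dll, and the {EXPLORER} GUID placeholder are constructed for this example.

```python
# Added example, not code from the Unit 42 article or from Palo Alto Networks:
# correlate Sysmon Event ID 8 (CreateRemoteThread) with Event ID 7 (ImageLoad)
# to flag CreateRemoteThread + LoadLibrary style DLL injection into a host
# process such as explorer.exe. Records below are constructed for the example.
from datetime import datetime, timedelta

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\', 'c:\\windows\\winsxs\\')
WINDOW = timedelta(seconds=5)   # image loads this long after the remote thread are correlated

def norm(path):
    return path.replace('/', '\\').lower()

def ts(ev):
    # Sysmon UtcTime looks like '2023-09-01 10:15:22.100'
    return datetime.strptime(ev['UtcTime'], '%Y-%m-%d %H:%M:%S.%f')

def suspicious_load(ev):
    # An injected payload is typically a DLL that lives outside the Windows
    # directories and/or carries no valid signature.
    outside_system = not norm(ev['ImageLoaded']).startswith(SYSTEM_DIRS)
    unsigned = ev.get('Signed', 'false').lower() != 'true'
    return outside_system or unsigned

def detect_injection(events):
    """Return one alert per suspicious remote thread, joined to the DLL it loaded."""
    loads = [e for e in events if e['EventId'] == 7]
    alerts = []
    for rt in (e for e in events if e['EventId'] == 8):
        if rt.get('StartModule', '') == '':
            # Thread entry point is backed by no module: shellcode-style injection.
            alerts.append({'kind': 'unbacked remote thread', 'source': rt['SourceImage'],
                           'target': rt['TargetImage'], 'dll': None})
            continue
        if not rt.get('StartFunction', '').startswith('LoadLibrary'):
            continue   # e.g. csrss.exe delivering CtrlRoutine is normal Windows behaviour
        t0 = ts(rt)
        for ld in loads:
            in_target = ld['ProcessGuid'] == rt['TargetProcessGuid']
            in_window = t0 <= ts(ld) <= t0 + WINDOW
            if in_target and in_window and suspicious_load(ld):
                alerts.append({'kind': 'LoadLibrary injection', 'source': rt['SourceImage'],
                               'target': rt['TargetImage'], 'dll': ld['ImageLoaded']})
    return alerts

EXPLORER = 'C:\\Windows\\explorer.exe'
DROPPER = 'C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe'   # constructed name
# Constructed sample: one benign csrss remote thread, one LoadLibraryW remote
# thread followed by a signed system DLL and an unsigned DLL from %TEMP% loading
# in explorer.exe, and one thread with no backing module.
SAMPLE_EVENTS = [
    {'EventId': 8, 'UtcTime': '2023-09-01 10:15:20.000', 'SourceImage': 'C:\\Windows\\System32\\csrss.exe',
     'TargetImage': EXPLORER, 'TargetProcessGuid': '{EXPLORER}',
     'StartModule': 'C:\\Windows\\System32\\KERNELBASE.dll', 'StartFunction': 'CtrlRoutine'},
    {'EventId': 8, 'UtcTime': '2023-09-01 10:15:22.100', 'SourceImage': DROPPER,
     'TargetImage': EXPLORER, 'TargetProcessGuid': '{EXPLORER}',
     'StartModule': 'C:\\Windows\\System32\\KERNEL32.DLL', 'StartFunction': 'LoadLibraryW'},
    {'EventId': 7, 'UtcTime': '2023-09-01 10:15:22.200', 'ProcessGuid': '{EXPLORER}', 'Image': EXPLORER,
     'ImageLoaded': 'C:\\Windows\\System32\\shell32.dll', 'Signed': 'true'},
    {'EventId': 7, 'UtcTime': '2023-09-01 10:15:22.350', 'ProcessGuid': '{EXPLORER}', 'Image': EXPLORER,
     'ImageLoaded': 'C:\\Users\\alice\\AppData\\Local\\Temp\\kz.dll', 'Signed': 'false'},
    {'EventId': 8, 'UtcTime': '2023-09-01 10:15:30.000', 'SourceImage': DROPPER,
     'TargetImage': EXPLORER, 'TargetProcessGuid': '{EXPLORER}', 'StartModule': '', 'StartFunction': ''},
]

if __name__ == '__main__':
    for alert in detect_injection(SAMPLE_EVENTS):
        print(alert)
```

The join deliberately requires a LoadLibrary start function before it looks at image loads: remote threads into explorer.exe are routine (the csrss.exe CtrlRoutine record is one such case), and it is the combination with an unsigned or out-of-tree DLL appearing in the target that separates injection from noise. SYSTEM_DIRS and WINDOW are environment-specific and should be tuned against a baseline of benign Event 8/7 pairs.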
Figure 2\r\nshows Cortex XDR preventing a Kazuar DLL from being injected into the explorer.exe process, and Figure 3\r\nshows the alert triggered for the Kazuar prevention.\r\nFigure 2. Kazuar injected into explorer.exe and prevented by Cortex XDR.\r\nFigure 3. Kazuar execution prevention alert by Cortex XDR.\r\nMalware: Snake\r\nMalware Type: Modular backdoor\r\nFirst Seen: 2003\r\nDescription: The infamous Snake malware is the most complex tool in Pensive Ursa’s tool set, as described by\r\nCISA in May 2023. The primary purpose of this tool is to maintain persistence for considerable periods of time and\r\nexfiltrate data from dedicated targets. It has been in active development since 2003, a span of some 20 years.\r\nSnake has been detected operating in more than 50 countries worldwide. The United States Department of Justice\r\npublished a statement announcing Operation MEDUSA, in which it disrupted the Snake malware\r\nactivity and its peer-to-peer (P2P) network. It did so using an FBI-developed tool dubbed PERSEUS,\r\nwhich acted as a kill switch for the Snake malware.\r\nBased on previous analysis, the Snake malware implements a maintainable code design, which shows that its\r\nauthors have a high level of software development capability.\r\nSnake implements features such as the following:\r\nA custom implementation of communication protocols over HTTP and TCP\r\nA kernel module for stealth\r\nKey logger functionality\r\nMore recent variants of Snake include an infection chain similar to the one depicted below.\r\nExample of Snake Malware Delivery\r\nUpon execution, Snake loads and executes Pensive Ursa’s PNG Dropper malware from its resources and creates a\r\nhard-coded mutex, {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}, as shown in Figure 4.\r\nFigure 4. Snake loader’s resources.\r\nThe PNG dropper then decodes and loads a known-vulnerable virtual machine driver (a bring-your-own-vulnerable-driver\r\ntechnique) that is used for privilege escalation in order to write the main Snake payload to disk and register it as a service.\r\nFigure 5 shows Cortex XDR, in detect mode, detecting the multiple stages of this Snake loader variant’s infection chain\r\nthat lead to the deployment, service registration and execution of the main Snake payload. Figure 6 shows the execution\r\nprevention alert pop-up in Cortex XDR.\r\nFigure 5. Snake execution detection shown in Cortex XDR in detect mode.\r\nFigure 6. Snake execution prevention alert shown in Cortex XDR.\r\nMalware: QUIETCANARY\r\nAliases: Tunnus\r\nMalware Type: Backdoor\r\nFirst Seen: 2017\r\nDescription: Pensive Ursa has been observed using QUIETCANARY since 2019, and the Tomiris group used\r\nthis backdoor even earlier. Pensive Ursa deployed QUIETCANARY against targets in Ukraine in September 2022,\r\ntogether with the Kopiluwak malware. QUIETCANARY is a lightweight backdoor written in .NET that is\r\ncapable of executing various commands received from its C2 server, including downloading additional payloads\r\nand executing arbitrary commands. It also uses RC4 encryption to protect its C2 communication. Note that RC4 here is\r\nobfuscation of the traffic rather than strong protection: it defeats simple network signatures, but once the key is recovered\r\nfrom a sample the C2 traffic can be decrypted offline. Figure 7\r\nshows QUIETCANARY’s different classes, which reveal its backdoor capabilities.\r\nFigure 7. Code snippet of the different classes in QUIETCANARY’s code.\r\nFigure 8 shows the Cortex XDR multilayered protection-based alerts that QUIETCANARY triggered. Figure 9\r\nshows the execution prevention alert.\r\nFigure 8. QUIETCANARY’s alerts shown in Cortex XDR.\r\nFigure 9. 
QUIETCANARY/Tunnus execution prevention alert shown in Cortex XDR.\r\nMalware: Kopiluwak\r\nMalware Type: Spreader/Downloader\r\nFirst Seen: 2016\r\nDescription: Kopiluwak malware was discovered in late 2016, and it was delivered as a multilayered JavaScript\r\npayload by various types of droppers.\r\nPensive Ursa dropped the Kopiluwak malware using an MSIL dropper in 2017 in a G20-themed attack, and as an\r\nSFX executable in late 2022.\r\nFigure 10 shows the Kopiluwak JavaScript file, which is dropped under the\r\nC:\\Windows\\Temp\\ path. Its purpose is gathering valuable initial profiling information on the infected machine,\r\nsuch as the following:\r\nListing files in strategic locations\r\nRetrieving the currently running processes\r\nDisplaying active network connections\r\nThe threat actor accomplishes this by running reconnaissance commands such as systeminfo, tasklist, net,\r\nipconfig and dir. The results are saved in a file named result2.dat.\r\nFigure 10. Kopiluwak execution detection as shown in Cortex XDR in detect mode.\r\nFigure 11 lists the reconnaissance commands executed by Kopiluwak and detected by Cortex XDR.\r\nFigure 11. Kopiluwak’s reconnaissance commands.\r\nFigure 12 shows Cortex XDR raising an execution prevention alert for Kopiluwak.\r\nFigure 12. Kopiluwak execution prevention alert as shown in Cortex XDR.\r\nIn 2019, Pensive Ursa began to deliver Kopiluwak using the Topinambour dropper. The group bundled\r\nTopinambour into a legitimate software installer.\r\nUpon installation, Topinambour is dropped as a small .NET file in the %localappdata% folder and registered as a\r\nscheduled task, as shown in Figure 13. 
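Kopiluwak's profiling stage described above (systeminfo, tasklist, net, ipconfig and dir launched from a JavaScript file under C:\\Windows\\Temp\\, results written to result2.dat) maps directly onto process-creation telemetry. The following added example (not code from the article or from Palo Alto Networks) groups Sysmon-style Event ID 1 records by their nearest script-host ancestor, so that commands launched through an intermediate cmd.exe are still attributed to the wscript.exe that started them, alerts when three or more distinct reconnaissance commands appear under one script within a minute, and attaches any file the same script tree created in a staging directory (Event ID 11). All records, the script name stage.js and the process GUIDs are constructed for this example.

```python
# Added example, not code from the Unit 42 article or from Palo Alto Networks:
# flag a Kopiluwak-style profiling burst (systeminfo, tasklist, net, ipconfig,
# dir launched from a script host, output staged under C:\\Windows\\Temp) in
# Sysmon-style Event ID 1 (process create) and Event ID 11 (file create) data.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {'systeminfo.exe', 'tasklist.exe', 'net.exe', 'net1.exe', 'ipconfig.exe', 'netstat.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
STAGING_DIRS = ('\\windows\\temp\\', '\\appdata\\local\\temp\\')
WINDOW = timedelta(seconds=60)   # the burst must fit in this window
MIN_DISTINCT = 3                 # distinct recon commands under one script before alerting

def norm(path):
    return path.replace('/', '\\').lower()

def basename(path):
    return norm(path).rsplit('\\', 1)[-1]

def ts(ev):
    return datetime.strptime(ev['UtcTime'], '%Y-%m-%d %H:%M:%S.%f')

def recon_name(ev):
    """Return the recon command a process-create record represents, or None."""
    exe = basename(ev['Image'])
    if exe in RECON_TOOLS:
        return exe
    if exe == 'cmd.exe':
        # 'dir' is a cmd builtin: it never becomes its own process, so it is
        # only visible in cmd.exe's command line (surrounding quotes stripped).
        tokens = [t.strip(chr(34)).lower() for t in ev['CommandLine'].split()]
        if 'dir' in tokens:
            return 'dir'
    return None

def script_anchor(proc_guid, by_guid, max_hops=3):
    """GUID of the nearest script-host ancestor of proc_guid, or of its direct
    parent when no script host is found within max_hops. Commands run through
    intermediate cmd.exe instances are thereby attributed to the script."""
    proc = by_guid.get(proc_guid)
    if proc is None:
        return proc_guid
    guid = proc['ParentProcessGuid']
    for _ in range(max_hops):
        parent = by_guid.get(guid)
        if parent is None:
            break
        if basename(parent['Image']) in SCRIPT_HOSTS:
            return guid
        guid = parent['ParentProcessGuid']
    return proc['ParentProcessGuid']

def detect_recon(events):
    by_guid = {e['ProcessGuid']: e for e in events if e['EventId'] == 1}
    bursts = defaultdict(list)   # anchor guid -> [(time, recon command)]
    for e in events:
        if e['EventId'] == 1:
            tool = recon_name(e)
            if tool:
                bursts[script_anchor(e['ProcessGuid'], by_guid)].append((ts(e), tool))
    alerts = []
    for guid, items in bursts.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {tool for t, tool in items[i:] if t - t0 <= WINDOW}
            if len(seen) < MIN_DISTINCT:
                continue
            anchor = by_guid.get(guid)
            staged = sorted(e['TargetFilename'] for e in events
                            if e['EventId'] == 11
                            and script_anchor(e['ProcessGuid'], by_guid) == guid
                            and any(d in norm(e['TargetFilename']) for d in STAGING_DIRS))
            alerts.append({
                'script_host': anchor is not None and basename(anchor['Image']) in SCRIPT_HOSTS,
                'script': anchor['CommandLine'] if anchor else guid,
                'tools': sorted(seen),
                'output_files': staged,
            })
            break   # one alert per script is enough
    return alerts

def proc(utc, guid, parent, image, cmdline):
    return {'EventId': 1, 'UtcTime': utc, 'ProcessGuid': guid,
            'ParentProcessGuid': parent, 'Image': image, 'CommandLine': cmdline}

SYS32 = 'C:\\Windows\\System32\\'
# Constructed sample: a script staged in C:\\Windows\\Temp drives one cmd.exe that
# runs the profiling commands and redirects them to result2.dat; an unrelated
# admin shell runs a lone ipconfig and must not alert. GUIDs are placeholders.
SAMPLE_EVENTS = [
    proc('2023-09-01 10:20:00.000', '{W}', '{X}', SYS32 + 'wscript.exe', 'wscript.exe C:\\Windows\\Temp\\stage.js'),
    proc('2023-09-01 10:20:00.050', '{C1}', '{W}', SYS32 + 'cmd.exe',
         'cmd.exe /c systeminfo & tasklist & net view & ipconfig /all & dir C:\\Users > C:\\Windows\\Temp\\result2.dat'),
    proc('2023-09-01 10:20:00.120', '{S}', '{C1}', SYS32 + 'systeminfo.exe', 'systeminfo'),
    proc('2023-09-01 10:20:01.300', '{T}', '{C1}', SYS32 + 'tasklist.exe', 'tasklist'),
    proc('2023-09-01 10:20:02.100', '{N}', '{C1}', SYS32 + 'net.exe', 'net view'),
    proc('2023-09-01 10:20:02.900', '{I}', '{C1}', SYS32 + 'ipconfig.exe', 'ipconfig /all'),
    {'EventId': 11, 'UtcTime': '2023-09-01 10:20:03.000', 'ProcessGuid': '{C1}',
     'Image': SYS32 + 'cmd.exe', 'TargetFilename': 'C:\\Windows\\Temp\\result2.dat'},
    proc('2023-09-01 10:25:00.000', '{A}', '{X2}', SYS32 + 'cmd.exe', 'cmd.exe'),
    proc('2023-09-01 10:25:01.000', '{I2}', '{A}', SYS32 + 'ipconfig.exe', 'ipconfig /all'),
]

if __name__ == '__main__':
    for alert in detect_recon(SAMPLE_EVENTS):
        print(alert)
```

Anchoring on the script-host ancestor rather than the immediate parent is the part that matters: each command in the sample has cmd.exe as its parent, and a per-parent count would also fire on any administrator batch file, whereas a burst of profiling commands whose tree leads back to wscript.exe running a .js from a temp directory, with the output staged next to it, is the shape the article describes. MIN_DISTINCT and WINDOW should be tuned against the environment's own scripted inventory jobs.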
The malware then communicates with its hard-coded C2 virtual private\r\nserver (VPS) to deliver the Kopiluwak malware.\r\nFigure 13. Topinambour execution detection shown in Cortex XDR in detect mode.\r\nFigure 14 shows the prevention alert pop-up raised by Cortex XDR.\r\nFigure 14. Topinambour execution prevention alert shown in Cortex XDR.\r\nMalware: Crutch\r\nMalware Type: Backdoor\r\nFirst Seen: 2015\r\nDescription: In December 2020, ESET researchers discovered the Crutch backdoor. In line with Pensive Ursa’s\r\ntactics, techniques and procedures (TTPs), the threat actor used the backdoor to attack a handful of targets in\r\nEurope, including the Ministry of Foreign Affairs of an EU member state.\r\nThe main purpose of this backdoor was to steal sensitive files and exfiltrate the data to a Dropbox\r\naccount controlled by Pensive Ursa operators. Using commercial services such as Dropbox for C2 communication\r\nis a known (yet effective) technique: the traffic goes to a legitimate service and blends in with other network\r\ncommunication, so domain reputation alone will not catch it.\r\nThis backdoor was attributed to Pensive Ursa due to strong similarities in code and TTPs with another backdoor\r\nfrom Pensive Ursa’s arsenal called Gazer. Crutch is considered to be a second-stage backdoor, and its persistence\r\nis achieved using DLL hijacking.\r\nFigures 15 and 16 show the detection and prevention of Crutch, respectively, in Cortex XDR.\r\nFigure 15. Crutch execution detection shown in Cortex XDR in detect mode.\r\nFigure 16. Crutch execution prevention alert shown in Cortex XDR.\r\nMalware: ComRAT\r\nAliases: Agent.btz\r\nMalware Type: Backdoor\r\nFirst Seen: 2007\r\nDescription: ComRAT is one of Pensive Ursa’s oldest backdoors; earlier\r\niterations of the malware were named Agent.btz. ComRAT was reportedly first discovered in 2007 and has had many upgrades since.\r\nAs of 2020, the latest iteration of ComRAT is version 4. This threat is developed in C++, and the threat actor has\r\ndeployed it using PowerShell implants such as PowerStallion. Figure 17 shows the PowerShell dropper\r\nmechanism. The threat actor’s main purpose when operating ComRAT was to steal and exfiltrate\r\nconfidential documents from high-value targets.\r\nFigure 17. PowerShell dropper writing ComRAT to disk, shown in Cortex XDR in detect mode.\r\nFigures 18a and 18b depict the PowerShell and DLL execution preventions, respectively, in Cortex XDR.\r\nFigure 18a. ComRAT PowerShell dropper execution prevention alert shown in Cortex XDR.\r\nFigure 18b. ComRAT DLL execution prevention alerts shown in Cortex XDR.\r\nMalware: Carbon\r\nMalware Type: Backdoor\r\nFirst Seen: 2014\r\nDescription: Carbon is a modular backdoor framework that Pensive Ursa has used for several years. The\r\nCarbon framework includes an installer, an orchestrator component, a communication module and a configuration\r\nfile.\r\nCarbon also has P2P communication capabilities, which the threat actor uses to relay commands to other infected\r\nmachines on an affected network. Carbon receives commands from the C2 through legitimate web\r\nservice providers such as Pastebin.\r\nFigure 19 and Figure 20 show Carbon’s execution detection and prevention in Cortex XDR.\r\nFigure 19. Carbon creates a service that loads the additional components, shown in Cortex\r\nXDR in detect mode.\r\nFigure 20. Carbon execution prevention alert shown in Cortex XDR.\r\nMalware: HyperStack\r\nMalware Type: Backdoor\r\nFirst Seen: 2018\r\nDescription: HyperStack (aka SilentMoon, BigBoss) is an RPC backdoor that was first observed in 2018 and that\r\nthe threat actor has used in operations targeting government entities in Europe. HyperStack operates with a controller\r\nthat uses named pipes to communicate over RPC with other HyperStack-infected machines in a compromised environment.\r\nThis communication method enables the attacker to control machines on a local\r\nnetwork.\r\nHyperStack shows several similarities with Pensive Ursa’s Carbon backdoor, such as the encryption scheme,\r\nconfiguration file format and logging convention.\r\nFigure 21 and Figure 22 show HyperStack’s detection and prevention, respectively, in Cortex XDR.\r\nFigure 21. HyperStack creates a service for persistence, shown in Cortex XDR in detect mode.\r\nFigure 22. HyperStack execution prevention alert shown in Cortex XDR.\r\nMalware: TinyTurla\r\nMalware Type: Backdoor\r\nFirst Seen: 2021\r\nDescription: The TinyTurla malware was first discovered by Talos in 2021. Talos assessed it to be a second-stage\r\nbackdoor, and it has been seen on targets in the US and EU, and later in Asia.\r\nTinyTurla’s main features include the following:\r\nDownloading additional payloads\r\nUploading files to the attacker’s C2 server\r\nExecuting other processes\r\nAs shown in Figure 23, threat actors install the backdoor via a batch script as a service called Windows Time\r\nService. The batch script is also in charge of writing the C2 server’s data to the registry. Once the backdoor is\r\nexecuted, it reads these values to communicate with its C2. The backdoor DLL masquerades as w64time.dll under the\r\nsystem32 folder.\r\nFigure 23. 
Content of the batch script described above.\r\nAlthough w32time.dll is a legitimate DLL, and other legitimate DLLs do have both 32- and 64-bit variants, a\r\nlegitimate w64time.dll does not exist. The name is chosen to look like a 64-bit sibling of the real Windows Time DLL\r\nso that victims do not suspect anything is amiss; a check for a w64time.dll under system32, or for any service DLL\r\nwhose name has no counterpart in a clean Windows install, is therefore a cheap hunting query.\r\nFigure 24 and Figure 25 show Cortex XDR detecting the writing and execution of the batch script, the W64Time\r\nservice and the TinyTurla DLL execution.\r\nFigure 24. TinyTurla execution detection shown in Cortex XDR in detect mode.\r\nFigure 25. TinyTurla execution prevention alert shown in Cortex XDR.\r\nTactics, Techniques and Procedures (TTPs)\r\nCortex XDR alerts are mapped to the MITRE ATT\u0026CK framework and present information about the tactic and\r\nthe technique associated with the threat, as shown in Figure 26 below.\r\nFigure 26. MITRE ATT\u0026CK mapping in Cortex XDR.\r\nPensive Ursa-related activities and arsenal raised multiple alerts in Cortex XDR, which were mapped to the\r\nMITRE ATT\u0026CK tactics and techniques listed in Table 1.\r\nResource Development: Acquire Infrastructure, Compromise Infrastructure, Develop Capabilities, Obtain Capabilities\r\nExecution: Command and Scripting Interpreter, Native API, User Execution\r\nInitial Access: Drive-by Compromise, Phishing, Valid Accounts\r\nPersistence: Boot or Logon Autostart Execution, Event Triggered Execution, Valid Accounts\r\nPrivilege Escalation: Access Token Manipulation, Boot or Logon Autostart Execution, Event Triggered Execution, Exploitation for Privilege Escalation, Process Injection, Valid Accounts\r\nDefense Evasion: Access Token Manipulation, Deobfuscate/Decode Files or Information, Impair Defenses, Modify Registry, Obfuscated Files or Information, Process Injection, Subvert Trust Controls, Valid Accounts\r\nCredential Access: Brute Force, Credentials from Password Stores\r\nDiscovery: Account Discovery, File and Directory Discovery, Group Policy Discovery, Password Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery\r\nLateral Movement: Lateral Tool Transfer, Remote Services\r\nCollection: Archive Collected Data, Data from Information Repositories, Data from Local System, Data from Removable Media\r\nCommand and Control: Application Layer Protocol, Ingress Tool Transfer, Proxy, Web Service\r\nExfiltration: Exfiltration Over Web Service\r\nTable 1. MITRE ATT\u0026CK tactics and techniques.\r\nConclusion\r\nThe Pensive Ursa advanced persistent threat (APT) group is known to be a significant and persistent adversary.\r\nWith its advanced techniques, this Russian FSB-operated group has demonstrated an evasive modus operandi\r\nwhile targeting a wide range of sectors across the globe.\r\nWe explored the top 10 types of malware in Pensive Ursa’s arsenal and witnessed their execution through the lens\r\nof the Palo Alto Networks Cortex XDR product. This demonstrated the importance of using a multilayered protection\r\nmodel against an advanced threat.\r\nThe potential damage of falling victim to a Pensive Ursa APT attack can be significant. The consequences extend\r\nbeyond financial losses and data breaches to the possibility of the group reaching critical infrastructure, which could\r\nhave national security and geopolitical ramifications. 
Thus, every organization, regardless of its size or industry,\r\nmust prioritize comprehensive security strategies and invest in multilayered security measures to safeguard\r\nagainst the growing threat of APT groups like Pensive Ursa.\r\nProtections and Mitigations\r\nPalo Alto Networks Cortex XDR and XSIAM customers receive protections against Pensive Ursa’s arsenal of\r\nmalware described in this blog post.\r\nPrevention and detection alerts were raised for each malware: Capibar, Kazuar, Snake, Kopiluwak,\r\nQUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla.\r\nSmartScore is a unique ML-driven scoring engine that translates security investigation methods and their\r\nassociated data into a hybrid scoring system. It gave an incident involving a combination of known Pensive Ursa\r\ntools and techniques a score of 91, which is a very high level of risk, as shown below in Figure 27.\r\nFigure 27. SmartScore information about the incident.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nCortex XDR detects user and credential-based threats by analyzing user activity from multiple data sources,\r\nincluding the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR builds behavioral profiles of user activity over time with machine learning. By comparing new\r\nactivity to past activity, peer activity and the expected behavior of the entity, Cortex XDR detects anomalous\r\nactivity indicative of credential-based attacks.\r\nIt also offers the following protections related to the attacks discussed in this post:\r\nPrevents the execution of known malware and also prevents the execution of unknown malware\r\nusing Behavioral Threat Protection and machine learning in the Local Analysis module\r\nProtects against credential gathering tools and techniques using the new Credential Gathering Protection\r\navailable from Cortex XDR 3.4\r\nProtects against threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4\r\nProtects against exploitation of different vulnerabilities, including ProxyShell and ProxyLogon, using the\r\nAnti-Exploitation modules as well as Behavioral Threat Protection\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral analytics\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nSource: https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/"
	],
	"report_names": [
		"turla-pensive-ursa-threat-assessment"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446578,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e89cbdd8e7b6c3854fd2467cbf54fc88f7320e0e.pdf",
		"text": "https://archive.orkl.eu/e89cbdd8e7b6c3854fd2467cbf54fc88f7320e0e.txt",
		"img": "https://archive.orkl.eu/e89cbdd8e7b6c3854fd2467cbf54fc88f7320e0e.jpg"
	}
}