Threat Group Assessment: Turla (aka Pensive Ursa)
By Unit 42
Published: 2023-09-15 · Archived: 2026-04-06 02:50:45 UTC
Executive Summary
Turla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is
linked to the Russian Federal Security Service (FSB). In this article, we will cover the top 10 most recently active
types of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus,
Crutch, ComRAT, Carbon, HyperStack and TinyTurla.
Pensive Ursa was chosen to be the main focus for the 2023 MITRE ATT&CK evaluation. MITRE has described
Turla as being “known for their targeted intrusions and innovative stealth.” The results of this evaluation,
including Palo Alto Networks scoring, will be published in late September 2023.
In addition to describing each type of malware’s functionality and history, we will present their execution through
the lens of the Palo Alto Networks Cortex XDR product. We will show how Cortex protects against such malware,
and the MITRE ATT&CK mapping of such threats as shown in the Cortex XDR platform.
Palo Alto Networks customers receive protections from Pensive Ursa’s arsenal and the techniques discussed in
this blog through Cortex XDR, which provides a multilayer defense that includes behavioral threat protection and
exploit protection.
The Advanced WildFire cloud-delivered malware analysis service accurately identifies samples related to Pensive
Ursa as malicious. Cloud-Delivered Security Services, including Advanced URL Filtering and DNS Security,
identify domains associated with this group as malicious.
Related Unit 42
Topics
APT, Malware
Pensive Ursa Alternative names: Turla, Snake, Uroburos, Venomous Bear, Waterbug, Iron Hunter
Malware discussed
Capibar, Kazuar, Snake, QUIETCANARY, Kopiluwak, Crutch, ComRAT, Carbon,
HyperStack, TinyTurla
Pensive Ursa (aka Turla) Overview
Over the years, Pensive Ursa has become known as an advanced and elusive adversary. The group has
demonstrated a high level of technical expertise, while orchestrating targeted and stealthy attacks.
As described by MITRE, Pensive Ursa targeted victims in over 45 countries as well as a wide range of sectors,
including government entities, embassies, and military organizations, as well as education, research and
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 1 of 21

pharmaceutical companies. In addition, this threat group had an active part in the Russian-Ukraine conflict that
started in February 2022. According to the Ukraine CERT, Pensive Ursa leveraged espionage attacks against
Ukrainian targets, specifically against their defense sector.
While Pensive Ursa mainly used their espionage arsenal to target Windows machines, the group also has tools that
can attack macOS and Linux machines.
MITRE ATT&CK Evaluation
For the 2023 MITRE ATT&CK evaluation, Pensive Ursa was chosen to be the main focus. According to MITRE,
this threat group is particularly relevant as their actions have global impact.
Below are the top 10 most recently active types of malware in the team’s arsenal. For each type of malware, we
provided a short description and analysis, as well as how Cortex XDR detects and prevents the threat.
Recent Pensive Ursa Arsenal Technical Analysis
Malware: Capibar
Aliases: DeliveryCheck, GAMEDAY
Malware Type: Backdoor
First Seen: 2022
Description: Capibar (aka DeliveryCheck, GAMEDAY) is a Pensive Ursa backdoor that was first observed in
2022, and used for the purpose of espionage against defense forces in Ukraine. They distributed it via email as
documents with malicious macros.
Capibar persists via a scheduled task that downloads and launches the payload in memory. The threat group
installed Capibar on compromised MS Exchange servers as a Managed Object Format (MOF) file, granting the
attacker full control of the server. Figure 1a below shows a snippet of the code responsible for loading XML
received from its command and control (C2), and Figure 1b shows the alert triggered.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 2 of 21

Figure 1a. Capibar code snippet loading XML received from its C2.
Figure 1b. The alert triggered in Cortex XDR.
Malware: Kazuar
Malware Type: Backdoor
First Seen:  2017
Description: Kazuar is a .NET backdoor that was discovered in 2017. Kazuar provides full access to the
compromised systems targeted by its operator. Kazuar comes with a powerful command set that includes the
ability to remotely load additional plugins to enhance the backdoor’s capabilities.
In 2021, researchers found interesting code overlaps and similarities between Kazuar and the notorious
SUNBURST backdoor that a Russian threat group used in the SolarWinds Operation. In July 2023, the Ukrainian
CERT uncovered an espionage operation where Pensive Ursa used Kazuar as one of the main backdoors. Figure 2
shows Cortex XDR preventing a Kazuar DLL from being injected into the explorer.exe process, and Figure 3
shows an alert being triggered for Kazuar prevention.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 3 of 21

Figure 2. Kazuar injected into explorer.exe and prevented by Cortex XDR.
Figure 3. Kazuar execution prevention alert by Cortex XDR.
Malware: Snake
Malware Type: Modular backdoor
First Seen: 2003
Description: The infamous Snake malware is the most complex tool in Pensive Ursa’s tool set, as described by
CISA in May 2023. The primary purpose of this tool is to achieve persistence for considerable periods of time and
exfiltrate data from dedicated targets. It was in active development for 20 years, since 2003.
Snake was detected operating in more than 50 countries worldwide. The United States Department of Justice
published a statement in which they announced Operation MEDUSA, where they disrupted the Snake malware
activity and peer to peer (P2P) network. They did so by using a tool developed by the FBI dubbed PERSEUS,
which they used as a kill switch for the Snake malware.
Based on previous analysis, the Snake malware implemented a maintainable code design, which showed that its
authors had a high level of software development capability.
Snake implements features such as the following:
A custom implementation of communication protocols over HTTP and TCP
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 4 of 21

A kernel module for stealth
Key logger functionality
More recent variants of Snake include an infection chain similar to the one depicted below.
Example of Snake Malware Delivery
Upon execution, Snake loads and executes Pensive Ursa’s PNG Dropper malware from its resources and creates a
hard-coded mutex {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C, as shown in Figure 4.
Figure 4. Snake loader’s resources.
The PNG dropper then decodes and loads a vulnerable VM driver that is used for privilege escalation in order to
write the main Snake payload to disk, and register it as a service.
The Snake loader variant shown in Figure 5 detects the multiple stages in the infection chain that lead to the
deployment, service registration and execution of the main Snake payload. Figure 6 shows the execution
prevention alert pop-up in Cortex XDR.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 5 of 21

Figure 5. Snake execution detection shown in Cortex XDR in detect mode.
Figure 6. Snake execution prevention alert shown in Cortex XDR.
Malware: QUIETCANARY
Aliases: Tunnus
Malware Type: Backdoor
First Seen: 2017
Description: Pensive Ursa has been observed using QUIETCANARY since 2019, and the Tomiris group has used
this backdoor even earlier. Pensive Ursa deployed QUIETCANARY against targets in Ukraine in September 2022,
together with the Kopiluwak malware. QUIETCANARY is a lightweight backdoor written in .NET, which is
capable of executing various commands received from its C2 server, including downloading additional payloads
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 6 of 21

and executing arbitrary commands. It also implements RC4 encryption to protect its C2 communication. Figure 7
shows QUIETCANARY’s different classes that reveal its backdoor capabilities.
Figure 7. Code snippet of the different classes in QUIETCANARY’s code.
Figure 8 shows the Cortex XDR multilayered protection-based alerts that QUIETCANARY triggered. Figure 9
shows the execution prevention alert.
Figure 8. QUIETCANARY’s alerts shown in Cortex XDR.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 7 of 21

Figure 9. QUIETCANARY/Tunnus execution prevention alert shown in Cortex XDR.
Malware: Kopiluwak
Malware Type: Spreader/Downloader
First Seen: 2016
Description: Kopiluwak malware was discovered in late 2016, and it was delivered as a multilayered JavaScript
payload by various types of droppers.
Pensive Ursa dropped the Kopiluwak malware using an MSIL dropper in 2017 in a G20-themed attack, and as an
SFX executable in late 2022.
Kopiluwak’s JavaScript file is depicted in Figure 10 and the code snippet below, dropped under the
C:\Windows\Temp\ path. Its purpose is gathering valuable initial profiling information on the infected machine,
such as the following:
Listing files in strategic locations
Retrieving the current running processes
Displaying active network connections
The threat actor accomplished this activity by running reconnaissance commands such as systeminfo, tasklist, net,
ipconfig, and dir. The results are saved in a file named result2.dat.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 8 of 21

Figure 10. Kopiluwak execution detection as shown in Cortex XDR in detect mode.
Listed in Figure 11 are the reconnaissance commands executed by Kopiluwak, and detected by Cortex XDR.
Figure 11. Kopiluwak’s reconnaissance commands.
Figure 12 shows Cortex XDR raising an execution prevention alert for Kopiluwak.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 9 of 21

Figure 12. Kopiluwak execution prevention alert as shown in Cortex XDR.
In 2019, Pensive Ursa began to deliver Kopiluwak using the Topinambour dropper. The group bundled
Topinambour into a legitimate software installer.
Upon installation, Topinambour is dropped as a small .NET file in the %localappdata% folder and written as a
scheduled task, as shown in Figure 13. The malware then communicates with its hard-coded C2 virtual private
server (VPS) to deliver the Kopiluwak malware.
Figure 13. Topinambour execution detection shown in Cortex XDR in detect mode.
Figure 14 shows the prevention alert pop-up raised by Cortex XDR.
Figure 14. Topinambour execution prevention alert shown in Cortex XDR.
Malware: Crutch
Malware Type: Backdoor
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 10 of 21

First Seen: 2015
Description: In December 2020, ESET researchers discovered the Crutch backdoor. In line with Pensive Ursa’s
tactics, techniques and procedures (TTPs), the threat actor used the backdoor to attack a handful of targets in
Europe, including the Ministry of Foreign Affairs of an EU member.
The main purpose of this backdoor was to eventually steal sensitive files and exfiltrate the data to a Dropbox
account controlled by Pensive Ursa operators. Using commercial services such as Dropbox for C2 communication
is a known (yet effective) technique due to it being a legitimate service, and blending in with other network
communication.
This backdoor was attributed to Pensive Ursa due to strong similarities in code and TTPs with another backdoor
from Pensive Ursa’s arsenal called Gazer. Crutch is considered to be a second-stage backdoor, and its persistence
is achieved using DLL hijacking.
Figures 15 and 16 show the detection and prevention of Crutch respectively, in Cortex XDR.
Figure 15. Crutch execution detection shown in Cortex XDR in detect mode.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 11 of 21

Figure 16. Crutch execution prevention alert shown in Cortex XDR.
Malware: ComRAT
Aliases: Agent.btz
Malware Type: Backdoor
First Seen: 2007
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 12 of 21

Figure 17. PowerShell dropper drops ComRAT to disk shown in Cortex XDR in detect mode.
Description: ComRAT is one of Pensive Ursa’s oldest backdoors, which they named Agent.btz in earlier
iterations of the malware. ComRAT was reportedly first discovered in 2007. Since then it has had many upgrades.
As of 2020, the latest iteration of ComRAT is version 4. This threat is developed in C++ and the threat actor has
deployed it using PowerShell implants, such as PowerStallion. Figure 17 shows the PowerShell dropper
mechanism. The threat actor’s main purpose of operations when using ComRAT was to steal and exfiltrate
confidential documents from high value targets.
Figure 18a. ComRAT PowerShell dropper execution prevention alert shown in Cortex XDR.
Figures 18a and 18b depict the PowerShell and DLL executions preventions respectively, in Cortex XDR.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 13 of 21

Figure 18b. ComRAT DLL execution prevention alerts shown in Cortex XDR.
Malware: Carbon
Malware Type: Backdoor
First Seen: 2014
Description: Carbon is a modular backdoor framework that has been used by Pensive Ursa for several years. The
Carbon framework includes an installer, an orchestrator component, a communication module and a configuration
file.
Carbon also has P2P communication capabilities, which the threat actor uses to send commands to other infected
machines on an affected network. Carbon receives commands from the C2 through the use of legitimate web
services providers like Pastebin.
Figure 19 and Figure 20 show Carbon’s execution detection and prevention in Cortex XDR.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 14 of 21

Figure 19. Carbon creates a service that loads the additional components, which is shown in Cortex
XDR in detect mode.
Figure 20. Carbon execution prevention alert shown in Cortex XDR.
Malware: HyperStack
Malware Type: Backdoor
First Seen: 2018
Description: HyperStack (aka SilentMoo, BigBoss) is an RPC backdoor that was first observed in 2018, which
the threat actor used in operations targeting government entities in Europe. HyperStack operates with a controller
that uses named pipes to communicate over RPC with other machines in a compromised environment that are
infected with HyperStack. This communication method enables the attacker to control machines on a local
network.
HyperStack shows several similarities with Pensive Ursa’s Carbon backdoor, such as the encryption scheme,
configuration file format and logging convention.
Figure 21 and Figure 22 show HyperStack’s detection and prevention respectively, in Cortex XDR.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 15 of 21

Figure 21. HyperStack creates a service for persistence shown in Cortex XDR in detect mode.
Figure 22. HyperStack execution prevention alert shown in Cortex XDR.
Malware: TinyTurla
Malware Type: Backdoor
First Seen: 2021
Description: The TinyTurla malware was first discovered by Talos in 2021. They assumed it was a second stage
backdoor, and it has been seen on targets in the US, EU and later in Asia.
TinyTurla’s main features include the following:
Downloading additional payloads
Uploading files to the attacker's C2 server
Executing other processes
As shown in Figure 23, threat actors install the backdoor via a batch script as a service called Windows Time
Service. The batch script is also in charge of writing the C2 server’s data to the registry. Once the backdoor is
executed, it reads these values to communicate with its C2. It masquerades as a DLL called w64time.dll, under the
system32 folder.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 16 of 21

Figure 23. Content of the batch script described above.
Although w32time.dll is a legitimate DLL, and other legitimate DLLs do have both 32- and 64-bit variants, a
legitimate w64time.dll does not exist. This naming convention is intended to further distract victims from
suspecting anything is amiss.
Figure 24 and Figure 25 show Cortex XDR detecting the writing and execution of the batch script, the W64Time
service and the TinyTurla DLL execution.
Figure 24. TinyTurla prevention shown in Cortex XDR in detect mode.
Figure 25. TinyTurla execution prevention alert shown in Cortex XDR.
Tactics, Techniques and Procedures (TTPs)
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 17 of 21

Cortex XDR alerts are mapped to the MITRE ATT&CK framework and present information about the tactic and
the technique associated with the threat, as shown in Figure 26 below.
Figure 26. Mitre ATT&CK mapping in Cortex XDR.
Pensive Ursa-related activities and arsenal raised multiple alerts in Cortex XDR, which were mapped to the
MITRE ATT&CK tactics and techniques referenced in Table 1.
MITRE
ATT&CK
tactic
MITRE ATT&CK technique
Resource
Development
Acquire Infrastructure, Compromise Infrastructure, Develop Capabilities, Obtain
Capabilities
Execution Command and Scripting Interpreter, Native API, User Execution
Initial Access Drive-by Compromise, Phishing, Valid Accounts
Persistence Boot or Logon Autostart Execution, Event Triggered Execution, Valid Accounts
Privilege
Escalation
Access Token Manipulation, Boot or Logon Autostart Execution, Event Triggered
Execution, Exploitation for Privilege Escalation, Process Injection, Valid Accounts
Defense
Evasion
Access Token Manipulation, Deobfuscate/Decode Files or Information, Impair Defenses,
Modify Registry, Obfuscated Files or Information, Process Injection, Subvert Trust
Controls, Valid Accounts
Credential
Access
Brute Force, Credentials from Password Stores
Discovery Account Discovery, File and Directory Discovery, Group Policy Discovery, Password
Policy Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process
Discovery, Query Registry, Remote System Discovery, Software Discovery, System
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 18 of 21

Information Discovery, System Network Configuration Discovery, System Network
Connections Discovery, System Service Discovery
Lateral
Movement
Lateral Tool Transfer, Remote Services
Collection
Archive Collected Data, Data from Information Repositories, Data from Local System,
Data from Removable Media
Command and
Control
Application Layer Protocol, Ingress Tool Transfer, Proxy, Web Service
Exfiltration Exfiltration Over Web Service
Table 1. MITRE ATT&CK tactics and techniques.
Conclusion
The Pensive Ursa advanced persistent threat (APT) group is known to be a significant and persistent adversary.
With their advanced techniques, this Russian-FSB operated group has demonstrated an evasive modus operandi
while targeting a wide range of sectors across the globe.
We explored the top 10 types of malware in Pensive Ursa’s arsenal and witnessed their execution through the lens
of Palo Alto Networks Cortex XDR product. This demonstrated the importance of using a multilayered protection
model against an advanced threat.
The potential damage of falling victim to a Pensive Ursa APT attack can be significant. The consequences extend
beyond financial losses and data breaches to the possibility of them reaching critical infrastructure, which could
have national security and geopolitical ramifications. Thus, every organization, regardless of its size or industry,
must prioritize comprehensive security strategies and invest in multilayer security measurements to safeguard
against the growing threat of APT groups like Pensive Ursa.
Protections and Mitigations
Palo Alto Networks Cortex XDR and XSIAM customers receive protections against Pensive Ursa’s arsenal of
malware described in this blog post.
Prevention and detection alerts were raised for each malware: Capibar, Kazua, Snake, Kopiluwak,
QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla.
SmartScore is a unique ML-driven scoring engine that translates security investigation methods and their
associated data into a hybrid scoring system. It scored an incident involving a combination of known Pensive Ursa
tools and techniques a 91 score, which is a very high level of risk, as shown below in Figure 26.
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 19 of 21

Figure 27. SmartScore information about the incident.
For Palo Alto Networks customers, our products and services provide the following coverage associated with this
group:
Cortex XDR detects user and credential-based threats by analyzing user activity from multiple data sources
including the following:
Endpoints
Network firewalls
Active Directory
Identity and access management solutions
Cloud workloads
Cortex XDR builds behavioral profiles of user activity over time with machine learning. By comparing new
activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR detects anomalous
activity indicative of credential-based attacks.
It also offers the following protections related to the attacks discussed in this post:
Prevents the execution of known malicious malware and also prevents the execution of unknown malware
using Behavioral Threat Protection and machine learning based on the Local Analysis module
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 20 of 21

Protects against credential gathering tools and techniques using the new Credential Gathering Protection
available from Cortex XDR 3.4
Protects from threat actors dropping and executing commands from web shells using Anti-Webshell
Protection, newly released in Cortex XDR 3.4
Protects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the
Anti-Exploitation modules as well as Behavioral Threat Protection
Cortex XDR Pro detects post-exploit activity, including credential-based attacks, with behavioral analytics
If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident
Response team or call:
North America Toll-Free: 866.486.4842 (866.4.UNIT42)
EMEA: +31.20.299.3130
APAC: +65.6983.8730
Japan: +81.50.1790.0200
Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our
fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to
their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Source: https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
Page 21 of 21