{
	"id": "f3face01-2fdf-4af2-b0f8-403c961e7225",
	"created_at": "2026-04-06T00:17:56.087913Z",
	"updated_at": "2026-04-10T03:33:35.637664Z",
	"deleted_at": null,
	"sha1_hash": "f4d2c60de60275c45a73b3244df2eb59df693d34",
	"title": "malware_analysis/turla_carbon at master · sisoma2/malware_analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46049,
	"plain_text": "malware_analysis/turla_carbon at master ·\r\nsisoma2/malware_analysis\r\nBy sisoma2\r\nArchived: 2026-04-05 21:53:52 UTC\r\nTurla Carbon System\r\nThe Carbon System or Project Cobra is a malware framework developed by the actors identified as Turla. It's a\r\nsophisticated backdoor used to steal sensitive information from high-value targets like diplomats or foreign\r\naffairs ministries.\r\nIOCs\r\nSamples\r\nCarbon Dropper\r\na6efd027b121347201a3de769389e6dd\r\nCarbon Service\r\n957930597221ab6e0ff4fd7c6f2ee1cc\r\nCarbon Orchestrator\r\n3b10f20729d79ca3a92510674ff037c2\r\n78cadb0a538105f2fdcb42f9956e49b5\r\nCarbon Comms x86\r\nc9c819991d4e6476e8f0307beed080b7\r\n1a2372b990a7ff7efd991707d52a13e6\r\n0868a27ef0aa512cbae82f4251767f4b\r\nCarbon Comms x64\r\nhttps://github.com/sisoma2/malware_analysis/tree/master/turla_carbon\r\nPage 1 of 2\n\ne5a90e7e63ededbdd5ee13219bc93fce\r\n7ec8a9641d7342d1a471ebcd98e28b62\r\nefcfff316e9cf183ca1cd619968cd11c\r\nC\u0026C\r\nwww.berlinguas[.]com:443:/wp-content/languages/index.php\r\nwww.balletmaniacs[.]com:443:/wp-includes/fonts/icons/\r\npastebin[.]com:443:/raw/5qXBPmAZ\r\nContent\r\nCarbon_decrypt_config.py\r\n ESET Python script to extract encrypted configuration from Carbon\r\na6efd027b121347201a3de769389e6dd_Config.txt\r\n Carbon configuration file extracted from the dropper with hash a6efd027b121347201a3de769389e6dd\r\nYara Rules\r\napt_RU_Turla_Carbon_Dropper.yar\r\nYARA Rule to detect the Carbon dropper\r\napt_RU_Turla_Carbon_ServiceDLL.yar\r\nYARA Rule to detect the Carbon Service DLL\r\napt_RU_Turla_Carbon_CommunicationLibrary.yar\r\nYARA Rule to detect the Carbon Comms Library\r\napt_RU_Turla_Carbon_Orchestrator.yar\r\nYARA Rule to detect the Carbon Orchestrator\r\nSource: https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon\r\nhttps://github.com/sisoma2/malware_analysis/tree/master/turla_carbon\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon"
	],
	"report_names": [
		"turla_carbon"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4d2c60de60275c45a73b3244df2eb59df693d34.pdf",
		"text": "https://archive.orkl.eu/f4d2c60de60275c45a73b3244df2eb59df693d34.txt",
		"img": "https://archive.orkl.eu/f4d2c60de60275c45a73b3244df2eb59df693d34.jpg"
	}
}