{
	"id": "9eee0f82-43fe-4d98-b155-a963301ea3dd",
	"created_at": "2026-04-06T00:11:53.440179Z",
	"updated_at": "2026-04-10T03:33:35.912736Z",
	"deleted_at": null,
	"sha1_hash": "f50602a3ca836896080396c9ab07a1a0bad18189",
	"title": "New details on TinyTurla’s post-compromise activity reveal full kill chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 831955,
	"plain_text": "New details on TinyTurla’s post-compromise activity reveal full kill chain\r\nBy Asheer Malhotra\r\nPublished: 2024-03-21 · Archived: 2026-04-05 19:50:10 UTC\r\nCisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.\r\nTalos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO).\r\nThe attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions.\r\nTurla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.\r\nTracing Turla’s steps from compromise to exfiltration\r\nTalos discovered that post-compromise activity carried out by Turla in this intrusion isn’t restricted to the sole deployment of their backdoors. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclusions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service.\r\nPreliminary post-compromise activity and TinyTurla-NG deployment\r\nAfter gaining initial access, Turla first adds exclusions in the anti-virus software, such as Microsoft Defender, to locations they will use to host the implant on the compromised systems.\r\nACTION: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths | “C:\\Windows\\System32\\” = 0x0\r\nINTENT: [T1562.001] Impair Defenses: Disable or Modify Tools\r\nTurla then sets up the persistence of the TinyTurla-NG implants using one or more batch (BAT) files. The batch files create a service on the system to persist the TTNG DLL on the system.\r\nhttps://blog.talosintelligence.com/tinyturla-full-kill-chain/\r\nPage 1 of 7\r\nACTION: reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v sysman /t REG_MULTI_SZ /d \"sdm\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\sdm\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\dcmd.dll\" /f\r\nINTENT: [T1543.003] Create or Modify System Process: Windows Service\r\nACTION: sc create sdm binPath= \"c:\\windows\\system32\\svchost.exe -k sysman\" type= share start= auto\r\nsc config sdm DisplayName= \"System Device Manager\"\r\nsc description sdm \"Creates and manages system-mode driver processes. This service cannot be stopped.\"\r\nINTENT: [T1543.003] Create or Modify System Process: Windows Service\r\nThis technique is identical to that used by Turla in 2021 to achieve persistence for their TinyTurla implants. However, we’re still unsure why the actor uses two different batch files, but it seems to be an unnecessarily convoluted approach to evade detections.\r\nIn the case of TTNG, the service is created with the name “sdm” masquerading as a “System Device Manager” service.\r\nBatch file contents.\r\nThe creation and start of the malicious service kick-starts the execution of the TinyTurla-NG implant via svchost[.]exe (Windows’ service container). TinyTurla-NG is instrumented further to conduct additional reconnaissance of directories of interest and then copy files to a temporary staging directory on the infected system, followed by subsequent exfiltration to the C2. TinyTurla-NG is also used to deploy a custom-built Chisel beacon from the open-sourced offensive framework.\r\nCustom Chisel usage\r\nOn deployment, Chisel will set up a reverse proxy tunnel to an attacker-controlled box [T1573.002 - Encrypted Channel: Asymmetric Cryptography]. We’ve observed that the attackers leveraged the Chisel connection to the initially compromised system to pivot to other systems in the network.\r\nThe presence of Windows Remote Management (WinRM)-based connections on the target systems indicates that Chisel was likely used in conjunction with other tools, such as proxy chains and evil-winrm, to establish remote sessions. WinRM is Microsoft’s implementation of the WS-Management protocol and allows Windows-based systems to exchange information and be administered using scripts or built-in utilities.\r\nThe overall infection chain is visualized below.\r\nTurla tactics, tools and procedures flow.\r\nOnce the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence, indicating that Turla follows a playbook that can be articulated as the following cyber kill chain.\r\nCyber kill chain.\r\nAnalyzing the traffic originating from Chisel revealed the tool beaconed back to its C2 server every hour.\r\nWhile the infected systems were compromised as early as October 2023 and Chisel was deployed as late as December 2023, Turla operators conducted the majority of their data exfiltration using Chisel much later, on Jan. 12, 2024 [T1041 - Exfiltration Over C2 Channel].\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCS\r\nHashes\r\n267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b\r\nd6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40\r\nad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc\r\n13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346\r\nb376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044\r\nDomains\r\nhanagram[.]jp\r\nthefinetreats[.]com\r\ncaduff-sa[.]ch\r\njeepcarlease[.]com\r\nbuy-new-car[.]com\r\ncarleasingguru[.]com\r\nIP Addresses\r\n91[.]193[.]18[.]120\r\nSource: https://blog.talosintelligence.com/tinyturla-full-kill-chain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/tinyturla-full-kill-chain/"
	],
	"report_names": [
		"tinyturla-full-kill-chain"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f50602a3ca836896080396c9ab07a1a0bad18189.pdf",
		"text": "https://archive.orkl.eu/f50602a3ca836896080396c9ab07a1a0bad18189.txt",
		"img": "https://archive.orkl.eu/f50602a3ca836896080396c9ab07a1a0bad18189.jpg"
	}
}