{
	"id": "33632d2c-b3c5-4306-b292-fcfa55c68895",
	"created_at": "2026-04-06T00:10:41.560537Z",
	"updated_at": "2026-04-10T03:33:35.904944Z",
	"deleted_at": null,
	"sha1_hash": "f64fc37ac8721ab6d509eac7c2f8f95b5fd59fbd",
	"title": "Turla LightNeuron: An email too far",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 365861,
	"plain_text": "Turla LightNeuron: An email too far\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 14:52:11 UTC\r\nDue to security improvements in operating systems, rootkit usage has been in constant decline for several years. As such, malware developers, especially those working in espionage groups, have been busy developing new stealthy userland malware.\r\nRecently, ESET researchers have investigated a sophisticated backdoor used by the infamous espionage group Turla, also known as Snake. This backdoor, dubbed LightNeuron, has been specifically targeting Microsoft Exchange mail servers since at least 2014. Although no Linux samples were available for analysis, code artefacts in the Windows version lead us to believe that a Linux variant exists.\r\nVictimology\r\nDuring the course of our investigation, we were able to identify at least three different victim organizations, as shown in Figure 1.\r\nFigure 1. Map of known LightNeuron victims\r\nTwo of the victims – a ministry of foreign affairs and a regional diplomatic organization – are in line with recent Turla campaigns we have analyzed.\r\nhttps://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/\r\nPage 1 of 8\n\nBecause we identified the victim in Brazil only through a sample uploaded to the popular multi-scanner VirusTotal, we were not able to determine the nature of the victim organization.\r\nAttribution to Turla\r\nWe believe with high confidence that Turla operates LightNeuron. 
The following artefacts, collected during our investigation, back this:\r\n- On one compromised Exchange server, a PowerShell script containing malware previously attributed to Turla was dropped 44 minutes before a PowerShell script used to install LightNeuron, and both scripts were located in C:\\windows\\system32.\r\n- The script used to install LightNeuron has a filename – msinp.ps1 – that looks like typical filenames used by Turla.\r\n- On another compromised server, IntelliAdmin – a remote administration tool, packed with a packer used only by Turla – was dropped by LightNeuron.\r\n- For each LightNeuron attack, there were several other instances of Turla malware on the same network.\r\n- The email address used by the attackers was registered at GMX and was impersonating an employee of the targeted organization. The same provider was used for the Outlook backdoor and for an undocumented PowerShell backdoor we named PowerStallion.\r\nFurther, in an earlier APT trends report, Kaspersky Labs researchers attributed LightNeuron with medium confidence to Turla.\r\nOperator activity\r\nWhile analyzing a compromised asset, we were able to retrace part of the attackers’ activities. In particular, we were able to map the working hours of the operators, using the time at which the compromised Exchange server received emails containing commands for the backdoor.\r\nOur first observation is that the activity aligns well with a typical 9-to-5 workday in the UTC+3 time zone, as shown in Figure 2.\r\nFigure 2. LightNeuron operators’ working hours\r\nOur second observation is that no activity was observed between December 28, 2018 and January 14, 2019, whereas before and after that period the attackers sent several emails per week. 
This break in activities corresponds to the holidays around the Eastern Orthodox Christmas.\r\nEven if they are not sufficient for a strong attribution on their own, these two observations can be correlated with other elements you might have at your disposal.\r\nMain characteristics\r\nLightNeuron is, to our knowledge, the first malware specifically targeting Microsoft Exchange email servers. It uses a persistence technique never before seen: a Transport Agent. In the mail server architecture, it operates at the same level of trust as security products such as spam filters. Figure 3 summarizes how LightNeuron operates.\r\nFigure 3. LightNeuron Transport Agent\r\nBy leveraging the access granted to a Transport Agent, LightNeuron is able to:\r\n- Read and modify any email going through the mail server.\r\n- Compose and send new emails.\r\n- Block any email. The original recipient will not receive the email.\r\nA flexible set of XML rules drives these functions, as shown in Figure 4.\r\n[...]\r\nlog:logHandler\r\nzip:zipHandler\r\nchangeSubject:changeSubjectHandler\r\nchangeBody:changeBodyHandler\r\ncreate:createHandler\r\ncommand:commandHandler\r\nblock:blockHandler\r\nreplace:replaceHandler\r\nstat:statHandler\r\nFigure 4. Redacted example of a rule file\r\nThe email addresses used in these rules are customized for each victim in order to target the most interesting people.\r\nAt the end of the rules, there is the list of the handlers implemented by LightNeuron. These functions are used in the rules to process the emails. 
Table 1 describes the eleven different handlers.\r\nHandler name | Description\r\nblock | Block the email\r\nchangeBody | Change the body of the email\r\nchangeTo | Change the recipient of the email\r\nchangeSubject | Change the subject of the email\r\ncommand | Parse the JPG/PDF attachment, decrypt and execute the commands\r\ncreate | Create a new email\r\nlog | Log the email attachment in LOG_OUTPUT\r\nreplace | Replace the attachment\r\nspam | Re-create and re-send the email from the Exchange server to bypass the spam filter\r\nstat | Log the From, Date, To, and Subject headers in CSV format in STAT_PATH\r\nzip | Encrypt the email with RSA and store it in the path specified by ZIP_FILE_NAME\r\nTable 1 – Description of the handlers implemented in the DLL\r\nBackdoor\r\nThe command handler is different from the others, which perform modifications on the emails. It is actually a backdoor controlled by emails. The commands are hidden in PDF or JPG attachments using steganography.\r\nThe attackers just have to send an email containing a specially crafted PDF document or JPG image to any email address of the compromised organization. It allows full control over the Exchange server by using the commands shown in Table 2.\r\nInstruction code | Description | Argument 1 | Argument 2 | Argument 3\r\n0x01 | Write a file to disk; execute it if it is an executable | Exe path | N/A | File data\r\n0x02 | Delete a file | File path | N/A | N/A\r\n0x03 | Exfiltrate a file | File path | Set to “1” to delete the file | N/A\r\n0x04 | Execute a process (CreateProcess) | Command line | N/A | N/A\r\n0x05 | Execute a command line (cmd.exe /c) | Command line | N/A | N/A\r\n0x06 | Return 0 | N/A | N/A | N/A\r\n0x07 | Disable the backdoor for x minutes | Minutes | N/A | N/A\r\n0x09 | Exfiltrate a file | File path | Set to “1” to delete the file | N/A\r\n0x65 | Return 0 | N/A | N/A | N/A\r\nTable 2. List of instruction codes\r\nOnce an email is recognized as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it.\r\nSteganography\r\nLightNeuron uses steganography to hide its commands inside a PDF document or a JPG image. Thus, even if the email is intercepted, it might look legitimate, as it contains a valid attachment.\r\nIn the case of a PDF, the command data can be anywhere in the document. LightNeuron operators just add a header at the beginning of the PDF to specify the offset at which the data is located, as shown in Figure 5.\r\nFigure 5. Representation in hexadecimal of a PDF containing a LightNeuron command container\r\nOnce this blob of data has been decrypted with AES-256, it reveals the custom structure shown in Figure 6.\r\nFigure 6. Hexadecimal dump of a decrypted command container\r\nThe most interesting fields are:\r\n- Offset 0x08, the email address to which the result of the command is sent.\r\n- Offset 0x1D, the instruction code. It corresponds to one of the functions described above.\r\n- Offset 0x25, the first argument. It will be passed to the function represented by the instruction code.\r\nIf an email containing the command container shown in Figure 6, embedded in a JPG or in a PDF, is sent to a server compromised by LightNeuron, a calculator will be executed on the Microsoft Exchange server.\r\nCleaning\r\nThe cleaning of LightNeuron is not an easy task. Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails. Before actually removing the files, the malicious Transport Agent should be disabled. 
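The disable-before-delete step above, as an added PowerShell example that is not code from ESET's post: it lists the registered transport agents together with the assembly each one loads, flags any assembly that lives outside the Exchange install directory (read from the ExchangeInstallPath environment variable, an assumption about how the server was installed), disables the flagged agents, and leaves unregistration and file removal as a final manual step.

```powershell
# Added example, not code from the ESET post. Run in the Exchange Management
# Shell on the affected server. Assumes the ExchangeInstallPath environment
# variable set by the Exchange installer points at the legitimate install root.
$installPath = $env:ExchangeInstallPath

# 1. Inventory: every registered transport agent and the DLL it loads.
#    Built-in agents load from under the install path; an agent whose assembly
#    lives elsewhere (a system directory, for instance) is the one to examine.
#    Add -TransportService FrontEnd / MailboxSubmission / MailboxDelivery to
#    repeat the check for the other transport services on Exchange 2013+.
$agents = Get-TransportAgent | ForEach-Object {
    $path = [string]$_.AssemblyPath
    [pscustomobject]@{
        Name         = $_.Identity.ToString()
        Enabled      = $_.Enabled
        Priority     = $_.Priority
        AssemblyPath = $path
        Outside      = -not $path.StartsWith($installPath, [System.StringComparison]::OrdinalIgnoreCase)
    }
}
$agents | Sort-Object Priority | Format-Table -AutoSize

# 2. Disable, do not delete. While the agent is registered, the transport
#    service loads its assembly at start-up; removing the DLL first is what
#    breaks mail flow for the whole organization.
foreach ($agent in ($agents | Where-Object { $_.Outside })) {
    Disable-TransportAgent -Identity $agent.Name -Confirm:$false
}
Restart-Service MSExchangeTransport

# 3. Once mail flow is confirmed healthy and the DLLs have been preserved for
#    analysis, unregister the agent and only then remove the files:
#    Uninstall-TransportAgent -Identity <agent name> -Confirm:$false
```

The path check is a triage heuristic, not proof: an attacker can drop a DLL under the install directory too, so compare the full agent list against a known-good server of the same Exchange version before deciding what is foreign.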
We encourage you to read the full white paper before implementing a cleaning mechanism.\r\nIn conclusion\r\nOver the past years, we have published numerous blogposts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against adobe.com and sophisticated userland malware. However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla’s arsenal.\r\nBy leveraging a previously unseen persistence mechanism, a Microsoft Exchange Transport Agent, LightNeuron allows its operators to stay under the radar for months or years. It allows them to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block.\r\nWe will continue to track Turla activities closely to help defenders protect their networks.\r\nA full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and on GitHub.\r\nFor a detailed analysis of the backdoor, refer to our white paper Turla LightNeuron: One email away from remote code execution. For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nSource: https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/"
	],
	"report_names": [
		"turla-lightneuron-email-too-far"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f64fc37ac8721ab6d509eac7c2f8f95b5fd59fbd.pdf",
		"text": "https://archive.orkl.eu/f64fc37ac8721ab6d509eac7c2f8f95b5fd59fbd.txt",
		"img": "https://archive.orkl.eu/f64fc37ac8721ab6d509eac7c2f8f95b5fd59fbd.jpg"
	}
}