{
	"id": "6adf6d0f-3570-44a3-b431-d0ffd86027df",
	"created_at": "2026-04-06T00:08:22.95726Z",
	"updated_at": "2026-04-10T03:37:04.103996Z",
	"deleted_at": null,
	"sha1_hash": "f6b16f11d7b92e70f3098aa37ba7b0197415050c",
	"title": "Turla: A Galaxy of Opportunity | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217290,
	"plain_text": "Turla: A Galaxy of Opportunity | Mandiant\r\nBy Mandiant\r\nPublished: 2023-01-05 · Archived: 2026-04-05 17:14:44 UTC\r\nWritten by: Sarah Hawley, Gabby Roncone, Tyler McLellan, Eduardo Mattos, John Wolfram\r\nUPDATE (Feb. 2): This post has been updated to remove references to an ANDROMEDA domain that was\r\nsinkholed during the time of activity. While connections were made to this domain, it was not malicious.\r\nIn September 2022, Mandiant discovered a suspected Turla Team operation, currently tracked as UNC4210,\r\ndistributing the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware\r\nvictims in Ukraine. Mandiant discovered that UNC4210 re-registered at least three expired ANDROMEDA\r\ncommand and control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and\r\nQUIETCANARY in September 2022.\r\nANDROMEDA was a common commodity malware that was widespread in the early 2010’s. The particular\r\nversion whose C2 was hijacked by UNC4210 was first uploaded to VirusTotal in 2013 and spreads from infected\r\nUSB keys. Mandiant Managed Defense continues to observe ANDROMEDA malware infections across a wide\r\nvariety of industries, however, Mandiant has only observed suspected Turla payloads delivered in Ukraine.\r\nFigure 1: Timeline of ANDROMEDA to Turla Team intrusion\r\nUSB Spreading\r\nAs Mandiant recently wrote about in our blog post, Always Another Secret: Lifting the Haze on China-nexus\r\nEspionage in Southeast Asia, USB spreading malware continues to be a useful vector to gain initial access into\r\norganizations. In this incident, a USB infected with several strains of older malware was inserted at a Ukrainian\r\norganization in December 2021. 
When the system's user double-clicked a malicious link file (LNK) disguised as a\r\nhttps://www.mandiant.com/resources/blog/turla-galaxy-opportunity\r\nPage 1 of 11\n\nfolder within the USB drive, a legacy ANDROMEDA sample was automatically installed and began to beacon out.\r\nANDROMEDA or 2013 Wants Its Malware Back\r\nThe version of ANDROMEDA that was installed to C:\\Temp\\TrustedInstaller.exe (MD5: bc76bd7b332aa8f6aedbb8e11b7ba9b6) was first uploaded on 2013-03-19 to VirusTotal, and several of its C2 domains had either expired or been sinkholed by researchers. When executed, the ANDROMEDA binary established persistence by dropping another ANDROMEDA sample to C:\\ProgramData\\Local Settings\\Temp\\mskmde.com (MD5: b3657bcfe8240bc0985093a0f8682703) and adding a Run registry key to execute it every time the system user logged on. One of its C2 domains, “anam0rph[.]su,” which had expired, was found to be newly re-registered on 2022-08-12. UNC4210 used this C2 to profile victims before sending the first-stage KOPILUWAK dropper if the victim was deemed interesting.\r\nMandiant identified several different hosts with beaconing ANDROMEDA stager samples. However, we only observed one case in which Turla-related malware was dropped in additional stages, suggesting a high level of specificity in choosing which victims received a follow-on payload. During the time Mandiant monitored the C2s used to deliver the next-stage payloads, the servers only remained up for a short period of a few days before going offline for several weeks at a time.\r\nRecon with Ol’ Reliable KOPILUWAK\r\nAfter several months of ANDROMEDA beaconing without any significant activity observed, UNC4210 downloaded and executed a WinRAR Self-Extracting Archive (WinRAR SFX) containing KOPILUWAK (MD5: 2eb6df8795f513c324746646b594c019) to the victim host on September 6, 2022. 
Interestingly, the attackers appeared to download and run the same WinRAR SFX dropper containing KOPILUWAK seven times between September 6 and September 8. Each time the KOPILUWAK cast its net, it attempted to transfer significant amounts of data to the C2 manager.surro[.]am. It is unclear why UNC4210 did this, as the profiling commands are hard-coded in KOPILUWAK and would not yield different sets of data from the same host.\r\nKOPILUWAK is a JavaScript-based reconnaissance utility used to facilitate C2 communications and victim profiling. It was first reported publicly by Kaspersky and has been tracked by Mandiant since 2017. Historically, the utility has been delivered to victims as a first-stage malicious email attachment. This is consistent with Turla’s historical reuse of tools and malware ecosystems, including KOPILUWAK, in cyber operations.\r\nThe ANDROMEDA injected process “wuauclt.exe” made a GET request to “yelprope.cloudns[.]cl” with the target URL “/system/update/version”. yelprope.cloudns[.]cl is a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA and was re-registered by UNC4210. The ANDROMEDA injected process then downloaded and executed a WinRAR SFX containing KOPILUWAK to C:\\Users\\[username]\\AppData\\Local\\Temp\\0171ef74.exe (MD5: 2eb6df8795f513c324746646b594c019). Notably, this filename format has also been observed being utilized in Temp.Armageddon operations. Upon execution, the self-extracting archive created and executed KOPILUWAK from C:\\Windows\\Temp\\xpexplore.js (MD5: d8233448a3400c5677708a8500e3b2a0).\r\nIn this case, UNC4210 used KOPILUWAK as a “first-stage” profiling utility as KOPILUWAK was the first custom malware used by this suspected Turla Team cluster following ANDROMEDA. 
Through KOPILUWAK, UNC4210 conducted basic network reconnaissance on the victim machine with whoami, netstat, arp, and net, looking for all current TCP connections (with PID) and network shares. The attackers also checked the logical disks and the list of currently running processes on the machine. Each command result was piped into %TEMP%\\result2.dat before being uploaded to KOPILUWAK's C2 \"manager.surro[.]am\" via POST requests.\r\nQUIETCANARY in the Mine\r\nTwo days after KOPILUWAK was first executed and used for reconnaissance, on September 8, 2022, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, but only executing commands through it the second time. QUIETCANARY is a lightweight .NET backdoor, also publicly reported as “Tunnus”, which UNC4210 used primarily to gather and exfiltrate data from the victim. Please see the QUIETCANARY analysis in the annex for technical details regarding the malware.\r\nFollowing the extensive victim profiling by KOPILUWAK, the ANDROMEDA injected process \"wuauclt.exe\" made a GET request to \"yelprope.cloudns[.]cl\" with the target URL \"/system/update/cmu\", which downloaded and executed QUIETCANARY. QUIETCANARY (MD5: 403876977dfb4ab2e2c15ad4b29423ff) was then written to disk.\r\nUNC4210 then interacted with the QUIETCANARY backdoor, proceeding to utilize QUIETCANARY for compressing, staging, and exfiltrating data approximately 15 minutes later.\r\nData Theft\r\nMandiant observed interactive commands sent to and executed by QUIETCANARY. 
In one command observed, UNC4210 made a typo, “netstat -ano -p tcppp”, and had to reissue the command, suggesting the following data theft was a manual process rather than automated collection.\r\nUNC4210 attempted to collect documents and data using WinRAR. Each data collection command is listed with the operational choices it reflects:\r\nCommand: rar a c:\\\\programdata\\\\win_rec.rar \"%appdata%\\\\microsoft\\\\windows\\\\\" -u -y -r -m2 -inul\r\nChoices: Creation of “win_rec.rar” archive containing files recursively found in directories within “%AppData%\\Microsoft\\Windows\\”, which would have expanded to “C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\” as QUIETCANARY was executed under the compromised user’s context.\r\nCommand: rar a c:\\\\programdata\\\\win_rec.rar \"c:\\\\users\\\\\" -u -y -r -m2 -inul -n*.lnk\r\nChoices: Creation of “win_rec.rar” archive containing files with .lnk extension (namely Windows LNK shortcuts), recursively found in directories within “C:\\Users\\”.\r\nCommand: rar a c:\\\\programdata\\\\win_files.rar \"c:\\\\users\\\\\" \"d:\\\\\" -u -y -r -m2 -inul -n*.pdf -n*.xls* -n*.txt -n*.doc* -hp[redacted] -v3M -ta20210101000000\r\nChoices: Creation of “win_files.rar” password (redacted) encrypted archive split in 3MB parts, containing files with extensions .pdf, .xls(x), .txt and .doc(x), which were modified after 2021-01-01, recursively found in directories within “C:\\Users\\” and “D:\\”.\r\nCommand: rar a c:\\\\programdata\\\\win_txt.rar \"c:\\\\users\" \"d:\\\\\" -u -y -r -m2 -inul -n*.txt -hp[redacted] -v3M\r\nChoices: Creation of “win_txt.rar” password (redacted) encrypted archive split in 3MB parts, containing files with extension .txt, recursively found in directories within “C:\\Users\\” and “D:\\”.\r\nNotably, UNC4210 appeared to only exfiltrate files modified after 2021-01-01 (the -ta switch selects on modification time).\r\nConclusion\r\nAs older ANDROMEDA malware continues to spread from 
compromised USB devices, these re-registered\r\ndomains pose a risk as new threat actors can take control and deliver new malware to victims. This novel\r\ntechnique of claiming expired domains used by widely distributed, financially motivated malware can enable\r\nfollow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to\r\nbe overlooked by defenders triaging a wide variety of alerts.\r\nThis is Mandiant’s first observation of suspected Turla targeting Ukrainian entities since the onset of the invasion.\r\nThe campaign’s operational tactics appear consistent with Turla’s considerations for planning and advantageous\r\npositioning to achieve initial access into victim systems, as the group has leveraged USBs and conducted\r\nextensive victim profiling in the past. In this case, the extensive profiling achieved since January possibly allowed\r\nthe group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate\r\ninformation of strategic importance to inform Russian priorities. However, we note some elements of this\r\ncampaign that appear to be a departure from historical Turla operations. Both KOPILUWAK and\r\nQUIETCANARY were downloaded in succession at various times, which may suggest the group was operating\r\nwith haste or less concern for operational security, experiencing some aspect of operational deficiency, or using\r\nautomated tools.\r\nAcknowledgements\r\nWith thanks to Nick Richard and Parnian Najafi for technical review. 
Special thanks to all the Mandiant Consultants, Mandiant Managed Defense, and Pokemon Masters supporting Ukraine engagements.\r\nIndicators\r\nFamily Indicator\r\nANDROMEDA bc76bd7b332aa8f6aedbb8e11b7ba9b6 TrustedInstaller.exe\r\nANDROMEDA b3657bcfe8240bc0985093a0f8682703 mskmde.com\r\nKOPILUWAK WinRAR SFX 2eb6df8795f513c324746646b594c019\r\nKOPILUWAK d8233448a3400c5677708a8500e3b2a0 xpexplore.js\r\nQUIETCANARY 403876977dfb4ab2e2c15ad4b29423ff 00c3df3b.exe\r\nQUIETCANARY 8954caa2017950e0f6269d6f6168b796 file.exe16\r\nUNC4210 ANDROMEDA C2 yelprope.cloudns[.]cl\r\nUNC4210 ANDROMEDA C2 anam0rph[.]su\r\nUNC4210 ANDROMEDA C2 212.114.52[.]24\r\nUNC4210 KOPILUWAK C2 manager.surro[.]am\r\nQUIETCANARY C2 194.67.209[.]186:443\r\nYARA Rules\r\nKOPILUWAK\r\nrule M_APT_Kopiluwak_Recon_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n strings:\r\n $rc4_1 = \".charCodeAt(i %\"\r\n $rc4_2 = \".length)) % 256\"\r\n $b64_1 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n $b64_3 = \".charAt(parseInt(\"\r\n $recon_1 = \"WScript.CreateObject\"\r\n $recon_2 = \".Run(\"\r\n $Arguments = \"WScript.Arguments\"\r\n condition:\r\n ($rc4_1 and $rc4_2 and $b64_1) and ($Arguments or ($b64_3 and $recon_1 and $recon_2))\r\n}\r\nQUIETCANARY\r\nrule M_HUNTING_QUIETCANARY_STRINGS {\r\n meta:\r\n author=\"Mandiant\"\r\n strings:\r\n $pdb1 = \"c:\\\\Users\\\\Scott\\\\source\\\\repos\\\\Kapushka.Client\\\\BrowserTelemetry\\\\obj\\\\Release\\\\CmService.pdb\" ascii wide nocase\r\n $pdb2 = \"c:\\\\Users\\\\Scott\\\\source\\\\repos\\\\Kapushka.Client\\\\BrowserTelemetry\\\\obj\\\\Release\\\\BrowserTelemetry.pdb\" ascii wide nocase\r\n $pdb3 = \"c:\\\\Users\\\\Scott\\\\source\\\\repos\\\\BrowserTelemetry\\\\BrowserTelemetry\\\\obj\\\\Release\\\\BrowserTelemetry.pdb\" ascii wide nocase\r\n $orb1 = 
{ 68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F }\r\n $orb2 = { 68 00 74 00 74 00 70 00 3A 00 2F 00 2F }\r\n $command1 = \"get_Command\" ascii wide nocase\r\n $command2 = \"set_Command\" ascii wide nocase\r\n $command3 = \"DownloadCommand\" ascii wide nocase\r\n $command4 = \"UploadCommand\" ascii wide nocase\r\n $command5 = \"AddCommand\" ascii wide nocase\r\n $command6 = \"ExeCommand\" ascii wide nocase\r\n $command7 = \"KillCommand\" ascii wide nocase\r\n $command8 = \"ClearCommand\" ascii wide nocase\r\n $rc4 = {21 00 62 00 76 00 7A 00 65 00 26 00 78 00 61 00 62 00\r\n72 00 39 00 7C 00 38 00 5B 00 3F 00 78 00 77 00 7C 00 7C 00 79\r\n00 26 00 7A 00 6C 00 23 00 74 00 70 00\r\n6B 00 7A 00 6A 00 5E 00 62 00 39 00 61 00 38 00 6A 00 5D 00 40\r\n00 6D 00 39 00 6E 00 28 00 67 00 67 00 24 00 40 00 74 00 74 00\r\n65 00 33 00 33 00 6E 00 28 00 32 00 72 00 7A\r\n00 62 00 7A 00 69 00 74 00 75 00 31 00 2A 00 66 00 61 00 00 80\r\nE9 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 }\r\n condition:\r\n (1 of ($pdb*)) and (1 of ($orb*)) and (all of ($command*)) or ($rc4)\r\n}\r\nNetwork Rules\r\nANDROMEDA\r\nalert tcp any any -\u003e any any ( msg:\"503 irc_bot_cmd Trojan.Downloader.Andromeda AI callback-trojan block\"; content:\".php HTTP/1\"; nocase; content:\"|0a|\"; content:\"|0a|\"; within:4; content:\"POST \"; content:\"Mozilla/4.0|0d 0a|\"; content:!\"Referer: \"; nocase; content:!\"Cookie: \"; nocase; content:!\"Accept-Language: \"; nocase; content:!\"Accept-Encoding: \"; nocase; content:!\"pharma\"; nocase; content:!\"|0d0a|TE:\"; nocase; pcre:\"/POST (http\\:\\/\\/\\S*\\.[a-z0-9]{1,4})?/[a-z]{1,3}\\.php HTTP/\"; reference:fe_date,2013-07-11; reference:a_type,mal.dsh; reference:mal_hash,bc76bd7b332aa8f6aedbb8e11b7ba9b6; priority:90; sid:89039193; rev:3; )\r\nMITRE ATT\u0026CK\r\nATT\u0026CK Tactic Category Techniques\r\nDefense Evasion\r\n  T1027: Obfuscated Files or 
Information\r\n  T1055: Process Injection\r\n  T1070.004: File Deletion\r\n  T1112: Modify Registry\r\n  T1564.003: Hidden Window\r\n  T1622: Debugger Evasion\r\nPersistence\r\n  T1547.001: Registry Run Keys / Startup Folder\r\nDiscovery\r\n  T1010: Application Window Discovery\r\n  T1012: Query Registry\r\n  T1033: System Owner/User Discovery\r\n  T1049: System Network Connections Discovery\r\n  T1057: Process Discovery\r\n  T1082: System Information Discovery\r\n  T1083: File and Directory Discovery\r\n  T1518: Software Discovery\r\nCollection\r\n  T1560: Archive Collected Data\r\n  T1560.001: Archive via Utility\r\nResource Development\r\n  T1584: Compromise Infrastructure\r\n  T1608.003: Install Digital Certificate\r\nCommand and Control\r\n  T1071.001: Web Protocols\r\n  T1573.002: Asymmetric Cryptography\r\nImpact\r\n  T1529: System Shutdown/Reboot\r\nAnnex: QUIETCANARY Analysis\r\nQUIETCANARY is a .NET backdoor that can handle commands from C2. The communications between QUIETCANARY and the hard-coded C2 are RC4 encrypted and Base64 encoded over HTTPS. QUIETCANARY samples often contain the artifact “Kapushka” in the PDB path of the malware. All samples of QUIETCANARY we have identified in the wild have been nearly identical, with the only differences being the hard-coded C2 and RC4 key used. Notably as well, each sample of QUIETCANARY we found contains but does not use the class ServerInfoExtractor.\r\nQUIETCANARY Execution\r\nUpon execution, QUIETCANARY initializes the hard-coded variables within it for C2 communication, including the RC4 key, user agent, and C2. 
It then attempts to connect to the C2 via GET request.\r\nQUIETCANARY checks to see if the initial response from the C2 is longer than 13 characters and begins with the string \"use.\" If so, it takes the substring between the third and tenth characters from the response and replaces the initial RC4 key with a new key. If this initial connection or exchange of a new RC4 key is not completed, the malware sleeps for five minutes and tries again. If the malware fails to connect to the C2 again, it quits execution. Otherwise, QUIETCANARY begins a loop that waits for a response from the C2, and, when it receives one, parses and executes the command.\r\nQUIETCANARY does not contain a persistence method and thus relies on an external tool or technique to maintain persistence.\r\nQUIETCANARY Commands\r\nQUIETCANARY uses a custom parsing routine to decode the command codes and additional parameters from the C2 before executing the command routines.\r\nQUIETCANARY expects the following structure for a command from the C2:\r\ni \u003cid\u003e s \u003ccode val\u003e l \u003clength of parameter\u003e c \u003cparameter\u003e\r\nWhere:\r\n\u003cid\u003e is a decimal command ID, which can be up to ten digits\r\n\u003ccode val\u003e is a three-digit command code\r\n\u003clength of parameter\u003e is the length of an expected parameter, which can be up to six digits\r\n\u003cparameter\u003e immediately follows the \"c\" character in the array and is the length specified by \u003clength of parameter\u003e\r\nFor example, a command from the C2 could look like:\r\ni123456789s220l26ccmd.exe echo \"hello world\"\r\nWhen a command is successfully parsed, the command code is queried and returned.\r\nQUIETCANARY can parse multiple commands in a single response from the C2. 
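\r\nThe command framing above, together with the RC4-plus-Base64 transport, the initial key rotation and the 'rep'/'per' reply format that the annex describes further on, as an added decoder in Python. This is editorial example code, not code from the Mandiant post and not QUIETCANARY's own; the key, the captured bodies and the file name are constructed for the example. It assumes a textbook RC4 (the annex does not say otherwise), that the key-rotation prefix is the three characters 'use' (the period in the text reads as sentence punctuation, matching the three-character 'rep' and 'per' prefixes) with the new key at offsets 3 to 9, and that a three-digit command code may carry leading zeros.\r\n

```python
import base64

# Editorial example, not from the Mandiant post: a decoder for the QUIETCANARY
# C2 framing described in the annex. Assumptions are marked in the comments.

COMMANDS = {0: 'ClearCommand', 220: 'ExeCommand', 265: 'TimeoutCommand',
            420: 'UploadCommand', 479: 'DownloadCommand', 666: 'KillCommand'}
FAST_COMMANDS = {0, 666}   # run outside the timeout structure per the annex


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA then PRGA). Assumption: the implant uses standard RC4.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wrap(key: bytes, text: str) -> str:
    # Bodies in both directions are RC4-encrypted, then Base64-encoded.
    return base64.b64encode(rc4(key, text.encode())).decode()


def unwrap(key: bytes, blob: str) -> str:
    return rc4(key, base64.b64decode(blob)).decode()


def rotate_key(initial: bytes, first_reply: str) -> bytes:
    # Reply to the first GET: longer than 13 chars and carrying the prefix
    # means a new RC4 key. Assumption: prefix 'use', key = reply[3:10].
    if len(first_reply) > 13 and first_reply.startswith('use'):
        return first_reply[3:10].encode()
    return initial


def _expect(buf: str, pos: int, ch: str) -> int:
    if pos >= len(buf) or buf[pos] != ch:
        raise ValueError('expected ' + ch + ' at offset ' + str(pos))
    return pos + 1


def _digits(buf: str, pos: int, max_len: int):
    start = pos
    while pos < len(buf) and pos - start < max_len and buf[pos].isdigit():
        pos += 1
    if pos == start:
        raise ValueError('expected digits at offset ' + str(start))
    return int(buf[start:pos]), pos


def parse_commands(payload: str):
    # i<id>s<code>l<len>c<param>, repeated back to back: id up to 10 digits,
    # code 3 digits, length up to 6 digits, param of exactly <len> characters.
    cmds = []
    pos = 0
    while pos < len(payload):
        pos = _expect(payload, pos, 'i')
        cmd_id, pos = _digits(payload, pos, 10)
        pos = _expect(payload, pos, 's')
        code, pos = _digits(payload, pos, 3)
        pos = _expect(payload, pos, 'l')
        length, pos = _digits(payload, pos, 6)
        pos = _expect(payload, pos, 'c')
        param = payload[pos:pos + length]
        if len(param) != length:
            raise ValueError('truncated parameter for command ' + str(cmd_id))
        pos += length
        cmds.append((cmd_id, code, param))
    return cmds


def parse_upload(param: str):
    # UploadCommand (420): '|' separated, destination path first, then Base64 chunks.
    parts = param.split('|')
    return parts[0], b''.join(base64.b64decode(p) for p in parts[1:])


def build_reply(cmd_id: int, result: str) -> str:
    # POST body: 'rep' + i<id>l<len>r<result>; result is 'ok' or '<type> error'.
    return 'rep' + 'i' + str(cmd_id) + 'l' + str(len(result)) + 'r' + result


def commands_from_post_reply(reply: str):
    # A POST reply longer than 3 chars that starts with 'per' carries more tasks.
    if len(reply) > 3 and reply.startswith('per'):
        return parse_commands(reply[3:])
    return []


def demo():
    # Constructed exchange (not real traffic): key rotation, two tasks, one reply.
    key = rotate_key(b'initial-key', 'usek3y4b2cxxxxxxxx')
    q = chr(34)   # the double-quote character, kept out of the source text
    param = 'cmd.exe echo ' + q + 'hello world' + q
    wire = wrap(key, 'i123456789s220l26c' + param + 'i2s666l2c30')
    tasks = parse_commands(unwrap(key, wire))
    reply = unwrap(key, wrap(key, build_reply(123456789, 'ok')))
    return {'key': key, 'tasks': tasks, 'reply': reply}


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

\r\nGiven a sample's hard-coded key and the bodies captured from a proxy, unwrap() followed by parse_commands() recovers the operator's tasking, and parse_upload() recovers any file pushed with code 420; the parser raises on a length field that overruns the body rather than silently accepting a truncated parameter.\r\n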
Upon receiving and successfully parsing a command, QUIETCANARY adds it to a command queue.\r\nQUIETCANARY can handle the following command codes from the C2:\r\nCommand Code Command Name Command Description\r\n0 ClearCommand Aborts current command execution thread and starts a new one\r\n220 ExeCommand Execute a command with arguments\r\n265 TimeoutCommand Sets a new time until C2 loop execution times out\r\n420 UploadCommand Writes Base64-decoded content to a given path\r\n479 DownloadCommand Reads all bytes from a filepath and converts to Base64 encoding\r\n666 KillCommand Kills execution after a specified delay\r\nCommand codes\r\nGiven the different encodings of each command, we detail here how QUIETCANARY processes each command from the C2 before execution.\r\n0: ClearCommand\r\nAborts current thread of command execution and clears current command in the queue. Starts new command execution thread.\r\n220: ExeCommand\r\nChecks to see if parameter starts with the \" character. If so, creates a new string that begins with the \"\\\" character and consists of each following character in the parameter until it reaches a second \" character. If the parameter does not start with the \" character, splits the parameter into substrings by space characters. Arguments directly follow the filename to execute. Then executes the process name with arguments in a hidden window.\r\n265: TimeoutCommand\r\nTakes an integer parameter and changes the timeout value in seconds for the execution of the C2 loop.\r\n420: UploadCommand\r\nTakes a \"|\" delimited parameter and splits it into substrings. The first substring is the path to which the content should be written. Converts each substring following the first from Base64, then writes the result to the given path on the infected machine.\r\n479: DownloadCommand\r\nChecks to see if the file passed to the function within the parameter exists. 
If it does exist, prepends \"file:\" to the Base64-encoded bytes of the specified filepath. If it does not, returns \"not found.\" Results of execution are stored in memory and later sent to C2.\r\n666: KillCommand\r\nTakes an integer it uses to calculate a time for the malware to sleep. Then kills the process after the sleep.\r\nQUIETCANARY separates the commands into two categories: fast commands and long commands. Fast commands are executed outside the timeout command structure. The commands will execute once received, and results will immediately be generated after execution. QUIETCANARY interprets ClearCommand and KillCommand as fast commands. Every other supported command is a long command. Long commands are held to a timeout structure. Once the commands are parsed, they are queued. Access to and execution of the commands is synchronized using the C# Monitor class.\r\nAfter a command has run, QUIETCANARY generates a response string in the following format:\r\ni\u003ccommand id\u003el\u003clength of result\u003er\u003cresult of command execution\u003e\r\nWhere the value following the \"r\" character is \"ok\" if the command was successful, and, if the command execution was unsuccessful, the type of command followed by \"error\" (e.g., \"kill error,\" \"command error,\" etc.).\r\nQUIETCANARY appends the response string to the string \"rep\" and sends a POST request to the C2. If the C2’s response to the POST request is greater than 3 characters long and the first 3 characters are \"per,\" it returns the string after the first 3 characters to be parsed.\r\nQUIETCANARY’s Unused Code\r\nThe sample of QUIETCANARY we analyzed had an unused class called ServerInfoExtractor. 
The class contains a function that would get some Base64-encoded value from the following registry key:\r\nKey: HKCU\\Software\\Microsoft\\Fax\\Verification\r\nIf the value within the key is \"No,\" the function returns the result \"No.\" Otherwise, it Base64 decodes the contents and returns them.\r\nWe suspect this registry value may be used to store some configuration in other versions of QUIETCANARY. Since no code is present in the QUIETCANARY sample that would set this configuration value, we assume this would be set by some method outside the malware.\r\nQUIETCANARY Network Communications\r\nAll network communications between QUIETCANARY and the C2 are RC4-encrypted and then Base64 encoded. QUIETCANARY is proxy-aware and uses the System.Net.HttpWebRequest class to get any default proxy specified on the victim computer. The malware also dynamically generates a random PHP session ID to use when sending a GET request to the C2, which is added to the Cookie field in the request header.\r\nPosted in Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/turla-galaxy-opportunity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
	],
	"report_names": [
		"turla-galaxy-opportunity"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6b16f11d7b92e70f3098aa37ba7b0197415050c.pdf",
		"text": "https://archive.orkl.eu/f6b16f11d7b92e70f3098aa37ba7b0197415050c.txt",
		"img": "https://archive.orkl.eu/f6b16f11d7b92e70f3098aa37ba7b0197415050c.jpg"
	}
}