Cyberespionage Group Turla Deploys Backdoor Ahead of G20 Task Force Summit

Archived: 2026-04-02 10:52:48 UTC

A cyberespionage group known as Turla is reportedly targeting invitees, guests, and nation-state participants of the upcoming G20 task force summit in Hamburg, Germany with a backdoor named KopiLuwak (detected by Trend Micro as TROJ_KOPILUWAK.A, JS_KOPILUWAK.A, and JS_KOPILUWAK.B). The payload is capable of exfiltrating data, as well as downloading and triggering additional malware and executing arbitrary commands on the infected machine. Security researchers have since notified CERT-Bund, Germany’s federal computer emergency response team.

[READ: What is spear-phishing, and how can you defend against it?]

Turla’s latest campaign is noted for possibly using watering hole attacks and spear-phishing emails that lure would-be victims with an invitation to a G20 Task Force summit on the digital economy. The event is real and slated for October. Security experts note that the PDF attached to the spear-phishing emails, named Save the Date G20 Digital Economy Taskforce 23 24 October.pdf, appears to be a legitimate file but is ultimately a decoy. It also drops a malicious JavaScript file that executes KopiLuwak in the infected system’s memory when decrypted.

[RELATED: APT10/menuPass cyberespionage campaign Operation Cloud Hopper attacks managed service providers]

Turla, a Russian-speaking cyberespionage group, is known for using unique, stealthy tactics. They made headlines in early June when their command and control (C&C) servers were found hiding in the comment section of Britney Spears’ Instagram posts. The malware they delivered posed as a security extension/plug-in for Firefox and was distributed via a compromised Swiss website. In September 2015, they were able to conceal their C&C servers by exploiting and abusing poorly secured satellite-based internet services.
In December 2014, the cyberespionage group employed an open-source backdoor that targeted machines running the Linux operating system (OS).

[From TrendLabs Security Intelligence Blog: Pawn Storm ramps up spear-phishing campaign before zero-days get patched]

The attack chain of Turla’s latest campaign resembles the one employed by other cyberespionage groups, Pawn Storm and ChessMaster. Real events and legitimate documents were used as decoys to install backdoors on the machines of their targets of interest. This enables them to move laterally within the compromised network as well as steal confidential and mission-critical data.

These cyberespionage attacks highlight the need for organizations to be similarly proactive in order to prevent intrusions or mitigate their effects. IT/system administrators and information security professionals should adopt best practices against targeted attacks. Keeping the OS and its programs updated should be intuitive—it helps prevent attackers from leveraging security flaws as doorways into the systems. Consider virtual patching in the absence of patches for certain vulnerabilities. Enforce the principle of least privilege. Secure your email gateways and, more importantly, implement defense in depth—multilayered security mechanisms—to protect the security, integrity, and availability of your organization’s important assets.

Trend Micro Solutions

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time.
It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, like those employed by cyberespionage group Turla, even without any engine or pattern update.

Trend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and featuring Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.

Source: https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit