
G0010 Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla's espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.[7][4][9][3]

Item Value
ID G0010
Associated Names IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear
Version 3.1
Created 31 May 2017
Last Modified 22 March 2023

Associated Group Descriptions

Name Description
IRON HUNTER [10]
Group 88 [8]
Belugasturgeon [1]
Waterbug Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[11]
WhiteBear WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[6][2]
Snake [9][5][2]
Krypton [9]
Venomous Bear [9][2]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token Turla RPC backdoors can impersonate or steal process tokens before executing commands.[5]
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Turla has used net user to enumerate local accounts on the system.[13][15]
enterprise T1087.002 Domain Account Turla has used net user /domain to enumerate domain accounts.[13]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.006 Web Services Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[15]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Turla has used HTTP and HTTPS for C2 communications.[3][16]
enterprise T1071.003 Mail Protocols Turla has used multiple backdoors which communicate with a C2 server via email attachments.[22]
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[12]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[3][16]
enterprise T1547.004 Winlogon Helper DLL Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[3]
enterprise T1110 Brute Force Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[7]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[16][5][12] Turla has also used PowerShell scripts to load and execute malware in memory.
enterprise T1059.003 Windows Command Shell Turla RPC backdoors have used cmd.exe to execute commands.[5][12]
enterprise T1059.005 Visual Basic Turla has used VBS scripts throughout its operations.[12]
enterprise T1059.006 Python Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[18]
enterprise T1059.007 JavaScript Turla has used various JavaScript-based backdoors.[3]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.003 Virtual Private Server Turla has used the VPS infrastructure of compromised Iranian threat actors.[14]
enterprise T1584.004 Server Turla has used compromised servers as infrastructure.[17][12]
enterprise T1584.006 Web Services Turla has frequently used compromised WordPress sites for C2 infrastructure.[17]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.004 Windows Credential Manager Turla has gathered credentials from the Windows Credential Manager tool.[12]
enterprise T1213 Data from Information Repositories Turla has used a custom .NET tool to collect documents from an organization's internal central database.[13]
enterprise T1005 Data from Local System Turla RPC backdoors can upload files from victim machines.[5]
enterprise T1025 Data from Removable Media Turla RPC backdoors can collect files from USB thumb drives.[5][12]
enterprise T1140 Deobfuscate/Decode Files or Information Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[5]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Turla has developed its own unique malware for use in operations.[17]
enterprise T1189 Drive-by Compromise Turla has infected victims using watering holes.[13][10]
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription Turla has used WMI event filters and consumers to establish persistence.[5]
enterprise T1546.013 PowerShell Profile Turla has used PowerShell profiles to maintain persistence on an infected machine.[5]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Turla has used WebDAV to upload stolen USB files to a cloud drive.[12] Turla has also exfiltrated stolen files to OneDrive and 4shared.[13]
enterprise T1068 Exploitation for Privilege Escalation Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[20]
enterprise T1083 File and Directory Discovery Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[7][13] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[5]
enterprise T1615 Group Policy Discovery Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.[13]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[5]
enterprise T1105 Ingress Tool Transfer Turla has used shellcode to download Meterpreter after compromising a victim.[16]
enterprise T1570 Lateral Tool Transfer Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.[5][12]
enterprise T1112 Modify Registry Turla has modified Registry values to store payloads.[5][12]
enterprise T1106 Native API Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and to accessing and then executing commands through RPC and/or named pipes.[5]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.005 Indicator Removal from Tools Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[4]
enterprise T1027.010 Command Obfuscation Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[5]
enterprise T1027.011 Fileless Storage Turla has used the Registry to store encrypted and encoded payloads.[5][12]
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware Turla has used malware obtained after compromising other threat actors, such as OilRig.[14][17]
enterprise T1588.002 Tool Turla has obtained and customized publicly-available tools like Mimikatz.[12]
enterprise T1201 Password Policy Discovery Turla has used net accounts and net accounts /domain to acquire password policy information.[13]
enterprise T1120 Peripheral Device Discovery Turla has used fsutil fsinfo drives to list connected drives.[13]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.[13]
enterprise T1069.002 Domain Groups Turla has used net group "Domain Admins" /domain to identify domain administrators.[13]
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[3]
enterprise T1057 Process Discovery Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[7] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[5]
enterprise T1055 Process Injection Turla has used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.[5]
enterprise T1055.001 Dynamic-link Library Injection Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[16][19]
enterprise T1090 Proxy Turla RPC backdoors have included local UPnP RPC proxies.[5]
enterprise T1090.001 Internal Proxy Turla has compromised internal network systems to act as a proxy to forward traffic to C2.[2]
enterprise T1012 Query Registry Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[7] Turla has also retrieved PowerShell payloads hidden in Registry keys and checked keys associated with null session named pipes.[5]
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Turla used net use commands to connect to lateral systems within a network.[7]
enterprise T1018 Remote System Discovery Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.[7][13]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[13]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.006 Code Signing Policy Modification Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.[20][21]
enterprise T1082 System Information Discovery Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[7][13]
enterprise T1016 System Network Configuration Discovery Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[7][12][13] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[5]
enterprise T1016.001 Internet Connection Discovery Turla has used tracert to check internet connectivity.[13]
enterprise T1049 System Network Connections Discovery Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[7][13] Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[5]
enterprise T1007 System Service Discovery Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[7]
enterprise T1124 System Time Discovery Turla surveys a system upon check-in to discover the system time by using the net time command.[7]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Turla has used spearphishing via a link to get users to download and run their malware.[3]
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts Turla has abused local accounts that have the same password across the victim's network.[15]
enterprise T1102 Web Service Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[1][15]
enterprise T1102.002 Bidirectional Communication A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[3][16]

Software

ID Name References Techniques
S0099 Arp [7] Remote System Discovery System Network Configuration Discovery
S0335 Carbon [26][10] Web Protocols:Application Layer Protocol Windows Service:Create or Modify System Process Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Non-Application Layer Protocol Obfuscated Files or Information Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Remote System Discovery Scheduled Task:Scheduled Task/Job System Network Configuration Discovery System Network Connections Discovery System Time Discovery Web Service
S0160 certutil [12] Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0126 ComRAT [1][18][10] Web Protocols:Application Layer Protocol Mail Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Component Object Model Hijacking:Event Triggered Execution Hidden File System:Hide Artifacts Masquerade Task or Service:Masquerading Modify Registry Native API Embedded Payloads:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Query Registry Scheduled Task:Scheduled Task/Job Scheduled Transfer Software Discovery System Time Discovery Bidirectional Communication:Web Service
S0538 Crutch [15][2] Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Automated Collection Automated Exfiltration Data from Local System Data from Removable Media Local Data Staging:Data Staged Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Fallback Channels DLL Search Order Hijacking:Hijack Execution Flow Masquerade Task or Service:Masquerading Peripheral Device Discovery Scheduled Task:Scheduled Task/Job Bidirectional Communication:Web Service
S0363 Empire [23][15] Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0091 Epic [7][10] Local Account:Account Discovery Web Protocols:Application Layer Protocol Archive via Library:Archive Collected Data Archive Collected Data Symmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Obfuscated Files or Information Local Groups:Permission Groups Discovery Process Discovery Extra Window Memory Injection:Process Injection Query Registry Remote System Discovery Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery
S0168 Gazer [4] Web Protocols:Application Layer Protocol Winlogon Helper DLL:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Screensaver:Event Triggered Execution NTFS File Attributes:Hide Artifacts File Deletion:Indicator Removal Timestomp:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information Thread Execution Hijacking:Process Injection Process Injection Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Owner/User Discovery
S0537 HyperStack [1] Local Account:Account Discovery Symmetric Cryptography:Encrypted Channel Inter-Process Communication Modify Registry Native API Default Accounts:Valid Accounts
S0581 IronNetInjector [18] Python:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Masquerade Task or Service:Masquerading Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Process Injection Scheduled Task:Scheduled Task/Job
S0265 Kazuar [24][2] Local Account:Account Discovery Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Application Window Discovery Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data Destruction Standard Encoding:Data Encoding Data from Local System Local Data Staging:Data Staged Fallback Channels File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Obfuscated Files or Information Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Internal Proxy:Proxy Scheduled Transfer Screen Capture System Information Discovery System Network Configuration Discovery System Owner/User Discovery Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0395 LightNeuron [25][10] Mail Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Windows Command Shell:Command and Scripting Interpreter Data from Local System Transmitted Data Manipulation:Data Manipulation Steganography:Data Obfuscation Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Remote Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Native API Obfuscated Files or Information Scheduled Transfer Transport Agent:Server Software Component System Information Discovery System Network Configuration Discovery
S0002 Mimikatz [16][12] SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0256 Mosquito [3][16][10] Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Component Object Model Hijacking:Event Triggered Execution File Deletion:Indicator Removal Ingress Tool Transfer Modify Registry Native API Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Process Discovery Security Software Discovery:Software Discovery Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Owner/User Discovery Windows Management Instrumentation
S0590 NBTscan [12] Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S0102 nbtstat [7] System Network Configuration Discovery System Network Connections Discovery
S0039 Net [7] Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat [7] System Network Connections Discovery
S0587 Penquin [8] Unix Shell:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Linux and Mac File and Directory Permissions Modification:File and Directory Permissions Modification File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Network Sniffing Non-Application Layer Protocol Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information Cron:Scheduled Task/Job System Information Discovery System Network Configuration Discovery Traffic Signaling Socket Filters:Traffic Signaling
S0393 PowerStallion [5] PowerShell:Command and Scripting Interpreter Timestomp:Indicator Removal Obfuscated Files or Information Process Discovery Bidirectional Communication:Web Service
S0029 PsExec [12] Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0075 Reg [7] Modify Registry Query Registry Credentials in Registry:Unsecured Credentials
S0096 Systeminfo [7] System Information Discovery
S0057 Tasklist [7] Process Discovery Security Software Discovery:Software Discovery System Service Discovery
S0668 TinyTurla [2] Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Asymmetric Cryptography:Encrypted Channel Fallback Channels Ingress Tool Transfer Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Fileless Storage:Obfuscated Files or Information Query Registry Scheduled Transfer Service Execution:System Services
S0022 Uroburos [7] Software Packing:Obfuscated Files or Information Rootkit

References

  1. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  2. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  3. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  4. ESET. (2017, August). Gazing at Gazer: Turla's new second stage backdoor. Retrieved September 14, 2017.
  5. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  6. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  7. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  8. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA "Penquin_x64". Retrieved March 11, 2021.
  9. Meyers, A. (2018, March 12). Meet CrowdStrike's Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
  10. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  11. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  12. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  13. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  14. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  15. Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
  16. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  17. Insikt Group. (2020, March 12). Swallowing the Snake's Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
  18. Reichel, D. (2021, February 19). IronNetInjector: Turla's New Malware Loading Tool. Retrieved February 24, 2021.
  19. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  20. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  21. TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
  22. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  23. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  24. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  25. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  26. ESET. (2017, March 30). Carbon Paper: Peering into Turla's second stage backdoor. Retrieved November 7, 2018.