Skip to content


TURNEDUP is a non-public backdoor. It has been dropped by APT33‘s StoneDrill malware. 1 2

Item Value
ID S0199
Associated Names
Version 1.1
Created 18 April 2018
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder TURNEDUP is capable of writing to a Registry Run key to establish.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell TURNEDUP is capable of creating a reverse shell.1
enterprise T1105 Ingress Tool Transfer TURNEDUP is capable of downloading additional files.1
enterprise T1055 Process Injection -
enterprise T1055.004 Asynchronous Procedure Call TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an “Early Bird injection.”3
enterprise T1113 Screen Capture TURNEDUP is capable of taking screenshots.1
enterprise T1082 System Information Discovery TURNEDUP is capable of gathering system information.1

Groups That Use This Software

ID Name References
G0064 APT33 124


Back to top