<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Turla, Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton, Group G0010 | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div 
class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" 
href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="admin@338-admin@338"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ajax Security Team-Ajax Security Team"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT-C-36-APT-C-36"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT1-APT1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT12-APT12"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT16-APT16"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT17-APT17"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT18-APT18"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT19-APT19"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT28-APT28"> <a href="/versions/v9/groups/G0007/"> APT28 </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT29-APT29"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT3-APT3"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT30-APT30"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT32-APT32"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT33-APT33"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT37-APT37"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT38-APT38"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT39-APT39"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT41-APT41"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Axiom-Axiom"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackOasis-BlackOasis"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackTech-BlackTech"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Blue Mockingbird-Blue Mockingbird"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bouncing Golf-Bouncing Golf"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BRONZE BUTLER-BRONZE BUTLER"> <a 
href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbanak-Carbanak"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Chimera-Chimera"> <a href="/versions/v9/groups/G0114/"> Chimera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cleaver-Cleaver"> <a href="/versions/v9/groups/G0003/"> Cleaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobalt Group-Cobalt Group"> <a href="/versions/v9/groups/G0080/"> Cobalt Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CopyKittens-CopyKittens"> <a href="/versions/v9/groups/G0052/"> CopyKittens </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dark Caracal-Dark Caracal"> <a href="/versions/v9/groups/G0070/"> Dark Caracal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Darkhotel-Darkhotel"> <a href="/versions/v9/groups/G0012/"> Darkhotel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkHydrus-DarkHydrus"> <a href="/versions/v9/groups/G0079/"> DarkHydrus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkVishnya-DarkVishnya"> <a href="/versions/v9/groups/G0105/"> DarkVishnya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Deep Panda-Deep Panda"> <a href="/versions/v9/groups/G0009/"> Deep Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly-Dragonfly"> <a href="/versions/v9/groups/G0035/"> Dragonfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly 2.0-Dragonfly 2.0"> <a href="/versions/v9/groups/G0074/"> Dragonfly 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DragonOK-DragonOK"> <a href="/versions/v9/groups/G0017/"> DragonOK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dust Storm-Dust 
Storm"> <a href="/versions/v9/groups/G0031/"> Dust Storm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Elderwood-Elderwood"> <a href="/versions/v9/groups/G0066/"> Elderwood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Equation-Equation"> <a href="/versions/v9/groups/G0020/"> Equation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Evilnum-Evilnum"> <a href="/versions/v9/groups/G0120/"> Evilnum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN10-FIN10"> <a href="/versions/v9/groups/G0051/"> FIN10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN4-FIN4"> <a href="/versions/v9/groups/G0085/"> FIN4 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN5-FIN5"> <a href="/versions/v9/groups/G0053/"> FIN5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN6-FIN6"> <a href="/versions/v9/groups/G0037/"> FIN6 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN7-FIN7"> <a href="/versions/v9/groups/G0046/"> FIN7 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN8-FIN8"> <a href="/versions/v9/groups/G0061/"> FIN8 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fox Kitten-Fox Kitten"> <a href="/versions/v9/groups/G0117/"> Fox Kitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Frankenstein-Frankenstein"> <a href="/versions/v9/groups/G0101/"> Frankenstein </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GALLIUM-GALLIUM"> <a href="/versions/v9/groups/G0093/"> GALLIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gallmaker-Gallmaker"> <a href="/versions/v9/groups/G0084/"> Gallmaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gamaredon Group-Gamaredon Group"> <a href="/versions/v9/groups/G0047/"> Gamaredon Group </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="GCMAN-GCMAN"> <a href="/versions/v9/groups/G0036/"> GCMAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GOLD SOUTHFIELD-GOLD SOUTHFIELD"> <a href="/versions/v9/groups/G0115/"> GOLD SOUTHFIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gorgon Group-Gorgon Group"> <a href="/versions/v9/groups/G0078/"> Gorgon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Group5-Group5"> <a href="/versions/v9/groups/G0043/"> Group5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAFNIUM-HAFNIUM"> <a href="/versions/v9/groups/G0125/"> HAFNIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Higaisa-Higaisa"> <a href="/versions/v9/groups/G0126/"> Higaisa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Honeybee-Honeybee"> <a href="/versions/v9/groups/G0072/"> Honeybee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Inception-Inception"> <a href="/versions/v9/groups/G0100/"> Inception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Indrik Spider-Indrik Spider"> <a href="/versions/v9/groups/G0119/"> Indrik Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ke3chang-Ke3chang"> <a href="/versions/v9/groups/G0004/"> Ke3chang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kimsuky-Kimsuky"> <a href="/versions/v9/groups/G0094/"> Kimsuky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lazarus Group-Lazarus Group"> <a href="/versions/v9/groups/G0032/"> Lazarus Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leafminer-Leafminer"> <a href="/versions/v9/groups/G0077/"> Leafminer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leviathan-Leviathan"> <a href="/versions/v9/groups/G0065/"> Leviathan </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Lotus Blossom-Lotus Blossom"> <a href="/versions/v9/groups/G0030/"> Lotus Blossom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Machete-Machete"> <a href="/versions/v9/groups/G0095/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Magic Hound-Magic Hound"> <a href="/versions/v9/groups/G0059/"> Magic Hound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="menuPass-menuPass"> <a href="/versions/v9/groups/G0045/"> menuPass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Moafee-Moafee"> <a href="/versions/v9/groups/G0002/"> Moafee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mofang-Mofang"> <a href="/versions/v9/groups/G0103/"> Mofang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Molerats-Molerats"> <a href="/versions/v9/groups/G0021/"> Molerats </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MuddyWater-MuddyWater"> <a href="/versions/v9/groups/G0069/"> MuddyWater </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mustang Panda-Mustang Panda"> <a href="/versions/v9/groups/G0129/"> Mustang Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Naikon-Naikon"> <a href="/versions/v9/groups/G0019/"> Naikon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NEODYMIUM-NEODYMIUM"> <a href="/versions/v9/groups/G0055/"> NEODYMIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Night Dragon-Night Dragon"> <a href="/versions/v9/groups/G0014/"> Night Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OilRig-OilRig"> <a href="/versions/v9/groups/G0049/"> OilRig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Operation Wocao-Operation Wocao"> <a href="/versions/v9/groups/G0116/"> Operation Wocao </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Orangeworm-Orangeworm"> <a href="/versions/v9/groups/G0071/"> Orangeworm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Patchwork-Patchwork"> <a href="/versions/v9/groups/G0040/"> Patchwork </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PittyTiger-PittyTiger"> <a href="/versions/v9/groups/G0011/"> PittyTiger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLATINUM-PLATINUM"> <a href="/versions/v9/groups/G0068/"> PLATINUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Poseidon Group-Poseidon Group"> <a href="/versions/v9/groups/G0033/"> Poseidon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PROMETHIUM-PROMETHIUM"> <a href="/versions/v9/groups/G0056/"> PROMETHIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Putter Panda-Putter Panda"> <a href="/versions/v9/groups/G0024/"> Putter Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rancor-Rancor"> <a href="/versions/v9/groups/G0075/"> Rancor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rocke-Rocke"> <a href="/versions/v9/groups/G0106/"> Rocke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RTM-RTM"> <a href="/versions/v9/groups/G0048/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sandworm Team-Sandworm Team"> <a href="/versions/v9/groups/G0034/"> Sandworm Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Scarlet Mimic-Scarlet Mimic"> <a href="/versions/v9/groups/G0029/"> Scarlet Mimic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sharpshooter-Sharpshooter"> <a href="/versions/v9/groups/G0104/"> Sharpshooter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sidewinder-Sidewinder"> <a href="/versions/v9/groups/G0121/"> Sidewinder </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="Silence-Silence"> <a href="/versions/v9/groups/G0091/"> Silence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Silent Librarian-Silent Librarian"> <a href="/versions/v9/groups/G0122/"> Silent Librarian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SilverTerrier-SilverTerrier"> <a href="/versions/v9/groups/G0083/"> SilverTerrier </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sowbug-Sowbug"> <a href="/versions/v9/groups/G0054/"> Sowbug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stealth Falcon-Stealth Falcon"> <a href="/versions/v9/groups/G0038/"> Stealth Falcon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stolen Pencil-Stolen Pencil"> <a href="/versions/v9/groups/G0086/"> Stolen Pencil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Strider-Strider"> <a href="/versions/v9/groups/G0041/"> Strider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Suckfly-Suckfly"> <a href="/versions/v9/groups/G0039/"> Suckfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA459-TA459"> <a href="/versions/v9/groups/G0062/"> TA459 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA505-TA505"> <a href="/versions/v9/groups/G0092/"> TA505 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA551-TA551"> <a href="/versions/v9/groups/G0127/"> TA551 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Taidoor-Taidoor"> <a href="/versions/v9/groups/G0015/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEMP.Veles-TEMP.Veles"> <a href="/versions/v9/groups/G0088/"> TEMP.Veles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="The White Company-The White Company"> <a href="/versions/v9/groups/G0089/"> The White Company </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Threat Group-1314-Threat Group-1314"> <a href="/versions/v9/groups/G0028/"> Threat Group-1314 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Threat Group-3390-Threat Group-3390"> <a href="/versions/v9/groups/G0027/"> Threat Group-3390 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Thrip-Thrip"> <a href="/versions/v9/groups/G0076/"> Thrip </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tropic Trooper-Tropic Trooper"> <a href="/versions/v9/groups/G0081/"> Tropic Trooper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="Turla-Turla"> <a href="/versions/v9/groups/G0010/"> Turla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Volatile Cedar-Volatile Cedar"> <a href="/versions/v9/groups/G0123/"> Volatile Cedar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Whitefly-Whitefly"> <a href="/versions/v9/groups/G0107/"> Whitefly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windigo-Windigo"> <a href="/versions/v9/groups/G0124/"> Windigo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windshift-Windshift"> <a href="/versions/v9/groups/G0112/"> Windshift </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti Group-Winnti Group"> <a href="/versions/v9/groups/G0044/"> Winnti Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WIRTE-WIRTE"> <a href="/versions/v9/groups/G0090/"> WIRTE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wizard Spider-Wizard Spider"> <a href="/versions/v9/groups/G0102/"> Wizard Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZIRCONIUM-ZIRCONIUM"> <a href="/versions/v9/groups/G0128/"> ZIRCONIUM </a> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div 
class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9bc10ab42f5041809586a8061be87f54"> <span>A-B</span> <div class="expand-button collapsed" id="9bc10ab42f5041809586a8061be87f54-header" data-toggle="collapse" data-target="#9bc10ab42f5041809586a8061be87f54-body" aria-expanded="false" aria-controls="#9bc10ab42f5041809586a8061be87f54-body"></div> </div> <div class="sidenav-body collapse" id="9bc10ab42f5041809586a8061be87f54-body" aria-labelledby="9bc10ab42f5041809586a8061be87f54-header"> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-eb897c1f5ad6440c8f00aec9a67b84c6"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8fd5ab8725924d97ba0b2eba004f2fee"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-c32bf624d6bf42ce95707467e8b90269"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0c3154fe96b343078274c0dc2f23dda1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-843a69656c2b482bb3b10d76f7c6e16f"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1ab49126b7894fcfae69deeac14618fc"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f88228946e41453e92e38c5866a4212f"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="9bc10ab42f5041809586a8061be87f54-26f2dc710f78450dbbc1be11faa21ddd"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1fdff936c860439ebe70a7ff3be5989d"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-fb8607b2690341d89cde7ca7a69c91c6"> <a href="/versions/v9/groups/G0007/"> APT28 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-9e54c5fbd52e4859b9fc4fcf11335e4c"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3a223da5b87447f0bbd859a5bba79ce0"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0fc20a27442549099f96a0595e939e69"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-311b6fd499004f0ab3c936b9a5db4817"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f2d9fa39e41344d3bb3e0d64ba14a219"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4706e13c21cf48e59061dbbaab2ecc84"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-080b6603df0c41b394986e93492c6baa"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4df65ad27985448e8d0570867a13bf45"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-06a4b5899d3549e3aa5e4d4ac0adc511"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f1cd11a66db84516a3520405067f85dc"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-5fc1a029befe48b587d4dece1a6bfeeb"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-7d8f8060918143018a61b7d75fae5d61"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3c28366e21404f609b54930888771a75"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-b83df494e0cf43a7a348dcfe001722de"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8080a2475195401ab077c1180ab335bb"> <a href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="c9652acf849c48b6b237f8b1ebf4fe78"> <span>C-D</span> <div class="expand-button collapsed" id="c9652acf849c48b6b237f8b1ebf4fe78-header" data-toggle="collapse" data-target="#c9652acf849c48b6b237f8b1ebf4fe78-body" aria-expanded="false" aria-controls="#c9652acf849c48b6b237f8b1ebf4fe78-body"></div> </div> <div class="sidenav-body collapse" id="c9652acf849c48b6b237f8b1ebf4fe78-body" aria-labelledby="c9652acf849c48b6b237f8b1ebf4fe78-header"> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-db8b931f952d412e9d12e18c2c6681fc"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div 
class="sidenav"> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel"
aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Turla </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v9/groups/G0010">Turla</a> is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. <a href="/versions/v9/groups/G0010">Turla</a> is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. 
<a href="/versions/v9/groups/G0010">Turla</a>’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="CrowdStrike VENOMOUS BEAR"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0010 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 
card-title">Associated Groups</span>: Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Matthieu Faou, ESET; Edward Millington </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 2.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>26 April 2021 </div> </div> </div> </div> </div> </div> <h2 class="pt-3" id="aliasDescription">Associated Group Descriptions</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> Group 88 </td> <td> <p><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="4" 
aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> Belugasturgeon </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> Waterbug </td> <td> <p>Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Symantec Waterbug"><sup><a href="https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> WhiteBear </td> <td> <p>WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Securelist WhiteBear Aug 2017"><sup><a href="https://securelist.com/introducing-whitebear/81638/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> VENOMOUS BEAR </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="CrowdStrike VENOMOUS BEAR"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> Snake </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="CrowdStrike VENOMOUS BEAR"><sup><a 
href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> Krypton </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="CrowdStrike VENOMOUS BEAR"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> </tbody> </table> 
<h2 class="pt-3" id="techniques">Techniques Used</h2> <table class="table techniques-used table-bordered mt-2"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent" id="uses-T1134-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1134">T1134</a> </td> <td> <a href="/versions/v9/techniques/T1134/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/002">Create Process with Token</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors can impersonate or steal process tokens before executing commands.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent" id="uses-T1087-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v9/techniques/T1087/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>net user</code> to enumerate local accounts on the system.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" 
data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1087-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>net user /domain</code> to enumerate domain accounts.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1583-006"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v9/techniques/T1583/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v9/techniques/T1583/006">Web Services</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has created web accounts including Dropbox and GitHub for C2 and document exfiltration.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" 
aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1071-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v9/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used HTTP and HTTPS for C2 communications.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1071-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used multiple backdoors which communicate with a C2 server via email attachments.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1560-001"> <td> Enterprise </td> <td> <a 
href="/versions/v9/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v9/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/001">Archive via Utility</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has encrypted files stolen from connected USB drives into a RAR file before exfiltration.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1547-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v9/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>A <a href="/versions/v9/groups/G0010">Turla</a> JavaScript backdoor added a local_update_check value under the Registry key <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> to establish persistence. 
Additionally, a <a href="/versions/v9/groups/G0010">Turla</a> custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1547-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1547/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/004">Winlogon Helper DLL</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> established persistence by adding a Shell value under the Registry key <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</code>.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1110"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v9/techniques/T1110">Brute Force</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> may attempt to connect to systems within a victim's network using <code>net use</code> commands and a predefined list or collection 
of passwords.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1059-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v9/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from <a href="/versions/v9/software/S0363">Empire</a>'s PSInject.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> has also used PowerShell scripts to load and execute malware in memory.</p> </td> </tr> <tr class="sub technique" id="uses-T1059-003"> <td></td> <td></td> <td> <a 
href="/versions/v9/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have used cmd.exe to execute commands.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1059-005"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used VBS scripts throughout its operations.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr class="sub technique" id="uses-T1059-006"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1059/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/006">Python</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used 
IronPython scripts as part of the <a href="/versions/v9/software/S0581">IronNetInjector</a> toolchain to drop payloads.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Unit 42 IronNetInjector February 2021"><sup><a href="https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1059-007"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1059/007">.007</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/007">JavaScript</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used various JavaScript-based backdoors.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent" id="uses-T1584-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1584">T1584</a> </td> <td> <a href="/versions/v9/techniques/T1584/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v9/techniques/T1584/003">Virtual Private Server</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used the VPS infrastructure of compromised Iranian threat actors.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="NSA NCSC Turla OilRig"><sup><a href="https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="sub technique" 
id="uses-T1584-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1584/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v9/techniques/T1584/004">Server</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used compromised servers as infrastructure.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Recorded Future Turla Infra 2020"><sup><a href="https://www.recordedfuture.com/turla-apt-infrastructure/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1584-006"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1584/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v9/techniques/T1584/006">Web Services</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has frequently used compromised WordPress sites for C2 infrastructure.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Recorded Future Turla Infra 2020"><sup><a href="https://www.recordedfuture.com/turla-apt-infrastructure/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1555-004"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v9/techniques/T1555/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a 
href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has gathered credentials from the Windows Credential Manager tool.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr class="technique" id="uses-T1213"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v9/techniques/T1213">Data from Information Repositories</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used a custom .NET tool to collect documents from an organization's internal central database.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1005"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v9/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors can upload files from victim machines.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1025"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1025">T1025</a> </td> <td> <a 
href="/versions/v9/techniques/T1025">Data from Removable Media</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors can collect files from USB thumb drives.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1140"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or <a href="/versions/v9/techniques/T1546/013">PowerShell Profile</a>, to decode encrypted PowerShell payloads.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1587-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1587">T1587</a> </td> <td> <a href="/versions/v9/techniques/T1587/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1587">Develop Capabilities</a>: <a href="/versions/v9/techniques/T1587/001">Malware</a> </td> <td> <p><a 
href="/versions/v9/groups/G0010">Turla</a> has developed its own unique malware for use in operations.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Recorded Future Turla Infra 2020"><sup><a href="https://www.recordedfuture.com/turla-apt-infrastructure/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1189"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1189">T1189</a> </td> <td> <a href="/versions/v9/techniques/T1189">Drive-by Compromise</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has infected victims using watering holes.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1546-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v9/techniques/T1546/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used WMI event filters and consumers to establish persistence.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1546-013"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1546/013">.013</a> </td> <td> <a 
href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/013">PowerShell Profile</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used PowerShell profiles to maintain persistence on an infected machine.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1567-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1567">T1567</a> </td> <td> <a href="/versions/v9/techniques/T1567/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/002">Exfiltration to Cloud Storage</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used WebDAV to upload stolen USB files to a cloud drive.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> has also exfiltrated stolen files to OneDrive and 4shared.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1068"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1068">T1068</a> </td> <td> <a href="/versions/v9/techniques/T1068">Exploitation for Privilege 
Escalation</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="Unit42 AcidBox June 2020"><sup><a href="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1083"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have also searched for files matching the <code>lPH*.dll</code> pattern.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1562-001"> <td> Enterprise </td> 
<td> <a href="/versions/v9/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v9/techniques/T1562/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1562">Impair Defenses</a>: <a href="/versions/v9/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1105"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used shellcode to download Meterpreter after compromising a victim.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1570"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v9/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors can be used to transfer files to/from victim machines on the local network.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" 
target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1112"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1112">T1112</a> </td> <td> <a href="/versions/v9/techniques/T1112">Modify Registry</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used the Registry to store encrypted payloads.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1106"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1106">T1106</a> </td> <td> <a href="/versions/v9/techniques/T1106">Native API</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> and its RPC backdoors have used API calls for various tasks related to subverting AMSI and to accessing and then executing commands through RPC and/or named pipes.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" 
aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1027"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used encryption (including salted 3DES via <a href="/versions/v9/software/S0194">PowerSploit</a>'s <code>Out-EncryptedScript.ps1</code>), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1027-005"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1027/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1027/005">Indicator Removal from Tools</a> </td> <td> <p>Based on comparison of <a href="/versions/v9/software/S0168">Gazer</a> versions, <a href="/versions/v9/groups/G0010">Turla</a> made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1588-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v9/techniques/T1588/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v9/techniques/T1588/001">Malware</a> </td> <td> 
<p><a href="/versions/v9/groups/G0010">Turla</a> has used malware obtained after compromising other threat actors, such as <a href="/versions/v9/groups/G0049">OilRig</a>.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="NSA NCSC Turla OilRig"><sup><a href="https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Recorded Future Turla Infra 2020"><sup><a href="https://www.recordedfuture.com/turla-apt-infrastructure/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1201"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1201">T1201</a> </td> <td> <a href="/versions/v9/techniques/T1201">Password Policy Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>net accounts</code> and <code>net accounts /domain</code> to acquire password policy information.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1120"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1120">T1120</a> </td> <td> <a href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>fsutil fsinfo drives</code> to list connected drives.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a 
href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1069-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1069">T1069</a> </td> <td> <a href="/versions/v9/techniques/T1069/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>net localgroup</code> and <code>net localgroup Administrators</code> to enumerate group information, including members of the local administrators group.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1069-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1069/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/002">Domain Groups</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>net group "Domain Admins" /domain</code> to identify domain administrators.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1566-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1566">T1566</a> </td> <td> <a 
href="/versions/v9/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> attempted to trick targets into clicking a link that appeared to point to a legitimate Adobe.com domain, so that the victim would download Turla's malware and give the group initial access.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1057"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1057">T1057</a> </td> <td> <a href="/versions/v9/techniques/T1057">Process Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover running processes using the <code>tasklist /v</code> command.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have also enumerated processes associated with specific open ports or named pipes.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1055"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v9/techniques/T1055">Process 
Injection</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <a href="/versions/v9/software/S0194">PowerSploit</a>'s <code>Invoke-ReflectivePEInjection.ps1</code> to reflectively load a payload delivered by its PowerShell loader into a random process on the victim system.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1055-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1055/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used Metasploit to perform reflective DLL injection in order to escalate privileges.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Github Rapid7 Meterpreter Elevate"><sup><a href="https://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1090"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v9/techniques/T1090">Proxy</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have included local UPnP RPC proxies.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" 
data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </p> </td> </tr> <tr class="technique" id="uses-T1012"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1012">T1012</a> </td> <td> <a href="/versions/v9/techniques/T1012">Query Registry</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query</code> command.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> has also retrieved PowerShell payloads hidden in Registry keys and checked keys associated with null session named pipes.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1021-002"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v9/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> used <code>net use</code> commands to connect to remote systems within a network.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a 
href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1018"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v9/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover remote systems on a local network using the <code>net view</code> and <code>net view /DOMAIN</code> commands. <a href="/versions/v9/groups/G0010">Turla</a> has also used <code>net group "Domain Computers" /domain</code>, <code>net group "Domain Controllers" /domain</code>, and <code>net group "Exchange Servers" /domain</code> to enumerate domain computers, including the organization's DC and Exchange Server.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1518-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1518">T1518</a> </td> <td> <a href="/versions/v9/techniques/T1518/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has obtained information on security software, including security logging information that may indicate whether their malware 
has been detected.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1553-006"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1553">T1553</a> </td> <td> <a href="/versions/v9/techniques/T1553/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v9/techniques/T1553/006">Code Signing Policy Modification</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="Unit42 AcidBox June 2020"><sup><a href="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="GitHub Turla Driver Loader"><sup><a href="https://github.com/hfiref0x/TDL" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1082"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover operating system configuration details using the <code>systeminfo</code>, <code>gpresult</code>, and <code>set</code> commands.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" 
data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1016"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1016">T1016</a> </td> <td> <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover network configuration details using the <code>arp -a</code>, <code>nbtstat -n</code>, <code>net config</code>, <code>ipconfig /all</code>, and <code>route</code> commands, as well as <a href="/versions/v9/software/S0590">NBTscan</a>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have 
also retrieved registered RPC interface information from process memory.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1016-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1016/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used <code>tracert</code> to check internet connectivity.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1049"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1049">T1049</a> </td> <td> <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover active local network connections using the <code>netstat -an</code>, <code>net use</code>, <code>net file</code>, and <code>net session</code> commands.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" 
target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have also enumerated the IPv4 TCP connection table via the <code>GetTcpTable2</code> API call.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1007"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1007">T1007</a> </td> <td> <a href="/versions/v9/techniques/T1007">System Service Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover running services and associated processes using the <code>tasklist /svc</code> command.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1124"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1124">T1124</a> </td> <td> <a href="/versions/v9/techniques/T1124">System Time Discovery</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> surveys a system upon check-in to discover the system time by using the <code>net time</code> command.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1204-001"> <td> Enterprise </td> <td> <a 
href="/versions/v9/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v9/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used spearphishing via a link to get users to download and run their malware.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1078-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v9/techniques/T1078/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1078">Valid Accounts</a>: <a href="/versions/v9/techniques/T1078/003">Local Accounts</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has abused local accounts that have the same password across the victim’s network.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1102"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1102">T1102</a> </td> <td> <a href="/versions/v9/techniques/T1102">Web Service</a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a 
href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1102-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1102/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p>A <a href="/versions/v9/groups/G0010">Turla</a> JavaScript backdoor has used Google Apps Script as its C2 server.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="software">Software</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0099">S0099</a> </td> <td> <a href="/versions/v9/software/S0099">Arp</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky 
Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0335">S0335</a> </td> <td> <a href="/versions/v9/software/S0335">Carbon</a> </td> <td> <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="ESET Carbon Mar 2017"><sup><a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/versions/v9/techniques/T1048/003">Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</a>, <a href="/versions/v9/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a 
href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a>, <a href="/versions/v9/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0160">S0160</a> </td> <td> <a href="/versions/v9/software/S0160">certutil</a> </td> <td> <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v9/techniques/T1553/004">Install Root Certificate</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0126">S0126</a> </td> <td> <a href="/versions/v9/software/S0126">ComRAT</a> </td> <td> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Symantec Waterbug"><sup><a href="https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Unit 42 IronNetInjector February 
2021 "><sup><a href=" https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/005">Hidden File System</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1029">Scheduled Transfer</a>, <a 
href="/versions/v9/techniques/T1518">Software Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0538">S0538</a> </td> <td> <a href="/versions/v9/software/S0538">Crutch</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/001">Archive via Utility</a>, <a href="/versions/v9/techniques/T1119">Automated Collection</a>, <a href="/versions/v9/techniques/T1020">Automated Exfiltration</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1025">Data from Removable Media</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/versions/v9/techniques/T1008">Fallback Channels</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/004">Masquerade Task or Service</a>, <a 
href="/versions/v9/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0363">S0363</a> </td> <td> <a href="/versions/v9/software/S0363">Empire</a> </td> <td> <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="ESET Turla August 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/002">Create Process with Token</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web 
Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1217">Browser Bookmark Discovery</a>, <a href="/versions/v9/techniques/T1115">Clipboard Data</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/001">Local Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/002">Domain Account</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1484">Domain Policy Modification</a>: <a href="/versions/v9/techniques/T1484/001">Group Policy Modification</a>, <a href="/versions/v9/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v9/techniques/T1114">Email Collection</a>: <a href="/versions/v9/techniques/T1114/001">Local Email 
Collection</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/008">Accessibility Features</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/001">Exfiltration to Code Repository</a>, <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v9/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/007">Path Interception by PATH Environment Variable</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/008">Path Interception by Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/009">Path Interception by Unquoted Path</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/004">Dylib Hijacking</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a 
href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/004">Credential API Hooking</a>, <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a>: <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/003">Distributed Component Object Model</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/004">SSH</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System 
Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1127">Trusted Developer Utilities Proxy Execution</a>: <a href="/versions/v9/techniques/T1127/001">MSBuild</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/004">Private Keys</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1125">Video Capture</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0091">S0091</a> </td> <td> <a href="/versions/v9/software/S0091">Epic</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/002">Archive via Library</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a 
href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/011">Extra Window Memory Injection</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v9/techniques/T1553/002">Code Signing</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1007">System Service Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0168">S0168</a> </td> <td> <a href="/versions/v9/software/S0168">Gazer</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="1" 
aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/004">Winlogon Helper DLL</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/002">Screensaver</a>, <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/004">NTFS File Attributes</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/003">Thread Execution Hijacking</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1553">Subvert Trust Controls</a>: <a 
href="/versions/v9/techniques/T1553/002">Code Signing</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0537">S0537</a> </td> <td> <a href="/versions/v9/software/S0537">HyperStack</a> </td> <td> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1559">Inter-Process Communication</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1078">Valid Accounts</a>: <a href="/versions/v9/techniques/T1078/001">Default Accounts</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0581">S0581</a> </td> <td> <a href="/versions/v9/software/S0581">IronNetInjector</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="Unit 42 IronNetInjector February 2021 "><sup><a href="https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/006">Python</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/004">Masquerade Task or 
Service</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0265">S0265</a> </td> <td> <a href="/versions/v9/software/S0265">Kazuar</a> </td> <td> <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/002">File Transfer Protocols</a>, <a href="/versions/v9/techniques/T1010">Application Window Discovery</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a 
href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1485">Data Destruction</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1008">Fallback Channels</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>: <a href="/versions/v9/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v9/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1125">Video Capture</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional 
Communication</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395">S0395</a> </td> <td> <a href="/versions/v9/software/S0395">LightNeuron</a> </td> <td> <span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1119">Automated Collection</a>, <a href="/versions/v9/techniques/T1020">Automated Exfiltration</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1565">Data Manipulation</a>: <a href="/versions/v9/techniques/T1565/002">Transmitted Data Manipulation</a>, <a href="/versions/v9/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v9/techniques/T1001/002">Steganography</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v9/techniques/T1114">Email Collection</a>: <a href="/versions/v9/techniques/T1114/002">Remote Email Collection</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on 
Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v9/techniques/T1505">Server Software Component</a>: <a href="/versions/v9/techniques/T1505/002">Transport Agent</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0002">S0002</a> </td> <td> <a href="/versions/v9/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1098">Account Manipulation</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a 
href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/006">DCSync</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v9/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/004">Private Keys</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0256">S0256</a> </td> <td> <a href="/versions/v9/software/S0256">Mosquito</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" 
data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1218">Signed Binary Proxy Execution</a>: <a href="/versions/v9/techniques/T1218/011">Rundll32</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1033">System 
Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0590">S0590</a> </td> <td> <a href="/versions/v9/software/S0590">NBTscan</a> </td> <td> <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a>, <a href="/versions/v9/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0102">S0102</a> </td> <td> <a href="/versions/v9/software/S0102">nbtstat</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0039">S0039</a> </td> <td> <a href="/versions/v9/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a 
href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/001">Local Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/002">Domain Account</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v9/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1007">System Service Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0104">S0104</a> </td> <td> <a href="/versions/v9/software/S0104">netstat</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a 
href="/versions/v9/techniques/T1049">System Network Connections Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0587">S0587</a> </td> <td> <a href="/versions/v9/software/S0587">Penquin</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1222">File and Directory Permissions Modification</a>: <a href="/versions/v9/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a>, <a href="/versions/v9/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/005">Indicator Removal from Tools</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a 
href="/versions/v9/techniques/T1053/003">Cron</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1205">Traffic Signaling</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0393">S0393</a> </td> <td> <a href="/versions/v9/software/S0393">PowerStallion</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0029">S0029</a> </td> <td> <a href="/versions/v9/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a 
href="/versions/v9/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0075">S0075</a> </td> <td> <a href="/versions/v9/software/S0075">Reg</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/002">Credentials in Registry</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0096">S0096</a> </td> <td> <a href="/versions/v9/software/S0096">Systeminfo</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0057">S0057</a> </td> <td> <a href="/versions/v9/software/S0057">Tasklist</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a 
href="/versions/v9/software/S0022">S0022</a> </td> <td> <a href="/versions/v9/software/S0022">Uroburos</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/002">Software Packing</a>, <a href="/versions/v9/techniques/T1014">Rootkit</a> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank"> ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" target="_blank"> Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank"> Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&amp;y=2015#gsc.tab=0&amp;gsc.q=waterbug-attack-group.pdf&amp;gsc.page=1" target="_blank"> Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://securelist.com/introducing-whitebear/81638/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 
</a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank"> ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="13"> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 
</a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank"> Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf" target="_blank"> NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.recordedfuture.com/turla-apt-infrastructure/" target="_blank"> Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://unit42.paloaltonetworks.com/acidbox-rare-malware/" target="_blank"> Reichel, D. and Idrizovic, E. (2020, June 17). 
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate" target="_blank"> Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://github.com/hfiref0x/TDL" target="_blank"> TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" target="_blank"> ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B., et al. (2017, May 3). Kazuar: Multiplatform Espionage Backdoor with API Access. 
Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. 
</p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?6439"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-relationships.js"></script> </body> </html>