Turla Group
APT Group
Information theft and espionage
Financial crime
46 zero-day CVEs
ETDA ✓
Also Known As 26 names
Turla
ATK13
Blue Python
G0010
Group 88
Hippo Team
IRON HUNTER
ITG12
KRYPTON
MAKERSMARK
Pacifier APT
Pfinet
Popeye
SIG23
SUMMIT
Secret Blizzard
Snake
TAG_0530
UAC-0003
UAC-0024
UAC-0144
UNC4210
Uroburos
VENOMOUS Bear
WRAITH
Waterbug
Target Countries 67
United Arab Emirates
Afghanistan
Armenia
Austria
Australia
Azerbaijan
Belgium
Plurinational State of Bolivia
Brazil
Botswana
Belarus
Canada
Switzerland
Chile
China
Germany
Denmark
Algeria
Ecuador
Estonia
Egypt
Spain
Finland
France
United Kingdom
Georgia
Gambia
Greece
Hong Kong
Hungary
Indonesia
India
Iraq
Islamic Republic of Iran
Italy
Jamaica
Jordan
Japan
Kyrgyzstan
Kuwait
Kazakhstan
Sri Lanka
Latvia
Mexico
Malaysia
Netherlands
Pakistan
Poland
Paraguay
Qatar
Romania
Serbia
Russian Federation
Saudi Arabia
Sweden
Thailand
Tajikistan
Turkmenistan
Tunisia
Ukraine
United States
Uruguay
Uzbekistan
Bolivarian Republic of Venezuela
Vietnam
Yemen
South Africa
Sectors Targeted
Healthcare
Grantmaking and Giving Services
8132
High-Tech
Commercial Banking
52211
Public Relations Agencies
54182
Food and Agriculture
Jewelry Stores
44831
Offices of Physicians
6211
Lumber and Other Construction Materials Merchant Wholesalers
4233
Civic and Social Organizations
8134
Computer Systems Design Services
541512
Pharmaceutical
NAICS 45231
Employment Placement Agencies and Executive Search Services
56131
NGOs
IT
National Security and International Affairs
928110
Aviation
Government
Financial
Aerospace
Insurance Carriers and Related Activities
524
Data Processing, Hosting, and Related Services
51821
Newspaper Publishers
51111
Human Resources Consulting Services
541612
Educational Support Services
6117
Food Services and Drinking Places
722
Telecommunications
Education
Water Supply and Irrigation Systems
22131
Construction
23
Embassies
Hospitals
622
Periodical Publishers
51112
Retail
Scientific Research and Development Services
5417
Computer Systems Design and Related Services
54151
Remediation and Other Waste Management Services
5629
Business Schools and Computer and Management Training
6114
Computer Systems Design and Related Services
5415
Defense
National Security and International Affairs
9281
Energy
Justice, Public Order, and Safety Activities
9221
Think Tanks
Research
Non-profit organizations
Internet Publishing and Broadcasting and Web Search Portals
51913
Media
Details
Origin
Russian Federation
Last Updated
01 Jun 2022
Malware Families 27
turla_rpc
prometei
delivery_check
skipper
penquin_turla
agent_btz
zhmimikatz
turla_silentmoon
comlook
nautilus
turla_rat
tinyturla_ng
cobra
neuron
turla_ff_ext
netflash
outlook_backdoor
minijs
satellite_turla
twoface
wipbot
cyber_azov
ksl0t
turla_maintools
epicsplit
quietcanary
tiny_turla
MITRE ATT&CK 229
T1001
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1007
T1008
T1010
T1011 - Exfiltration Over Other Network Medium
T1012 - Query Registry
T1014
T1016 - System Network Configuration Discovery
T1016.001
T1018 - Remote System Discovery
T1020
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002
T1025 - Data from Removable Media
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1027.005
T1027.010
T1027.011
T1033 - System Owner/User Discovery
T1035
T1036 - Masquerading
T1036.003 - Rename System Utilities
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1040
T1041 - Exfiltration Over C2 Channel
T1045 - Software Packing
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1049 - System Network Connections Discovery
T1052 - Exfiltration Over Physical Medium
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1056 - Input Capture
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003
T1059.005 - Visual Basic
T1059.006
T1059.007
T1060
T1068 - Exploitation for Privilege Escalation
T1069
T1069.001
T1069.002
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.003
T1072 - Software Deployment Tools
T1074 - Data Staged
T1074.001
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1078.003 - Local Accounts
T1080 - Taint Shared Content
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1086 - PowerShell
T1087 - Account Discovery
T1087.001
T1087.002
T1090 - Proxy
T1090.001
T1091 - Replication Through Removable Media
T1092 - Communication Through Removable Media
T1095 - Non-Application Layer Protocol
T1098 - Account Manipulation
T1102 - Web Service
T1102.002
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110 - Brute Force
T1111
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001
T1115 - Clipboard Data
T1119 - Automated Collection
T1120 - Peripheral Device Discovery
T1123
T1124
T1125
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001
T1130
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1132.002 - Non-Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1134.001 - Token Impersonation/Theft
T1134.002
T1135 - Network Share Discovery
T1136
T1136.001 - Local Account
T1137
T1137.006
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176 - Browser Extensions
T1185 - Man in the Browser
T1187
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1195
T1195.001
T1199
T1201
T1203
T1204 - User Execution
T1204.001
T1204.002 - Malicious File
T1205
T1210 - Exploitation of Remote Services
T1213 - Data from Information Repositories
T1213.006
T1217 - Browser Bookmark Discovery
T1218 - Signed Binary Proxy Execution
T1218.011 - Rundll32
T1219
T1220
T1410 - Network Traffic Capture or Redirection
T1480 - Execution Guardrails
T1482
T1483
T1485
T1486
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1496
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1497.003
T1498 - Network Denial of Service
T1499
T1503
T1505
T1518 - Software Discovery
T1518.001
T1525
T1528 - Steal Application Access Token
T1529
T1530 - Data from Cloud Storage Object
T1531
T1537
T1539 - Steal Web Session Cookie
T1543 - Create or Modify System Process
T1543.002
T1543.003 - Windows Service
T1546 - Event Triggered Execution
T1546.003
T1546.013
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1547.004
T1548
T1550
T1552 - Unsecured Credentials
T1553 - Subvert Trust Controls
T1553.002 - Code Signing
T1553.004 - Install Root Certificate
T1553.006
T1555 - Credentials from Password Stores
T1555.004
T1557 - Man-in-the-Middle
T1559
T1560 - Archive Collected Data
T1560.001
T1561
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.002 - Disable Windows Event Logging
T1562.004 - Disable or Modify System Firewall
T1564 - Hide Artifacts
T1564.003
T1564.012
T1565
T1566 - Phishing
T1566.002
T1567 - Exfiltration Over Web Service
T1567.002
T1568 - Dynamic Resolution
T1569 - System Services
T1570
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1573.002 - Asymmetric Cryptography
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.002
T1583.006
T1584 - Compromise Infrastructure
T1584.003
T1584.004
T1584.006
T1585 - Establish Accounts
T1587 - Develop Capabilities
T1587.001
T1588 - Obtain Capabilities
T1588.001
T1588.002
T1590
T1590.002 - DNS
T1592
T1595
T1598
T1608 - Stage Capabilities
T1608.003
T1610
T1615
T1685
TA0011 - Command and Control
Related Zero-Days 46
CVE-2013-5065
CVE-2015-1701
CVE-2015-2546
CVE-2016-0165
CVE-2016-0167
CVE-2016-7255
CVE-2017-0199
CVE-2017-0263
CVE-2017-5638
CVE-2017-7269
CVE-2018-8174
CVE-2018-8453
CVE-2019-0708
CVE-2019-0797
CVE-2019-0859
CVE-2019-10149
CVE-2019-1132
CVE-2019-11510
CVE-2019-1458
CVE-2020-1472
CVE-2021-1675
CVE-2021-1732
CVE-2021-26855
CVE-2021-28310
CVE-2021-34527
CVE-2021-37973
CVE-2021-40444
CVE-2021-44228
CVE-2022-26134
CVE-2022-26138
CVE-2022-30190
CVE-2022-3236
CVE-2022-42475
CVE-2023-0669
CVE-2023-27350
CVE-2023-36884
CVE-2023-38831
CVE-2023-46805
CVE-2023-4966
CVE-2024-21887
CVE-2024-3400
CVE-2024-49039
CVE-2024-9680
CVE-2025-0282
CVE-2025-0283
CVE-2025-22457