Clankerusecase
Threat-actor profile

🌐 Sea Turtle

Sea Turtle is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 27 MITRE ATT&CK techniques, with 0 threat-intel articles citing it.

MITRE ATT&CK group: G1041

14 use cases
0 articles
27 techniques
0 IOCs

About this actor (MITRE)

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea Turtle](https://attack.mitre.org/groups/G1041) is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling [Sea Turtle](https://attack.mitre.org/groups/G1041) to spoof login portals and other applications for credential collection.(Cita

Known aliases

Sea Turtle
Teal Kurma
Marbled Dust
Cosmic Wolf
SILICON

Detection use cases (14)

Sea Turtle (Marbled Dust) DNS hijack — anomalous resolution flip on corporate auth/SSO portals [AI · profile S]
Sea Turtle (Teal Kurma / Marbled Dust) SnappyTCP nohup-detached reverse shell from compromised Linux web server [AI · profile SΣ]
1Password impossible-travel sign-in [MITRE match]
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [MITRE match]
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress [MITRE match]
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes [MITRE match]
Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [MITRE match]
Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) [MITRE match]
Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write [MITRE match]