Threat-actor profile

← Back to main site

Home/ Threat Actors/ Turla

🇷🇺Turla

🇷🇺 Turla is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 86 MITRE ATT&CK techniques, with 3 threat-intel articles citing them. Active in our corpus from 2023-09-06 to 2025-12-02.

crit 1med 2

View full actor card → All threat actors MITRE ATT&CK group spec (G0010) ↗

26Use cases

3Articles

86Techniques

0IOCs

Known aliases

TurlaSnakeVenomous BearWaterbugUroburosKryptonSecret BlizzardIRON HUNTERGroup 88WhiteBearBELUGASTURGEON

Top techniques

T1555.003 · Credentials from Web Browsers T1204.002 · Malicious File T1036.005 · Match Legitimate Resource Name or Location

All other tracked techniques

T1003.001 · LSASS Memory T1005 · Data from Local System T1007 · System Service Discovery T1012 · Query Registry T1016 · System Network Configuration Discovery T1016.001 · Internet Connection Discovery T1018 · Remote System Discovery T1021.002 · SMB/Windows Admin Shares T1025 · Data from Removable Media T1027.005 · Indicator Removal from Tools T1027.010 · Command Obfuscation T1027.011 · Fileless Storage T1041 · Exfiltration Over C2 Channel T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1055 · Process Injection T1055.001 · Dynamic-link Library Injection T1057 · Process Discovery T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1059.007 · JavaScript T1068 · Exploitation for Privilege Escalation T1069.001 · Local Groups T1069.002 · Domain Groups T1071.001 · Web Protocols T1071.003 · Mail Protocols T1074.001 · Local Data Staging T1078.003 · Local Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.001 · Local Account T1087.002 · Domain Account T1090 · Proxy T1090.001 · Internal Proxy T1102 · Web Service T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1106 · Native API T1110 · Brute Force T1112 · Modify Registry T1120 · Peripheral Device Discovery T1124 · System Time Discovery T1132.001 · Standard Encoding T1134.001 · Token Impersonation/Theft T1134.002 · Create Process with Token T1140 · Deobfuscate/Decode Files or Information T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1201 · Password Policy Discovery T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1213.006 · Databases T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1518.001 · Security Software Discovery T1546.003 · Windows Management Instrumentation Event Subscription T1546.013 · PowerShell Profile T1547.001 · Registry Run Keys / Startup Folder T1547.004 · Winlogon Helper DLL T1553.006 · Code Signing Policy Modification T1555.004 · Windows Credential Manager T1560.001 · Archive via Utility T1564.012 · File/Path Exclusions T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1574.002 · T1574.002 T1583.006 · Web Services T1584.003 · Virtual Private Server T1584.004 · Server T1584.006 · Web Services T1587.001 · Malware T1588.001 · Malware T1588.002 · Tool T1615 · Group Policy Discovery T1620 · Reflective Code Loading T1685 · Disable or Modify Tools

Detection use cases (26)

Secret Blizzard (Turla) ComRAT v4 — Gmail web-UI C2 from non-browser process AI · profile SΣDD Turla (Iron Hunter) TinyTurla-NG ServiceDLL persistence outside System32 AI · profile SΣDD MuddyWater Fooder loader (OsUpdater.exe) execution from Downloads Bespoke MuddyViper persistence via ManageOnDriveUpdater scheduled task or Startup folder hijack Bespoke MuddyViper C2 fingerprint: 'A WinHTTP Example Program/1.0' UA + distinctive URI paths Bespoke MuddyWater CE-Notes / LP-Notes / Blub stealer staging-file writes Bespoke Non-browser process reading Chrome/Edge/Opera Login Data or Local State Bespoke Archive utility writing LNK/DLL/EXE to Windows Startup folder (RomCom CVE-2025-8088) Bespoke Python interpreter executed from %TEMP% / Public — RomCom DLL side-load chain (CVE-2025-8088) Bespoke Asset exposure — vulnerability matches article CVE(s) Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Remote service execution — PsExec / SMB lateral movement Internal 1Password failed sign-in burst MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match

Threat-intel articles (3)

med MuddyWater: Snakes by the riverbank · 2025-12-02

crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06

med Fetch the Flag CTF 2023 sneak peek · 2023-09-06

Tracked indicators

CVEs (2)

CVE-2024-42009 CVE-2025-8088