Mallory
Türkiye 🇹🇷 (TR) | 3 malware families | Exploits CVEs in the wild

Sea Turtle

Also known as: COSMIC WOLF, Marbled Dust, SILICON, Teal Kurma, UNC1326

Sea Turtle is a Türkiye-nexus threat actor, also tracked as Marbled Dust, SILICON, UNC1326, COSMIC WOLF, and Teal Kurma. Public reporting describes the group as conducting sophisticated intrusion campaigns centered on DNS hijacking, adversary-in-the-middle (AitM) operations, credential theft, and long-term access to victim environments. Sea Turtle has targeted third parties in trusted relationships with its primary targets, including DNS registrars, telecommunication companies, and internet service providers, and has also been reported targeting Kurdish websites in the Netherlands.

The group has registered domains for authoritative name servers and command-and-control infrastructure, modified DNS and name server records at service providers to redirect victim traffic, and built AitM DNS servers and VPS-based impersonation servers to capture credentials. To make the redirected services look legitimate it has impersonated certificates in two ways: obtaining CA-signed X.509 certificates for the victim's domain from a different certificate provider, and installing legitimate SSL certificates captured from victim organizations on Sea Turtle-controlled infrastructure. The second case matters for defenders: a captured legitimate certificate passes issuer and fingerprint checks, so only monitoring of the DNS records themselves will surface that hijack.

For initial access, reporting attributes to Sea Turtle spear phishing, exploitation of public-facing applications, external-facing SSH, abuse of trusted third-party relationships, and compromise of cPanel accounts. In multiple campaigns it gained access by exploiting known vulnerabilities, including CVE-2021-44228 (Log4j "Log4Shell"), CVE-2021-21974 (VMware ESXi OpenSLP heap overflow), and CVE-2022-0847 (Linux "Dirty Pipe", a local privilege-escalation bug rather than a remote entry point). ATT&CK techniques explicitly associated with these campaigns include T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1505.004 IIS Components, T1059 Command and Scripting Interpreter, T1608.001 Upload Malware, and T1608.002 Upload Tool.
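
The DNS hijacking and certificate impersonation above are best caught as drift from a known-good baseline. The following is an added example, not code from the page or from any of the vendors cited: it compares one monitoring observation (delegated NS set, resolved A records, certificate-transparency entries, and the certificate actually served) against a baseline for a name you own. Every domain, address, issuer name and fingerprint in it is constructed; in production the observation would be filled from a query to the parent zone, an independent recursive resolver, a CT log monitor, and a real TLS handshake.

```python
"""Baseline-drift checks for the DNS hijacking and certificate impersonation
tradecraft described above. All domains, addresses, issuers and fingerprints
below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What we know to be true about a name we own."""
    domain: str
    nameservers: frozenset       # NS set delegated at the registrar/registry
    a_records: frozenset         # addresses the name should resolve to
    allowed_issuers: frozenset   # CAs we actually order certificates from
    our_fingerprints: frozenset  # SHA-256 of leaf certs we requested ourselves


@dataclass(frozen=True)
class Observation:
    """One monitoring pass. In production: NS from the parent zone, A records
    from an independent recursive resolver, CT entries from a log monitor, and
    the served certificate from a real TLS handshake to the name."""
    domain: str
    nameservers: frozenset
    a_records: frozenset
    ct_entries: tuple            # (issuer, sha256_hex) pairs seen in CT logs
    served_fingerprint: str      # leaf presented on the TLS handshake


def check_domain(base: Baseline, obs: Observation) -> list:
    """Return (category, detail) findings; an empty list means no drift."""
    assert base.domain == obs.domain
    findings = []
    if obs.nameservers != base.nameservers:
        findings.append(("ns_drift",
                         f"added={sorted(obs.nameservers - base.nameservers)} "
                         f"removed={sorted(base.nameservers - obs.nameservers)}"))
    if obs.a_records != base.a_records:
        findings.append(("a_drift", f"now={sorted(obs.a_records)}"))
    for issuer, fp in obs.ct_entries:
        if fp in base.our_fingerprints:
            continue                      # a cert we ordered ourselves
        if issuer not in base.allowed_issuers:
            # T1588.004: a cert for our name from a provider we never use
            findings.append(("ct_foreign_issuer", f"{issuer} issued {fp[:16]}"))
        else:
            # right CA, but nobody on our side requested it
            findings.append(("ct_unrequested_cert", f"{issuer} issued {fp[:16]}"))
    if obs.served_fingerprint not in base.our_fingerprints:
        findings.append(("served_cert_unknown", obs.served_fingerprint[:16]))
    return findings


# Constructed baseline for a mail host we own.
OUR_CERT = "f1" * 32
SAMPLE_BASELINE = Baseline(
    domain="mail.example.org",
    nameservers=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
    a_records=frozenset({"198.51.100.10"}),
    allowed_issuers=frozenset({"Let's Encrypt"}),
    our_fingerprints=frozenset({OUR_CERT}),
)

# Constructed hijack: NS records repointed at actor-controlled name servers, the
# name now resolves to an AitM host, a second cert for the name shows up in CT
# from a CA we never use, and the AitM host serves our own captured certificate.
SAMPLE_HIJACK = Observation(
    domain="mail.example.org",
    nameservers=frozenset({"ns1.attacker-dns.example", "ns2.attacker-dns.example"}),
    a_records=frozenset({"203.0.113.5"}),
    ct_entries=(("Let's Encrypt", OUR_CERT), ("Other CA Ltd", "a5" * 32)),
    served_fingerprint=OUR_CERT,
)

if __name__ == "__main__":
    for category, detail in check_domain(SAMPLE_BASELINE, SAMPLE_HIJACK):
        print(f"{category:22s} {detail}")
```

Note what the constructed hijack does and does not trigger: the NS and A record changes and the foreign-CA certificate each produce a finding, but the served certificate does not, because the actor is presenting a captured legitimate cert. Certificate monitoring alone would have stayed quiet.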
During post-compromise activity, Sea Turtle used Adminer to remotely access MySQL services, deployed the SnappyTCP web shell, ran Unix shell scripts, downloaded source code and compiled it locally with GCC, and launched malware under nohup so that it kept running after the interactive shell exited. It used HTTP over TCP for command and control, collected victim email and archived it with tar, and staged the archives in public web directories reachable from the internet, where they could be retrieved with an ordinary HTTP request. Reported defense evasion includes unsetting the Bash and MySQL history files and overwriting Linux system logs. Sea Turtle also used compromised credentials to maintain long-term access to victim environments.
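
Each step of that chain is unremarkable on its own (developers run gcc, admins use nohup, backups tar /var/mail), so the useful detection is the sequence from one user on one host. The following is an added example and not code from the page or from any cited vendor: it tags command-audit lines with the stage they match and alerts when one host/uid pair hits several stages inside a window. The line format and all sample lines are constructed for the example; a real deployment would normalise auditd EXECVE records or a shell audit log to the same fields.

```python
"""Correlation of the Linux post-compromise chain described above over
command-audit lines. The line format and every sample line are constructed for
this example; a real deployment would feed it auditd EXECVE records or shell
audit logs normalised to the same fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage of the chain, matched against the command string.
RULES = {
    "history_suppression": re.compile(
        r"\bunset\s+(HISTFILE|MYSQL_HISTFILE)\b"
        r"|\b(HISTFILE|MYSQL_HISTFILE)=/dev/null\b|\bHISTSIZE=0\b"),
    "local_compile": re.compile(
        r"\b(gcc|cc|g\+\+|clang)\b.*\s-o\s+(/tmp|/dev/shm|/var/tmp)/"),
    "nohup_background": re.compile(r"\bnohup\b.*&\s*$"),
    "mail_archive": re.compile(r"\btar\b.*(Maildir|/var/mail|/var/spool/mail|mbox)"),
    "webroot_staging": re.compile(r"\b(cp|mv|tar)\b.*(/var/www/|public_html/|htdocs/)"),
    "log_tamper": re.compile(
        r">\s*/var/log/|\btruncate\b.*/var/log/|\brm\b.*\.bash_history"),
}

# Constructed line format: "<iso-timestamp> <host> uid=<n> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


def tag_line(line):
    """Parse one audit line and return (ts, host, uid, cmd, stages) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"]
    stages = frozenset(name for name, rx in RULES.items() if rx.search(cmd))
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["host"], int(m["uid"]), cmd, stages


def correlate(lines, window=timedelta(hours=24), min_stages=3):
    """Group tagged lines by (host, uid) and alert when at least min_stages
    distinct stages occur inside one time window."""
    per_actor = defaultdict(list)
    for line in lines:
        tagged = tag_line(line)
        if tagged and tagged[4]:
            per_actor[(tagged[1], tagged[2])].append(tagged)
    alerts = []
    for (host, uid), events in per_actor.items():
        events.sort(key=lambda e: e[0])
        for i, first in enumerate(events):
            hit, cmds = set(), []
            for ts, _, _, cmd, stages in events[i:]:
                if ts - first[0] > window:
                    break
                hit |= stages
                cmds.append(cmd)
            if len(hit) >= min_stages:
                alerts.append({"host": host, "uid": uid,
                               "stages": sorted(hit), "commands": cmds})
                break  # one alert per actor is enough for triage
    return alerts


# Constructed sample: a web-server account (uid 33) walking the whole chain,
# plus a developer build and a nightly mail backup that must not alert.
SAMPLE_AUDIT = [
    "2024-03-02T09:14:05Z web01 uid=33 cmd=unset HISTFILE",
    "2024-03-02T09:14:09Z web01 uid=33 cmd=export MYSQL_HISTFILE=/dev/null",
    "2024-03-02T09:20:41Z web01 uid=33 cmd=gcc -O2 -o /tmp/.x/srv /tmp/.x/srv.c",
    "2024-03-02T09:21:02Z web01 uid=33 cmd=nohup /tmp/.x/srv &",
    "2024-03-02T11:47:30Z web01 uid=33 cmd=tar czf /var/www/html/css/.m.tgz /home/alice/Maildir",
    "2024-03-02T11:48:01Z web01 uid=33 cmd=cat /dev/null > /var/log/wtmp",
    "2024-03-02T08:00:00Z web01 uid=1001 cmd=gcc -O2 -o /home/dev/build/app main.c",
    "2024-03-02T08:05:00Z web01 uid=1001 cmd=nohup ./app &",
    "2024-03-03T22:00:00Z db02 uid=0 cmd=tar czf /backup/mail-20240303.tgz /var/mail",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT):
        print(f"{alert['host']} uid={alert['uid']} stages={alert['stages']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

The thresholds (24 hour window, three distinct stages) are starting points; on a host where the web-server account should never compile anything, `local_compile` from that uid alone is worth an alert. The `webroot_staging` rule also gives you a hunting query: list archives under the document root that the deploy pipeline did not write.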


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Telecommunication Services
  • Media & Entertainment

Where they target

Geographies tied to known operations.

  • 🇳🇱 Netherlands

Where they're from

Attributed origin per open-source reporting.

  • 🇹🇷 Türkiye (TR)

MITRE ATT&CK

Tradecraft

42 distinct techniques observed across reporting, grouped by tactic. 13 of the 14 Enterprise tactics are represented (no Discovery technique is cited). The grid holds 57 entries because a technique that belongs to several tactics, such as T1078 Valid Accounts, is listed under each of them. ×N = number of intelligence reports citing that technique; sub-techniques are indented under their parent.

TA0043 Reconnaissance (2 techniques)
  • T1593 Search Open Websites/Domains
  • T1595 Active Scanning

TA0042 Resource Development (3 techniques)
  • T1583 Acquire Infrastructure
      T1583.001 Domains ×2
      T1583.002 DNS Server
      T1583.003 Virtual Private Server
  • T1588 Obtain Capabilities
      T1588.002 Tool ×3
      T1588.004 Digital Certificates
  • T1608 Stage Capabilities
      T1608.001 Upload Malware
      T1608.002 Upload Tool

TA0001 Initial Access (5 techniques)
  • T1078 Valid Accounts ×5
  • T1133 External Remote Services ×8
  • T1190 Exploit Public-Facing Application ×28
  • T1199 Trusted Relationship ×2
  • T1566 Phishing ×2

TA0002 Execution (3 techniques)
  • T1059 Command and Scripting Interpreter ×3
      T1059.004 Unix Shell
  • T1129 Shared Modules
  • T1203 Exploitation for Client Execution ×4

TA0003 Persistence (4 techniques)
  • T1078 Valid Accounts ×5
  • T1098 Account Manipulation
  • T1133 External Remote Services ×8
  • T1505 Server Software Component
      T1505.003 Web Shell ×5
      T1505.004 IIS Components

TA0004 Privilege Escalation (3 techniques)
  • T1068 Exploitation for Privilege Escalation
  • T1078 Valid Accounts ×5
  • T1098 Account Manipulation

TA0005 Defense Evasion (2 techniques)
  • T1070 Indicator Removal
      T1070.008 Clear Mailbox Data
  • T1078 Valid Accounts ×5

TA0006 Credential Access (3 techniques)
  • T1539 Steal Web Session Cookie
  • T1552 Unsecured Credentials
      T1552.001 Credentials In Files
  • T1557 Adversary-in-the-Middle ×3

TA0008 Lateral Movement (1 technique)
  • T1021 Remote Services
      T1021.004 SSH

TA0009 Collection (5 techniques)
  • T1005 Data from Local System
  • T1074 Data Staged
  • T1114 Email Collection
      T1114.001 Local Email Collection
  • T1557 Adversary-in-the-Middle ×3
  • T1560 Archive Collected Data
      T1560.001 Archive via Utility

TA0011 Command and Control (4 techniques)
  • T1071 Application Layer Protocol
      T1071.001 Web Protocols ×5
  • T1105 Ingress Tool Transfer
  • T1219 Remote Access Tools
  • T1573 Encrypted Channel
      T1573.002 Asymmetric Cryptography

TA0010 Exfiltration (2 techniques)
  • T1041 Exfiltration Over C2 Channel
  • T1567 Exfiltration Over Web Service

TA0040 Impact (2 techniques)
  • T1485 Data Destruction
  • T1565 Data Manipulation
      T1565.001 Stored Data Manipulation
IOCs

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated; view them in Mallory, or pipe them straight into your SIEM.

What this page doesn't show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

  • Target overlap: match sector + geo + tech-stack targeting against your real footprint.
  • Tradecraft mapping (42): every observed MITRE ATT&CK technique, grouped by tactic.
  • Malware arsenal (3): families this actor is known to deploy, with IOCs and behavior.
  • Exploited CVEs (19): CVEs this actor has used in known campaigns.
  • Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
  • Observables (3): domains, IPs, and hashes tied to this actor, refreshed continuously.