Turla
Turla is a Russian-speaking, Russian state-sponsored cyberespionage threat actor. Reported aliases include ATG26, Belugasturgeon, Blue Python, Group 88, Iron Hunter, Krypton, Pensive Ursa, Secret Blizzard, Snake, Turla APT, Turla APT Group, Turla Team, Uroburos, Venomous Bear, Waterbug, WhiteBear, and Wraith. The group has conducted espionage operations for more than a decade and primarily targets foreign governments, embassies, defense organizations, and other government entities, including high-value Ukrainian targets and at least one undisclosed European government organization.
Reporting describes direct operational collaboration between Turla and Gamaredon in incidents observed between February and June 2025. Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla's Kazuar backdoor and, in at least one case, to restore Turla's access after it appeared to have lost its foothold. This was presented as evidence of a division of labor in Russian cyberespionage operations: Gamaredon establishes or maintains access, and Turla deploys a more advanced espionage platform.
Turla is associated with multiple custom malware families and backdoors, including Kazuar, Carbon, HyperStack, LightNeuron, DeliveryCheck, JavaScript backdoors, RPC backdoors, and Topinambour. Kazuar is described as Turla's flagship backdoor, including v2 and v3. In an Accenture-reported intrusion against a European government organization, Turla used overlapping access via HyperStack, Kazuar, and Carbon. HyperStack is described as a custom Turla RPC backdoor that uses named pipes for remote procedure calls, IPC$ shares for lateral movement, service installation for persistence, and a configuration stored in backport.inf. Carbon used traditional command-and-control URLs and Pastebin-based tasking.
LightNeuron is a Turla backdoor designed specifically for Microsoft Exchange servers. It integrates into mail flow as a mail transfer agent, allowing interception, redirection, modification, composition, and blocking of emails; commands were hidden in PDF or JPG attachments using steganography. Microsoft and CERT-UA also warned of Turla attacks targeting the defense industry and Microsoft Exchange servers with the DeliveryCheck backdoor.
Reporting attributes to Turla a range of tactics and techniques, including spearphishing-enabled follow-on access via partners, long-term persistence through overlapping backdoors, use of JavaScript-based backdoors, PowerShell execution including in-memory loading and Empire PSInject, use of cmd.exe for command execution, file upload from victim machines, registry querying with reg query, retrieval of PowerShell payloads hidden in registry keys, process discovery with tasklist /v, enumeration of processes tied to ports or named pipes, drive enumeration with fsutil fsinfo drives, and network discovery using arp -a, nbtstat -n, net config, ipconfig /all, route, and NBTscan. Persistence mechanisms mentioned include adding a local_update_check value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and placing a custom executable containing Metasploit shellcode in the Startup folder.
Reporting also notes Turla's use of compromised infrastructure and deception: hijacked satellite connections for covert exfiltration, waterholing of government websites, covert-channel backdoors, rootkits, and deception tactics. One report says Turla used valid Sysprint AG digital certificates to sign its Epic dropper. Another notes a Turla JavaScript backdoor using Google Apps Script as command-and-control.
Historical reporting links Turla to Agent.BTZ-era activity and discusses possible but unproven links to Moonlight Maze; the Moonlight Maze connection is explicitly described as circumstantial and not definitive.
Tradecraft
60 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
53 malware families attributed to this actor across reporting.
48 additional families tracked in Mallory.
Associated vulnerabilities
7 CVEs this actor has used in observed campaigns. 7 of them exploited in the wild.
The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.
The attacks are known to have used at least two zero-day exploits: CVE-2013-5065, a privilege escalation vulnerability in Windows XP and Windows 2003, and CVE-2013-3346, an arbitrary code-execution vulnerability in Adobe Reader.
The XHTML then uses HTML smuggling to deliver a RAR archive that exploits CVE-2025-8088, a critical path traversal flaw in WinRAR patched in version 7.13.
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
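The detection described above (explorer.exe spawning cmd.exe or PowerShell) and the Run-key and Startup-folder persistence mentioned in the profile can be expressed as simple matchers over endpoint telemetry. The following is an added example, not code from the page or from any vendor rule; it uses Sysmon-style field names (EventID, Image, ParentImage, TargetObject, TargetFilename) and runs over events constructed here for illustration.

```python
"""Minimal matchers for Turla-associated behaviours over Sysmon-style events.
Added example: the event shapes and sample data are constructed, not real telemetry."""
from pathlib import PureWindowsPath

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHELLS = {"cmd.exe", "powershell.exe"}


def _name(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    # Rule 1 (EventID 1, process create): explorer.exe launching cmd.exe/powershell.exe,
    # the pattern seen when a shortcut file triggers a command interpreter.
    if eid == 1 and _name(event.get("ParentImage", "")) == "explorer.exe" \
            and _name(event.get("Image", "")) in SHELLS:
        hits.append("explorer_spawns_shell")
    # Rule 2 (EventID 13, registry value set): Run-key value named local_update_check.
    if eid == 13:
        key, _, value = event.get("TargetObject", "").rpartition("\\")
        if key.lower() == RUN_KEY.lower() and value.lower() == "local_update_check":
            hits.append("run_key_local_update_check")
    # Rule 3 (EventID 11, file create): an executable written into a Startup folder.
    if eid == 11:
        fname = event.get("TargetFilename", "").lower()
        if "\\start menu\\programs\\startup\\" in fname and fname.endswith(".exe"):
            hits.append("startup_folder_executable")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each event's index to its matched rules, omitting events with no hits."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start updater.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},  # benign: no rule should fire
    {"EventID": 13, "TargetObject": RUN_KEY + r"\local_update_check",
     "Details": r"C:\Users\user\AppData\Local\updater.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\updater.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```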
2 more CVEs tied to this actor tracked in Mallory.
Observables
207 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as another Russian operator exploiting the same WinRAR vulnerability in the same timeframe.
A Russian state-aligned espionage group operating against high-value Ukrainian targets, using the Kazuar backdoor and benefiting from Gamaredon-enabled access to compromised systems.
Referenced as a Russian operator observed exploiting CVE-2025-8088.
Russian state-sponsored cyber espionage group using the Kazuar backdoor as a modular long-term intelligence collection framework against diplomatic, defense, and research targets.