Mallory
Malware (used by 1 actor)

SnappyTCP

SnappyTCP is a Linux/Unix malware family described by PwC as a simple reverse TCP shell with basic command-and-control capabilities that is also used to establish persistence on compromised systems. The reporting indicates at least two main variants: one using plaintext communications and another using TLS via OpenSSL and TLS certificates to encrypt traffic. SnappyTCP performs an HTTP-based negotiation before spawning a reverse TCP shell, and its C2 traffic has been described as using HTTP GET requests; reported traffic may include the HTTP header "X-Auth-43245-S-20". The malware has been observed in both executable and shared object formats, compiled for multiple architectures and operating systems, sometimes with statically linked GLIBC, and uses pthreads to spawn bash processes. It can parse configuration files to determine C2 IP addresses. Sea Turtle, also referred to as Teal Kurma, Marbled Dust, and Cosmic Wolf, deployed SnappyTCP during intrusion operations, including as a web shell, and executed it with nohup to keep it running after shell exit. The actor used shell scripts such as upxa.sh to drop executables for C2 communication. Supporting reporting associates SnappyTCP with a Türkiye-nexus espionage actor targeting organizations in Europe, the Middle East, North Africa, and Mediterranean Europe, including government, telecommunications, IT, NGO, media, and other public- and private-sector entities. Reported infrastructure associated with SnappyTCP includes domains such as lo0.systemctl.network, ybcd.tech, alhurra.online, al-marsad.co, and anfturkce.news, and IP addresses including 168.100.10.187, 93.115.22.212, and 108.61.103.186. The actor has also been reported exploiting CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 for initial access in related operations.
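As an added defensive example (not code from Mallory, PwC, or MITRE), the following Python parses proxy-logged HTTP request heads and flags those that carry the reported header, a Host value from the domain list above, or a destination IP from the IP list above. The sample traffic is constructed, and the header name is assumed to be "X-Auth-43245-S-20" with the trailing period in the reporting read as sentence punctuation.

```python
"""Flag HTTP request heads that match the SnappyTCP indicators reported above."""
from typing import Dict, List

# Indicators quoted in the description (reported SnappyTCP infrastructure).
C2_DOMAINS = {"lo0.systemctl.network", "ybcd.tech", "alhurra.online",
              "al-marsad.co", "anfturkce.news"}
C2_IPS = {"168.100.10.187", "93.115.22.212", "108.61.103.186"}
# Assumption: header name is "X-Auth-43245-S-20" (trailing period read as punctuation).
C2_HEADER = "x-auth-43245-s-20"


def parse_request(raw: str) -> Dict[str, object]:
    """Parse a raw request head (request line + headers); tolerant of CRLF or LF endings."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _ = (lines[0].split(" ") + ["", ""])[:3]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "target": target, "headers": headers}


def score_request(raw: str, dst_ip: str) -> List[str]:
    """Return the indicators matched by one request (empty list means no match)."""
    req = parse_request(raw)
    hits: List[str] = []
    if C2_HEADER in req["headers"]:
        hits.append("header:" + C2_HEADER)
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host in C2_DOMAINS:
        hits.append("domain:" + host)
    if dst_ip in C2_IPS:
        hits.append("ip:" + dst_ip)
    if hits and req["method"] == "GET":   # reported negotiation uses GET
        hits.append("method:GET")
    return hits


# Constructed sample traffic (not real captures): one benign request, one matching the pattern.
SAMPLES = [
    ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n", "203.0.113.5"),
    ("GET /sh HTTP/1.1\r\nHost: lo0.systemctl.network\r\nX-Auth-43245-S-20: 1\r\n\r\n", "168.100.10.187"),
]


def scan(samples=SAMPLES):
    """Score every sample; returns (dst_ip, matched indicators) pairs."""
    return [(dst, score_request(raw, dst)) for raw, dst in samples]


if __name__ == "__main__":
    for dst, hits in scan():
        print(dst, "ALERT" if hits else "clean", hits)
```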


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Sea Turtle

Sea Turtle executed SnappyTCP using the tool NoHup, which keeps the malware running on a system after exiting the shell or terminal. Sea Turtle deployed the SnappyTCP web shell during intrusion operations.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059.004 Unix Shell (evidence: 1)

Persistence

1 technique
T1505.003 Web Shell (evidence: 2)

Sea Turtle deployed the SnappyTCP web shell during intrusion operations.

Stealth

1 technique
T1564.011 Ignore Process Interrupts (evidence: 1)

Sea Turtle executed SnappyTCP using the tool NoHup, which keeps the malware running on a system after exiting the shell or terminal.

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 3)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

T1095 Non-Application Layer Protocol (evidence: 1)
T1573 Encrypted Channel (evidence: 1)

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

T1573.002 Asymmetric Cryptography (evidence: 2)

Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
