C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[1]
Analyst context for executives and security teams
C0026 matters because it shows how old malware infrastructure and prior infections can become a new access path. In this campaign, re-registered ANDROMEDA command-and-control domains were used to selectively deliver KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA victims in Ukraine. For leaders, the practical lesson is that historical compromise, stale domain dependencies, and unmanaged egress paths can remain business risks long after an original malware family is considered old news.
Executive priority
Prioritize this as an incident-readiness and resilience question: can the organization identify systems with historical malware exposure, detect renewed contact with previously malicious or re-registered domains, and prove that outbound traffic, tool transfer, collection, archiving, and exfiltration behaviors are monitored? The ATT&CK object does not provide detection guidance or a current targeting claim, so the business value is in validating controls against the campaign pattern rather than assuming exposure.
Technical view
SOC and IR teams should use C0026 as a validation scenario covering command-and-control through re-used or re-registered domains, selective malware delivery, reconnaissance, collection, archiving, and exfiltration. Relationship context includes ANDROMEDA, KOPILUWAK, QUIETCANARY, Net, Arp, netstat, Dynamic Resolution, Ingress Tool Transfer, Data from Local System, Archive via Utility, and Data Transfer Size Limits. Because the campaign object has no official platforms or tactics, platform assumptions should come from the related software and techniques, especially the Windows-oriented related malware and utilities where applicable.
Likely telemetry
- DNS query and domain registration/enrichment history for previously malicious or expired/re-registered domains
- Proxy, firewall, and egress logs showing outbound command-and-control or tool-transfer activity
- Endpoint process execution and command-line telemetry for Net, arp, netstat, scripting, archive utilities, and unusual .NET or JavaScript execution
- File creation, staging, compression, and archive activity on endpoints and servers
- Network transfer metadata useful for identifying repeated or size-limited outbound transfers
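The first telemetry item above, DNS queries checked against registration history, is the one that needs the most local enrichment. The following is an added example, not code from MITRE or from this page: it joins a constructed DNS query log against a constructed intel table of historical C2 apex domains and flags queries to domains whose current registration postdates their last malicious sighting, which is the signature of an expired domain that somebody re-registered. The `.test` hostnames, dates and field names are assumptions chosen for illustration, not real indicators; real enrichment would come from your threat-intel platform and registrar history.

```python
"""Added example, not MITRE's or Glexia's code: flag DNS queries for domains
that were known C2 in the past and have since been re-registered, i.e. the
current WHOIS creation date is later than the date the domain was last seen
as malicious. The enrichment table and DNS log are constructed; the names
under .test are placeholders, not real indicators."""
from datetime import date


def registrable(fqdn):
    """Reduce a name to its last two labels. Naive on purpose: production
    code should use the Public Suffix List so co.uk-style domains work."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Constructed enrichment: apex domain -> when it was last observed as C2 and
# the creation date of its current registration (from registrar history).
HISTORICAL_C2 = {
    "old-c2-example.test": {"last_seen_malicious": date(2017, 6, 30),
                            "registered_on": date(2022, 1, 12)},
    "still-held.test":     {"last_seen_malicious": date(2016, 3, 1),
                            "registered_on": date(2015, 11, 5)},
}

# Constructed DNS query log: (client host, queried name).
DNS_LOG = [
    ("WS-0412", "old-c2-example.test"),
    ("WS-0412", "intranet.corp.test"),
    ("WS-0199", "still-held.test"),
    ("WS-0301", "cdn.old-c2-example.test."),
]


def is_reregistered(entry):
    """True when the current registration postdates the last malicious
    sighting: the old registration lapsed and someone registered it anew."""
    return entry["registered_on"] > entry["last_seen_malicious"]


def find_reregistered_contacts(dns_log, intel):
    """Return one record per query that resolves under a re-registered
    historical C2 apex, with how long the domain sat dormant in between."""
    hits = []
    for host, qname in dns_log:
        apex = registrable(qname)
        entry = intel.get(apex)
        if entry is None or not is_reregistered(entry):
            continue
        dormant_days = (entry["registered_on"] - entry["last_seen_malicious"]).days
        hits.append({"host": host, "query": qname, "apex": apex,
                     "registered_on": entry["registered_on"].isoformat(),
                     "dormant_days": dormant_days})
    return hits


if __name__ == "__main__":
    for hit in find_reregistered_contacts(DNS_LOG, HISTORICAL_C2):
        print(hit)
```

The dormancy gap is worth surfacing in the alert: a years-old sinkhole or parked domain that suddenly has a fresh registration and fresh resolutions from hosts with historical infection records is a far stronger signal than either fact alone. A domain whose registration predates its last malicious sighting (the second intel entry) is still in the original owner's hands and is excluded here; it belongs on an ordinary blocklist instead.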
Detection direction
- Validate whether DNS and proxy analytics can surface renewed contact with historical ANDROMEDA-related infrastructure or domains that have changed ownership; local threat intelligence enrichment is required because no indicators are supplied in the ATT&CK object.
- Tune detections around sequences rather than single tools: reconnaissance utilities followed by tool transfer, local data access, archive creation, and outbound transfer are more meaningful than Net, arp, or netstat alone.
- Account for false positives from legitimate administration and troubleshooting use of Net, arp, netstat, and archive utilities by correlating user, host role, timing, destination reputation, and follow-on network activity.
- Review coverage for Dynamic Resolution and Data Transfer Size Limits, since domain-based blocking and simple volume thresholds may miss changing infrastructure or chunked exfiltration patterns.
- Because MITRE provides no official detection text for C0026, detection engineering should map the related techniques to local telemetry and test whether logs are retained long enough for campaign-level reconstruction.
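Two of the points above, sequence-based detection and the weakness of simple volume thresholds against chunked exfiltration, can be exercised with the following added example. It is not code from MITRE or from this page. It classifies constructed endpoint and proxy records into the C0026 stages (reconnaissance with Net, Arp or netstat, ingress tool transfer, WinRAR archive creation, outbound transfer), alerts only when a host walks the stages in order within a window, and separately flags a host that uploads several near-identical parts to one destination, the pattern left by the 3MB archive splitting recorded in the techniques table. The record layout, thresholds, hostnames and the `.test` peer are assumptions for illustration, and the WinRAR detection keys on the `a` (add) command only.

```python
"""Added detection example, not MITRE's or Glexia's code: correlate the
C0026 stages per host instead of alerting on single utilities, and flag
chunked outbound transfers of near-identical size. Records are constructed
and simplified; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

RECON_BINARIES = {"net.exe", "net1.exe", "arp.exe", "netstat.exe"}
ARCHIVE_BINARIES = {"rar.exe", "winrar.exe"}
STAGE_ORDER = ("recon", "ingress", "archive", "egress")
BULK_BYTES = 100_000  # transfers below this are treated as noise (assumed)


def _ev(ts, host, **fields):
    """Build one constructed telemetry record; 'ts' is an ISO-8601 string."""
    return {"ts": datetime.fromisoformat(ts), "host": host, **fields}


# Constructed sample telemetry. WS-0412 walks the full chain; WS-0199 and
# ADMIN-01 show benign partial matches that must not alert.
EVENTS = [
    _ev("2022-09-14T09:01:00", "WS-0412", type="process", image="net.exe", cmdline="net view"),
    _ev("2022-09-14T09:01:20", "WS-0412", type="process", image="arp.exe", cmdline="arp -a"),
    _ev("2022-09-14T09:01:35", "WS-0412", type="process", image="netstat.exe", cmdline="netstat -ano"),
    _ev("2022-09-14T09:10:00", "WS-0412", type="net", direction="download",
        peer="old-c2-example.test", external=True, bytes=350_000),
    _ev("2022-09-14T11:30:00", "WS-0412", type="process", image="rar.exe",
        cmdline=r"rar.exe a -r C:\Users\u\AppData\Local\Temp\d.rar C:\Users\u\Documents"),
    *[_ev(f"2022-09-14T12:0{i}:00", "WS-0412", type="net", direction="upload",
          peer="old-c2-example.test", external=True, bytes=3_145_728) for i in range(4)],
    _ev("2022-09-14T12:04:00", "WS-0412", type="net", direction="upload",
        peer="old-c2-example.test", external=True, bytes=1_200_000),  # final, smaller part
    _ev("2022-09-14T10:00:00", "WS-0199", type="process", image="netstat.exe", cmdline="netstat -an"),
    _ev("2022-09-14T10:05:00", "WS-0199", type="net", direction="upload",
        peer="files.vendor.test", external=True, bytes=5_000_000),
    _ev("2022-09-14T08:00:00", "ADMIN-01", type="process", image="net.exe", cmdline="net user"),
    _ev("2022-09-14T08:01:00", "ADMIN-01", type="process", image="rar.exe",
        cmdline=r"rar.exe a backup.rar C:\scripts"),
]


def classify(ev):
    """Map one record to a C0026 stage, or None when it is not relevant."""
    if ev["type"] == "process":
        image = ev["image"].lower()
        if image in RECON_BINARIES:
            return "recon"
        # WinRAR 'a' (add) command: archive creation rather than extraction
        if image in ARCHIVE_BINARIES and " a " in f" {ev['cmdline']} ":
            return "archive"
    elif ev["type"] == "net" and ev.get("external") and ev["bytes"] >= BULK_BYTES:
        return "ingress" if ev["direction"] == "download" else "egress"
    return None


def correlate_hosts(events, window=timedelta(hours=24)):
    """Return {host: [timestamps]} for hosts where recon, ingress, archive and
    egress occur in that order within 'window' of the first recon event.
    Deliberately strict: out-of-order stages are ignored, not back-filled."""
    staged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            staged[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, seq in staged.items():
        chain = []
        for ts, stage in seq:
            if stage != STAGE_ORDER[len(chain)]:
                continue
            if chain and ts - chain[0] > window:
                break
            chain.append(ts)
            if len(chain) == len(STAGE_ORDER):
                hits[host] = chain
                break
    return hits


def chunked_uploads(events, min_parts=3, tolerance=0.05):
    """Flag (host, peer) pairs with >= min_parts external uploads whose sizes
    sit within 'tolerance' of their median: fixed-size archive parts. The
    last part of a split archive is usually smaller, so it is not counted."""
    groups = defaultdict(list)
    for ev in events:
        if ev["type"] == "net" and ev["direction"] == "upload" and ev.get("external"):
            groups[(ev["host"], ev["peer"])].append(ev["bytes"])
    flagged = {}
    for key, sizes in groups.items():
        if len(sizes) < min_parts:
            continue
        m = median(sizes)
        similar = [s for s in sizes if abs(s - m) <= tolerance * m]
        if len(similar) >= min_parts:
            flagged[key] = {"parts": len(similar), "part_size": int(m), "total": sum(similar)}
    return flagged


if __name__ == "__main__":
    print(correlate_hosts(EVENTS))
    print(chunked_uploads(EVENTS))
```

Note what the two detectors deliberately ignore: ADMIN-01 runs `net user` and then creates an archive, and WS-0199 runs netstat and then uploads a single 5MB file to a vendor, yet neither fires, because the first never transfers a tool inward and the second has no archive step and no repeated same-size parts. A per-transfer volume threshold set above 3MB would have missed every one of the WS-0412 uploads; counting similar-sized parts to one peer catches the split regardless of the chosen part size.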
Mitigation priorities
- Inventory and investigate systems with historical ANDROMEDA or similar commodity malware exposure where such records exist; prior compromise can be relevant to renewed targeting.
- Strengthen DNS, proxy, and egress controls so endpoints cannot freely contact untrusted or newly changed external infrastructure.
- Maintain incident response playbooks for malware reactivation scenarios, including host isolation, domain-contact scoping, credential review, and data-access assessment.
- Limit unnecessary command-line administration capability where feasible, and monitor use of built-in utilities in sensitive environments rather than trying to block all legitimate administrative tools.
- Ensure collection and exfiltration controls cover local data access, archive creation, inbound tool transfer, and unusual outbound transfer patterns.
Analyst notes and limits
The source description states that several tools and tactics used during C0026 were consistent with historic Turla operations, but the supplied fields do not support treating this as a definitive attribution claim. The most useful defensive framing is the reuse of old ANDROMEDA infrastructure to reach previous victims and deliver additional malware.
Official detection is not provided, and the campaign object itself lists no platforms or tactics. Platform and behavior guidance here is derived from the supplied relationships and descriptions only. Local telemetry, threat intelligence, historical infection records, and approved indicator sources are required to determine relevance to any specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1030 | Data Transfer Size Limits | During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[1] |
| Enterprise | T1568 | Dynamic Resolution | |
| Enterprise | T1560.001 | Archive via Utility | During C0026, the threat actors used WinRAR to collect documents on targeted systems. The threat actors appeared to only exfiltrate files created after January 1, 2021.[1] |
| Enterprise | T1583.001 | Domains | |
| Enterprise | T1105 | Ingress Tool Transfer | During C0026, the threat actors downloaded malicious payloads onto select compromised hosts.[1] |
| Enterprise | T1005 | Data from Local System | During C0026, the threat actors collected documents from compromised hosts.[1] |
Groups, software, and campaigns
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S1074: ANDROMEDA
S1076: QUIETCANARY
QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[1]
S0104: netstat
S1075: KOPILUWAK
S0099: Arp
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp and raw object hash. For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a0fa62d629ec… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Suspected Turla Campaign February 2023: Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Mandiant. Retrieved May 15, 2023.
[2] MITRE ATT&CK. Campaign C0026.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.