G1041: Sea Turtle
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]
Analyst context for executives and security teams
Sea Turtle matters because the ATT&CK record describes a threat actor focused on espionage and service-provider compromise, especially DNS registrars, ccTLD-related organizations, and DNS providers. The business risk is not limited to one server being compromised: DNS manipulation can redirect users to spoofed portals and enable credential collection against downstream victims. For executives, this makes DNS governance, third-party access, identity monitoring, and incident response readiness central control areas rather than purely technical infrastructure concerns.
Executive priority
Prioritize questions about who can change DNS records, which registrars and DNS providers are trusted, how those changes are approved and logged, and whether incident teams can rapidly validate DNS integrity during a suspected compromise. Because the ATT&CK relationships include valid accounts, trusted relationships, public-facing application exploitation, phishing, web shells, adversary-in-the-middle activity, and data collection, leaders should treat this as a cross-functional resilience issue spanning identity, vendor risk, SOC visibility, and crisis response evidence.
Technical view
ATT&CK does not provide a dedicated detection section for Sea Turtle, so defenders should validate coverage from the associated behaviors. Focus on monitoring DNS administration and registrar activity, authentication to external remote services and identity providers, public-facing Linux/Unix and web infrastructure, web shell persistence, Unix shell execution, web-protocol command-and-control, archive and staging activity, and collection from email or databases where applicable. Relationship context also identifies SnappyTCP as a Linux/Unix reverse TCP shell used by Sea Turtle between 2021 and 2023, so Linux web server and network egress telemetry are especially important where those systems are in scope.
Likely telemetry
- DNS registrar, authoritative DNS, and DNS provider change logs, including record changes, account changes, and delegation changes
- Identity provider, VPN, remote access, and privileged account authentication logs
- Web server access logs, file integrity monitoring, and process execution telemetry for public-facing applications
- Linux/Unix shell command history or endpoint telemetry where available
- Network egress metadata for unusual HTTP/S, WebSocket, reverse TCP, or DNS-related activity
Detection direction
- Baseline and alert on DNS record, name server, registrar account, and delegation changes, especially outside approved change windows or by unusual accounts.
- Correlate DNS changes with identity events, remote service logins, phishing reports, and public-facing application alerts rather than treating DNS administration as isolated infrastructure noise.
- Hunt for web shell indicators through unexpected files in web roots, unusual child processes spawned by web services, and command execution from web server contexts.
- Review Linux/Unix systems for suspicious shell execution, reverse shell-like network connections, persistence artifacts, and processes that ignore interrupts or survive session termination.
- Tune detections for valid-account abuse by emphasizing impossible travel, new device or infrastructure use, atypical administrative actions, and access through trusted relationships.
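The first two detection directions above (baselining DNS delegation changes and correlating them with identity events) can be expressed as a small scoring rule. The following Python is an added example written for this page, not code from Glexia or MITRE; the registrar change-log and identity-provider schemas, the approved-admin set, the change window and the score weights are all assumptions, and the log lines are constructed for illustration.

```python
"""Added example: score DNS registrar changes against an approval policy and
correlate them with identity-provider logins for the same account.
Schemas, policy values and log lines below are constructed assumptions."""
from datetime import datetime, timedelta, timezone
import json

# Constructed policy (assumption): accounts allowed to change records,
# approved change window in UTC hours, and record types treated as delegation.
APPROVED_DNS_ADMINS = {"dns-admin-1", "dns-admin-2"}
CHANGE_WINDOW_UTC = (9, 17)          # start hour inclusive, end hour exclusive
HIGH_RISK_TYPES = {"NS", "DS"}       # delegation changes carry the most weight

# Constructed registrar change log (hypothetical JSON-lines schema).
DNS_CHANGES = """
{"ts":"2024-01-05T10:12:00Z","actor":"dns-admin-1","zone":"example.test","rtype":"A","old":"203.0.113.10","new":"203.0.113.11","src_ip":"198.51.100.5"}
{"ts":"2024-01-05T02:41:00Z","actor":"webmaster","zone":"example.test","rtype":"NS","old":"ns1.example.test","new":"ns1.rogue-ns.invalid","src_ip":"192.0.2.77"}
{"ts":"2024-01-05T02:43:00Z","actor":"webmaster","zone":"mail.example.test","rtype":"A","old":"203.0.113.20","new":"192.0.2.99","src_ip":"192.0.2.77"}
""".strip()

# Constructed identity-provider log (hypothetical JSON-lines schema).
IDP_EVENTS = """
{"ts":"2024-01-05T10:05:00Z","user":"dns-admin-1","src_ip":"198.51.100.5","new_device":false,"mfa":true}
{"ts":"2024-01-05T02:30:00Z","user":"webmaster","src_ip":"192.0.2.77","new_device":true,"mfa":false}
""".strip()


def _parse(lines):
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_change(change, idp_events, lookback=timedelta(hours=1)):
    """Return (score, reasons) for one DNS change event.

    Policy violations are scored first; identity events for the same account
    within `lookback` before the change add context (new device, no MFA,
    login IP differing from the IP that made the change)."""
    score, reasons = 0, []
    if change["rtype"] in HIGH_RISK_TYPES:
        score += 3
        reasons.append(f"{change['rtype']} delegation change")
    if change["actor"] not in APPROVED_DNS_ADMINS:
        score += 2
        reasons.append("actor not in approved DNS admin set")
    hour = _ts(change["ts"]).hour
    if not (CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]):
        score += 1
        reasons.append("outside approved change window")
    t = _ts(change["ts"])
    for ev in idp_events:
        if ev["user"] != change["actor"]:
            continue
        if t - lookback <= _ts(ev["ts"]) <= t:
            if ev.get("new_device"):
                score += 2
                reasons.append("login from new device shortly before change")
            if not ev.get("mfa", True):
                score += 1
                reasons.append("login without MFA shortly before change")
            if ev["src_ip"] != change["src_ip"]:
                score += 1
                reasons.append("change source IP differs from login IP")
    return score, reasons


def triage(dns_log=DNS_CHANGES, idp_log=IDP_EVENTS, threshold=4):
    """Return [(zone, rtype, score, reasons)] for changes at or above threshold,
    in log order."""
    idp = _parse(idp_log)
    alerts = []
    for change in _parse(dns_log):
        score, reasons = score_change(change, idp)
        if score >= threshold:
            alerts.append((change["zone"], change["rtype"], score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

With the constructed input, the in-window A-record change by an approved admin scores 0, while the off-hours NS change by a non-admin account whose login came from a new device without MFA scores 9 and the follow-on A-record change scores 6; in practice the weights and window should come from the organization's own change-management policy.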
Mitigation priorities
- Establish strong governance for DNS and registrar administration: least privilege, multi-person approval for critical changes, MFA, logging, and periodic review of authorized accounts.
- Reduce trusted-relationship risk by inventorying third-party access paths, limiting privileges, enforcing strong authentication, and ensuring provider activity is logged and reviewable.
- Harden public-facing applications and web servers through timely vulnerability management, configuration review, and monitoring for unauthorized file changes or web shell behavior.
- Strengthen identity controls for valid accounts and local accounts, including credential hygiene, password reuse reduction, privileged access review, and alerting on abnormal use.
- Prepare incident response procedures for DNS hijacking scenarios, including rapid record validation, registrar escalation contacts, credential reset sequencing, and communication plans.
Analyst notes and limits
The most decision-relevant aspect of this object is the DNS and service-provider compromise theme. The associated techniques broaden the defensive view: initial access may involve phishing, public-facing application exploitation, external remote services, or trusted relationships; persistence may involve valid accounts or web shells; collection may involve email, databases, staging, and archiving; command and control may blend with web protocols. This supports a control validation exercise across DNS administration, identity, external attack surface, and Linux/Unix web infrastructure.
ATT&CK provides no official detection text, no group-level platforms, and no tactics directly on the intrusion-set object. Platform and tactic guidance here is derived only from the supplied relationships and should be validated against the local environment. The record supports Türkiye-linked attribution and historical activity since at least 2017, but this take does not assert current exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | Sea Turtle accessed victim networks from VPN service provider networks.[4] |
| Enterprise | T1074.002 | Remote Data Staging (sub-technique) | Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.[4] |
| Enterprise | T1114.001 | Local Email Collection (sub-technique) | Sea Turtle collected email archives from victim environments.[4] |
| Enterprise | T1583.002 | DNS Server (sub-technique) | Sea Turtle built adversary-in-the-middle DNS servers to impersonate legitimate services that were later used to capture credentials.[2][1] |
| Enterprise | T1608.003 | Install Digital Certificate (sub-technique) | Sea Turtle captured legitimate SSL certificates from victim organizations and installed them on Sea Turtle-controlled infrastructure to enable subsequent adversary-in-the-middle operations.[1] |
| Enterprise | T1690 | Prevent Command History Logging | Sea Turtle unset the Bash and MySQL history files on victim systems.[4] |
| Enterprise | T1584.002 | DNS Server (sub-technique) | Sea Turtle modified Name Server (NS) records to refer to Sea Turtle-controlled DNS servers, which then provided responses for all DNS lookups.[1][2] |
| Enterprise | T1583.003 | Virtual Private Server (sub-technique) | Sea Turtle created adversary-in-the-middle servers to impersonate legitimate services and enable credential capture.[1] |
| Enterprise | T1588.004 | Digital Certificates (sub-technique) | Sea Turtle performed "certificate impersonation," a technique in which Sea Turtle obtained a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the certificate already used by the targeted organization.[1][2] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | Sea Turtle used the tar utility to create a local archive of email data on a victim system.[4] |
| Enterprise | T1564.011 | Ignore Process Interrupts (sub-technique) | Sea Turtle executed SnappyTCP using nohup, which keeps the malware running on a system after the shell or terminal exits.[4] |
| Enterprise | T1588.002 | Tool (sub-technique) | Sea Turtle has used tools such as Adminer during intrusions.[4] |
| Enterprise | T1190 | Exploit Public-Facing Application | Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns.[1][3] |
| Enterprise | T1078.003 | Local Accounts (sub-technique) | Sea Turtle compromised cPanel accounts in victim environments.[4] |
| Enterprise | T1203 | Exploitation for Client Execution | Sea Turtle has used exploits for vulnerabilities such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 to achieve client code execution.[3] |
| Enterprise | T1566 | Phishing | Sea Turtle used spear phishing to gain initial access to victims.[1] |
| Enterprise | T1133 | External Remote Services | Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations.[4] |
| Enterprise | T1213.006 | Databases (sub-technique) | Sea Turtle used the tool Adminer to remotely log on to the MySQL service of victim machines.[4] |
| Enterprise | T1583.001 | Domains (sub-technique) | Sea Turtle registered domains for authoritative name servers used in DNS hijacking activity and for command and control servers.[2][4] |
| Enterprise | T1027.004 | Compile After Delivery (sub-technique) | Sea Turtle downloaded source code files from remote addresses, then compiled them locally with GCC in victim environments.[4] |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs (sub-technique) | Sea Turtle has overwritten Linux system logs and unset the Bash history file (effectively removing logging) during intrusions.[4] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | Sea Turtle used shell scripts for post-exploitation execution in victim environments.[3][4] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | Sea Turtle deployed the SnappyTCP web shell during intrusion operations.[3][4] |
| Enterprise | T1078 | Valid Accounts | Sea Turtle used compromised credentials to maintain long-term access to victim environments.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Sea Turtle connected over TCP using HTTP to establish command and control channels.[4] |
| Enterprise | T1199 | Trusted Relationship | Sea Turtle targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at the primary targets. Entities targeted included DNS registrars, telecommunication companies, and internet service providers.[1] |
| Enterprise | T1557 | Adversary-in-the-Middle | Sea Turtle modified DNS records at service providers to redirect traffic from legitimate resources to Sea Turtle-controlled servers, enabling adversary-in-the-middle attacks for credential capture.[1][2] |
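Several rows in the table describe host-level artifacts a responder can check for on a Linux web server: history files unset or pointed at /dev/null (T1690, T1685.006), email archives staged in a public web directory (T1074.002), and scripts dropped into the web root (T1505.003). The following Python is an added example written for this page, not code from Glexia, MITRE or the cited reports. It builds a constructed home directory and web root in a temporary directory so it runs offline; the file names, directory layout and indicator rules are assumptions, not ATT&CK data, and a real deployment would point the two check functions at live paths.

```python
"""Added example: host checks for history-logging suppression and web-root
staging artifacts. The directory tree is constructed in a temp dir; the
indicator rules (file names, suspicious directories, extensions) are
assumptions chosen for illustration."""
import os
import tempfile
from pathlib import Path

HISTORY_FILES = (".bash_history", ".mysql_history")   # assumption: shells in scope
SHELL_RC_FILES = (".bashrc", ".bash_profile", ".profile")
WEB_SCRIPT_EXT = {".php", ".phtml", ".cgi"}            # assumption: executable web content
ARCHIVE_EXT = {".tar", ".tgz", ".gz", ".zip", ".mbox"} # assumption: staged collection
STATIC_DIRS = ("uploads/", "images/", "tmp/")          # dirs that should not hold scripts


def check_history_files(home: Path):
    """Return finding strings for history files that are symlinked to /dev/null,
    missing or empty, and for rc lines that disable history logging."""
    findings = []
    for name in HISTORY_FILES:
        p = home / name
        if p.is_symlink():                     # check before exists(): it follows links
            if os.readlink(p) == "/dev/null":
                findings.append(f"{name} symlinked to /dev/null")
        elif not p.exists():
            findings.append(f"{name} missing")
        elif p.stat().st_size == 0:
            findings.append(f"{name} is empty")
    for rc in SHELL_RC_FILES:
        rcp = home / rc
        if not rcp.is_file():
            continue
        for line in rcp.read_text(errors="replace").splitlines():
            s = line.strip()
            if (s.startswith("unset HISTFILE") or "HISTFILE=/dev/null" in s
                    or s.startswith("export HISTSIZE=0") or s.startswith("HISTSIZE=0")):
                findings.append(f"{rc}: '{s}' disables history logging")
    return findings


def check_web_root(web_root: Path):
    """Return sorted (relative_path, reason) pairs for archives anywhere in the
    web root and for script files inside upload/static directories."""
    findings = []
    for p in web_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(web_root).as_posix()
        ext = p.suffix.lower()
        if ext in ARCHIVE_EXT:
            findings.append((rel, "archive staged in web root"))
        if ext in WEB_SCRIPT_EXT and rel.startswith(STATIC_DIRS):
            findings.append((rel, "script in upload/static directory"))
    return sorted(findings)


def build_constructed_host(base: Path):
    """Create a constructed home dir and web root exhibiting the artifacts."""
    home = base / "home" / "svc"
    web = base / "var" / "www" / "html"
    (home).mkdir(parents=True)
    os.symlink("/dev/null", home / ".bash_history")        # history sent to /dev/null
    (home / ".mysql_history").write_text("")               # emptied MySQL history
    (home / ".bashrc").write_text("alias ll='ls -l'\nunset HISTFILE\n")
    (web / "uploads").mkdir(parents=True)
    (web / "public").mkdir()
    (web / "index.php").write_text("<?php echo 'ok'; ?>")  # legitimate app file
    (web / "uploads" / "cache.php").write_text("<?php /* constructed */ ?>")
    (web / "public" / "mail-2024.tar.gz").write_bytes(b"\x1f\x8b")  # staged archive
    return home, web


def run_constructed_checks():
    """Run both checks against the constructed tree; returns (history, web)."""
    with tempfile.TemporaryDirectory() as tmp:
        home, web = build_constructed_host(Path(tmp))
        return check_history_files(home), check_web_root(web)


if __name__ == "__main__":
    hist, web = run_constructed_checks()
    print("history findings:", *hist, sep="\n  ")
    print("web root findings:", *web, sep="\n  ")
```

Both check functions return their findings rather than only printing them, so the same logic can be run from a forensic triage script over collected home directories and web roots; an empty `.mysql_history` is included as a finding because the Hunt & Hackett report credits Sea Turtle with unsetting MySQL history, though on a host that never ran the MySQL client the same condition is benign and needs the surrounding context.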
Groups, software, and campaigns
S1163: SnappyTCP
SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 77a97b048f3a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos Sea Turtle 2019: Cisco Talos. (2019, April 17). Sea Turtle: DNS Hijacking Abuses Trust In Core Internet Service. Retrieved November 20, 2024.
[2] Talos Sea Turtle 2019_2: Paul Rascagneres. (2019, July 9). Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques. Retrieved November 20, 2024.
[3] PWC Sea Turtle 2023: PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.
[4] Hunt Sea Turtle 2024: Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
[5] Cosmic Wolf (associated group name). Sources: PWC Sea Turtle 2023; Hunt Sea Turtle 2024.
[6] Marbled Dust (associated group name). Sources: PWC Sea Turtle 2023; Hunt Sea Turtle 2024.
[7] Microsoft Digital Defense 2021: Microsoft. (2021, October). Microsoft Digital Defense Report. Retrieved November 20, 2024.
[8] SILICON (associated group name). Sources: Microsoft Digital Defense 2021; Hunt Sea Turtle 2024.
[9] Teal Kurma (associated group name). Sources: PWC Sea Turtle 2023; Hunt Sea Turtle 2024.
[10] mitre-attack G1041: MITRE ATT&CK source object for this group.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.