MITRE ATT&CK® Malware

S0022: Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

Enterprise | S0022 | Malware | Object v2.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Uroburos matters because ATT&CK describes it as a long-lived, sophisticated espionage tool with Windows, Linux, and macOS implants, stealthy communications, modular components, and use on external-facing nodes before further internal activity. For leaders, the decision value is not a single malware signature; it is whether the organization can find quiet command-and-control, rootkit-style hiding, discovery, local data collection, and cleanup behavior across internet-facing systems and internal hosts.

Executive priority

Prioritize Uroburos as a resilience and readiness test for high-value environments: external-facing nodes, sensitive data repositories, and cross-platform endpoint coverage. Executives should ask whether SOC, IR, and compliance evidence can show visibility into DNS/web/mail and non-application-layer C2, process and file discovery, registry queries on Windows, fileless or packed payloads, service masquerading, and suspicious file deletion. The related Turla context and cited espionage use make this especially relevant for organizations with sensitive government, research, defense, diplomatic, education, or pharmaceutical exposure, while still requiring local risk validation.

Technical view

ATT&CK provides no official detection text for S0022, so defenders should derive coverage from the related techniques. Validate host and network detections for C2 over web protocols, mail protocols, DNS, non-application-layer protocols, protocol impersonation, junk data, fallback channels, multi-stage channels, and multi-hop proxying. On endpoints, test visibility for rootkit indicators, packed or encoded files, embedded payloads, fileless storage, DLL injection on Windows, masqueraded tasks or services, command shell execution, process discovery, system information discovery, file and directory discovery, local data access, registry queries, and file deletion. Because Uroburos is described as modular and stealth-oriented, detection should emphasize behavior correlation rather than reliance on static indicators alone.

Likely telemetry

  • Endpoint process creation and command-line telemetry for Windows, Linux, and macOS
  • Windows registry access/query telemetry
  • Service, scheduled task, and systemd unit creation or modification records
  • File creation, modification, deletion, and directory enumeration telemetry
  • Endpoint memory, module load, and injection-related telemetry where available

Detection direction

  • Map current detections to the related ATT&CK techniques rather than to the malware name alone, since the official object has no detection guidance.
  • Correlate external-facing host activity with later discovery, collection, and C2 behaviors to reflect the described deployment pattern.
  • Tune network analytics for C2 that blends into web, DNS, mail, or lower-layer protocols, including fallback or multi-stage behavior; expect false positives from legitimate infrastructure and require baselining.
  • Review blind spots where encrypted, encoded, packed, embedded, or fileless artifacts may bypass file-signature controls.
  • Validate Windows-specific visibility for registry queries, DLL injection, and command shell execution, while also confirming Linux and macOS endpoint logging for process, file, service, and network activity.

Mitigation priorities

  • Start with exposure management for external-facing nodes, because the description says Uroburos is typically deployed there on targeted networks.
  • Harden and monitor egress paths across DNS, web, mail, and non-application-layer protocols; restrict unnecessary outbound communication where operationally feasible.
  • Improve cross-platform endpoint controls and logging for Windows, Linux, and macOS, including service/task changes, process execution, file activity, and privileged behavior.
  • Use least privilege and administrative access control to reduce the value of discovery, local data collection, registry access, and service manipulation.
  • Prepare IR playbooks for stealthy, modular malware where eradication may require rootkit-aware host triage, network C2 analysis, and validation of fallback channels.

Analyst notes and limits

This take is based on ATT&CK S0022 Uroburos, its official description and references, and listed relationships showing use by Turla and use of multiple command-and-control, discovery, collection, execution, privilege-escalation, and stealth techniques. The most important defensive implication is coverage depth: cross-platform endpoint visibility plus network telemetry capable of identifying covert or impersonated communications.

MITRE provides no official detection text for this object, and the supplied object lists no tactics directly. Recommendations are therefore inferred from the official description and relationship context, not from confirmed local incidents. Local asset criticality, internet exposure, logging maturity, and normal network baselines are required to determine actual priority and coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

36 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1573.002 | Asymmetric Cryptography (Sub-technique)

Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1620 | Reflective Code Loading

Uroburos has the ability to load new modules directly into memory using its `Load Modules Mem` command. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1106 | Native API

Uroburos can use native Windows APIs including `GetHostByName`. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1005 | Data from Local System

Uroburos can use its `Get` command to exfiltrate specified files from the compromised system. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1027.002 | Software Packing (Sub-technique)

Uroburos uses a custom packer. (Citation: Symantec Waterbug) (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1095 | Non-Application Layer Protocol

Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1071.003 | Mail Protocols (Sub-technique)

Uroburos can use custom communications protocols that ride over SMTP. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1001.001 | Junk Data (Sub-technique)

Uroburos can add extra characters in encoded strings to help mimic legitimate DNS requests. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1573.001 | Symmetric Cryptography (Sub-technique)

Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1071.001 | Web Protocols (Sub-technique)

Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1090.003 | Multi-hop Proxy (Sub-technique)

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1059.003 | Windows Command Shell (Sub-technique)

Uroburos has the ability to use the command line for execution on the targeted system. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1564.005 | Hidden File System (Sub-technique)

Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1027.011 | Fileless Storage (Sub-technique)

Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds`. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1112 | Modify Registry

Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1036.004 | Masquerade Task or Service (Sub-technique)

Uroburos has registered a service named `WerFaultSvc`, likely to spoof the legitimate Windows error reporting service. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1132.002 | Non-Standard Encoding (Sub-technique)

Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1012 | Query Registry

Uroburos can query the Registry, typically `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds`, to find the key and path to decrypt and load its kernel driver and kernel driver loader. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1559 | Inter-Process Communication

Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1082 | System Information Discovery

Uroburos has the ability to gather basic system information and run the POSIX API `gethostbyname`. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1104 | Multi-Stage Channels

Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1001.003 | Protocol or Service Impersonation (Sub-technique)

Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1008 | Fallback Channels

Uroburos can use up to 10 channels to communicate between implants. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1543.003 | Windows Service (Sub-technique)

Uroburos has registered a service, typically named `WerFaultSvc`, to decrypt and find a kernel driver and kernel driver loader to maintain persistence. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1105 | Ingress Tool Transfer

Uroburos can use a `Put` command to write files to an infected machine. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1572 | Protocol Tunneling

Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1055.001 | Dynamic-link Library Injection (Sub-technique)

Uroburos can use DLL injection to load embedded files and modules. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1205 | Traffic Signaling

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1057 | Process Discovery

Uroburos can use its `Process List` command to enumerate processes on compromised hosts. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1014 | Rootkit

Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components. (Citation: Kaspersky Turla) (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1027.013 | Encrypted/Encoded File (Sub-technique)

Uroburos can use AES and CAST-128 encryption to obfuscate resources. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1070.004 | File Deletion (Sub-technique)

Uroburos can run a `Clear Agents Track` command on an infected machine to delete Uroburos-related logs. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1071.004 | DNS (Sub-technique)

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1083 | File and Directory Discovery

Uroburos can search for specific files on a compromised system. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise | T1027.009 | Embedded Payloads (Sub-technique)

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
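The DNS rows above (T1071.004, T1132.002, T1001.001) give a defender three concrete properties to look for in resolver logs: the payload sits before the first '.', it is drawn from a 0-9/a-z alphabet, and it is padded to look like a hostname. The following Python heuristic, added here as an example and not code from ATT&CK, Glexia or the advisory, runs over a constructed resolver log and flags clients that send several distinct long, high-entropy first labels of that kind to one parent domain; the log format, thresholds and the last-two-labels parent-domain heuristic are assumptions, and the allowlist parameter is where the baselining the Detection direction section asks for goes.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (format assumed): "<ts> <client_ip> <qname> <type>".
SAMPLE_LOG = """\
2024-05-09T10:00:01Z 10.1.2.3 www.example.com A
2024-05-09T10:00:02Z 10.1.2.3 q7k2m9x4p1w8r3t6y0v5n2b8c4d1.updates-cdn.example A
2024-05-09T10:00:03Z 10.1.2.3 z3h8j5l2o9s6u1a4e7i0f3g6w9.updates-cdn.example A
2024-05-09T10:00:04Z 10.1.2.3 b4n7v2c5x8m1k9p3r6t0y2q5s8.updates-cdn.example A
2024-05-09T10:00:05Z 10.1.2.3 d6f1h4j7l0n3q6s9u2w5y8a1c4.updates-cdn.example. A
2024-05-09T10:00:06Z 10.1.2.7 k2m9x4p1w8r3t6y0v5n2b8c4d1q7.files.example.org A
2024-05-09T10:00:07Z 10.1.2.9 cdn-assets-01.static.example.net A
"""

# The advisory describes a de-facto base32 alphabet of digits 0-9 and lowercase a-z.
BASE32_ALPHABET = set("0123456789abcdefghijklmnopqrstuvwxyz")


def first_label(qname):
    """Payload-bearing part of the name: everything before the first '.'."""
    return qname.rstrip(".").split(".", 1)[0]


def parent_domain(qname):
    """Rough registered domain = last two labels (assumption; use a public suffix list in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def label_is_suspicious(label, min_len=20, min_entropy=3.5):
    """Long, base32-only, high-entropy first label (thresholds are assumptions)."""
    return (len(label) >= min_len and set(label) <= BASE32_ALPHABET
            and shannon_entropy(label) >= min_entropy)


def find_dns_tunnel_candidates(log_text, allowlist=frozenset(), min_unique=3):
    """Flag (client, parent domain) pairs with at least min_unique distinct encoded first
    labels; allowlist holds parent domains baselined as legitimate (e.g. security products)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = fields
        parent = parent_domain(qname)
        label = first_label(qname).lower()
        if parent not in allowlist and label_is_suspicious(label):
            seen[(client, parent)].add(label)
    return {key: {"unique_labels": len(labels),
                  "max_entropy": round(max(map(shannon_entropy, labels)), 2)}
            for key, labels in seen.items() if len(labels) >= min_unique}
```

On the sample log only 10.1.2.3 against updates-cdn.example is reported; the single encoded query from 10.1.2.7 stays below the min_unique threshold, which is the knob to tune against your own baseline.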

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: a6a4018c7d97abd9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle a6a4018c7d97…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023: FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  2. [2] Kaspersky Turla: Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  3. [3] Snake: (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
  4. [4] mitre-attack S0022

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.