
S0091: Epic

Epic is a backdoor that has been used by Turla. [1]

Enterprise / S0091 / Malware / Object v1.4 / Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Epic is a Windows backdoor documented by ATT&CK as used by Turla. Its value for decision-making lies not only in the malware name: the related behaviors show a toolset that can profile a host and network, look for users, services, accounts, security tools, files, storage, and connections, then use stealth, web-based command-and-control, encryption, archiving, and file deletion. For leaders, this makes Epic relevant to readiness questions: can the organization prove it can detect suspicious discovery and C2 activity on Windows endpoints before an intrusion becomes broader incident response work?

Executive priority

Treat this as a coverage-validation item for high-consequence Windows environments, especially where espionage-style intrusions would affect business continuity, sensitive data, regulated evidence, or operational resilience. Because ATT&CK provides no official detection text for Epic, priority should be placed on validating telemetry and controls against the related techniques rather than assuming malware-name detection is sufficient. Ask whether endpoint, network, identity, and incident response teams can reconstruct discovery, security-tool enumeration, collection preparation, and web-protocol C2 from retained evidence.

Technical view

SOC and detection teams should map Epic-related coverage to the supplied ATT&CK relationships: Windows registry queries, service/process/user/account/group discovery, network configuration and remote-system discovery, file/directory/storage discovery, security software discovery, web-protocol C2, symmetric cryptography, obfuscation, file deletion, code signing abuse, Extra Window Memory Injection, and archive creation via libraries. Since the object is a Windows malware entry and official detection is not provided, validation should focus on behavior chains and host/network correlation rather than a single signature. IR teams should confirm they can timeline suspicious discovery commands or API activity, unexpected archive creation, deletion of staging artifacts, abnormal web traffic, and code/process anomalies on Windows systems.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows registry access/query events
  • Service, process, local user, and local group enumeration evidence
  • File system events for discovery, archive creation, and deletion
  • Endpoint security tool and sensor health/status telemetry

Detection direction

  • Build detections around clustered discovery behaviors rather than isolated administration commands, because many related techniques overlap with legitimate troubleshooting and inventory activity.
  • Tune for unusual combinations: security software discovery followed by obfuscated payload activity, archive creation, file deletion, or web-protocol external communications.
  • Validate Windows registry, service, process, account, group, network, file, and storage discovery visibility on endpoints where business impact would be high.
  • Correlate endpoint events with proxy/DNS/network metadata for web-protocol C2, especially where traffic patterns are inconsistent with the host role.
  • Review code-signing trust decisions; signed binaries should not be automatically treated as benign when behavior aligns with discovery, collection, or C2.
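As an added illustration of the clustering idea above (example code written for this page, not MITRE's or Glexia's own tooling): it scans constructed Windows process-creation records for the discovery commands ATT&CK lists for Epic and raises an alert only when several distinct discovery techniques occur on one host inside a short window, so an isolated help-desk command stays silent. The regexes, the ten-minute window and the three-technique threshold are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands that ATT&CK attributes to Epic, keyed by technique ID (patterns are assumptions).
DISCOVERY_PATTERNS = {
    "T1012": re.compile(r"\breg(\.exe)?\s+query\b", re.I),             # Query Registry
    "T1057": re.compile(r"\btasklist(\.exe)?\s+/v\b", re.I),           # Process Discovery
    "T1007": re.compile(r"\btasklist(\.exe)?\s+/svc\b", re.I),         # System Service Discovery
    "T1124": re.compile(r"\bnet(\.exe)?\s+time\b", re.I),              # System Time Discovery
    "T1049": re.compile(r"\b(net(\.exe)?\s+(use|session)|netstat(\.exe)?)\b", re.I),  # Network Connections
    "T1018": re.compile(r"\bnet(\.exe)?\s+view\b", re.I),              # Remote System Discovery
    "T1016": re.compile(r"\bnbtstat(\.exe)?\s+-[ns]\b", re.I),         # Network Configuration
}

# Constructed Windows process-creation records (not real telemetry). WS01 shows an
# Epic-style discovery burst; WS02 is a help-desk user running two isolated commands.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "jdoe", "cmd": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-05-01T09:00:11", "host": "WS01", "user": "jdoe", "cmd": "tasklist /v"},
    {"ts": "2024-05-01T09:00:40", "host": "WS01", "user": "jdoe", "cmd": "net time"},
    {"ts": "2024-05-01T09:01:02", "host": "WS01", "user": "jdoe", "cmd": "net use"},
    {"ts": "2024-05-01T09:02:30", "host": "WS01", "user": "jdoe", "cmd": "nbtstat -n"},
    {"ts": "2024-05-01T10:15:00", "host": "WS02", "user": "helpdesk", "cmd": "netstat -ano"},
    {"ts": "2024-05-01T10:50:00", "host": "WS02", "user": "helpdesk", "cmd": "tasklist /svc"},
]

def classify(cmdline):
    """Return the Epic-related discovery technique IDs a command line matches."""
    return [tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)]

def find_discovery_clusters(events, window=timedelta(minutes=10), min_techniques=3):
    """Alert per host when at least min_techniques distinct discovery techniques
    occur inside one sliding window; isolated administration commands stay silent."""
    per_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for tid in classify(ev["cmd"]):
            per_host[ev["host"]].append((ts, tid))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tid for ts, tid in hits[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)   # first window that crosses the threshold
                break
    return alerts
```

Running `find_discovery_clusters(SAMPLE_EVENTS)` returns an alert for WS01 only; pairing the technique list with the user field and the web-protocol C2 metadata the page mentions is the natural next correlation step.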

Mitigation priorities

  • Prioritize endpoint visibility and retention on Windows systems before relying on malware-specific detections.
  • Harden least-privilege access and local administrator membership to reduce the value of account and group discovery.
  • Restrict and monitor outbound web traffic from servers and sensitive workstations according to expected business need.
  • Maintain tamper-resistant security tooling and alert on attempts to discover or disable defensive products where telemetry supports it.
  • Use application control, code-signing policy review, and execution controls to reduce trust in unknown or unexpected binaries.

Analyst notes and limits

The most useful defensive interpretation is relationship-driven: ATT&CK links Epic to a broad set of discovery techniques plus stealth, command-and-control, collection preparation, and defense-impairment behaviors. This supports a managed detection and incident response focus on behavior correlation and evidence completeness, not a claim that any single analytic will identify Epic by name.

ATT&CK lists Epic as a Windows backdoor used by Turla and provides one cited external reporting source, but no official detection guidance and no object-level tactics. The relationship context supplies technique associations, but local validation is required to determine whether those behaviors are visible, suspicious, or already covered in a specific environment. This summary does not assert current activity, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

Epic

Epic is a backdoor that has been used by Turla. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

22 rows
Domain ID Name Relationship / procedure

Enterprise T1012 Query Registry

Epic uses the rem reg query command to obtain values from Registry keys. (Citation: Kaspersky Turla)

Enterprise T1057 Process Discovery

Epic uses the tasklist /v command to obtain a list of processes. (Citation: Kaspersky Turla) (Citation: Kaspersky Turla Aug 2014)

Enterprise T1071.001 Web Protocols (Sub-technique)

Epic uses HTTP and HTTPS for C2 communications. (Citation: Kaspersky Turla) (Citation: Kaspersky Turla Aug 2014)

Enterprise T1033 System Owner/User Discovery

Epic collects the user name from the victim's machine. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1124 System Time Discovery

Epic uses the net time command to get the system time from the machine and collect the current date and time zone information. (Citation: Kaspersky Turla)

Enterprise T1083 File and Directory Discovery

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories. (Citation: Kaspersky Turla) (Citation: Kaspersky Turla Aug 2014)

Enterprise T1070.004 File Deletion (Sub-technique)

Epic has a command to delete a file from the machine. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1082 System Information Discovery

Epic collects the OS version, hardware information, computer name, available system memory status, and system and user language settings. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1049 System Network Connections Discovery

Epic uses the net use, net session, and netstat commands to gather information on network connections. (Citation: Kaspersky Turla) (Citation: Kaspersky Turla Aug 2014)

Enterprise T1018 Remote System Discovery

Epic uses the net view command on the victim's machine. (Citation: Kaspersky Turla)

Enterprise T1560.002 Archive via Library (Sub-technique)

Epic compresses the collected data with bzip2 before sending it to the C2 server. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1055.011 Extra Window Memory Injection (Sub-technique)

Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process. (Citation: ESET Recon Snake Nest)

Enterprise T1553.002 Code Signing (Sub-technique)

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper. (Citation: Kaspersky Turla)

Enterprise T1087.001 Local Account (Sub-technique)

Epic gathers a list of all user accounts, privilege classes, and time of last logon. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1560 Archive Collected Data

Epic encrypts collected data using a public key framework before sending it over the C2 channel. (Citation: Kaspersky Turla) Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1069.001 Local Groups (Sub-technique)

Epic gathers information on local group names. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1573.001 Symmetric Cryptography (Sub-technique)

Epic encrypts commands from the C2 server using a hardcoded key. (Citation: Kaspersky Turla)

Enterprise T1016 System Network Configuration Discovery

Epic uses the nbtstat -n and nbtstat -s commands on the victim's machine. (Citation: Kaspersky Turla)

Enterprise T1007 System Service Discovery

Epic uses the tasklist /svc command to list the services on the system. (Citation: Kaspersky Turla)

Enterprise T1518.001 Security Software Discovery (Sub-technique)

Epic searches for anti-malware services running on the victim's machine and terminates itself if it finds them. (Citation: Kaspersky Turla)

Enterprise T1680 Local Storage Discovery

Epic collects disk space information. (Citation: Kaspersky Turla Aug 2014)

Enterprise T1027 Obfuscated Files or Information

Epic heavily obfuscates its code to make analysis more difficult. (Citation: Kaspersky Turla)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.4
Created:
Modified:
Raw hash: 7760cd30b787c966...

Imported snapshots across ATT&CK releases (1)

Release: 19.1; Object version: 1.4; Status: Current bundle; Raw hash: 7760cd30b787…
(The "Bundle imported" and "Modified" columns are empty in this snapshot.)

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky Turla: Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  2. [2] Epic (Citation: Kaspersky Turla)
  3. [3] TadjMakhal (Citation: Kaspersky Turla)
  4. [4] Tavdig (Citation: Kaspersky Turla)
  5. [5] Wipbot (Citation: Kaspersky Turla)
  6. [6] WorldCupSec (Citation: Kaspersky Turla)
  7. [7] mitre-attack S0091

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.