S0537: HyperStack
HyperStack is an RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla, including Carbon.[1]
Analyst context for executives and security teams
HyperStack matters because ATT&CK identifies it as a Windows, RPC-based backdoor attributed to Turla in the cited reporting. For leaders, the practical issue is not the malware name alone; it is whether the organization can recognize backdoor activity that blends native Windows execution, inter-process communication, registry changes, account discovery, default-account abuse, and encrypted command-and-control patterns.
Executive priority
Prioritize validation of endpoint, identity, and network evidence needed to investigate a Windows backdoor case. This object has no official ATT&CK detection guidance, so executives should ask whether SOC and IR teams can prove coverage for the related behaviors: default account exposure, local account enumeration, registry modification, native API execution, IPC abuse, and encrypted C2. These checks support resilience planning, privileged account governance, incident scoping, and audit evidence around monitoring depth.
Technical view
Treat HyperStack as a Windows backdoor reference point mapped to specific ATT&CK behaviors rather than as a fully documented detection package. SOC teams should validate telemetry for Windows registry modifications, local account listing activity, suspicious use of default accounts, process behavior involving native APIs and IPC, and network patterns consistent with encrypted C2. Because the malware is described as RPC-based, defenders should also review whether Windows RPC-related activity is logged and correlated with process, account, and network context.
Likely telemetry
- Windows endpoint process execution and parent-child process context
- Windows Registry change telemetry
- Local user and group enumeration events or command activity
- Authentication logs for built-in, default, or provider-created accounts
- Inter-process communication and RPC-related endpoint/network evidence where available
Detection direction
- Do not rely on a HyperStack-specific signature alone; ATT&CK provides no official detection text for this object.
- Map detections to the related techniques: T1078.001, T1087.001, T1106, T1112, T1559, and T1573.001.
- Tune account-discovery detections to distinguish administrative inventory activity from unusual enumeration on sensitive Windows systems.
- Review default-account monitoring for disabled, renamed, rarely used, or unexpectedly active built-in accounts.
- Correlate registry modification with process lineage, user context, and persistence-related locations rather than alerting on all registry writes.
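As an added example, not code from this page or from the Accenture or MITRE reporting, the following Python applies the detection direction above to constructed Windows Security and Sysmon records: a built-in account (matched by its well-known RID, so a renamed Administrator is still caught) logging on over the network and then touching IPC$, a burst of local-account enumeration that does not come from the approved inventory identity and tool, and a registry write under a service key joined to the writing process's parent image and user. The event field names, the approved-account and approved-tool lists, the watched key prefix, the servicing-image allow-list, and every sample record are assumptions made for the demonstration and must be replaced with local baselines.

```python
"""Three correlation rules over constructed Windows Security / Sysmon records.
All events below are synthetic; field names follow Windows event XML naming, but
which fields your pipeline actually carries is an assumption to verify."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known RIDs of built-in accounts: 500 Administrator, 501 Guest, 503 DefaultAccount.
DEFAULT_ACCOUNT_RIDS = {"500", "501", "503"}
# Assumed local policy: the only identity/tool pair allowed to enumerate accounts at scale.
APPROVED_ENUM_ACCOUNTS = {"CORP\\svc-inventory"}
APPROVED_ENUM_TOOLS = {"C:\\Program Files\\Inventory\\agent.exe"}
# Generic persistence-related registry locations (not specific to any one malware family).
WATCHED_KEY_PREFIXES = ("HKLM\\System\\CurrentControlSet\\Services\\",)
# Images that routinely write service keys; assumed allow-list, tune per environment.
SERVICING_IMAGES = {"C:\\Windows\\servicing\\TrustedInstaller.exe",
                    "C:\\Windows\\System32\\services.exe"}

def _t(e):
    return datetime.fromisoformat(e["Time"])

def _rid(sid):
    return sid.rsplit("-", 1)[-1]

def default_account_ipc_access(events, window=timedelta(minutes=5)):
    """T1078.001 + T1559: network logon (4624, LogonType 3) by a built-in account,
    followed within `window` by IPC$ share access (5140) from the same source IP."""
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
              and _rid(e["TargetUserSid"]) in DEFAULT_ACCOUNT_RIDS]
    shares = [e for e in events if e["EventID"] == 5140
              and e["ShareName"].upper().endswith("\\IPC$")]
    hits = set()
    for lg in logons:
        for sh in shares:
            if (sh["Computer"] == lg["Computer"] and sh["IpAddress"] == lg["IpAddress"]
                    and _t(lg) <= _t(sh) <= _t(lg) + window):
                hits.add((lg["Computer"], lg["IpAddress"], lg["TargetUserName"]))
    return sorted(hits)

def remote_account_enumeration(events, threshold=3, window=timedelta(minutes=2)):
    """T1087.001: a burst of 4798 (local group membership enumerated) covering at
    least `threshold` distinct accounts, unless subject and caller are both approved."""
    buckets = defaultdict(list)
    for e in events:
        if e["EventID"] == 4798:
            buckets[(e["Computer"], e["SubjectUserName"], e["CallerProcessName"])].append(e)
    hits = []
    for (host, subject, caller), evs in buckets.items():
        if subject in APPROVED_ENUM_ACCOUNTS and caller in APPROVED_ENUM_TOOLS:
            continue  # sanctioned inventory activity; do not alert
        evs.sort(key=_t)
        for i, first in enumerate(evs):
            names = {x["TargetUserName"] for x in evs[i:] if _t(x) <= _t(first) + window}
            if len(names) >= threshold:
                hits.append((host, subject, caller, len(names)))
                break
    return hits

def registry_persistence_with_lineage(events):
    """T1112: Sysmon 13 (registry value set) under a watched key, joined by
    ProcessGuid to the Sysmon 1 record so the alert carries parent image and user."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 13 or not e["TargetObject"].startswith(WATCHED_KEY_PREFIXES):
            continue
        if e["Image"] in SERVICING_IMAGES:
            continue  # expected writer of service keys; suppressed, not alerted
        p = procs.get(e["ProcessGuid"], {})
        hits.append((e["Computer"], e["TargetObject"], e["Image"],
                     p.get("ParentImage", "<no Sysmon 1 record>"), p.get("User", "<unknown>")))
    return hits

# Constructed sample records: one host, one source address, one short time window.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T10:00:00", "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-11-22-33-500",
     "IpAddress": "10.0.0.25"},
    {"EventID": 5140, "Time": "2024-05-01T10:00:02", "Computer": "FS01",
     "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.25"},
] + [
    {"EventID": 4798, "Time": f"2024-05-01T10:00:0{3 + i}", "Computer": "FS01",
     "SubjectUserName": "Administrator", "CallerProcessName": "C:\\Windows\\System32\\lsass.exe",
     "TargetUserName": name} for i, name in enumerate(["alice", "bob", "carol"])
] + [
    {"EventID": 4798, "Time": f"2024-05-01T10:30:0{i}", "Computer": "FS01",
     "SubjectUserName": "CORP\\svc-inventory",
     "CallerProcessName": "C:\\Program Files\\Inventory\\agent.exe",
     "TargetUserName": name} for i, name in enumerate(["alice", "bob", "carol"])
] + [
    {"EventID": 1, "Time": "2024-05-01T10:00:05", "Computer": "FS01", "ProcessGuid": "{p1}",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "FS01\\Administrator"},
    {"EventID": 13, "Time": "2024-05-01T10:00:06", "Computer": "FS01", "ProcessGuid": "{p1}",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Parameters\\ServiceDll"},
    {"EventID": 13, "Time": "2024-05-01T10:00:07", "Computer": "FS01", "ProcessGuid": "{p2}",
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Start"},
]

if __name__ == "__main__":
    for rule in (default_account_ipc_access, remote_account_enumeration,
                 registry_persistence_with_lineage):
        print(rule.__name__, rule(SAMPLE_EVENTS))
```

The three rules deliberately key on context rather than on the malware: the RID match survives account renaming, the enumeration rule is tuned by who and what is enumerating rather than by the event alone, and the registry rule reports the parent process and user so an analyst can judge the write instead of receiving every service-key change. The inventory burst at 10:30 and the services.exe write are included to show the suppressions working.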
Mitigation priorities
- Inventory and govern default accounts, including disabling or tightly controlling accounts that are not operationally required.
- Harden Windows endpoints with least privilege and administrative access controls to reduce the value of local account discovery and registry modification.
- Ensure registry and process telemetry is retained long enough for incident response scoping.
- Segment and monitor systems where RPC-based backdoor activity would create material business risk.
- Prepare IR playbooks that combine endpoint containment, credential review, and network scoping for suspected backdoor activity.
Analyst notes and limits
ATT&CK describes HyperStack as an RPC-based backdoor used by Turla since at least 2018 and notes similarities to Carbon. The relationship set is the strongest source for defensive planning because the object itself does not specify tactics or detection guidance. One caveat on that set: the mirrored procedure text for T1573.001 (Symmetric Cryptography) says HyperStack used RSA, which is an asymmetric scheme, so the technique mapping and its description do not agree. Plan for encrypted C2 without assuming a particular cipher until the Accenture report has been checked directly.
This take is limited to supplied ATT&CK fields, external references, and relationships. No active exploitation, customer exposure, full procedure details, indicators, or guaranteed detections are provided. Local environment baselines are required to determine what is abnormal.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078.001 | Default Accounts | HyperStack can use default credentials to connect to IPC$ shares on remote machines.[1] |
| Enterprise | T1106 | Native API | HyperStack can use Windows APIs. |
| Enterprise | T1559 | Inter-Process Communication | HyperStack can connect to the IPC$ share on remote machines.[1] |
| Enterprise | T1112 | Modify Registry | HyperStack can add the name of its communication pipe to |
| Enterprise | T1573.001 | Symmetric Cryptography | HyperStack has used RSA encryption for C2 communications.[1] |
| Enterprise | T1087.001 | Local Account | HyperStack can enumerate all account names on a remote share.[1] |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8f362253e261… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Accenture HyperStack October 2020: Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- [2] mitre-attack S0537: MITRE ATT&CK, software object S0537 (HyperStack).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.