S0587: Penquin
Analyst context for executives and security teams
Penquin matters because ATT&CK describes it as a Linux remote access trojan used by Turla, with relationships spanning persistence, discovery, stealth, command-and-control, network sniffing, and exfiltration over C2. For leaders, the decision point is whether Linux systems are treated as first-class monitored assets, not just infrastructure assumed to be stable or low-risk.
Executive priority
Prioritize this as a Linux monitoring and resilience gap check. The ATT&CK relationships show behavior that can support long-running access, environmental reconnaissance, concealed communications, and data movement. Security leaders should ask whether Linux servers, network appliances where applicable, and high-value workloads have adequate endpoint logging, privileged access control, egress visibility, cron/change auditing, and incident response evidence retention. This is not primarily a vulnerability-prioritization object; it is a control-coverage and detection-readiness object.
Technical view
SOC and IR teams should validate coverage around the Linux behaviors linked to Penquin: cron-based execution or persistence, Unix shell activity, system/network/file/storage discovery, file deletion, permission changes, masquerading as legitimate resources, encoded or encrypted files, tool indicator changes, network sniffing, socket filters, traffic signaling, non-application-layer C2, asymmetric cryptography for C2, ingress tool transfer, and exfiltration over an existing C2 channel. ATT&CK provides no official detection text for this malware, so detection engineering should be relationship-driven and environment-baselined rather than relying on malware-name signatures alone.
Likely telemetry
- Linux process execution telemetry for shells, discovery utilities, permission changes, and file deletion activity
- Cron and scheduled task configuration/change logs
- File integrity, path, ownership, permission, and metadata changes on sensitive Linux directories
- Endpoint evidence of packet capture, promiscuous-mode activity, raw socket use, or socket filters where available
- Network flow and packet metadata for unusual ICMP, UDP, SOCKS, or other non-application-layer communications
Detection direction
- Do not depend only on static indicators; ATT&CK links this object to indicator removal, encoded/encrypted files, and masquerading.
- Baseline legitimate Linux administration because shell commands, cron, discovery, file deletion, and permission changes can be normal in operations.
- Correlate suspicious cron changes with shell execution, discovery commands, file transfers, network connections, and subsequent cleanup activity.
- Hunt for packet capture or socket-filter behavior on systems that do not normally perform network monitoring.
- Review egress controls and monitoring for protocols below the application layer, traffic-signaling patterns, and encrypted C2-like communications where payload inspection is limited.
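The following is an added example (not from the page, ATT&CK, or either cited report) of the relationship-driven hunt the bullets above describe: over constructed, simplified auditd-style records, it flags any non-allow-listed process that opens an AF_PACKET socket or attaches a socket filter (T1040 / T1205.002), and correlates it with a cron path change on the same host within a window (T1053.003). The record format, host names, the `cron` process name (mirroring the T1036.005 masquerading row) and the allow-list are all assumptions.

```python
"""Hunt for unexpected sniffing setup correlated with cron changes (added example)."""

# Constructed sample records in a simplified key=value form (not real auditd output).
SAMPLE_LOG = """\
type=SYSCALL ts=1700000000 host=web01 comm=tcpdump syscall=socket a0=AF_PACKET
type=SYSCALL ts=1700000100 host=db02 comm=cron syscall=socket a0=AF_PACKET
type=SYSCALL ts=1700000101 host=db02 comm=cron syscall=setsockopt optname=SO_ATTACH_FILTER
type=PATH ts=1700000160 host=db02 comm=cron name=/etc/cron.d/sysupdate op=create
type=SYSCALL ts=1700000200 host=app03 comm=nmap syscall=socket a0=AF_PACKET
"""

ALLOWLIST = {"tcpdump", "tshark", "suricata"}   # hypothetical approved capture tools
CRON_PATHS = ("/etc/cron", "/var/spool/cron")   # locations whose changes we correlate
WINDOW = 300                                    # seconds after sniff setup to look for cron change


def parse(log):
    """Turn each line into a dict of its key=value fields; ts becomes an int."""
    events = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = int(fields["ts"])
        events.append(fields)
    return events


def is_sniff_setup(e):
    """Raw packet socket creation or attaching a BPF socket filter."""
    return (e.get("syscall") == "socket" and e.get("a0") == "AF_PACKET") \
        or e.get("optname") == "SO_ATTACH_FILTER"


def hunt(log):
    """Return {(host, comm): {'first_ts', 'cron_change'}} for non-allow-listed sniffers."""
    events = parse(log)
    findings = {}
    for e in events:
        if not is_sniff_setup(e) or e["comm"] in ALLOWLIST:
            continue
        key = (e["host"], e["comm"])
        f = findings.setdefault(key, {"first_ts": e["ts"], "cron_change": None})
        # Correlate with a cron-path change on the same host inside the window.
        for c in events:
            if (c["host"] == e["host"] and c["type"] == "PATH"
                    and c["name"].startswith(CRON_PATHS)
                    and 0 <= c["ts"] - e["ts"] <= WINDOW):
                f["cron_change"] = c["name"]
    return findings


if __name__ == "__main__":
    for (host, comm), f in hunt(SAMPLE_LOG).items():
        print(f"{host}: {comm} set up sniffing; cron change: {f['cron_change']}")
```

A finding with a cron change on the same host (db02 above) is the higher-priority triage item; a bare sniff setup by an unexpected process (app03) still warrants review against the baseline.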
Mitigation priorities
- Treat Linux servers and workloads as monitored endpoints with sufficient process, file, scheduled-task, and network telemetry.
- Restrict privileged capabilities that enable packet sniffing, raw socket access, permission tampering, and unauthorized service or cron changes.
- Implement change control and alerting for cron entries, sensitive file paths, ownership/permission changes, and unexpected executable placement.
- Use least privilege and administrative separation to reduce the chance that a RAT can perform sniffing, persistence, and broad discovery.
- Apply egress filtering and network monitoring for unusual non-application-layer traffic and unexpected external file transfers.
Analyst notes and limits
The most important practical lesson is coverage validation for Linux RAT tradecraft. The Turla relationship increases threat-intelligence relevance, but local prioritization should be based on whether the organization has Linux assets that hold sensitive data, support critical operations, or have weak telemetry. Detection content should be mapped to the related ATT&CK techniques rather than to the malware name alone.
ATT&CK does not provide official detection guidance, aliases are not listed, and the malware platform is specified as Linux. The relationship list supplies behavioral context, but it does not prove current activity, customer exposure, or detection efficacy in any specific environment. Local asset inventory, logging coverage, and network architecture are required to assess risk.
Penquin
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell Sub-technique | Penquin can execute remote commands using bash scripts. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Penquin can report the IP of the compromised host to attacker-controlled infrastructure. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1205 | Traffic Signaling | Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions. (Citation: Leonardo Turla Penquin May 2020) (Citation: Kaspersky Turla Penquin December 2014) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Penquin has mimicked the Cron binary to hide itself on compromised systems. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Penquin can execute the command code |
| Enterprise | T1680 | Local Storage Discovery | Penquin can report the disk space of a compromised host to C2. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1053.003 | Cron Sub-technique | Penquin can use Cron to create periodic and pre-scheduled background jobs. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1040 | Network Sniffing | Penquin can sniff network traffic to look for packets matching specific conditions. (Citation: Leonardo Turla Penquin May 2020) (Citation: Kaspersky Turla Penquin December 2014) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Penquin can encrypt communications using the Blowfish algorithm and a symmetric key exchanged with Diffie-Hellman. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | Penquin can remove strings from binaries. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | Penquin can add the executable flag to a downloaded file. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Penquin can execute the command code |
| Enterprise | T1205.002 | Socket Filters Sub-technique | Penquin installs a `TCP` and `UDP` filter on the `eth0` interface. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | The Penquin C2 mechanism is based on TCP and UDP packets. (Citation: Kaspersky Turla Penquin December 2014) (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1083 | File and Directory Discovery | Penquin can use the command code |
| Enterprise | T1082 | System Information Discovery | Penquin can report the file system type of a compromised host to C2. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Penquin can delete downloaded executables after running them. (Citation: Leonardo Turla Penquin May 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Penquin has encrypted strings in the binary for obfuscation. (Citation: Leonardo Turla Penquin May 2020) |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 2ce8ccca6c2b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky Turla Penquin December 2014: Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
[2] Leonardo Turla Penquin May 2020: Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
[3] Penquin 2.0 (Citation: Leonardo Turla Penquin May 2020)
[4] Penquin_x64 (Citation: Leonardo Turla Penquin May 2020)
[5] mitre-attack S0587
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.