S0668: TinyTurla
Analyst context for executives and security teams
TinyTurla matters because ATT&CK describes it as a Windows backdoor associated through MITRE relationships with Turla and with behaviors that support persistence, stealth, command-and-control, tool transfer, local data collection, and scheduled exfiltration. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, registry, service, command-shell, and web-traffic monitoring can show what changed, what communicated externally, and whether sensitive data staging or transfer occurred.
Executive priority
Prioritize TinyTurla as an assessment point for Windows backdoor readiness: endpoint visibility, service and registry change control, outbound web traffic governance, and incident response evidence retention. The ATT&CK relationship to Turla raises threat-intelligence relevance for organizations that track espionage-oriented intrusion risk, but local exposure and impact must be determined from environment telemetry, not assumed from the ATT&CK entry.
Technical view
Validate coverage around the related ATT&CK behaviors: Windows Command Shell and Native API execution; Service Execution and masqueraded task/service names; Registry query, modification, and fileless storage; web-protocol command-and-control with fallback channels and asymmetric cryptography; ingress tool transfer; local system data collection; and scheduled transfer. Because MITRE provides no official detection text for S0668, SOC teams should map detections to the related techniques rather than relying on a TinyTurla-specific analytic alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and service-control activity
- Windows service creation, modification, execution, display name, and binary path records
- Windows Registry query and modification telemetry, including unusual persistence or storage locations
- Endpoint file, memory, and configuration evidence related to local data discovery or staging
- Network proxy, DNS, firewall, and TLS metadata for outbound web-protocol communications
Detection direction
- Treat the absence of MITRE-provided detection guidance as a gap to close with technique-level analytics and incident playbooks.
- Tune for suspicious Windows service execution and service/task names that resemble legitimate resources, while accounting for administrative software and normal IT operations as false-positive sources.
- Correlate registry modification or registry-backed storage with process execution, service creation, and outbound network activity rather than alerting on registry activity in isolation.
- Review outbound HTTP/S-like traffic for uncommon destinations, unusual periodicity, fallback behavior, or encrypted application-layer command-and-control indicators where local logging supports it.
- Use the Turla relationship as threat-intelligence context for hunting and prioritization, not as proof of attribution in an incident.
Mitigation priorities
- Ensure Windows endpoints have retained telemetry for process execution, services, registry activity, file activity, and network connections.
- Restrict and monitor administrative mechanisms that can create or execute services and modify sensitive Registry locations.
- Harden egress controls and require defensible logging for outbound web protocols, including proxy/DNS/firewall visibility.
- Maintain incident response procedures for backdoor containment, host isolation, credential review, and scoping of data access or transfer.
- Use ATT&CK technique mappings for control validation and compliance evidence, since this software object lacks official detection guidance.
Analyst notes and limits
TinyTurla is documented by MITRE as a backdoor used by Turla against targets in the US, Germany, and Afghanistan since at least 2020, with Cisco Talos as the cited source. The most actionable defensive content comes from the ATT&CK relationships to techniques such as Registry modification, service execution, command shell execution, web-protocol C2, fallback channels, ingress tool transfer, and scheduled transfer.
The supplied ATT&CK object lists Windows as the platform but does not provide malware-specific detection guidance, aliases, labels, or object-level tactics. Several related techniques have broader platform lists, but this analysis does not expand TinyTurla's platform scope beyond the supplied Windows field. Local telemetry, asset criticality, and incident evidence are required to determine exposure, impact, or attribution.
TinyTurla
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.002 | Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS. [1] |
| Enterprise | T1106 | Native API | TinyTurla has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | TinyTurla has been deployed as `w64time.dll` to appear legitimate. [1] |
| Enterprise | T1569.002 | Service Execution | TinyTurla can install itself as a service on compromised machines. [1] |
| Enterprise | T1112 | Modify Registry | TinyTurla can set its configuration parameters in the Registry. [1] |
| Enterprise | T1059.003 | Windows Command Shell | TinyTurla has been installed using a .bat file. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware. [1] |
| Enterprise | T1027.011 | Fileless Storage | TinyTurla can save its configuration parameters in the Registry. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as |
| Enterprise | T1029 | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration. [1] |
| Enterprise | T1012 | Query Registry | TinyTurla can query the Registry for its configuration information. [1] |
| Enterprise | T1008 | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds. [1] |
| Enterprise | T1005 | Data from Local System | TinyTurla can upload files from a compromised host. [1] |
| Enterprise | T1071.001 | Web Protocols | TinyTurla can use HTTPS in C2 communications. [1] |
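Two rows in the table describe network behaviour that proxy or firewall logs can expose directly: Fallback Channels (cycling through a list of C2 addresses until one answers) and Scheduled Transfer (check-ins at a configured interval), which is also what the "unusual periodicity, fallback behavior" item under Detection direction asks teams to look for. The block below is an added example for this page, not Talos or MITRE code: it parses a constructed, simplified proxy log format, reports runs of failed connections to distinct destinations that end in a success, and flags destinations whose successful connections recur at a nearly constant interval. The log format, the host names, the addresses (documentation ranges) and the thresholds are all assumptions made for the example.

```python
"""Proxy-log analytic for Fallback Channels (T1008) and Scheduled Transfer
(T1029) as described in the ATT&CK relationships for TinyTurla. Example code
added to this page; the log format and every line in it are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: "<iso time> <src host> <dst:port> <result>"
LOG_LINES = """\
2021-09-01T10:05:00 WS01 203.0.113.10:443 timeout
2021-09-01T10:05:05 WS01 203.0.113.11:443 timeout
2021-09-01T10:05:10 WS01 203.0.113.12:443 ok
2021-09-01T10:10:10 WS01 203.0.113.12:443 ok
2021-09-01T10:15:11 WS01 203.0.113.12:443 ok
2021-09-01T10:20:09 WS01 203.0.113.12:443 ok
2021-09-01T10:25:10 WS01 203.0.113.12:443 ok
2021-09-01T10:00:00 WS02 198.51.100.5:443 ok
2021-09-01T10:03:17 WS02 198.51.100.5:443 ok
2021-09-01T10:11:42 WS02 198.51.100.5:443 ok
2021-09-01T10:12:01 WS02 198.51.100.5:443 ok
2021-09-01T10:40:55 WS02 198.51.100.5:443 ok
"""


def parse_line(line):
    ts, src, dst, result = line.split()
    host, port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "src": src,
            "dst": host, "port": int(port), "ok": result == "ok"}


def find_fallback_runs(records, min_failures=2, max_gap=60):
    """Runs of >= min_failures failed connects to distinct destinations, each
    within max_gap seconds of the previous one, that end in a success.
    Returns the ordered destination list for each run, success last."""
    runs, failed = [], []
    for r in records:
        if failed and (r["time"] - failed[-1]["time"]).total_seconds() > max_gap:
            failed = []  # too slow to be one retry loop; start over
        if not r["ok"]:
            if r["dst"] not in [f["dst"] for f in failed]:
                failed.append(r)
        else:
            if len(failed) >= min_failures:
                runs.append([f["dst"] for f in failed] + [r["dst"]])
            failed = []
    return runs


def find_beacons(records, min_intervals=4, max_cv=0.1):
    """Per destination, flag successful connects whose inter-arrival times are
    nearly constant: coefficient of variation (stdev / mean) at or below max_cv."""
    by_dst = defaultdict(list)
    for r in records:
        if r["ok"]:
            by_dst[r["dst"]].append(r["time"])
    beacons = []
    for dst, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= min_intervals and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
            if cv <= max_cv:
                beacons.append({"dst": dst, "period_s": round(mean(gaps)),
                                "cv": round(cv, 3), "count": len(times)})
    return beacons


def analyze(lines):
    """Group records by source host and run both analytics on each host."""
    by_src = defaultdict(list)
    for line in lines.strip().splitlines():
        r = parse_line(line)
        by_src[r["src"]].append(r)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        out[src] = {"fallback": find_fallback_runs(recs), "beacons": find_beacons(recs)}
    return out


if __name__ == "__main__":
    for src, result in analyze(LOG_LINES).items():
        print(src, result)
```

`WS01` produces one fallback run (`203.0.113.10`, `203.0.113.11`, then `203.0.113.12`) and a beacon with a 300-second period; `WS02`, whose five connections to one destination are irregular, produces neither. Real backdoors often add jitter, so the `max_cv` threshold is a tuning knob, and a single host with both findings is a stronger lead than either alone.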
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8ec2ed2471fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos TinyTurla September 2021: Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- [2] mitre-attack S0668
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.