S1141: LunarWeb
LunarWeb is a backdoor that has been used by Turla since at least 2020, including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use Steganography to obfuscate command and control.[1]
Analyst context for executives and security teams
LunarWeb matters because ATT&CK describes it as a Windows backdoor observed on servers, used by Turla since at least 2020, including in a European ministry of foreign affairs compromise with related Lunar tools. For leaders, the key issue is not just malware blocking; it is whether server monitoring, web egress visibility, and incident response processes can recognize stealthy command-and-control, discovery, and cleanup behavior when no official ATT&CK detection guidance is provided.
Executive priority
Prioritize this as a server resilience and espionage-readiness concern where Windows servers support sensitive operations, government-facing work, regulated data, or critical business services. Executives should ask whether security teams can prove visibility into server-side PowerShell, cmd, WMI, discovery commands, file deletion, encoded artifacts, and unusual web-based outbound traffic. The object’s Turla relationship raises threat-intelligence relevance for organizations that track state-linked espionage risk, but local exposure should be determined from asset criticality, server egress policy, and telemetry coverage—not assumed from ATT&CK alone.
Technical view
ATT&CK lists LunarWeb as Windows malware and relates it to behaviors spanning command-and-control, execution, discovery, stealth, and exfiltration support. SOC and IR teams should validate coverage for web-protocol C2, proxy use, multi-stage channels, steganography, standard encoding, encoded/encrypted files, deobfuscation, WMI, PowerShell, Windows command shell, user/group/system/network/process/software/share discovery, file and directory discovery, data transfer size limits, time-based checks, and file deletion. Because official detection text is not provided, detection engineering should map these related techniques to local Windows server telemetry and focus on correlated behavior rather than a single indicator.
Likely telemetry
- Windows server EDR or host telemetry for process creation, parent-child process relationships, and command-line arguments
- PowerShell logging and script block/module activity where enabled
- WMI activity and Windows management event logs for local or remote execution patterns
- Windows command shell execution events, especially discovery and administrative utilities on servers
- File creation, modification, encoding/decoding, and deletion events for suspicious artifacts
Detection direction
- Build detections around behavior clusters: server process execution plus discovery activity plus outbound web traffic is more decision-useful than any single technique match.
- Validate visibility for PowerShell, cmd.exe, and WMI on Windows servers; these are common administrative paths, so tune against approved management systems, service accounts, and maintenance windows.
- Review egress controls and monitoring for servers. Web traffic from servers may be legitimate, but unusual outbound HTTP/S patterns, proxy chaining, multi-stage callbacks, encoded payload characteristics, or size-limited transfers should be triaged with host context.
- Hunt for discovery bursts covering system information, network configuration, network connections, processes, users, local groups, software, security tools, files/directories, and network shares.
- Account for stealth behaviors: encoded/encrypted files, deobfuscation activity, file deletion, steganography, and time-based checks may reduce static signature value and sandbox reliability.
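The behavior-cluster approach in the list above, as an added example that is not part of this page or of ESET's or MITRE's material: a small Python correlation over constructed, Sysmon-style process and network events. It groups server command lines into the discovery categories listed for LunarWeb, flags the cmd.exe `/U` and `%TEMP%\<9 alnum>.bat` execution shapes from the technique table, and only raises an alert when a discovery burst on a host coincides with outbound web traffic from the same host. Field names, thresholds (four categories in ten minutes), hostnames and paths are assumptions.

```python
"""Host-side correlation: server discovery burst plus web egress.

Added example for this page, not code from ESET or MITRE. The event records
below are constructed, Sysmon-style process and network events; the field
names (ts, host, image, cmdline, dst_port) are assumptions, not a schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery categories taken from the techniques listed for LunarWeb.
DISCOVERY = {
    "system_info":    re.compile(r"\bsysteminfo(\.exe)?\b|win32_operatingsystem|win32_bios", re.I),
    "network_config": re.compile(r"\bipconfig\b|get-netipconfiguration|win32_networkadapter", re.I),
    "network_conns":  re.compile(r"\bnetstat\b|get-nettcpconnection", re.I),
    "processes":      re.compile(r"\btasklist\b|get-process\b|win32_process\b", re.I),
    "users_groups":   re.compile(r"\bwhoami\b|\bnet\s+(user|localgroup)\b|win32_useraccount|win32_group", re.I),
    "software":       re.compile(r"win32_product|antivirusproduct|\bwmic\b.*\bproduct\b", re.I),
    "shares":         re.compile(r"\bnet\s+share\b|win32_share", re.I),
    "group_policy":   re.compile(r"\bgpresult\b", re.I),
}
# Shell markers from the technique table: cmd.exe with /c and /U (Unicode output),
# and a batch file named %TEMP%\<9 alphanumeric characters>.bat.
UNICODE_CMD = re.compile(r"\bcmd(\.exe)?\b(?=.*\s/c\b)(?=.*\s/u\b)", re.I)
TEMP_BAT = re.compile(r"\\temp\\[a-z0-9]{9}\.bat\b", re.I)

def classify(cmdline):
    """Return the set of discovery categories a command line touches."""
    return {name for name, rx in DISCOVERY.items() if rx.search(cmdline)}

def shell_markers(cmdline):
    """Return LunarWeb-style shell execution markers present in a command line."""
    return {name for name, rx in (("cmd_unicode_output", UNICODE_CMD), ("temp_random_bat", TEMP_BAT))
            if rx.search(cmdline)}

def ts(s):
    return datetime.fromisoformat(s)

def discovery_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Per host, slide a time window over process events and report the first
    window that covers at least min_categories distinct discovery categories."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    bursts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cats, markers = set(), set()
            for e in evs[i:]:
                if ts(e["ts"]) - ts(first["ts"]) > window:
                    break
                cats |= classify(e["cmdline"])
                markers |= shell_markers(e["cmdline"])
            if len(cats) >= min_categories:
                bursts.append({"host": host, "start": first["ts"], "categories": cats, "markers": markers})
                break  # one burst per host is enough to raise an alert
    return bursts

def correlate(events, net_events, window=timedelta(minutes=10), web_ports=(80, 443)):
    """A burst becomes an alert only when the same host also has outbound web
    traffic inside the window; that is the behavior cluster the page recommends."""
    alerts = []
    for b in discovery_bursts(events, window):
        egress = [n for n in net_events
                  if n["host"] == b["host"] and n["dst_port"] in web_ports
                  and abs(ts(n["ts"]) - ts(b["start"])) <= window]
        if egress:
            alerts.append({**b, "egress": egress})
    return alerts

def _ev(t, host, cmdline, image="C:\\Windows\\System32\\cmd.exe", parent="C:\\ProgramData\\svc\\agent.exe"):
    return {"ts": t, "host": host, "image": image, "parent": parent, "cmdline": cmdline}

EVENTS = [  # constructed sample telemetry, not real observations
    _ev("2024-05-15T09:00:01", "SRV01", "cmd.exe /U /c systeminfo"),
    _ev("2024-05-15T09:00:05", "SRV01", "cmd.exe /U /c ipconfig /all"),
    _ev("2024-05-15T09:00:09", "SRV01", "cmd.exe /U /c netstat -ano"),
    _ev("2024-05-15T09:00:14", "SRV01", "cmd.exe /U /c tasklist /v"),
    _ev("2024-05-15T09:00:20", "SRV01", "cmd.exe /U /c net share"),
    _ev("2024-05-15T09:00:27", "SRV01", "cmd.exe /U /c C:\\Windows\\Temp\\k3j9x2q7m.bat"),
    _ev("2024-05-15T09:00:40", "SRV01", "wmic product get name", image="C:\\Windows\\System32\\wbem\\WMIC.exe"),
    # Routine administration on another server: two commands, no burst.
    _ev("2024-05-15T09:05:00", "SRV02", "ipconfig /all", parent="C:\\Windows\\explorer.exe"),
    _ev("2024-05-15T09:06:00", "SRV02", "tasklist", parent="C:\\Windows\\explorer.exe"),
    # Discovery burst with no web egress: surfaces as a burst, not as an alert.
    _ev("2024-05-15T09:10:00", "SRV03", "systeminfo"),
    _ev("2024-05-15T09:10:30", "SRV03", "net localgroup administrators"),
    _ev("2024-05-15T09:11:00", "SRV03", "tasklist"),
    _ev("2024-05-15T09:11:30", "SRV03", "gpresult /r"),
]
NET_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation address range
    {"ts": "2024-05-15T09:01:10", "host": "SRV01", "image": "C:\\ProgramData\\svc\\agent.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"ts": "2024-05-15T09:05:30", "host": "SRV02", "image": "C:\\Program Files\\Updater\\upd.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443},
]

if __name__ == "__main__":
    for a in correlate(EVENTS, NET_EVENTS):
        print(a["host"], a["start"], sorted(a["categories"]), sorted(a["markers"]))
```

The thresholds are where tuning happens: approved management tooling and patch windows will also produce discovery bursts, so exclude known parent images and service accounts before deploying, and treat the shell markers as a confidence boost rather than a requirement. SRV03 in the sample shows the other half of the design: a burst with no egress is worth a hunt, not a page.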
Mitigation priorities
- Prioritize Windows server hardening and monitoring for systems with sensitive data or high business impact.
- Restrict and monitor unnecessary outbound web access from servers; require business justification for direct internet egress where feasible.
- Constrain administrative execution paths such as PowerShell, cmd, and WMI through least privilege, logging, and approved administration channels.
- Maintain high-fidelity endpoint and file telemetry on servers, including process, command-line, script, WMI, and file deletion events.
- Baseline normal server discovery and management activity so SOC teams can distinguish routine administration from suspicious enumeration.
Analyst notes and limits
The supplied ATT&CK object is a malware entry, not a technique, and it has no official detection section. The strongest defensive value comes from the relationships: LunarWeb is associated with Turla and uses multiple techniques related to C2, execution, discovery, stealth, and transfer behavior. Its observed deployment against servers makes server telemetry and egress governance especially important.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, indicators of compromise, specific infrastructure, guaranteed detection logic, or impact beyond what is provided. Local asset criticality, logging configuration, network architecture, and threat intelligence are required to turn this into environment-specific coverage decisions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1615 | Group Policy Discovery | LunarWeb can capture information on group policy settings.[1] |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | LunarWeb can receive C2 commands hidden in the structure of .jpg and .gif images.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | LunarWeb can run shell commands using a BAT file with a name matching `%TEMP%\<random_9_alnum_chars>.bat` or through cmd.exe with the `/c` and `/U` options for Unicode output.[1] |
| Enterprise | T1082 | System Information Discovery | LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LunarWeb has the ability to run shell commands via PowerShell.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | LunarWeb can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.[1] |
| Enterprise | T1104 | Multi-Stage Channels | LunarWeb can use one C2 URL for first contact and to upload information about the host computer, and two additional C2 URLs for getting commands.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | LunarWeb can zlib-compress data prior to exfiltration.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | LunarWeb can pause for a number of hours before entering its C2 communication loop.[1] |
| Enterprise | T1572 | Protocol Tunneling | LunarWeb can run a custom binary protocol under HTTPS for C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | LunarWeb has the ability to retrieve directory listings.[1] |
| Enterprise | T1135 | Network Share Discovery | LunarWeb can identify shared resources in compromised environments.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | LunarWeb can send AES-encrypted C2 commands.[1] |
| Enterprise | T1518 | Software Discovery | LunarWeb can list installed software on compromised systems.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | LunarWeb can create a ZIP archive with specified files and directories.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | LunarWeb can use shell commands to discover network adapters and configuration.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | LunarWeb can self-delete from a compromised host if safety checks of C2 connectivity fail.[1] |
| Enterprise | T1049 | System Network Connections Discovery | LunarWeb can enumerate system network connections.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | LunarWeb can use `POST` to send victim identification to C2 and `GET` to retrieve commands.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The LunarWeb install files have been encrypted with AES-256.[1] |
| Enterprise | T1057 | Process Discovery | LunarWeb has used shell commands to list running processes.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | LunarWeb can use WMI queries for discovery on the victim host.[1] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | LunarWeb can discover local group memberships.[1] |
| Enterprise | T1090 | Proxy | LunarWeb has the ability to use an HTTP proxy server for C2 communications.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random-sized parts between 384 and 512 KB.[1] |
| Enterprise | T1559 | Inter-Process Communication | LunarWeb can retrieve output from arbitrary processes and shell commands via a pipe.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | LunarWeb can use Base64 encoding to obfuscate C2 commands.[1] |
| Enterprise | T1033 | System Owner/User Discovery | LunarWeb can collect user information from the targeted host.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | LunarWeb has run shell commands to obtain a list of installed security products.[1] |
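The rows for T1071.001 (POST to register, GET to fetch commands), T1104 (one first-contact URL plus two command URLs) and T1030 (data over 1.33 MB split into 384-512 KB parts) describe a traffic shape that proxy or NetFlow telemetry can hunt for without any payload signature. The Python below is an added example, not ESET's or MITRE's code, run over constructed HTTP proxy records: it reports a server process whose first POST is followed by GETs to other URLs, and runs of POST bodies that all fall inside the 384-512 KB range. Field names, addresses, paths and the five-minute gap are assumptions.

```python
"""Network-side hunt: staged web C2 and chunked exfiltration.

Added example for this page, not code from ESET or MITRE. HTTP records are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, the
paths are invented) and the field names are assumptions, not a proxy schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KB = 1024
SPLIT_THRESHOLD = int(1.33 * KB * KB)   # above this, data is split (T1030 row)
PART_LO, PART_HI = 384 * KB, 512 * KB   # random part sizes fall in this range

def ts(s):
    return datetime.fromisoformat(s)

def chunked_upload_sessions(http_events, max_gap=timedelta(minutes=5), min_parts=3):
    """Flag runs of at least min_parts consecutive POSTs, from one process on one
    host to one destination, whose request bodies all fall in [PART_LO, PART_HI].
    Three parts is the fewest that can carry more than SPLIT_THRESHOLD bytes at
    PART_HI each, so shorter runs are left to ordinary upload baselining."""
    streams = defaultdict(list)
    for e in sorted(http_events, key=lambda e: e["ts"]):
        if e["method"] == "POST":
            streams[(e["host"], e["image"], e["dst"])].append(e)
    sessions = []
    for (host, image, dst), posts in streams.items():
        run = []
        for p in posts + [None]:                 # None flushes the final run
            in_range = p is not None and PART_LO <= p["bytes"] <= PART_HI
            contiguous = bool(run) and in_range and ts(p["ts"]) - ts(run[-1]["ts"]) <= max_gap
            if in_range and (not run or contiguous):
                run.append(p)
                continue
            if len(run) >= min_parts:
                sessions.append({"host": host, "image": image, "dst": dst, "parts": len(run),
                                 "total_bytes": sum(r["bytes"] for r in run),
                                 "first": run[0]["ts"], "last": run[-1]["ts"]})
            run = [p] if in_range else []
    return sessions

def multi_stage_pattern(http_events, min_command_urls=2):
    """Per host process: a first-contact POST followed by GETs to other URLs.
    The table gives one URL for first contact and host upload and two more for
    fetching commands; this reports processes whose traffic has that shape."""
    by_proc = defaultdict(list)
    for e in sorted(http_events, key=lambda e: e["ts"]):
        by_proc[(e["host"], e["image"])].append(e)
    findings = []
    for (host, image), evs in by_proc.items():
        first_post = next((e for e in evs if e["method"] == "POST"), None)
        if first_post is None:
            continue
        later_gets = [e for e in evs if e["ts"] > first_post["ts"] and e["method"] == "GET"]
        command_urls = {e["url"] for e in later_gets if e["url"] != first_post["url"]}
        if len(command_urls) >= min_command_urls:
            findings.append({"host": host, "image": image,
                             "first_contact": first_post["url"], "command_urls": command_urls})
    return findings

def _req(t, host, image, method, url, nbytes=0):
    return {"ts": t, "host": host, "image": image, "method": method, "url": url,
            "dst": url.split("/")[2], "bytes": nbytes}

AGENT = "C:\\ProgramData\\svc\\agent.exe"
BACKUP = "C:\\Program Files\\Backup\\bkagent.exe"
HTTP = [  # constructed sample records; "bytes" is the request body size
    _req("2024-05-15T09:01:10", "SRV01", AGENT, "POST", "https://203.0.113.10/api/v2/register", 2100),
    _req("2024-05-15T09:03:00", "SRV01", AGENT, "GET", "https://203.0.113.10/static/banner.jpg"),
    _req("2024-05-15T09:08:00", "SRV01", AGENT, "GET", "https://203.0.113.11/assets/logo.gif"),
    _req("2024-05-15T09:13:00", "SRV01", AGENT, "GET", "https://203.0.113.10/static/banner.jpg"),
    # 1,787,000 bytes of collected data leaving as four parts inside 384-512 KB
    _req("2024-05-15T09:20:00", "SRV01", AGENT, "POST", "https://203.0.113.10/api/v2/upload", 498000),
    _req("2024-05-15T09:20:05", "SRV01", AGENT, "POST", "https://203.0.113.10/api/v2/upload", 401000),
    _req("2024-05-15T09:20:11", "SRV01", AGENT, "POST", "https://203.0.113.10/api/v2/upload", 455000),
    _req("2024-05-15T09:20:16", "SRV01", AGENT, "POST", "https://203.0.113.10/api/v2/upload", 433000),
    # Backup agent: a version check, then three 5 MB uploads. Big, but not this shape.
    _req("2024-05-15T09:00:00", "SRV02", BACKUP, "GET", "https://198.51.100.5/version"),
    _req("2024-05-15T09:30:00", "SRV02", BACKUP, "POST", "https://198.51.100.5/ingest", 5 * KB * KB),
    _req("2024-05-15T09:31:00", "SRV02", BACKUP, "POST", "https://198.51.100.5/ingest", 5 * KB * KB),
    _req("2024-05-15T09:32:00", "SRV02", BACKUP, "POST", "https://198.51.100.5/ingest", 5 * KB * KB),
]

if __name__ == "__main__":
    for s in chunked_upload_sessions(HTTP):
        print("chunked upload:", s["host"], s["dst"], s["parts"], "parts,", s["total_bytes"], "bytes")
    for f in multi_stage_pattern(HTTP):
        print("staged web C2:", f["host"], f["first_contact"], sorted(f["command_urls"]))
```

Neither heuristic is a signature; browsers, update agents and resumable-upload SDKs can produce similar shapes. Use them as hunt queries scoped to servers that should not have interactive web traffic, then pivot into the host telemetry for the process named in the finding.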
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b5ecbf9c3d3c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Turla Lunar toolset May 2024: Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. ESET Research. Retrieved June 26, 2024.
[2] MITRE ATT&CK. S1141: LunarWeb. https://attack.mitre.org/software/S1141/
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.