S1142: LunarMail
LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.[1]
Analyst context for executives and security teams
LunarMail matters because it is a Windows backdoor associated in ATT&CK with Turla and described as using email messages, steganography, and related command-and-control behavior. For leaders, the key issue is not just malware blocking; it is whether email, endpoint, and network monitoring can reveal a workstation using normal-looking mail traffic to receive commands, stage data, collect local email, and potentially exfiltrate over the same channel.
Executive priority
Prioritize this as an assurance question for high-value Windows workstations and diplomatic, government, or similarly sensitive environments where mailbox data and workstation access are business-critical. Executives should ask whether the organization can investigate suspicious mail-protocol use from endpoints, preserve mailbox evidence, and correlate endpoint behavior with email activity. Because MITRE provides no official detection guidance for LunarMail, coverage should be validated through control testing and incident response readiness rather than assumed from tool ownership.
Technical view
ATT&CK lists LunarMail as Windows malware and relates it to Turla, Steganography, Encrypted/Encoded File, Exfiltration Over C2 Channel, Visual Basic execution, file and mailbox data deletion, mail protocols, local data staging, system and file discovery, non-application-layer protocol C2, screen capture, local email collection, Office add-ins, deobfuscation, malicious file execution, and create/modify system process. SOC and IR teams should validate visibility across Windows endpoint process/file activity, Office and Outlook add-in persistence, mailbox artifacts, local email stores, mail protocol traffic, and evidence of data staging or cleanup. Treat email-based C2 and steganography as high-blind-spot areas because traffic may resemble legitimate mail workflows and encoded content may reduce signature value.
Likely telemetry
- Windows endpoint process creation and command/script execution events, including Visual Basic-related execution where available
- File creation, modification, staging, deletion, and decode/deobfuscation activity on workstations
- Office and Outlook add-in configuration, load events, and persistence-related registry or file artifacts
- Local email data access, including Outlook cache or storage files where monitored
- Mailbox audit logs and email metadata sufficient to investigate unusual deletion, export, or manipulation activity
Detection direction
- Do not rely on a LunarMail-specific analytic from ATT&CK; no official detection is provided. Build validation around the related ATT&CK behaviors and local baselines.
- Correlate workstation mail-protocol activity with process lineage, Office add-in loads, mailbox access, file staging, and deletion events to distinguish normal email client behavior from suspicious automation or post-compromise activity.
- Tune carefully for false positives from legitimate Outlook, add-ins, administrative mailbox operations, backup/export workflows, and normal user file searches.
- Assess blind spots in encrypted or encoded files, steganographic content, local mailbox access, and email traffic that bypasses central mail gateways or is not tied back to endpoint identity.
- Use relationship context to enrich triage: behaviors involving email-based C2, local email collection, cleanup, and exfiltration over C2 should be treated as higher-value investigation pivots on Windows workstations.
Mitigation priorities
- First confirm telemetry retention and auditability for Windows endpoints, mail systems, Office add-ins, and mail-protocol network flows.
- Harden Office and Outlook add-in governance so unauthorized or unexpected add-ins can be prevented, reviewed, and investigated.
- Reduce exposure from malicious files through user execution controls, attachment handling, and security awareness processes appropriate to the environment.
- Limit unnecessary direct mail-protocol access from workstations and monitor exceptions, especially where centralized email access paths are expected.
- Prepare IR playbooks for mailbox evidence preservation, endpoint isolation, staged-data collection, and investigation of file or mailbox deletion artifacts.
Analyst notes and limits
This take is based on the ATT&CK S1142 LunarMail software object, its official description, the ESET external reference cited by ATT&CK, and supplied relationships. The strongest defensive value is in validating coverage for the related behaviors rather than searching only for a named malware family. The Turla relationship is relevant for threat intelligence context, but local prioritization should depend on the organization’s sector, Windows workstation population, email architecture, and sensitivity of local mailbox data.
MITRE does not provide official detection text, aliases, labels, or explicit tactics on the LunarMail object itself. The platform supplied for the malware is Windows, while several related techniques list broader platforms; this summary treats Windows as the supported LunarMail platform. No claims are made here about current activity, customer exposure, guaranteed detection, or exploitation beyond the supplied ATT&CK fields and relationships.
LunarMail
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1114.001 | Local Email Collection | LunarMail can capture the recipients of sent email messages from compromised accounts.[1] |
| Enterprise | T1070.008 | Clear Mailbox Data | LunarMail can set the `PR_DELETE_AFTER_SUBMIT` flag to delete messages sent for data exfiltration.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarMail can decrypt strings to retrieve configuration settings.[1] |
| Enterprise | T1204.002 | Malicious File | LunarMail has been installed through a malicious macro in a Microsoft Word document.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.[1] |
| Enterprise | T1083 | File and Directory Discovery | LunarMail can search its staging directory for output files it has produced.[1] |
| Enterprise | T1059.005 | Visual Basic | LunarMail has been installed using a VBA macro.[1] |
| Enterprise | T1070.004 | File Deletion | LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.[1] |
| Enterprise | T1082 | System Information Discovery | LunarMail can capture environmental variables on compromised hosts.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain.[1] |
| Enterprise | T1001.002 | Steganography | LunarMail can parse IDAT chunks from .png files to look for zlib-compressed and AES encrypted C2 commands.[1] |
| Enterprise | T1113 | Screen Capture | LunarMail can capture screenshots from compromised hosts.[1] |
| Enterprise | T1543 | Create or Modify System Process | LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.[1] |
| Enterprise | T1071.003 | Mail Protocols | LunarMail can communicate with C2 using email messages via the Outlook Messaging API (MAPI).[1] |
| Enterprise | T1137.006 | Add-ins | LunarMail has the ability to use Outlook add-ins for persistence.[1] |
| Enterprise | T1074.001 | Local Data Staging | LunarMail can create a directory in `%TEMP%\` to stage data prior to exfiltration.[1] |
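A defender-side check for the T1001.002 row above (LunarMail parsing PNG IDAT chunks for hidden C2 content) and for the steganography blind spot noted under Detection direction, written here as an added example that is not code from the page, ESET or MITRE: it walks the chunk structure of a PNG attachment and flags bytes a well-formed image has no reason to carry (data after IEND, bytes past the end of the zlib stream inside IDAT, a decompressed size that does not match IHDR, bad CRCs). The function names, the constructed sample image and the size rule (8/16-bit, non-interlaced only) are assumptions of this example.

```python
import struct
import zlib

SIG = b"\x89PNG\r\n\x1a\n"
BPP = {0: 1, 2: 3, 4: 2, 6: 4}  # samples per pixel for grey, RGB, grey+alpha, RGBA

def png_chunk(ctype, payload):
    """Serialise one PNG chunk: length, type, payload, CRC over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_png(width, height, pixels, idat_extra=b""):
    """Constructed sample: 8-bit RGB PNG; idat_extra simulates bytes appended after the zlib stream."""
    rows = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(rows) + idat_extra) + png_chunk(b"IEND", b"")

def png_findings(data):
    """Return structural anomalies in a PNG that warrant triage (empty list = nothing odd)."""
    if not data.startswith(SIG):
        return ["not a PNG file"]
    findings, pos, idat, expected = [], len(SIG), b"", None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data): return findings + ["truncated chunk"]
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            findings.append(f"bad CRC on {ctype.decode(errors='replace')} chunk")
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", payload[:13])
            if depth >= 8 and colour in BPP and interlace == 0:  # size rule only for simple layouts
                expected = h * (1 + w * BPP[colour] * depth // 8)   # one filter byte per scanline
        elif ctype == b"IDAT":
            idat += payload  # all IDAT payloads together form one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(data):
        findings.append(f"{len(data) - pos} bytes after IEND")
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat)
    except zlib.error:
        return findings + ["IDAT data is not a valid zlib stream"]
    if d.unused_data:  # bytes left over once the deflate stream ended
        findings.append(f"{len(d.unused_data)} trailing bytes inside IDAT stream")
    if expected is not None and len(raw) != expected:
        findings.append(f"decompressed image is {len(raw)} bytes, expected {expected}")
    return findings
```

A hit is a triage pivot, not proof: some encoders add ancillary chunks legitimately, which this check leaves alone, and payloads hidden inside valid pixel data would need a statistical test rather than a structural one.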
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1152dd469f67… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Turla Lunar toolset May 2024: Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
[2] mitre-attack S1142
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.