S1143: LunarLoader
LunarLoader is the loader component for the LunarWeb and LunarMail backdoors that has been used by Turla since at least 2020, including against a European ministry of foreign affairs (MFA). LunarLoader has been observed as a standalone and as a part of trojanized open-source software such as AdmPwd.[1]
Analyst context for executives and security teams
LunarLoader matters because it is not just a malware name; it is the loader component associated with the LunarWeb and LunarMail backdoors and has been observed on Windows, including as standalone malware and within trojanized open-source software such as AdmPwd. For leaders, the practical issue is supply-chain-like trust in administrative tooling and whether endpoint, identity, and SOC processes can identify a loader before it enables longer-term backdoor activity.
Executive priority
Prioritize validation of Windows endpoint visibility, software integrity controls for administrative/open-source tools, and incident response procedures for suspected loader activity. The ATT&CK relationship to Turla and the cited use against a European ministry of foreign affairs make this relevant to organizations with government, diplomatic, research, or other high-value environments, but local exposure must be assessed from actual software inventory and telemetry rather than assumed.
Technical view
ATT&CK lists LunarLoader as Windows malware with no official detection text. Relationship context maps it to discovery and stealth/persistence behaviors: System Network Configuration Discovery, Office Add-ins, Deobfuscate/Decode Files or Information, Execution Guardrails, and Reflective Code Loading. SOC and IR teams should validate whether they can correlate suspicious Windows software execution, Office add-in persistence artifacts, memory-resident code loading indicators, environment-check behavior, and network-configuration discovery from the same host or user context.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- File creation/modification telemetry for installed administrative tools and trojanized software candidates
- Office add-in inventory and related registry/file-system persistence artifacts
- Endpoint detection telemetry for memory allocation, module loading, and reflective/in-memory execution patterns
- Script, PowerShell, or command interpreter activity associated with decoding or deobfuscation
Detection direction
- Because ATT&CK provides no official detection logic, start with behavior-based validation rather than malware-name matching.
- Baseline legitimate Office add-ins and alert on unusual add-in creation, modification, or execution paths on Windows systems.
- Review whether endpoint tooling can surface reflective code loading or suspicious in-memory execution; this is a common blind spot for file-centric controls.
- Correlate deobfuscation/decoding behavior with subsequent payload execution or add-in persistence to reduce false positives from legitimate administrative activity.
- Compare administrative/open-source tool binaries against approved inventory and expected hashes where available, especially for tools deployed broadly.
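The correlation the detection direction above calls for, as an added example that is not part of the original page, ATT&CK, or the ESET report: a small Python correlator that classifies normalized endpoint events into three behavior signals (an Outlook add-in registration outside the approved baseline, a thread started from unbacked memory, and decode/deobfuscation on a command line) and alerts only when two or more distinct signals appear for the same host and user inside a short window. The Outlook add-in registry path is the real HKCU/HKLM location; the event field names, the approved-add-in baseline, and every event record are constructed for the example and are not a vendor schema or observed LunarLoader telemetry.

```python
"""Correlate loader-style behavior signals per host/user context (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Organization-specific baseline of approved Outlook add-in ProgIds (constructed).
APPROVED_ADDINS = {"Contoso.ApprovedExportAddin"}

# Real registry location where Outlook add-ins register; the ProgId is the last key component.
ADDIN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Office\\Outlook\\Addins\\([^\\]+)$", re.IGNORECASE)

# Common command-line markers of decoding/deobfuscation activity.
DECODE_RE = re.compile(r"(-enc(odedcommand)?\s|frombase64string|certutil(\.exe)?\s+-decode)", re.IGNORECASE)

WINDOW = timedelta(minutes=10)

# Constructed, normalized endpoint events (field names are assumptions, not a vendor schema).
EVENTS = [
    {"ts": "2024-05-15T09:12:10", "host": "ws-017", "user": "alice", "type": "process",
     "image": r"C:\Tools\admintool.exe", "cmdline": "admintool.exe"},
    {"ts": "2024-05-15T09:12:11", "host": "ws-017", "user": "alice", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Office\Outlook\Addins\Acme.Helper", "value": "LoadBehavior", "data": "3"},
    {"ts": "2024-05-15T09:12:13", "host": "ws-017", "user": "alice", "type": "memory",
     "image": r"C:\Tools\admintool.exe", "detail": "CreateThread start address in unbacked RWX region"},
    {"ts": "2024-05-15T09:12:20", "host": "ws-017", "user": "alice", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc aGVsbG8gd29ybGQ="},
    # A second host with an approved add-in and one isolated memory signal: no alert expected.
    {"ts": "2024-05-15T09:30:00", "host": "ws-042", "user": "bob", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Office\Outlook\Addins\Contoso.ApprovedExportAddin",
     "value": "LoadBehavior", "data": "3"},
    {"ts": "2024-05-15T09:31:00", "host": "ws-042", "user": "bob", "type": "memory",
     "image": r"C:\Program Files\Vendor\agent.exe", "detail": "CreateThread start address in unbacked RX region"},
]


def classify(event):
    """Map one normalized event to a (signal_kind, evidence) tuple, or None if it carries no signal."""
    kind = event["type"]
    if kind == "registry_set":
        m = ADDIN_KEY_RE.search(event["key"])
        if m and m.group(1) not in APPROVED_ADDINS:
            return ("unapproved_addin", m.group(1))
    elif kind == "memory" and "unbacked" in event["detail"].lower():
        return ("inmemory_exec", event["image"])
    elif kind == "process" and DECODE_RE.search(event["cmdline"]):
        return ("decode_activity", event["cmdline"])
    return None


def correlate(events, window=WINDOW):
    """Return one alert per (host, user) context that shows >= 2 distinct signal kinds within `window`."""
    by_ctx = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig is not None:
            by_ctx[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), sig))

    alerts = []
    for (host, user), sigs in by_ctx.items():
        for i, (t0, _) in enumerate(sigs):
            in_window = [s for t, s in sigs[i:] if t - t0 <= window]
            kinds = {k for k, _ in in_window}
            if len(kinds) >= 2:
                alerts.append({"host": host, "user": user,
                               "signals": sorted(kinds), "evidence": in_window})
                break  # one alert per context is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"{alert['host']}/{alert['user']}: {', '.join(alert['signals'])}")
        for kind, evidence in alert["evidence"]:
            print(f"  {kind}: {evidence}")
```

Requiring two independent signal kinds is what keeps a single approved add-in install or a lone unbacked-memory event from paging anyone; tune the window and the baseline set to the environment, and feed the correlator from whatever process, registry, and memory telemetry the endpoint tooling actually exports.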
Mitigation priorities
- Maintain a trusted software inventory for Windows administrative and open-source tools, including source, version, and integrity validation.
- Restrict and monitor Office add-ins according to business need, with documented exceptions for approved users and departments.
- Harden endpoint controls to capture process, file, registry, and memory-relevant telemetry needed for loader investigations.
- Use application control or allowlisting for high-risk administrative tooling where operationally feasible.
- Prepare IR playbooks for suspected loader activity that include host isolation criteria, collection of volatile evidence, review of persistence artifacts, and assessment for LunarWeb or LunarMail follow-on activity.
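An integrity check against a trusted software inventory, as an added example that is not part of the original page or of any MITRE or Glexia tooling: a Python routine that walks an install root, hashes every executable-type file with SHA-256, and reports each file as `ok`, `hash_mismatch`, or `unlisted`, plus `missing` for inventory entries with no file on disk. The inventory format, file names, and file contents are constructed for the example; in practice the expected hashes come from the vendor's published checksums or a pinned internal build.

```python
"""Verify deployed administrative tools against an approved inventory (added example)."""
import hashlib
import os
import tempfile

# File types worth tracking in an administrative-tool inventory (assumption for the example).
EXEC_EXT = {".exe", ".dll", ".ps1", ".msi"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_inventory(inventory, install_root):
    """inventory maps a relative path to {"source", "version", "sha256"}; returns {relative_path: status}."""
    results = {}
    found = set()
    for dirpath, _, files in os.walk(install_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, install_root).replace(os.sep, "/")
            found.add(rel)
            entry = inventory.get(rel)
            if entry is None:
                results[rel] = "unlisted"          # binary present but never approved
            elif sha256_file(full) == entry["sha256"].lower():
                results[rel] = "ok"
            else:
                results[rel] = "hash_mismatch"     # approved name, unexpected content
    for rel in inventory:
        if rel not in found:
            results[rel] = "missing"               # approved but absent from this host
    return results


def demo():
    """Build a constructed install directory and run the check; returns the status map."""
    approved_tool = b"MZ constructed approved build of admintool"
    inventory = {
        "admintool.exe": {"source": "internal build server", "version": "1.2.0",
                          "sha256": hashlib.sha256(approved_tool).hexdigest()},
        "helper.dll": {"source": "vendor release page", "version": "3.1",
                       "sha256": hashlib.sha256(b"MZ original helper").hexdigest()},
        "missing.exe": {"source": "vendor release page", "version": "2.0",
                        "sha256": hashlib.sha256(b"MZ never deployed here").hexdigest()},
    }
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "admintool.exe"), "wb") as f:
            f.write(approved_tool)                    # matches inventory
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"MZ tampered helper")            # content differs from approved hash
        with open(os.path.join(root, "unlisted.exe"), "wb") as f:
            f.write(b"MZ not in inventory")           # no inventory entry at all
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"ignored: not an executable type")
        return verify_inventory(inventory, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:14} {path}")
```

Run it on a schedule against the directories where broadly deployed administrative tools live and route `hash_mismatch` and `unlisted` results to the same queue as other endpoint integrity findings; a mismatch on a tool that is supposed to be identical fleet-wide is exactly the trojanized-tool case the mitigation list is concerned with.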
Analyst notes and limits
The strongest decision value is in validating whether the organization can detect a Windows loader delivered directly or through trusted-looking software and whether persistence via Office add-ins or stealthy in-memory execution would be visible. The Turla relationship increases intelligence relevance, but it should not be treated as proof of current targeting or compromise in any specific environment.
This take is limited to the supplied ATT&CK fields, external reference, and relationships. ATT&CK provides no official detection guidance for LunarLoader, no aliases, and no object-level tactics. Specific indicators, hashes, infrastructure, command lines, and confirmed local exposure are not supplied and require separate intelligence and environment-specific investigation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | LunarLoader can verify the targeted host's DNS name, which is then used in the creation of a decryption key.[1] |
| Enterprise | T1480 | Execution Guardrails | LunarLoader can use the DNS domain name of a compromised host to create a decryption key to ensure a malicious payload can only execute against the intended targets.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarLoader can deobfuscate files containing the next stages in the infection chain.[1] |
| Enterprise | T1137.006 | Add-ins (Office Application Startup sub-technique) | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence.[1] |
| Enterprise | T1620 | Reflective Code Loading | LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.[1] |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 06fe96bb6195… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Turla Lunar toolset May 2024: Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- [2] mitre-attack S1143
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.