Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

EnterpriseG0010GroupObject v5.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Turla matters because ATT&CK describes it as a long-running cyber espionage group associated with Russia’s FSB, with reported compromises across government, diplomatic, military, education, research, and pharmaceutical sectors in more than 50 countries. For leaders, the practical issue is not a single malware family; it is whether the organization can detect and investigate patient, multi-tool intrusions that may use spearphishing, watering holes, custom backdoors, credential dumping, and legitimate administration utilities.

Executive priority

Prioritize Turla as a readiness benchmark for high-consequence espionage scenarios, especially where sensitive research, government relations, foreign affairs, regulated data, or critical operational knowledge are material to the business. Ask whether incident response, identity controls, endpoint logging, email/web security, and server monitoring can produce audit-quality evidence for long-running compromise—not just block commodity malware. Budget decisions should focus on durable visibility and response capability across endpoints, privileged accounts, email/web entry points, and key servers.

Technical view

ATT&CK does not provide a group-level detection section or tactics for this object, so SOC and IR teams should derive validation from the documented software relationships. Turla is associated with custom backdoors and frameworks including Uroburos, Epic, ComRAT, Gazer, Mosquito, Kazuar, Carbon, PowerStallion, LightNeuron, HyperStack, Crutch, IronNetInjector, and Penquin, as well as dual-use or native tools such as Mimikatz, PsExec, Net, Tasklist, Reg, Systeminfo, Arp, nbtstat, netstat, certutil, and Empire. Detection engineering should validate coverage for suspicious use of administrative utilities, PowerShell and .NET activity, credential dumping indicators, remote execution behavior, registry modification, process and service discovery, network enumeration, backdoor-like command and control, and unusual activity on Microsoft Exchange or Linux systems where related software supports those platforms.

Likely telemetry

  • Endpoint process creation with command line arguments for Windows utilities such as PsExec, Net, Reg, Tasklist, Systeminfo, certutil, netstat, nbtstat, and Arp
  • PowerShell and script execution logs, including encoded or unusual administrative use where collected
  • Authentication and privileged account activity relevant to credential dumping and lateral movement investigations
  • Endpoint file, module, service, scheduled task, registry, and persistence-related events
  • EDR or host logs from Windows, Linux, and macOS systems where related Turla-associated tools support those platforms

Detection direction

  • Do not treat the Turla group page as a ready-made detection rule set; ATT&CK provides no official detection text for this object.
  • Build detections around behavior clusters from the related software: credential access, remote execution, discovery commands, registry interaction, PowerShell/.NET execution, backdoor persistence, and unusual server-side mail activity.
  • Tune carefully for administrative tools such as PsExec, Net, Reg, certutil, netstat, and Tasklist because legitimate IT operations can look similar; prioritize context such as user, host role, time, parent process, remote source, and command-line intent.
  • Validate visibility on non-Windows assets as well as Windows because related tools include Linux, macOS, and cross-platform backdoors, even though the group object itself does not specify platforms.
  • Use threat intelligence references to enrich hunts for named tools and aliases, but require local telemetry correlation before escalating to attribution.

Mitigation priorities

  • Harden identity first: reduce standing privileges, monitor privileged account use, and ensure rapid credential reset procedures for suspected credential dumping exposure.
  • Limit and monitor administrative remote execution and native utilities; establish baselines for expected use of PsExec, Net, Reg, certutil, PowerShell, and similar tools.
  • Strengthen email and web controls because ATT&CK notes spearphishing and watering-hole campaigns for Turla.
  • Ensure endpoint protection and logging coverage across Windows, Linux, and macOS assets where relevant to the related software set.
  • Prioritize monitoring and hardening of high-value servers, including mail infrastructure, research systems, diplomatic or government-facing environments, and repositories of sensitive documents.
Analyst notes and limits

This take is based on the official ATT&CK Turla intrusion-set object, its aliases, description, external references, and listed software relationships. The relationship set is valuable for defensive planning because it spans custom espionage malware, backdoors, public frameworks, and legitimate administrative utilities. Use this as a readiness and hunting guide, not as proof that any observed activity is Turla.

The supplied ATT&CK object does not specify group-level platforms, tactics, or detection guidance. Related software includes platform information, but local asset exposure and telemetry quality must determine actual coverage. No active exploitation, current targeting, customer exposure, or guaranteed detection is inferred from the supplied fields.

Official MITRE ATT&CK definition

Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

56 rows
Domain ID Name Relationship / procedure
Enterprise T1584.006 Web Services Sub-technique

Turla has frequently used compromised WordPress sites for C2 infrastructure.CitationRecorded Future Turla Infra 2020
Enterprise T1112 Modify Registry

Turla has modified Registry values to store payloads.[6]CitationSymantec Waterbug Jun 2019
Enterprise T1069.001 Local Groups Sub-technique

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.CitationESET ComRAT May 2020
Enterprise T1140 Deobfuscate/Decode Files or Information

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[6]
Enterprise T1588.002 Tool Sub-technique

Turla has obtained and customized publicly-available tools like Mimikatz.CitationSymantec Waterbug Jun 2019
Enterprise T1059.007 JavaScript Sub-technique

Turla has used various JavaScript-based backdoors.[4]
Enterprise T1134.002 Create Process with Token Sub-technique

Turla RPC backdoors can impersonate or steal process tokens before executing commands.[6]
Enterprise T1059.005 Visual Basic Sub-technique

Turla has used VBS scripts throughout its operations.CitationSymantec Waterbug Jun 2019
Enterprise T1546.013 PowerShell Profile Sub-technique

Turla has used PowerShell profiles to maintain persistence on an infected machine.[6]
Enterprise T1583.006 Web Services Sub-technique

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.CitationESET Crutch December 2020
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.CitationESET Turla Mosquito May 2018CitationGithub Rapid7 Meterpreter Elevate
Enterprise T1105 Ingress Tool Transfer

Turla has used shellcode to download Meterpreter after compromising a victim.CitationESET Turla Mosquito May 2018
Enterprise T1555.004 Windows Credential Manager Sub-technique

Turla has gathered credentials from the Windows Credential Manager tool.CitationSymantec Waterbug Jun 2019
Enterprise T1090 Proxy

Turla RPC backdoors have included local UPnP RPC proxies.[6]
Enterprise T1068 Exploitation for Privilege Escalation

Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.CitationUnit42 AcidBox June 2020
Enterprise T1615 Group Policy Discovery

Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.CitationESET ComRAT May 2020
Enterprise T1049 System Network Connections Discovery

Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1]CitationESET ComRAT May 2020 Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[6]
Enterprise T1106 Native API

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.[6]
Enterprise T1071.003 Mail Protocols Sub-technique

Turla has used multiple backdoors which communicate with a C2 server via email attachments.CitationCrowdstrike GTR2020 Mar 2020
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Turla used net use commands to connect to lateral systems within a network.[1]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[4]CitationESET Turla Mosquito May 2018CitationESET Turla Lunar toolset May 2024
Enterprise T1005 Data from Local System

Turla RPC backdoors can upload files from victim machines.[6]
Enterprise T1012 Query Registry

Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .[6]
Enterprise T1007 System Service Discovery

Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]
Enterprise T1110 Brute Force

Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]
Enterprise T1570 Lateral Tool Transfer

Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.[6]CitationSymantec Waterbug Jun 2019
Enterprise T1189 Drive-by Compromise

Turla has infected victims using watering holes.CitationESET ComRAT May 2020[8]
Enterprise T1584.004 Server Sub-technique

Turla has used compromised servers as infrastructure.CitationRecorded Future Turla Infra 2020[9][10]
Enterprise T1087.002 Domain Account Sub-technique

Turla has used net user /domain to enumerate domain accounts.CitationESET ComRAT May 2020
Enterprise T1685 Disable or Modify Tools

Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[6]
Enterprise T1564.012 File/Path Exclusions Sub-technique

Turla has placed LunarWeb install files into directories that are excluded from scanning.CitationESET Turla Lunar toolset May 2024
Enterprise T1120 Peripheral Device Discovery

Turla has used fsutil fsinfo drives to list connected drives.CitationESET ComRAT May 2020
Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Turla has used WebDAV to upload stolen USB files to a cloud drive.CitationSymantec Waterbug Jun 2019 Turla has also exfiltrated stolen files to OneDrive and 4shared.CitationESET ComRAT May 2020
Enterprise T1102.002 Bidirectional Communication Sub-technique

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[4]CitationESET Turla Mosquito May 2018
Enterprise T1071.001 Web Protocols Sub-technique

Turla has used HTTP and HTTPS for C2 communications.[4]CitationESET Turla Mosquito May 2018
Enterprise T1124 System Time Discovery

Turla surveys a system upon check-in to discover the system time by using the net time command.[1]
Enterprise T1087.001 Local Account Sub-technique

Turla has used net user to enumerate local accounts on the system.CitationESET ComRAT May 2020CitationESET Crutch December 2020
Enterprise T1204.001 Malicious Link Sub-technique

Turla has used spearphishing via a link to get users to download and run their malware.[4]
Enterprise T1090.001 Internal Proxy Sub-technique

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.[10]
Enterprise T1546.003 Windows Management Instrumentation Event Subscription Sub-technique

Turla has used WMI event filters and consumers to establish persistence.[6]
Enterprise T1560.001 Archive via Utility Sub-technique

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.CitationSymantec Waterbug Jun 2019
Enterprise T1059.003 Windows Command Shell Sub-technique

Turla RPC backdoors have used cmd.exe to execute commands.[6]CitationSymantec Waterbug Jun 2019
Enterprise T1057 Process Discovery

Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[6]
Enterprise T1016 System Network Configuration Discovery

Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[1]CitationSymantec Waterbug Jun 2019CitationESET ComRAT May 2020 Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[6]
Enterprise T1587.001 Malware Sub-technique

Turla has developed its own unique malware for use in operations.CitationRecorded Future Turla Infra 2020
Enterprise T1025 Data from Removable Media

Turla RPC backdoors can collect files from USB thumb drives.[6]CitationSymantec Waterbug Jun 2019
Enterprise T1518.001 Security Software Discovery Sub-technique

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.CitationESET ComRAT May 2020
Enterprise T1059.001 PowerShell Sub-technique

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.CitationESET Turla Mosquito May 2018[6]CitationSymantec Waterbug Jun 2019 Turla has also used PowerShell scripts to load and execute malware in memory.
Enterprise T1027.010 Command Obfuscation Sub-technique

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[6]
Enterprise T1059.006 Python Sub-technique

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.CitationUnit 42 IronNetInjector February 2021
Enterprise T1213.006 Databases Sub-technique

Turla has used a custom .NET tool to collect documents from an organization's internal central database.CitationESET ComRAT May 2020
Enterprise T1018 Remote System Discovery

Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.[1]CitationESET ComRAT May 2020
Enterprise T1588.001 Malware Sub-technique

Turla has used malware obtained after compromising other threat actors, such as OilRig.CitationNSA NCSC Turla OilRigCitationRecorded Future Turla Infra 2020
Enterprise T1069.002 Domain Groups Sub-technique

Turla has used net group "Domain Admins" /domain to identify domain administrators.CitationESET ComRAT May 2020
Enterprise T1027.011 Fileless Storage Sub-technique

Turla has used the Registry to store encrypted and encoded payloads.[6]CitationSymantec Waterbug Jun 2019
Enterprise T1547.004 Winlogon Helper DLL Sub-technique

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0029: PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Windows
Malware Enterprise

S0126: ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[1][2][3]

Windows
Tool Enterprise

S0104: netstat

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [1]

Tool Enterprise

S0160: certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

Windows
Tool Enterprise

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

LinuxmacOSWindows
Malware Enterprise

S0256: Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

Windows
Tool Enterprise

S0099: Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [1]

LinuxWindowsmacOS
Relationship explorer

All related ATT&CK context

uses · Technique T1584.006: Web Services Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1069.001: Local Groups Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Tool S0029: PsExec Enterprise uses · Technique T1588.002: Tool Enterprise uses · Technique T1059.007: JavaScript Enterprise uses · Technique T1134.002: Create Process with Token Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1546.013: PowerShell Profile Enterprise uses · Technique T1583.006: Web Services Enterprise uses · Technique T1055.001: Dynamic-link Library Injection Enterprise uses · Tool S0102: nbtstat Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1555.004: Windows Credential Manager Enterprise uses · Technique T1090: Proxy Enterprise uses · Technique T1068: Exploitation for Privilege Escalation Enterprise uses · Technique T1615: Group Policy Discovery Enterprise uses · Technique T1049: System Network Connections Discovery Enterprise uses · Technique T1106: Native API Enterprise uses · Malware S0126: ComRAT Enterprise uses · Technique T1071.003: Mail Protocols Enterprise uses · Tool S0104: netstat Enterprise uses · Tool S0160: certutil Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
5.1
Created
Modified
Raw hash
b67d6f0bd02810a6...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 5.1 Current bundle b67d6f0bd028…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Kaspersky Turla

    Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

    Open source URL
  2. [2]
    ESET Gazer Aug 2017

    ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.

    Open source URL
  3. [3]
    CrowdStrike VENOMOUS BEAR

    Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.

    Open source URL
  4. [4]
    ESET Turla Mosquito Jan 2018

    ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

    Open source URL
  5. [5]
    Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023

    FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.

    Open source URL
  6. [6]
    ESET Turla PowerShell May 2019

    Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

    Open source URL
  7. [7]
    Symantec Waterbug

    Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.

    Open source URL
  8. [8]
    Secureworks IRON HUNTER Profile

    Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.

    Open source URL
  9. [9]
    Accenture HyperStack October 2020

    Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.

    Open source URL
  10. [10]
    Talos TinyTurla September 2021

    Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

    Open source URL
  11. [11]
    BELUGASTURGEON

    (Citation: Accenture HyperStack October 2020)

  12. [12]
    Group 88

    (Citation: Leonardo Turla Penquin May 2020)

  13. [13]
    IRON HUNTER

    (Citation: Secureworks IRON HUNTER Profile)

  14. [14]
    Krypton

    (Citation: CrowdStrike VENOMOUS BEAR)

  15. [15]
    Leonardo Turla Penquin May 2020

    Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.

    Open source URL
  16. [16]
    Microsoft Threat Actor Naming July 2023

    Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

    Open source URL
  17. [17]
    Secret Blizzard

    (Citation: Microsoft Threat Actor Naming July 2023)

  18. [18]
    Securelist WhiteBear Aug 2017

    Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

    Open source URL
  19. [19]
    Snake

    (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021)

  20. [20]
    Turla

    (Citation: Kaspersky Turla)

  21. [21]
    Venomous Bear

    (Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021)

  22. [22]
    Waterbug

    Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)

  23. [23]
    WhiteBear

    WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)

  24. [24]
    mitre-attack G0010
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use