Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0587: Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[1][2]

EnterpriseS0587MalwareObject v1.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Penquin matters because ATT&CK describes it as a Linux remote access trojan used by Turla, with relationships spanning persistence, discovery, stealth, command-and-control, network sniffing, and exfiltration over C2. For leaders, the decision point is whether Linux systems are treated as first-class monitored assets, not just infrastructure assumed to be stable or low-risk.

Executive priority

Prioritize this as a Linux monitoring and resilience gap check. The ATT&CK relationships show behavior that can support long-running access, environmental reconnaissance, concealed communications, and data movement. Security leaders should ask whether Linux servers, network appliances where applicable, and high-value workloads have adequate endpoint logging, privileged access control, egress visibility, cron/change auditing, and incident response evidence retention. This is not primarily a vulnerability-prioritization object; it is a control-coverage and detection-readiness object.

Technical view

SOC and IR teams should validate coverage around the Linux behaviors linked to Penquin: cron-based execution or persistence, Unix shell activity, system/network/file/storage discovery, file deletion, permission changes, masquerading as legitimate resources, encoded or encrypted files, tool indicator changes, network sniffing, socket filters, traffic signaling, non-application-layer C2, asymmetric cryptography for C2, ingress tool transfer, and exfiltration over an existing C2 channel. ATT&CK provides no official detection text for this malware, so detection engineering should be relationship-driven and environment-baselined rather than relying on malware-name signatures alone.

Likely telemetry

  • Linux process execution telemetry for shells, discovery utilities, permission changes, and file deletion activity
  • Cron and scheduled task configuration/change logs
  • File integrity, path, ownership, permission, and metadata changes on sensitive Linux directories
  • Endpoint evidence of packet capture, promiscuous-mode activity, raw socket use, or socket filters where available
  • Network flow and packet metadata for unusual ICMP, UDP, SOCKS, or other non-application-layer communications

Detection direction

  • Do not depend only on static indicators; ATT&CK links this object to indicator removal, encoded/encrypted files, and masquerading.
  • Baseline legitimate Linux administration because shell commands, cron, discovery, file deletion, and permission changes can be normal in operations.
  • Correlate suspicious cron changes with shell execution, discovery commands, file transfers, network connections, and subsequent cleanup activity.
  • Hunt for packet capture or socket-filter behavior on systems that do not normally perform network monitoring.
  • Review egress controls and monitoring for protocols below the application layer, traffic-signaling patterns, and encrypted C2-like communications where payload inspection is limited.

Mitigation priorities

  • Treat Linux servers and workloads as monitored endpoints with sufficient process, file, scheduled-task, and network telemetry.
  • Restrict privileged capabilities that enable packet sniffing, raw socket access, permission tampering, and unauthorized service or cron changes.
  • Implement change control and alerting for cron entries, sensitive file paths, ownership/permission changes, and unexpected executable placement.
  • Use least privilege and administrative separation to reduce the chance that a RAT can perform sniffing, persistence, and broad discovery.
  • Apply egress filtering and network monitoring for unusual non-application-layer traffic and unexpected external file transfers.
Analyst notes and limits

The most important practical lesson is coverage validation for Linux RAT tradecraft. The Turla relationship increases threat-intelligence relevance, but local prioritization should be based on whether the organization has Linux assets that hold sensitive data, support critical operations, or have weak telemetry. Detection content should be mapped to the related ATT&CK techniques rather than to the malware name alone.

ATT&CK does not provide official detection guidance, aliases are not listed, and the malware platform is specified as Linux. The relationship list supplies behavioral context, but it does not prove current activity, customer exposure, or detection efficacy in any specific environment. Local asset inventory, logging coverage, and network architecture are required to assess risk.

Official MITRE ATT&CK definition

Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows
Domain ID Name Relationship / procedure
Enterprise T1059.004 Unix Shell Sub-technique

Penquin can execute remote commands using bash scripts.[2]
Enterprise T1016 System Network Configuration Discovery

Penquin can report the IP of the compromised host to attacker controlled infrastructure.[2]
Enterprise T1205 Traffic Signaling

Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[2][1]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Penquin has mimicked the Cron binary to hide itself on compromised systems.[2]
Enterprise T1105 Ingress Tool Transfer

Penquin can execute the command code do_download to retrieve remote files from C2.[2]
Enterprise T1680 Local Storage Discovery

Penquin can report the disk space of a compromised host to C2.[2]
Enterprise T1053.003 Cron Sub-technique

Penquin can use Cron to create periodic and pre-scheduled background jobs.[2]
Enterprise T1040 Network Sniffing

Penquin can sniff network traffic to look for packets matching specific conditions.[2][1]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.[2]
Enterprise T1027.005 Indicator Removal from Tools Sub-technique

Penquin can remove strings from binaries.[2]
Enterprise T1222.002 Linux and Mac Permissions Sub-technique

Penquin can add the executable flag to a downloaded file.[2]
Enterprise T1041 Exfiltration Over C2 Channel

Penquin can execute the command code do_upload to send files to C2.[2]
Enterprise T1205.002 Socket Filters Sub-technique

Penquin installs a `TCP` and `UDP` filter on the `eth0` interface.[2]
Enterprise T1095 Non-Application Layer Protocol

The Penquin C2 mechanism is based on TCP and UDP packets.[1][2]
Enterprise T1083 File and Directory Discovery

Penquin can use the command code do_vslist to send file names, size, and status to C2.[2]
Enterprise T1082 System Information Discovery

Penquin can report the file system type of a compromised host to C2.[2]
Enterprise T1070.004 File Deletion Sub-technique

Penquin can delete downloaded executables after running them.[2]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Penquin has encrypted strings in the binary for obfuscation.[2]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

uses · Technique T1059.004: Unix Shell Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1205: Traffic Signaling Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1680: Local Storage Discovery Enterprise uses · Technique T1053.003: Cron Enterprise uses · Technique T1040: Network Sniffing Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1027.005: Indicator Removal from Tools Enterprise uses · Technique T1222.002: Linux and Mac Permissions Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1205.002: Socket Filters Enterprise uses · Technique T1095: Non-Application Layer Protocol Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Group G0010: Turla Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
2ce8ccca6c2bbb0f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle 2ce8ccca6c2b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Kaspersky Turla Penquin December 2014

    Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.

    Open source URL
  2. [2]
    Leonardo Turla Penquin May 2020

    Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.

    Open source URL
  3. [3]
    Penquin 2.0

    (Citation: Leonardo Turla Penquin May 2020)

  4. [4]
    Penquin_x64

    (Citation: Leonardo Turla Penquin May 2020)

  5. [5]
    mitre-attack S0587
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use