Sea Turtle / Cosmic Wolf
Sea Turtle is Turkey's primary assessed offensive cyber unit, distinguished by a signature technique that targets the internet's naming infrastructure rather than individual victims directly. The group compromises DNS registrars and ccTLD managers, then hijacks DNS resolution for actual targets — silently redirecting their traffic through actor-controlled servers to harvest credentials at scale. Active since 2017 and confirmed active through 2025, Sea Turtle has evolved from high-profile DNS hijacking into a persistent, low-signature espionage actor with a specific mandate to surveil Kurdish opposition, dissident communities, and geopolitical adversaries of Turkey across Europe and the Middle East.
Overview
Sea Turtle was first publicly documented by Cisco Talos in April 2019, though activity is assessed to have begun as early as January 2017. The group gained immediate notoriety for a technique that distinguishes it from nearly all other nation-state actors: rather than attacking individual targets directly, it attacks the DNS infrastructure those targets depend on. By compromising DNS registrars and country-code top-level domain operators, Sea Turtle is able to reroute traffic intended for government ministries, military networks, and intelligence services through its own servers — capturing credentials in transit without the target ever detecting an intrusion into their own environment. Cisco Talos described the campaign as posing a more severe threat than comparable DNS-abuse groups at the time, specifically because of this upstream approach to compromise.
Attribution to Turkey is assessed based on consistent alignment with Turkish foreign policy interests. Targets have historically mapped to entities that represent geopolitical concerns for the Turkish government — Kurdish political and military organizations, Greek and Cypriot government infrastructure, and countries in conflict zones of strategic interest to Ankara including Iraq, Syria, and Armenia. Microsoft tracks the group as Marbled Dust and has formally assessed it as a Türkiye-affiliated espionage threat actor. CrowdStrike tracks the same activity as Cosmic Wolf. The MITRE ATT&CK framework formally assigned the group identifier G1041, with the entry last updated in March 2025.
After a period of reduced public visibility following the 2019 Cisco Talos reports, the group continued operating below the detection threshold of many organizations. Microsoft's Digital Defense Report 2021 identified the actor as SILICON and noted continued intelligence collection campaigns across Armenia, Cyprus, Greece, Iraq, and Syria. Dutch cybersecurity firm Hunt & Hackett documented active campaigns in the Netherlands between 2021 and 2023, targeting telecom operators, ISPs, IT service providers, media organizations, and Kurdish diaspora websites — findings that confirmed the group had meaningfully shifted its geographic focus toward Western Europe.
The most significant development since the initial DNS hijacking campaigns came in May 2025, when Microsoft disclosed that Marbled Dust had been exploiting a zero-day vulnerability in Output Messenger (CVE-2025-27920) since April 2024 — targeting Kurdish military forces in Iraq for over a year before the attack was detected and disclosed. Microsoft assessed with high confidence that the targets were associated with the Kurdish Peshmerga military. This represented a notable increase in technical sophistication, as the group had historically relied on infrastructure-level access and commodity tooling rather than purpose-built zero-day exploitation.
Target Profile
Sea Turtle's targeting is geopolitically directed and consistent with Turkish state intelligence priorities. The group pursues entities that hold information of strategic value to Turkish interests — particularly those related to Kurdish movements, regional adversaries, and diaspora communities abroad.
- Kurdish Political and Military Organizations: The most consistent targeting priority across all observed campaign periods. This includes Kurdish news outlets, NGOs, TV channels, political websites, and — most recently — the Kurdish Peshmerga military forces operating in northern Iraq. Kurdish diaspora communities in Western Europe, particularly in the Netherlands, are also within scope.
- Government Institutions: National security agencies, foreign affairs ministries, and defense departments in countries of strategic interest to Turkey. Greece, Cyprus, Iraq, Syria, and Armenia have all appeared in documented targeting. The 2018–2020 DNS hijacking campaigns directly impacted government IT systems in Greece and Cyprus.
- DNS Registrars and ccTLD Operators: A unique targeting category that distinguishes Sea Turtle from other APT actors. By compromising the organizations that manage domain name resolution for entire country-code zones, the group acquires the ability to redirect traffic for any organization that relies on those registrars — enabling credential interception at scale.
- Telecommunications and Internet Service Providers: Telecom operators and ISPs are targeted as upstream providers — compromising them grants access to downstream customers and enables traffic interception without direct penetration of the ultimate target network. This approach was documented in both the Middle East and North Africa campaigns and the Netherlands campaigns.
- Media and IT Service Providers: Media organizations — particularly those serving Kurdish or minority audiences — and IT service companies are targeted for intelligence value and as supply chain entry points. Hunt & Hackett documented this sector focus in the Netherlands between 2021 and 2023.
- Think Tanks and NGOs: Non-governmental organizations and policy research institutions associated with Kurdish affairs, regional geopolitics, or advocacy on issues where Turkey has strategic sensitivities.
Tactics, Techniques & Procedures
Sea Turtle's TTP set has evolved significantly across three distinct operational phases: the DNS hijacking era (2017–2020), the quiet expansion era (2021–2023), and the zero-day escalation observed in 2024–2025. The core methodology of gaining access upstream of the intended target — via infrastructure providers rather than the targets themselves — remains consistent throughout.
| MITRE ID | Technique | Description |
|---|---|---|
| T1584.002 | Compromise Infrastructure: DNS Server | Sea Turtle's hallmark technique. The group compromises DNS registrars and ccTLD operators to gain the ability to alter DNS records for any domain under those registrars' management, enabling traffic interception for downstream targets without directly penetrating their networks. |
| T1557 | Adversary-in-the-Middle | After redirecting DNS resolution, Sea Turtle routes target traffic through actor-controlled servers. Login portals and applications are spoofed to capture credentials in transit. Victims reach their intended destination after credential capture, making the interception difficult to detect. |
| T1078 | Valid Accounts | Compromised credentials obtained via DNS interception or typosquatting are reused for authenticated access to target systems, including cPanel accounts and application logins such as Output Messenger Server Manager. The 2023 Netherlands campaign used a compromised cPanel credential as the primary initial access vector. |
| T1583.001 | Acquire Infrastructure: Domains | Sea Turtle registers typosquatted domains designed to impersonate legitimate government and organizational portals. These are used to intercept credentials and, in the 2024–2025 Output Messenger campaign, to deliver malicious payloads. The domain api.wordinfos[.]com was used as a C2 endpoint for Golang backdoors. |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Following initial access via compromised cPanel credentials, Sea Turtle uses Bash to execute malicious commands on Linux/Unix hosting environments. Source code for SnappyTCP was downloaded and compiled with GCC on the compromised server. |
| T1219 | Remote Access Software | SnappyTCP, a reverse TCP shell for Linux/Unix systems whose source code is publicly available on GitHub, is used to establish C2 channels. It provides command execution, data staging, and the ability to install additional tools such as Adminer for database access. |
| T1560 | Archive Collected Data | In the Netherlands campaigns, Sea Turtle used the tar utility to archive email data from compromised cPanel accounts, staging the resulting archive in the publicly accessible web directory for direct download and exfiltration. |
| T1190 | Exploit Public-Facing Application | CVE-2025-27920, a directory traversal vulnerability in Output Messenger Server Manager version 2.0.62, was exploited as a zero-day beginning April 2024. Exploitation allowed an authenticated user to drop malicious files — including VBScript launchers and Golang backdoors — into the server's startup directory, establishing persistence. |
| T1505.003 | Server Software Component: Web Shell | Adminer, a publicly available database management tool, was deployed to the public web directory of compromised cPanel accounts to enable remote MySQL access. Its presence in the same GitHub repository as SnappyTCP was used to attribute both tools to the same Sea Turtle-controlled account. |
| T1110 | Brute Force | Internet-facing services accessible via SSH and web login panels are targeted for credential brute-forcing. The group also exploits known vulnerabilities in internet-facing appliances to gain initial access to infrastructure providers — a technique noted by Microsoft in 2021 activity reporting. |
Sea Turtle's DNS hijacking approach means organizations can be compromised without any intrusion into their own infrastructure. If an organization's DNS registrar or ccTLD operator is compromised, the organization itself may have no visibility into credential interception occurring in transit. Standard perimeter security does not address this threat vector.
Known Campaigns
Confirmed or highly attributed operations linked to Sea Turtle across all observed phases of activity.
First documented by Cisco Talos in April 2019, this campaign phase spanned government organizations, energy companies, think tanks, NGOs, and at least one airport across Turkey, Syria, Iraq, Jordan, Lebanon, Libya, Egypt, and Sweden. Sea Turtle compromised DNS registrars and ccTLD operators to silently redirect traffic for target organizations through actor-controlled servers, capturing credentials in transit. A second Talos report in July 2019 confirmed Sea Turtle had also compromised ICS-FORTH, the operator of the .gr ccTLD for Greece, maintaining access for at least five days after public disclosure of the breach.
A series of DNS hijacking campaigns that intercepted traffic of government IT systems in Greece, Cyprus, and Iraq. The compromise of ICS-FORTH in Greece — which manages the .gr ccTLD — was confirmed by Cisco Talos and represented a significant escalation given the systemic access a ccTLD operator compromise provides. Microsoft's 2021 Digital Defense Report also documented activity targeting Armenia and Syria during this period, aligned with Turkish strategic interests in those countries.
Documented by Hunt & Hackett in January 2024, this campaign phase targeted telecommunications companies, media organizations, ISPs, and IT service providers in the Netherlands — with a specific focus on Kurdish-affiliated websites, PKK-associated content, and platforms serving Kurdish diaspora communities. Initial access was achieved via compromised cPanel credentials, with the SnappyTCP reverse TCP shell deployed for C2. Email archives were exfiltrated by staging compressed tar archives in publicly accessible web directories. PwC independently observed SnappyTCP usage and attributed it to Sea Turtle. The Greek National CERT also shared related IOCs in 2022. Infrastructure susceptibility to supply chain and island-hopping attacks was a common factor across victims.
StrikeReady documented a Sea Turtle operation focused on spoofing Kurdish news sites, NGO sites, and TV channels in the Arab world. The operation used typosquatted or DNS-hijacked domains to present convincing replicas of legitimate Kurdish media properties, likely for credential harvesting and surveillance of politically active Kurdish individuals and communities.
Disclosed by Microsoft in May 2025, this campaign represented a significant escalation in Sea Turtle's technical capability. Beginning in April 2024, the group exploited CVE-2025-27920 — a directory traversal zero-day in Output Messenger Server Manager version 2.0.62 — to target Kurdish military forces in Iraq, assessed with high confidence by Microsoft to include Peshmerga units. The attack chain began with authenticated access to the Output Messenger server, likely obtained via DNS hijacking or typosquatted domains. Exploitation of the directory traversal flaw allowed the attackers to drop malicious files (OM.vbs, OMServerService.vbs, OMServerService.exe) into the server's startup directory, establishing persistence. OMServerService.exe is a Golang backdoor that contacts api.wordinfos[.]com for data exfiltration. Output Messenger's developer, Srimax, patched the vulnerability on 25 December 2024; Microsoft continued to observe exploitation of unpatched installations into 2025. A second related vulnerability, CVE-2025-27921 (reflected XSS), was also identified, though no exploitation was observed.
Tools & Malware
Sea Turtle relies on a combination of infrastructure-level access techniques, commodity open-source tooling, and — more recently — purpose-built Golang backdoors. The group's historic preference for upstream compromise over custom malware has shifted in the 2024–2025 period to include zero-day exploitation and bespoke implants.
- SnappyTCP: A reverse TCP shell for Linux and Unix systems written in C, whose source code is publicly available on GitHub from a repository attributed to Sea Turtle. Deployed via compromised cPanel accounts in the Netherlands campaigns, SnappyTCP provides command execution, data staging, and the ability to install additional tools. Independently documented by both Hunt & Hackett and PwC in late 2023.
- Adminer: A legitimate, publicly available PHP-based database management tool. Sea Turtle installs Adminer in the public web directory of compromised cPanel accounts to enable remote MySQL database access. Its presence in the same Sea Turtle GitHub repository as SnappyTCP was used to establish attribution.
- Golang Backdoors (OMServerService.exe / OMClientService.exe): Custom backdoors delivered as part of the 2024 Output Messenger campaign. The server-side component contacts a hardcoded C2 domain (api.wordinfos[.]com) for data exfiltration. The client-side counterpart connects to a separate Marbled Dust C2 domain, establishing persistent access on affected machines.
- VBScript Launchers (OM.vbs / OMServerService.vbs): Malicious VBScript files dropped to the Output Messenger server startup directory via the CVE-2025-27920 directory traversal exploit. OMServerService.vbs is used to invoke both OM.vbs and the Golang backdoor upon system startup, ensuring persistence across reboots.
- Actor-Controlled DNS Infrastructure: Sea Turtle has historically operated rogue nameservers including ns1[.]intersecdns[.]com and rootdnservers[.]com, used to receive hijacked DNS queries from compromised registrars. This infrastructure enables credential interception across any organization whose DNS resolution was redirected.
- Socat: A network relay tool assessed to be used in conjunction with SnappyTCP for C2 communications, based on infrastructure characteristics observed by Hunt & Hackett.
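The Linux-side artifacts listed above (Adminer in the public web directory, a tar archive staged there for download, a locally compiled reverse shell) can be checked for in bulk across hosting accounts. The following is an added example written for this profile, not code from Hunt & Hackett or any other cited source; the account tree it audits is constructed in a temporary directory, and the file names are sample values.

```python
# Added example: audit a cPanel-style account home for the post-exploitation
# artifacts described above. Adminer under the web root, an archive staged in
# a web-served directory, and any ELF binary in the account (the SnappyTCP
# shell was compiled with GCC on the compromised host). Sample data is
# constructed; nothing here comes from a real incident.
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".zip")
WEB_DIRS = ("public_html", "www")


def audit_account(home):
    """Return sorted (rule, path) findings for one account home directory."""
    home = Path(home)
    findings = []
    for web in WEB_DIRS:
        webroot = home / web
        if not webroot.is_dir():
            continue
        for p in webroot.rglob("*"):
            if not p.is_file():
                continue
            name = p.name.lower()
            # Adminer ships as a single PHP file; any copy under the web root is suspect.
            if name.startswith("adminer") and name.endswith(".php"):
                findings.append(("adminer_in_webroot", str(p)))
            # Archives in a web-served directory match the exfiltration staging pattern.
            if name.endswith(ARCHIVE_SUFFIXES):
                findings.append(("archive_staged_in_webroot", str(p)))
    # Native executables anywhere in a shared-hosting account are unusual.
    for p in home.rglob("*"):
        if p.is_file() and not p.is_symlink():
            with open(p, "rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    findings.append(("elf_binary_in_account", str(p)))
    return sorted(findings)


def build_sample_account():
    """Construct a sample account tree mirroring the described intrusion."""
    home = Path(tempfile.mkdtemp(prefix="acct_"))
    (home / "public_html").mkdir()
    (home / "public_html" / "index.php").write_text("<?php echo 'ok';")
    (home / "public_html" / "adminer.php").write_text("<?php /* adminer */")
    (home / "public_html" / "mail.tar.gz").write_bytes(b"\x1f\x8b" + b"\0" * 32)
    (home / ".tmp").mkdir()
    (home / ".tmp" / "snappy").write_bytes(ELF_MAGIC + b"\0" * 60)
    return str(home)


if __name__ == "__main__":
    for rule, path in audit_account(build_sample_account()):
        print(f"{rule}: {path}")
```

In production the loop would run over every account home under the hosting server's user directory, with findings forwarded to the central log store recommended in the mitigation section.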
Indicators of Compromise
Publicly reported IOCs for Sea Turtle campaigns should be treated as time-sensitive. The group's DNS infrastructure is regularly rotated, so historic nameserver and IP IOCs may be burned or reassigned. Behavioral and network-based detection is more reliable than static domain or IP blocklisting for this actor; cross-reference any indicator with live threat intel feeds before operational use.
Mitigation & Defense
Sea Turtle's upstream compromise methodology means traditional endpoint-focused defenses are insufficient as a primary control. Organizations — particularly those in sectors and regions targeted by this actor — must extend defensive thinking to include the DNS infrastructure they depend on.
- Enable DNSSEC and registry lock for all critical domains: DNSSEC provides cryptographic validation of DNS responses, making unauthorized record modification detectable. Registry lock prevents DNS record changes without a manual, out-of-band confirmation process — directly countering Sea Turtle's registrar-compromise approach. Both controls should be mandatory for any organization operating in the actor's target profile.
- Monitor DNS records for unauthorized changes: Implement continuous monitoring of your organization's DNS records across all registrars. Unexpected changes to NS, A, or MX records — particularly those pointing to unfamiliar hosting providers — should trigger immediate incident response.
- Patch Output Messenger immediately (CVE-2025-27920): Any organization running Output Messenger must upgrade to version 2.0.63 or later. The directory traversal vulnerability was exploited as a zero-day for at least seven months before disclosure. Unpatched instances remain exposed.
- Enforce MFA on all externally exposed accounts: Compromised credentials are central to Sea Turtle's operations at every stage — from registrar access to cPanel logins to application authentication. Multi-factor authentication on all internet-facing accounts, particularly web hosting control panels and domain management portals, directly degrades the group's ability to leverage stolen credentials.
- Restrict and monitor SSH access: Sea Turtle uses SSH extensively following initial cPanel compromise. Limiting SSH access by IP allowlist, deploying key-based authentication, and monitoring SSH session activity — including source IPs associated with VPN providers — can surface active intrusions.
- Centralize log storage and deploy EDR: Hunt & Hackett specifically recommended centralized log storage as a detection measure, as Sea Turtle uses anti-forensic techniques to clean evidence from individual hosts. EDR solutions monitoring file creation, process execution, and network connections provide visibility that host-based logging alone cannot.
- Rate-limit login attempts and enforce strong credential policies: Brute-force access to cPanel and similar hosting management interfaces is an observed initial access vector. Login rate-limiting and mandatory complex passwords for hosting accounts reduce the risk of credential-based compromise.
- Audit self-hosted application deployments: The Output Messenger campaign exploited a vulnerability in a self-hosted enterprise messaging server. Organizations self-hosting applications in regions targeted by Sea Turtle should formally assess patch management cadences and consider whether cloud-hosted alternatives with vendor-managed patching reduce operational risk.
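The DNS monitoring control above is the one most directly aimed at Sea Turtle's registrar-level hijacks. The following is an added example for this profile (not code from any cited source) showing the comparison logic: a stored baseline of NS, A and MX records is diffed against a fresh snapshot, and NS delegation to an operator the organization has not chosen is escalated to critical. Domains, addresses and nameservers are constructed sample values; in production the snapshot would be populated from resolver queries rather than the inline dict.

```python
# Added example: flag DNS record drift of the kind a compromised registrar
# produces. All names, addresses and nameservers are constructed samples.

BASELINE = {
    "ministry.example": {
        "NS": {"ns1.trusted-registrar.example", "ns2.trusted-registrar.example"},
        "A": {"198.51.100.10"},
        "MX": {"10 mail.ministry.example"},
    },
    "mail.ministry.example": {"A": {"198.51.100.25"}},
}

# Nameserver operators the organization has actually delegated to.
TRUSTED_NS_SUFFIXES = ("trusted-registrar.example",)


def classify(rtype, added):
    """Severity of a change: NS delegation to an unknown operator is critical
    (traffic for every name under the zone can now be redirected); an A or MX
    change moves web or mail traffic and is high; anything else is medium."""
    if rtype == "NS" and any(not ns.endswith(TRUSTED_NS_SUFFIXES) for ns in added):
        return "critical"
    if rtype in ("A", "MX"):
        return "high"
    return "medium"


def diff_records(baseline, snapshot):
    """Return one alert per record set whose observed values differ from baseline."""
    alerts = []
    for name, expected in baseline.items():
        observed = snapshot.get(name, {})
        for rtype, want in expected.items():
            have = set(observed.get(rtype, ()))
            if have == want:
                continue
            added, removed = sorted(have - want), sorted(want - have)
            alerts.append({
                "name": name, "type": rtype,
                "added": added, "removed": removed,
                "severity": classify(rtype, added),
            })
    return alerts


# Constructed snapshot standing in for a live query: the zone's NS set has been
# swapped to an unfamiliar operator and the mail host now resolves elsewhere.
HIJACKED_SNAPSHOT = {
    "ministry.example": {
        "NS": {"ns1.unknown-dns.example", "ns2.unknown-dns.example"},
        "A": {"198.51.100.10"},
        "MX": {"10 mail.ministry.example"},
    },
    "mail.ministry.example": {"A": {"203.0.113.77"}},
}

if __name__ == "__main__":
    for a in diff_records(BASELINE, HIJACKED_SNAPSHOT):
        print(f"[{a['severity'].upper()}] {a['name']} {a['type']}: "
              f"+{a['added']} -{a['removed']}")
```

Querying the authoritative servers directly (rather than a caching resolver) and checking from more than one vantage point reduces the chance that a hijack is masked by cached or regionally different answers.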
The shift to zero-day exploitation in 2024–2025 marks a meaningful escalation in Sea Turtle's technical ceiling. Historically, the group relied on infrastructure-level access and commodity tooling — techniques that do not require sophisticated vulnerability research. The development or acquisition of CVE-2025-27920 and the deployment of custom Golang backdoors suggests either growing internal capability or access to external zero-day procurement. Microsoft characterized this as "a notable shift in Marbled Dust's capability" and indicated it may reflect escalating targeting priorities rather than purely technical evolution.
Sources & Further Reading
Attribution and references used to build this profile.
- Microsoft Threat Intelligence — Marbled Dust leverages zero-day in Output Messenger for regional espionage (2025)
- Hunt & Hackett — Turkish espionage campaigns in the Netherlands (2024)
- Cisco Talos — Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques (2019)
- MITRE ATT&CK — Sea Turtle, Group G1041
- The Hacker News — Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies (2024)
- Infosecurity Magazine — Turkey-Aligned Hackers Targeted Iraq-Based Kurds with Zero-Day Exploit (2025)
- Dark Reading — Turkish APT Sea Turtle Resurfaces to Spy on Kurdish Opposition (2024)