Turla / Snake
Russia's premier long-term espionage unit, active since at least 1996 and attributed to FSB Center 16, the FSB's signals intelligence and computer network operations unit, which traces its lineage to the KGB's 16th Directorate. The US government has described its Snake implant, under development since 2003 and deployed for roughly 20 years, as "the most sophisticated cyber-espionage tool in the FSB's arsenal". In May 2023 the FBI's Operation MEDUSA neutralized Snake's peer-to-peer network worldwide with a court-authorized tool called PERSEUS, which commanded the malware to overwrite its own vital components. Turla remains active: in 2025, ESET documented a joint Turla-Gamaredon operation against a small number of high-value Ukrainian machines.
Overview
Turla is Russia's longest-running and most technically sophisticated state-sponsored espionage unit. Attributed to FSB Center 16, the signals intelligence and computer network operations arm of Russia's Federal Security Service, the group has conducted intrusions against Western governments, military networks and diplomatic targets since at least 1996. It is widely regarded as one of the most capable state actors the security industry tracks, distinguished not by aggression or destructive impact but by extraordinary patience, persistence and technical innovation sustained across three decades of uninterrupted operation.
The group's name, Turla, comes from one of its core malware families. Its flagship implant — Snake, also known as Uroburos — takes its name from the ancient Ouroboros symbol of a serpent eating its own tail, which appeared as an embedded image in early versions of the code dating to 2003 or 2004. The FBI described Snake as the most sophisticated cyber-espionage tool in the FSB's arsenal. The code also contained the string "Ur0bUr()sGoTyOu#" — an early operator signature. Snake was actively maintained, upgraded, and deployed for over 20 years before being disabled by Operation MEDUSA in May 2023.
Turla's operational lineage traces to Moonlight Maze, one of the first documented nation-state cyber-espionage campaigns, which targeted U.S. military and government networks from 1996 through 1998. Research published in 2017 by Kaspersky and King's College London compared a preserved Moonlight Maze relay server with Penquin Turla, the Linux variant of the Snake toolkit, and found that Penquin samples compiled as late as 2014 were built on LOKI2, the ICMP-based covert-channel backdoor published in Phrack issue 51 in 1997 and used by the Moonlight Maze operators. Together with Agent.btz (2008), which shares encryption keys and file-naming conventions with later Turla tools, this gives a technical lineage connecting Turla to one of the earliest documented state cyber operations, although the researchers presented the Moonlight Maze link as strongly supported rather than conclusively proven.
The group operates with a characteristic that Mandiant's John Hultquist described as a "reliably quiet assault" — Turla focuses on classic espionage targets (government, military, diplomatic missions, defense sector) and conducts its work with a discipline that rarely draws attention. The occasional high-profile exposures — Agent.btz in 2008, Operation MEDUSA in 2023, the Iranian APT hijack in 2019 — are outliers against a background of sustained, low-visibility intelligence collection that goes largely unreported. FBI agents monitored Snake-infected machines for years at a time. The group's programmers worked regular business hours from an FSB facility in Ryazan, southeast of Moscow.
Turla carries more vendor-assigned names than almost any documented threat actor. Kaspersky and Mandiant (which tracked it as UNC4210 in its Andromeda reporting) use Turla. CrowdStrike uses Venomous Bear, Microsoft Secret Blizzard (formerly KRYPTON), Palo Alto Unit 42 Pensive Ursa, Symantec Waterbug and Secureworks Iron Hunter; older reporting uses Snake and Uroburos. CISA and the FBI use Turla and Snake in official documentation, and the Operation MEDUSA affidavit identified the group as "Turla" and Center 16 as its organizational home. This profile uses Turla, consistent with US government usage.
The Snake Implant and Operation MEDUSA
Snake is not simply a backdoor. Over its two-decade lifespan, it became a full intelligence collection and exfiltration platform — designed explicitly for long-term, low-visibility presence in the world's highest-value network targets. Understanding Snake requires understanding how Turla used it: not as a tool to breach a target but as the capstone of an entire operational architecture.
- What Snake Did: Snake established persistent, stealthy access on compromised hosts — persisting "indefinitely" per DOJ court documents, surviving even deliberate attempts by victims to remove it. It enabled operators to remotely deploy selective malware tools to steal sensitive documents from targeted machines. It worked across Windows, Linux, and macOS. Snake was deployed only on the highest-value targets — its presence indicated that Turla had specifically selected that system as worth the investment of their most sophisticated implant.
- The Peer-to-Peer Exfiltration Network: Turla's most operationally sophisticated use of Snake was building a global peer-to-peer relay network from Snake-compromised machines. After stealing documents from a high-value target — a NATO government ministry, a diplomatic mission, a defense organization — Turla did not route the stolen data directly back to FSB infrastructure. Instead, the data traversed a chain of unwitting Snake-compromised computers in other countries, including in the United States. This made the exfiltration traffic appear to originate from legitimate organizations in friendly countries, defeating signals intelligence collection focused on direct attribution to Russian infrastructure.
- 20 Years of Near-Constant Development: Snake was first developed in 2003 or 2004 and was under continuous development until its disruption in 2023. "The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment," CISA's advisory noted. The code embedded the Uroboros symbol — a serpent eating its own tail — in its earliest versions, a rare instance of operators embedding conceptual self-description in their malware. Despite multiple public disclosures and technical analyses over the years, Turla continued developing and deploying Snake because the P2P network architecture was too valuable to abandon.
- Operation MEDUSA — May 9, 2023: The FBI's neutralization of Snake was a landmark law enforcement and intelligence operation. Working under a court-authorized warrant from the Eastern District of New York, the FBI developed a tool called PERSEUS — named for the Greek hero who slew monsters — that could establish communication sessions with the Snake implant by mimicking its session authentication protocol. PERSEUS issued commands that caused Snake to overwrite its own vital components, disabling the implant without affecting the host computer or legitimate applications. The operation was executed simultaneously across multiple countries in coordination with allied foreign governments. The FBI had been monitoring Snake-infected machines in the US with their owners' consent for years prior to MEDUSA — identifying eight compromised computers across California, Georgia, Connecticut, New York, Oregon, South Carolina, and Maryland. Critically, Operation MEDUSA disabled the Snake P2P network but did not remove other Turla tools that may have been deployed on compromised machines, and victims were warned that Turla could still have access through stolen credentials or secondary implants.
Signature Tradecraft
Turla's tradecraft innovations span three decades and have influenced how the industry thinks about advanced persistent threats. Several techniques documented in Turla operations became blueprints studied by other nation-state actors.
- Satellite-Based C2: Turla's signature evasion technique, documented by Kaspersky in 2015. Some satellite internet providers, mainly serving Africa and the Middle East, deliver the downlink to subscribers unencrypted, and that downlink is receivable by any dish inside the satellite's broadcast footprint. Turla pointed its implants at the public IP addresses of legitimate subscribers of such providers. When an implant beaconed to one of these addresses, the provider transmitted the packets over the satellite downlink as part of normal routing, the legitimate subscriber's equipment silently discarded traffic for a port it was not listening on, and an operator-controlled dish inside the footprint captured the same broadcast. The operators never transmitted to the satellite themselves; they only received. The C2 addresses therefore belonged to uninvolved civilian businesses and home users, and standard network attribution pointed nowhere near Russia.
- APT Infrastructure Hijacking: Turla has on multiple documented occasions taken over the operational infrastructure of other nation-state threat actors rather than building its own. In the most remarkable documented case, a 2019 NSA/NCSC joint advisory and Symantec research revealed that Turla had infiltrated the computer network operations infrastructure of APT34 (an Iranian threat group also known as Crambus/OilRig). Turla scanned APT34's existing victim networks for the group's specific web shells, gained access to APT34's Poison Frog C2 panels, exfiltrated APT34's victim lists and stolen credentials, and then deployed its own implants directly to APT34's existing victims — gaining access to targets in at least 35 countries that it might not have reached otherwise. From December 2022 to mid-2024, Turla infiltrated the C2 servers of SideCopy and Transparent Tribe (Pakistani APT groups) to penetrate Afghan government networks. In 2025, ESET documented Turla leveraging Gamaredon's initial access to reach specific high-value Ukrainian targets.
- Cloud Service C2 Abuse: Turla routes C2 through legitimate cloud services so that its traffic blends with normal enterprise communications. ComRAT v4 drives the Gmail web interface from the infected host: it authenticates to an operator-controlled mailbox with cookies stored in its configuration, downloads command files attached to messages in the inbox, and returns results as attachments on new messages, so the only network footprint is HTTPS to Google. The Crutch backdoor uses the Dropbox API for data staging and exfiltration. LightNeuron targets Microsoft Exchange transport agents to intercept, read, create and block email at the server.
- Redundant Persistence: Turla does not rely on a single implant. After establishing access, multiple backdoors are deployed at different privilege levels, in different processes, with different C2 channels. TinyTurla serves as a fallback — a minimal implant designed to maintain access if the primary malware is discovered and removed. Finding one Turla tool in an environment should be treated as evidence of multiple footholds, not a complete picture of the compromise.
- Targeting Dissidents and Journalists: British intelligence specifically noted that Center 16 conducts hacking and cyber operations targeting Russian dissidents, political opponents, and Russian citizens. The FBI documented that Turla used Snake malware to target a journalist at a U.S. news media company who had reported on the Russian government — extending the group's operations beyond government espionage into domestic political monitoring of overseas critics.
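As an added example, not code from the page or from any vendor cited on it, the following PowerShell sweeps proxy logs for the pattern described under Cloud Service C2 Abuse: connections to Gmail, Dropbox or Pastebin from server-class hosts or service accounts, which have no business reason to use consumer cloud services. The log format, the host-naming convention (srv-*, exch01-*) and the account-naming convention (svc_*, machine accounts ending in $) are assumptions, and the sample log lines are constructed.

```powershell
# Added example, not code from the page or from any vendor cited on it: a proxy-log
# sweep for connections to consumer cloud services that Turla tooling has used for C2
# (Gmail for ComRAT v4, Dropbox for Crutch, Pastebin for Carbon) when they originate
# from server-class hosts or service accounts. The log format, host-naming and
# account-naming conventions are assumptions; adapt the regexes to your proxy and AD.

$C2Services = @{
    'mail.google.com'        = 'Gmail web UI (ComRAT v4)'
    'api.dropboxapi.com'     = 'Dropbox API (Crutch)'
    'content.dropboxapi.com' = 'Dropbox API (Crutch)'
    'pastebin.com'           = 'Pastebin (Carbon tasking)'
}
$ServerHostPattern  = '^(srv|dc|exch|sql|app)\d*-'   # assumed: servers are named srv-*, exch01-*, ...
$ServiceAcctPattern = '^(svc_|.+\$$)'                # assumed: svc_* accounts and machine accounts (name$)

function ConvertFrom-ProxyLine {
    # Assumed whitespace-separated format: <time> <src_host> <user> <method> <dest_host> <bytes_out>
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 6) { return $null }
    [pscustomobject]@{
        Time = $f[0]; SrcHost = $f[1]; User = $f[2]; Method = $f[3]
        DestHost = $f[4].ToLower(); BytesOut = [int64]$f[5]
    }
}

function Find-CloudC2Candidates {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $r = ConvertFrom-ProxyLine $line
        if (-not $r -or -not $C2Services.ContainsKey($r.DestHost)) { continue }
        $account = ($r.User -split '\\')[-1]           # strip the DOMAIN\ prefix
        $reasons = @()
        if ($r.SrcHost -match $ServerHostPattern)  { $reasons += 'server-class source host' }
        if ($account   -match $ServiceAcctPattern) { $reasons += 'service or machine account' }
        if ($r.Method -eq 'POST' -and $r.BytesOut -gt 100KB) { $reasons += 'large upload' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $r.Time; SrcHost = $r.SrcHost; User = $r.User; Dest = $r.DestHost
                Channel = $C2Services[$r.DestHost]; BytesOut = $r.BytesOut; Reason = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample log lines. Workstation users reading Gmail or Dropbox are normal;
# the Exchange server's machine account and the backup service account are not.
$SampleLog = @(
    '2024-03-12T09:14:02Z ws-alice    CORP\alice      GET  mail.google.com        1820'
    '2024-03-12T09:15:47Z exch01-mbx  CORP\exch01$    POST mail.google.com        52244'
    '2024-03-12T09:16:03Z ws-bob      CORP\bob        GET  content.dropboxapi.com 910'
    '2024-03-12T09:17:30Z srv-files   CORP\svc_backup POST api.dropboxapi.com     1048576'
    '2024-03-12T09:18:11Z ws-carol    CORP\carol      GET  pastebin.com           640'
)
Find-CloudC2Candidates -Lines $SampleLog | Format-Table -AutoSize
```

On the constructed sample only the exch01-mbx and srv-files records are flagged; the three workstation records pass, which is the intended baseline. Source context does the work here because, without TLS inspection, the destination alone is identical for a user reading mail and for an implant fetching tasking.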
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1090.003 | Proxy: Multi-hop Proxy (Snake P2P relays and satellite C2) | Turla's signature attribution-evasion techniques. For satellite C2, the implant beacons to the hijacked IP address of a legitimate satellite-internet subscriber; the provider broadcasts that traffic on an unencrypted downlink receivable by any dish in the footprint, so operators collect it passively without ever transmitting to the satellite or to the implant from Russian infrastructure. For P2P, Snake-compromised computers worldwide served as relay nodes, routing exfiltrated data from high-value targets through chains of unwitting victim machines before it reached Russian C2 infrastructure. Both defeat source attribution in standard network forensics. |
| T1584.004 | Compromise Infrastructure: Server (other actors' C2) | Turla has taken over the command-and-control infrastructure of other actors rather than building its own: APT34 (Iranian), Storm-0156 (Pakistani, overlapping SideCopy and Transparent Tribe), Storm-1837, and the commodity Andromeda and Amadey botnets. It has also received initial access from Gamaredon, a fellow FSB-linked group, in what ESET assesses as deliberate cooperation rather than a hijack. Reaching targets through another actor's established presence avoids the cost of new intrusion operations and complicates attribution by leaving forensic evidence that points to a different actor. NSA/NCSC assessed that the APT34 operation involved direct access to APT34's C2 panels and victim-management interfaces. |
| T1505.002 | Server Software Component: Transport Agent (LightNeuron) | LightNeuron is a backdoor built as a Microsoft Exchange transport agent, code the Exchange transport service loads and runs against every message that passes through the server. It can read, modify, block and create email, giving operators complete control of a target organization's mail flow. Commands arrive embedded in seemingly normal attachments (PDF files and JPG images carrying steganographic payloads). Detection requires Exchange-level review of registered transport agents; standard endpoint detection may not surface it. |
| T1102 | Web Service (Gmail, Dropbox, Pastebin C2) | ComRAT v4 drives the Gmail web interface to receive commands as attachments in an operator-controlled inbox and to return results as attachments on outgoing messages, so operator communications appear as ordinary Google traffic. The Crutch backdoor uses Dropbox's official API for exfiltration. Carbon has used Pastebin to distribute task configurations to compromised hosts. These channels are designed to blend with normal enterprise cloud traffic and to pass firewall and proxy controls that do not inspect the content of connections to Google, Dropbox or Pastebin. |
| T1546.003 | Event Triggered Execution: WMI Event Subscription (with T1543.003 service persistence) | Turla layers persistence mechanisms. It has used permanent WMI event subscriptions (a filter, a consumer and a binding in root\subscription) and registry autoruns to relaunch implants across reboots. TinyTurla installs as a Windows service whose DLL, w64time.dll, imitates the legitimate Windows Time Service DLL w32time.dll. Kazuar can drop an LNK file into the Windows startup folder. Because several mechanisms are deployed at once, removing one implant leaves others dormant and ready to re-escalate the compromise. |
| T1091 | Replication Through Removable Media (Agent.btz) | Agent.btz spread through DoD networks via USB thumb drives as a self-replicating worm that copied itself to any removable media inserted into an infected machine. In 2008 this carried the malware from an infected drive (origin unknown) into the networks of US Central Command, including the classified SIPRNET. Eradication took the Department of Defense 14 months under the Buckshot Yankee remediation effort and the breach led directly to the creation of US Cyber Command, making Agent.btz among the most consequential single pieces of malware deployed against US military networks. |
| T1071.001 | Application Layer Protocol: Web Protocols (KopiLuwak) | KopiLuwak is a JavaScript-based reconnaissance and C2 tool that profiles the victim and exchanges data with its operators over HTTP requests to C2 hosted on compromised legitimate websites. Used for initial profiling before heavier tools are deployed, it has appeared in Turla's G20-themed campaign of 2017, the 2022 Andromeda operation and multiple government-sector intrusions. Because the C2 lives on ordinary compromised sites, the traffic resembles routine web browsing and is rarely inspected at content level. |
| T1114.001 | Email Collection: Local Email Collection (Outlook backdoor) | Turla's Outlook backdoor hooks the Microsoft Outlook client (and The Bat!, an email client popular in Eastern Europe) through MAPI and COM-object hijacking to intercept the victim's email. Commands arrive hidden in PDF attachments of otherwise ordinary incoming messages; exfiltrated data leaves as attachments on outgoing messages that the backdoor hides from the user by suppressing notifications and removing traces. The victim's own mailbox becomes the covert C2 channel, and the traffic is indistinguishable from legitimate email. |
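As an added example, not code from the page or from any vendor cited on it, the following PowerShell audits a Windows host for the persistence layers described in the T1546.003 row: permanent WMI event subscriptions, svchost-hosted service DLLs (the TinyTurla w64time.dll masquerade), and startup-folder shortcuts. The masquerade-name list and the path heuristics are assumptions; the output is a list of leads to review, not verdicts, since legitimate management software also registers WMI subscriptions.

```powershell
# Added example, not code from the page or from any vendor cited on it: a host audit
# for the persistence layers in the T1546.003 row (permanent WMI event subscriptions,
# svchost-hosted service DLLs such as TinyTurla's w64time.dll, and startup-folder
# shortcuts). Run from an elevated Windows PowerShell prompt. Output is a list of
# leads, not verdicts: the masquerade-name list and path heuristics are assumptions.

$MasqueradeNames = @('w64time.dll')   # TinyTurla's service DLL name, from the description above

function Get-WmiRefName {
    # Binding properties are object paths like __EventFilter.Name="X" (string) or CimInstance refs
    param($Ref)
    if ($Ref -is [string]) { if ($Ref -match 'Name="([^"]+)"') { $Matches[1] } }
    else { $Ref.Name }
}

function Get-WmiSubscriptions {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $fName = Get-WmiRefName $b.Filter
        $cName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Check    = 'WMI subscription'
            Filter   = $fName
            Query    = $f.Query
            Consumer = "$cName ($($c.CimClass.CimClassName))"
            # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText
            Payload  = @($c.CommandLineTemplate, $c.ScriptText) -join ''
        }
    }
}

function Get-SuspiciousServiceDlls {
    # svchost-hosted services load the DLL named under Parameters\ServiceDll. Flag names on the
    # masquerade list, unsigned or invalidly signed files, and DLLs living outside System32.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $reasons = @()
        if ($MasqueradeNames -contains (Split-Path $dll -Leaf)) { $reasons += 'known masquerade name' }
        if (-not $sig -or $sig.Status -ne 'Valid')               { $reasons += 'unsigned or invalid signature' }
        if ($dll -notmatch '^[A-Za-z]:\\Windows\\System32\\')    { $reasons += 'outside System32' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Check = 'Service DLL'; Service = $svc.Name; DisplayName = $svc.DisplayName; Path = $dll
                Signer = $sig.SignerCertificate.Subject; Reason = ($reasons -join '; ')
            }
        }
    }
}

function Get-StartupShortcuts {
    # Kazuar-style .lnk persistence. Covers the current user's and the all-users Startup folders;
    # other users' profiles need enumerating under C:\Users separately.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            [pscustomobject]@{ Check = 'Startup .lnk'; Path = $lnk.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments }
        }
    }
}

@(Get-WmiSubscriptions) + @(Get-SuspiciousServiceDlls) + @(Get-StartupShortcuts) | Format-List
```

A stock Windows install shows one WMI binding (the SCM Event Log filter and consumer) and no flagged service DLLs; anything beyond that should be explained by a known product before it is dismissed. Catalog-signed Microsoft DLLs report a valid signature on supported Windows versions, so an "unsigned" result for a System32 DLL is itself worth a second look.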
Known Campaigns and Operations
Moonlight Maze (1996–1998) was one of the first documented nation-state cyber-espionage campaigns and the operational ancestor of what became Turla. It systematically harvested sensitive information from U.S. military networks, NASA, the Department of Energy and research institutions, using compromised Solaris/Unix servers around the world as staging nodes and chaining multiple proxy hops to cover its tracks, an approach that would later become Turla's signature P2P relay technique. In 2016, researchers at King's College London obtained one such intermediate server, preserved by its administrator, and together with Kaspersky analysed its logs and the tools left on it. They identified the LOKI2 ICMP backdoor from Phrack issue 51 (1997) and showed that Penquin Turla Linux samples from 2011 to 2014 were built on the same LOKI2 code, making Turla Moonlight Maze's likely direct successor.
In 2008, the Agent.btz worm was discovered beaconing from inside the classified networks of U.S. Central Command — networks that were supposed to be air-gapped and physically isolated from the internet. The worm had spread via infected USB thumb drives, though the origin of the initial infection remains unclear. Once inside, Agent.btz spread across both unclassified and classified DoD networks including SIPRNET. One Pentagon official described it as "the worst breach of U.S. military computers in history." The Department of Defense took 14 months to fully eradicate Agent.btz from its systems — a remediation effort called Buckshot Yankee — and the breach directly led to the creation of U.S. Cyber Command in 2009. Agent.btz is the direct predecessor of ComRAT, Turla's long-running remote access trojan that continued evolving through ComRAT v4 in 2020.
Epic Turla was a global, multifaceted cyber-espionage campaign documented by Kaspersky in August 2014 after ten months of analysis. It infected several hundred computers in more than 45 countries using spear-phishing carrying Adobe Reader exploits and social-engineered executables, and watering-hole attacks serving Java, Flash and Internet Explorer exploits. Targets included government ministries, embassies, military organizations, research and educational institutes and pharmaceutical companies; embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland and Germany were compromised. A prime minister's office in a former Soviet republic was infected, and from that foothold some 60 further machines were compromised. Epic Turla used a lightweight first-stage backdoor (Epic, also tracked as Tavdig or Wipbot) for reconnaissance before deploying Carbon or Snake on selected high-value targets.
Turla's sustained intrusion into RUAG, Switzerland's state-owned defense and aerospace technology contractor, was documented in a May 2016 report by the Swiss government's MELANI/GovCERT.ch. The attackers were present from at least September 2014 until discovery in 2016 and exfiltrated sensitive defense technology and research data. The RUAG compromise exemplifies Turla's classic operational model: extended dwell time in a defense-sector target, careful lateral movement, and a peer-to-peer network of infected hosts inside the victim that relayed traffic so that only a small number of machines ever spoke to external C2.
The most extraordinary documented instance of nation-state-on-nation-state infrastructure hijacking. Turla infiltrated the operational infrastructure of APT34 (OilRig/Crambus/HelixKitten), an Iranian threat group, in operations spanning 2017 through 2019, revealed by a 2019 joint NSA/NCSC advisory and independent Symantec research. Turla scanned IP space in at least 35 countries for the TwoFace/ASPX web shells APT34 had planted on its victims and used those shells as its own entry points. From there it gained direct access to APT34's Poison Frog C2 panels and exfiltrated APT34's victim lists, stolen credentials and operational information, including keylogger output that recorded APT34's own operators at work. Turla then deployed its own tools to APT34's existing victims, gaining access to Middle Eastern targets it might not have reached independently. The operation has been described as unprecedented in published threat intelligence: the effective hostile takeover of one state's offensive cyber operations by another.
In January 2023, Mandiant documented activity from 2022 in which Turla re-registered expired C2 domains previously associated with the Andromeda commodity malware botnet, a cybercrime tool unrelated to Russian state intelligence. Because Andromeda-infected machines were still attempting to contact those lapsed domains, Turla gained command-and-control access to thousands of pre-existing infections without conducting any initial-access operations itself. It used that access to profile the Andromeda victims and selectively deploy its own KopiLuwak and QUIETCANARY tools to targets of intelligence interest, specifically identified Ukrainian systems. The technique applies Turla's infrastructure-hijacking philosophy to commodity cybercrime infrastructure rather than to other APT groups.
Operation MEDUSA, announced by the Department of Justice on May 9, 2023, is the most significant publicly acknowledged US law enforcement action against FSB cyber infrastructure. Working under court authorization from the Eastern District of New York, the FBI developed PERSEUS, a tool built on a reverse-engineered understanding of Snake's session authentication protocol that could send commands to the implant from outside the FSB's infrastructure. On approximately May 8–9, 2023, PERSEUS was deployed against Snake-infected machines worldwide in coordination with allied governments, issuing commands that caused Snake to overwrite its own vital components, disabling the implant without affecting host computers or legitimate applications. The FBI had been monitoring infected U.S. machines with their owners' consent for years in preparation, and warrants were obtained to remotely access eight confirmed U.S. Snake infections. Attorney General Merrick Garland announced that the operation had "dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades."
In 2025, ESET documented the first confirmed operational cooperation between Turla and Gamaredon, two separate FSB-affiliated threat groups, against targets in Ukraine. Between January and June 2025, ESET researcher Matthieu Faou detected Turla on seven machines in Ukraine. Since Gamaredon compromises hundreds or thousands of machines, the extreme selectivity of Turla's presence within Gamaredon's broad access footprint suggests Turla was interested only in machines holding highly sensitive intelligence. The joint operation represents a shift: rather than conducting its own initial-access operations in Ukraine, Turla used Gamaredon's widespread access as a screening platform to identify, and then selectively reach, the highest-value targets. "We believe with high confidence that both groups — separately associated with the FSB — are cooperating and that Gamaredon is providing initial access to Turla," ESET stated.
In December 2024, Microsoft Threat Intelligence and Lumen Technologies' Black Lotus Labs jointly disclosed Turla's two-year campaign inside the C2 infrastructure of Storm-0156, a Pakistan-based threat actor whose activity overlaps with SideCopy and Transparent Tribe (APT36). Beginning in December 2022, Turla gained access to Storm-0156 C2 servers and by mid-2023 had extended its control to 33 nodes. In Afghanistan, Turla used Storm-0156's pre-existing access to deploy its own tools, TwoDash (a .NET downloader) and Statuezy (a Windows clipboard logger), on Afghan government networks including the Ministry of Foreign Affairs, the General Directorate of Intelligence and foreign consulates. In India, Turla took a more cautious approach, reading data already exfiltrated from Indian military and defense institutions on Storm-0156's servers rather than deploying backdoors to Indian devices. By April 2023, Turla had moved laterally onto Storm-0156 operator workstations, obtaining Storm-0156's own tools, C2 credentials and data from prior operations. By mid-2024, Turla was using Storm-0156's CrimsonRAT malware to target Indian government and military entities independently. Microsoft described the frequency of this behavior as "an intentional component" of Turla's tactics and counted the campaign among at least four documented cases of Turla embedding itself in another actor's offensive operations.
In December 2024, Microsoft disclosed that Turla used Amadey bot malware — a cybercriminal MaaS tool typically used to deploy cryptocurrency miners — to reach specifically selected Ukrainian military devices in early 2024. In January 2024, Turla used the backdoor of Storm-1837 (a Russia-based group targeting Ukrainian military drone pilots) to install Tavdig and KazuarV2 on a compromised Ukrainian device. Between March and April 2024, Turla used Amadey bots — either purchased as a service or accessed by covertly hijacking the Amadey C2 panels — to deliver a PowerShell dropper containing Tavdig on specifically selected devices associated with Ukrainian military targets, including devices linked to Starlink IP addresses commonly used by Ukrainian forces. Tavdig was then used to conduct reconnaissance and deploy KazuarV2. This was the second documented instance since 2022 of Turla using a cybercriminal campaign as a delivery mechanism into Ukraine — extending the infrastructure hijacking philosophy beyond nation-state actors to organized cybercrime infrastructure.
In July 2025, Microsoft Threat Intelligence disclosed that Turla has been conducting an adversary-in-the-middle (AiTM) campaign against foreign embassies located in Moscow since at least 2024 — the first confirmed instance of Turla operating at the ISP level and the first confirmed capability to conduct espionage within Russia's own borders against foreign entities. The campaign deploys a previously undocumented malware called ApolloShadow, which installs a fake Kaspersky Anti-Virus trusted root certificate on targeted devices, enabling Turla to intercept TLS traffic and maintain persistent access for intelligence collection. Turla positions itself between embassy networks and the internet through Russia's legally mandated SORM intercept infrastructure or similar ISP-level access, likely leveraging its FSB relationship to exploit surveillance systems built for domestic law enforcement. Microsoft notes this capability to actively modify network traffic rather than simply observe it represents "a shift, or a kind of movement, toward the evolution" of the group's operational model. Organizations operating in Moscow and relying on local ISP or telecom infrastructure — particularly diplomatic missions — are assessed to be high-probability targets of this active capability.
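As an added example, not code from the page or from Microsoft, the following PowerShell audits the Windows trusted root stores for certificates that could support TLS interception of the kind the ApolloShadow campaign relies on. It keeps a baseline of thumbprints taken from a known-good build and diffs later snapshots against it. The baseline path, the 30-day recency window and the vendor-name heuristic are assumptions; legitimate endpoint-security products do install their own interception roots, so the thumbprint, not the name, is what must match the product actually deployed.

```powershell
# Added example, not code from the page or from Microsoft: an audit of the trusted root
# stores for certificates that could support TLS interception of the kind described in
# the ApolloShadow campaign. Save a baseline of thumbprints from a clean build
# (Save-RootStoreBaseline) and diff against it later. The baseline path, the recency
# window and the vendor-name heuristic are assumptions.

$BaselinePath = Join-Path $env:ProgramData 'root-store-baseline.txt'   # assumed location
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootStoreSnapshot {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store = $store; Thumbprint = $_.Thumbprint; Subject = $_.Subject
                Issuer = $_.Issuer; NotBefore = $_.NotBefore; NotAfter = $_.NotAfter
            }
        }
    }
}

function Save-RootStoreBaseline {
    # Run once on a clean system; the thumbprint is the stable identity of a root certificate.
    (Get-RootStoreSnapshot).Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
}

function Get-RootStoreAnomalies {
    param([int]$RecentDays = 30)
    $baseline = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }
    foreach ($c in Get-RootStoreSnapshot) {
        $reasons = @()
        if ($baseline.Count -gt 0 -and $baseline -notcontains $c.Thumbprint) { $reasons += 'not in baseline' }
        if ($c.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) { $reasons += "issued within the last $RecentDays days" }
        # A root naming an endpoint-security vendor that is absent from the baseline is the
        # ApolloShadow pattern. Real AV products install interception roots too, so the name
        # alone is a lead; the thumbprint must match the product you actually deployed.
        if ($c.Subject -match 'Kaspersky|Anti-?Virus' -and $baseline -notcontains $c.Thumbprint) {
            $reasons += 'security-vendor name, not baselined'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store = $c.Store; Thumbprint = $c.Thumbprint; Subject = $c.Subject
                NotBefore = $c.NotBefore; Reason = ($reasons -join '; ')
            }
        }
    }
}

Get-RootStoreAnomalies | Format-List
```

Run Save-RootStoreBaseline on a freshly imaged machine before it ever touches the local network, then schedule Get-RootStoreAnomalies. Any root that appears only after the device has been on an ISP it does not control is the finding the ApolloShadow reporting describes.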
Tools & Malware
Turla maintains one of the most extensive custom toolsets of any documented threat actor — spanning three decades of continuous development across Windows, Linux, macOS, and Android platforms. The list below covers primary tools; Malpedia documents over 40 distinct Turla malware families.
- Snake / Uroburos: Flagship implant, under development since 2003, described by the US government as the most sophisticated cyber-espionage tool in the FSB's arsenal. Modular rootkit/backdoor operating across Windows, Linux, and macOS. Provides persistent access, file operations, remote shell, and served as the foundation of Turla's global P2P relay network for exfiltrating stolen data. Disrupted by Operation MEDUSA in May 2023 but Turla continues adapting.
- ComRAT v4 (Agent.btz successor): Dating to 2007 as Agent.btz and evolving through four major versions to ComRAT v4, documented by ESET in 2020. A Remote Access Trojan deployed by PowerShell implants, with two C2 channels: a conventional HTTP channel and one that drives the Gmail web interface, downloading command files from attachments in an operator-controlled inbox and returning results as attachments on outgoing messages. Employs a virtual FAT16 file system to stage stolen documents internally before exfiltration. Targets high-value government and diplomatic organizations for document theft.
- Carbon: Modular backdoor framework in use since approximately 2014, built around an orchestrator that loads plugins and a communication module. Infected hosts on the same network can relay tasks and results to one another over named pipes, so only a few machines ever contact external C2 and operators do not need a direct connection to every infected host. Has used compromised WordPress sites as C2 infrastructure and, in later configurations, Pastebin for task distribution. Second-stage implant deployed after initial access is established via lighter tools.
- Kazuar / KazuarV2: A .NET backdoor first documented in 2017 with a comprehensive command set including remote plugin loading, system and process information collection, credential harvesting, and screenshot capture. KazuarV2, the updated version, was deployed in 2024 against Ukrainian military targets via Amadey bots and Tavdig. Code overlaps between Kazuar and the SUNBURST backdoor used in the 2020 SolarWinds supply chain attack were identified by researchers in 2021 — suggesting possible code sharing or common developers, though definitive attribution of SolarWinds to Turla specifically was not established.
- LightNeuron: A backdoor that operates as a Microsoft Exchange mail transport agent — running inside the Exchange process to intercept, read, modify, block, and create email on the server. Commands are delivered embedded in attached PDF or JPG files. Detection requires Exchange-specific monitoring; standard endpoint tools typically do not inspect Exchange transport agent DLLs.
- TinyTurla / TinyTurla-NG: A minimal, lightweight backdoor deployed as a fallback when primary malware is discovered and removed. Masquerades as the w64time.dll Windows Time Service. Provides basic remote shell capability. TinyTurla-NG is an updated version with expanded capabilities deployed in later campaigns against Ukrainian and European targets. A TinyTurla variant was also deployed during the Storm-0156 hijack campaign.
- HyperStack: An RPC (Remote Procedure Call) backdoor using named pipes for communications — sharing encryption scheme and configuration format with Carbon, indicating shared development. Provides control over compromised machines in local networks without requiring external network connections from each infected host.
- KopiLuwak: A JavaScript-based reconnaissance utility that profiles the victim and communicates with C2 over HTTP requests to compromised legitimate websites. Used in early-stage operations to decide which victims deserve deployment of heavier second-stage tools.
- QUIETCANARY (TunnusSched): A lightweight .NET backdoor used since 2019 for targeted Ukrainian operations. Executes commands from C2, downloads additional payloads, and uses RC4 encryption for C2 communications. Deployed alongside KopiLuwak in coordinated operations.
- Crutch: A second-stage backdoor using Dropbox API for C2 and data exfiltration. Persistence via DLL hijacking. Used against European diplomatic targets. First documented in December 2020 by ESET.
- Capibar (DeliveryCheck / GAMEDAY): A backdoor first observed in 2022 targeting Ukrainian defense forces via malicious macro-embedded documents. Installs as a scheduled task for persistence and can be deployed on compromised Exchange servers as a MOF file.
- TwoDash: A .NET backdoor downloader deployed during the Storm-0156 infrastructure hijack campaign (2022–2024) against Afghan government networks. Can DLL-sideload into the Windows msdtc.exe process using the filename oci.dll, masquerading as a legitimate system component.
- Statuezy: A trojan that logs data saved to the Windows clipboard, deployed alongside TwoDash in Afghan government networks during the Storm-0156 hijack campaign. Used to capture clipboard contents including credentials, documents, and communications copied by operators.
- ApolloShadow: A custom implant first documented by Microsoft in July 2025 as the payload of Turla's ISP-level AiTM campaign against foreign embassies in Moscow. Delivered to the endpoint through the intercepted connection, it installs a root certificate disguised as a Kaspersky Anti-Virus certificate so that actor-controlled sites and intercepted TLS sessions are trusted, and it maintains persistent access to the device. It is the first Turla tool confirmed to be delivered from an ISP-level network position rather than through a conventional endpoint intrusion.
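As an added example, not code from the page or from Microsoft, the following PowerShell is the transport-agent audit the LightNeuron entries above call for, run in the Exchange Management Shell on each Mailbox server. It compares every registered agent against an allowlist and checks the Authenticode signature and location of the agent's assembly. The allowlist holds the default agent names on an Exchange 2016/2019 Mailbox server as an assumption; replace it with an export from your own known-good server.

```powershell
# Added example, not code from the page or from Microsoft: the transport-agent audit for
# LightNeuron-style implants, run in the Exchange Management Shell on each Mailbox
# server. The allowlist below holds default agent names on an Exchange 2016/2019 Mailbox
# server as an assumption; replace it with an export from your own known-good server.

$ExpectedAgents = @(
    'Transport Rule Agent', 'Malware Agent',
    'Text Messaging Routing Agent', 'Text Messaging Delivery Agent',
    'System Probe Drop Smtp Agent', 'System Probe Drop Routing Agent'
)

function Get-TransportAgentAudit {
    foreach ($agent in Get-TransportAgent) {
        $reasons = @()
        if ($ExpectedAgents -notcontains $agent.Identity) { $reasons += 'not on allowlist' }
        $path = $agent.AssemblyPath
        if ($path) {
            # LightNeuron is a DLL the Exchange transport service loads; the assembly's path and
            # Authenticode signature are what distinguish it from a product agent.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += 'assembly unsigned or signature invalid' }
            elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { $reasons += "signed by $($sig.SignerCertificate.Subject)" }
            if ($path -notmatch '\\Microsoft\\Exchange Server\\') { $reasons += 'assembly outside the Exchange install tree' }
        }
        else { $reasons += 'no assembly path recorded' }
        [pscustomobject]@{
            Identity = $agent.Identity; Enabled = $agent.Enabled; Priority = $agent.Priority
            Factory  = $agent.TransportAgentFactory; Assembly = $path
            Status   = if ($reasons.Count -gt 0) { $reasons -join '; ' } else { 'expected' }
        }
    }
}

# Review everything not marked expected. A third-party antispam agent shows up here too,
# which is the point: every agent on the server should be known and documented.
Get-TransportAgentAudit | Where-Object Status -ne 'expected' | Format-List
```

Because Get-AuthenticodeSignature reads the file from disk, run the audit on the server itself rather than through a remote session to a different host. Pair it with a scheduled export of Get-TransportAgent output so that a newly registered agent is caught at the next run rather than at the next incident.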
Indicators of Compromise
IOCs from CISA's May 2023 Snake advisory, FBI Operation MEDUSA affidavit, Recorded Future Turla infrastructure analysis, and vendor research from ESET, Symantec, and Palo Alto Unit 42. Turla actively monitors security publications and adapts — behavioral indicators are more reliable than static hashes or domains across this group's long operational lifetime.
Operation MEDUSA disabled the Snake P2P network but did not remove other Turla tools from compromised machines, did not patch vulnerabilities, and did not remove keyloggers or credential theft tools deployed alongside Snake. Any machine previously identified as Snake-compromised should be treated as potentially still Turla-accessible through stolen credentials or secondary implants. MEDUSA was a network disruption, not a full remediation.
Mitigation & Defense
Turla is active, technically innovative, and has demonstrated the ability to adapt through multiple major exposures over 30 years. Standard security controls are necessary but insufficient for a tier-one actor with this operational history. The following mitigations are ordered by their assessed impact against Turla's documented tradecraft.
- Exchange Transport Agent Auditing: LightNeuron operates as a transport agent inside the Exchange process itself. Regularly audit registered Exchange transport agents using Get-TransportAgent and verify that every agent is expected, documented, and from a legitimate vendor. Any unexpected transport agent DLL should be treated as a potential LightNeuron deployment. This audit should be part of routine Exchange security reviews for any organization that could be of interest to Russian intelligence.
- Cloud Service C2 Detection: ComRAT v4 (Gmail), Crutch (Dropbox), and Carbon (Pastebin) use legitimate cloud services for C2. Build SIEM/EDR rules that alert on API calls to Gmail, Dropbox, Pastebin, and similar services from server-class assets, service accounts, and non-user-context processes. TLS inspection for cloud service traffic is essential: without it, perimeter controls see only a TLS session to a legitimate service and cannot distinguish these C2 channels from ordinary use. Flag and investigate any server-originated cloud service API calls that do not correspond to known legitimate application functions.
- Network Segmentation and Lateral Movement Detection: Carbon's P2P architecture and Snake's relay network both rely on lateral movement through internal networks. Implement strict network segmentation between sensitive systems and general enterprise networks, between IT and OT environments, and between organizational departments. Deploy east-west traffic monitoring capable of detecting anomalous RPC (HyperStack) and named-pipe communications between internal hosts. Turla moves through networks methodically — east-west anomaly detection is often the only way to surface a Turla compromise that has passed the perimeter.
- Assume Multiple Footholds: Turla's documented redundant persistence strategy means that finding one implant never means finding all of them. Any confirmed Turla indicator in an environment should trigger a full threat hunt for all known Turla persistence mechanisms simultaneously — scheduled tasks impersonating system services (TinyTurla/w64time.dll), LNK files in startup folders (Kazuar), DLL sideloading chains (Crutch), transport agent DLLs (LightNeuron), and P2P relay components. Assume the visible implant was the one designed to be found.
- Credential Isolation for High-Value Targets: Operation MEDUSA neutralized the Snake network but warned explicitly that Turla could re-access previously compromised machines using stolen credentials. After a confirmed Turla incident, assume all credentials used on affected machines are compromised and conduct a full credential rotation — including service accounts, administrative credentials, and any SSO or federation tokens that authenticated through affected systems. Implement phishing-resistant MFA (hardware security keys) on all privileged accounts as a baseline measure.
- Monitor for Expired Domain Re-registration: Turla's Andromeda botnet campaign demonstrated the group's practice of registering expired C2 domains of other malware to gain access to pre-existing infections. Organizations with legacy malware infections that were not fully remediated — even commodity malware like Andromeda — may have Turla-accessible C2 paths that were never closed. Audit threat intelligence for any historical malware infections in the environment, verify they are fully remediated, and monitor for DNS lookups to any domains associated with those infections.
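As an added example (not code from the page or any vendor), the following Python implements the server-originated cloud-service rule from the Cloud Service C2 Detection item over constructed log records; the log format, domain patterns, service-account naming convention and allowlist are all assumptions.

```python
# Added example: flag cloud-service API calls from server-class assets or non-user
# contexts. Log format, domain patterns, account naming and allowlist are assumed.
import re

# Services the page names as Turla C2 channels; the domain patterns are assumptions.
CLOUD_SERVICES = {
    "gmail": re.compile(r"(^|\.)(mail\.google\.com|gmail\.com|googleapis\.com)$"),
    "dropbox": re.compile(r"(^|\.)dropbox(api)?\.com$"),
    "pastebin": re.compile(r"(^|\.)pastebin\.com$"),
}
# Assumed convention: svc_* accounts and built-in identities are non-user contexts.
NON_USER_ACCOUNT = re.compile(r"^(svc_.*|SYSTEM|NETWORK_SERVICE)$", re.IGNORECASE)
# (process, service) pairs the organization has documented as legitimate use.
ALLOWLIST = {("backupagent.exe", "dropbox")}
# Assumed flattened proxy/EDR record: ts host asset_class user process dest_host
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<asset>server|workstation) "
                    r"(?P<user>\S+) (?P<process>\S+) (?P<dest>\S+)$")

def classify_service(dest):
    """Return the cloud service name for a destination host, or None."""
    for name, pattern in CLOUD_SERVICES.items():
        if pattern.search(dest.lower()):
            return name
    return None

def detect(lines):
    """Return one alert dict per record that matches the server/non-user rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable record; a real pipeline should count these
        service = classify_service(m["dest"])
        if service is None or (m["process"].lower(), service) in ALLOWLIST:
            continue
        reasons = [why for hit, why in ((m["asset"] == "server", "server-class asset"),
                                        (NON_USER_ACCOUNT.match(m["user"]), "non-user context")) if hit]
        if reasons:  # user-context workstation traffic is normal and is not flagged
            alerts.append({"ts": m["ts"], "host": m["host"], "process": m["process"],
                           "service": service, "reason": "; ".join(reasons)})
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z ws-042 workstation jdoe chrome.exe www.dropbox.com",
    "2024-03-01T10:00:05Z srv-mail-01 server SYSTEM w3wp.exe mail.google.com",
    "2024-03-01T10:00:09Z srv-file-02 server svc_backup backupagent.exe api.dropboxapi.com",
    "2024-03-01T10:00:12Z srv-file-02 server svc_backup updater.exe api.dropboxapi.com",
    "2024-03-01T10:00:20Z srv-app-03 server jsmith powershell.exe pastebin.com",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts: the Gmail call from the mail server's SYSTEM context, the non-allowlisted Dropbox call from a service account, and the user-context Pastebin call that is flagged only because it originates from a server.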
Turla's Iranian APT34 infrastructure hijack is one of the most consequential documented events in cyber threat intelligence history — not because of its specific target outcomes, but because of what it revealed about Turla's operational philosophy. This is a group willing and able to compromise another nation-state's offensive cyber infrastructure, exploit the access that actor has already established, exfiltrate its intelligence, and then operate through its foothold against that actor's existing victims. It simultaneously expands Turla's reach, complicates attribution for forensic investigators, and provides Russian intelligence with insight into Iranian operations — a trifecta of intelligence gain at zero additional operational risk. The 2025 Gamaredon cooperation extends this philosophy domestically: use another FSB team's broad access to screen for the specific targets worth Turla's investment.
After 30 years of operation through multiple public exposures, CISA advisories, FBI disruption operations, and industry disclosure, Turla continues adapting. Operation MEDUSA was described as neutralizing Snake — not Turla. The group's breadth of tooling, its satellite C2 techniques, its cloud service abuse, and its infrastructure hijacking capabilities exist entirely independent of the Snake network. Turla's next chapter is already underway.
Sources & Further Reading
Attribution and references used to build this profile.
- U.S. Department of Justice — Operation MEDUSA Announcement (May 2023)
- MITRE ATT&CK — Group G0010: Turla
- Palo Alto Unit 42 — Threat Group Assessment: Turla (Pensive Ursa)
- Recorded Future / Insikt Group — Swallowing the Snake's Tail: Tracking Turla Infrastructure
- Trend Micro — Examining the Activities of the Turla APT Group (2023)
- Malpedia — Turla Actor Profile (full malware family catalog)
- GovInfoSecurity — Turla and Gamaredon Joint Ukraine Operations (ESET, 2025)
- Microsoft Threat Intelligence — Secret Blizzard Compromising Storm-0156 Infrastructure for Espionage (December 2024)
- Lumen Black Lotus Labs — Secret Blizzard: A Two-Year Threat Campaign Exposed (December 2024)
- Microsoft Threat Intelligence — Frozen in Transit: Secret Blizzard's AiTM Campaign Against Diplomats (July 2025)