Clipeus

Russian Espionage and US-Led Botnet Disruption


On February 15, 2024, Cisco Talos released a report detailing the features of a newly identified backdoor attributed to the Russia-nexus Turla Group. According to Talos' assessment, the backdoor appears to be a "small" implant with coding similarities to the TinyTurla backdoor, hence the name "TinyTurla-NG" assigned to the new one.


The backdoor has been observed in events targeting a Polish non-governmental organization from at least late 2023 through late January 2024. It is believed this backdoor constitutes a residual tooling option for the Turla Group; the trojan was possibly deployed after other, more complex malware became detectable by major security solutions.


  • The backdoor presents itself as a service dynamic link library (DLL) that is started via svchost.exe and leverages PowerShell and the command prompt to execute arbitrary commands on the victim's host.

  • The backdoor prevents the host from logging PowerShell activity, thus attempting to reduce the attack footprint.

  • Persistence is created by manipulating the Windows registry and file system through a batch script, ensuring the malicious DLL continues to run even after system reboots or user logouts.

  • The backdoor filters out files believed to be either uninteresting or too large to exfiltrate, such as MP4 files. Targeted files are added to a ZIP archive and exfiltrated to the C2.
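The bullets above give a defender three things to look for on a Windows host: an unexpected service DLL hosted by svchost.exe, PowerShell logging that has been switched off, and a batch-script-based persistence entry. The following PowerShell audit is an added example written for this page; it is not code from Clipeus or from the Talos report, and it does not reproduce the implant's own registry paths or file names (the post does not list them). It relies only on standard Windows locations: the per-service ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services, the PowerShell policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and the Run/RunOnce autostart keys. The selection thresholds (unsigned DLL, DLL outside the Windows directory, autostart entry that launches a .bat or .cmd file) are assumptions chosen for triage, not indicators taken from the report.

```powershell
# Added example, not from the original post: defender-side audit of the three behaviours
# described above. Run in an elevated PowerShell session on the host being checked.

# 1. Service DLLs loaded by svchost.exe. Flags DLLs that are unsigned, missing,
#    or located outside %SystemRoot% (thresholds are assumptions for triage).
function Get-SvchostServiceDll {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = $_
            $img = (Get-ItemProperty -Path $svc.PSPath -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
            if (-not $img -or $img -notmatch 'svchost\.exe') { return }

            $param = Get-ItemProperty -Path ($svc.PSPath + '\Parameters') -Name 'ServiceDll' -ErrorAction SilentlyContinue
            if (-not $param) { return }

            $dll = [Environment]::ExpandEnvironmentVariables($param.ServiceDll)
            $sig = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else { 'FileMissing' }

            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $dll
                Signature  = $sig
                InWindows  = $dll -like "$env:SystemRoot\*"
                Suspicious = ($sig -ne 'Valid') -or ($dll -notlike "$env:SystemRoot\*")
            }
        }
}

# 2. PowerShell logging policy. A host where all three are off cannot record
#    what a PowerShell-driven implant executes, which is the gap the backdoor
#    is described as creating.
function Get-PowerShellLoggingState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path "$base\ModuleLogging"      -Name 'EnableModuleLogging'      -ErrorAction SilentlyContinue
    $trn = Get-ItemProperty -Path "$base\Transcription"      -Name 'EnableTranscripting'      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        ModuleLogging      = [bool]$mod.EnableModuleLogging
        Transcription      = [bool]$trn.EnableTranscripting
    }
}

# 3. Autostart entries that launch a batch script. The post says persistence is
#    set through a batch script touching the registry; which key it writes is not
#    given, so this is a generic sweep of the common Run/RunOnce locations.
function Get-BatchAutostart {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # skip provider metadata
            if ($p.Value -match '\.(bat|cmd)(\b|"|$)') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Report
Write-Host '== svchost-hosted service DLLs flagged for review =='
Get-SvchostServiceDll | Where-Object Suspicious | Format-Table -AutoSize

Write-Host '== PowerShell logging policy (all false means no PowerShell audit trail) =='
Get-PowerShellLoggingState | Format-List

Write-Host '== Run/RunOnce entries launching batch scripts =='
Get-BatchAutostart | Format-Table -AutoSize
```

Each function returns objects rather than printing, so the results can be piped into an EDR export or compared against a known-good baseline from a clean build. On a healthy enterprise image the first list is usually empty and the logging policy shows at least ScriptBlockLogging enabled; a freshly disabled policy or a new unsigned ServiceDll is what to escalate.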


While Russian state-sponsored cyber threats impact Europe, on the other shore of the Atlantic a US law enforcement operation dismantled a network of Russia-controlled devices with capabilities to carry out espionage and other nefarious activities. On February 15, 2024, the US Department of Justice announced that, in January 2024, law enforcement had neutralized a Russia-attributed botnet consisting of compromised Ubiquiti Edge OS routers. According to the press release, the Russian actor did not set up the botnet but rather acquired control of a network of devices compromised via Moobot, a Mirai variant.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
