Trusted Design

Carbon Paper: Peering into Turlas second stage backdoor

概要

The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past. This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.

Created: 2026-02-23

Indicators

• FileHash-SHA1 - 4636dccac5acf1d95a474747bb7bcd9b1a506cc3 -
• FileHash-SHA1 - 311f399c299741e80db8bec65bbf4b56109eedaf -
• URL - http://www.lasac.eu/credit_payment/url/ -
• YARA - eea6496fb733c41747bab2a3249152a6047ef3b2 -
• YARA - 6ce8d8d04fd4164b4bb2d65bcf3130cf8727b6a5 -
• FileHash-SHA1 - 1ad46547e3dc264f940bf62df455b26e65b0101f -
• FileHash-SHA1 - 56b5627debb93790fdbcc9ecbffc3260adeafbab -
• FileHash-SHA1 - 87d718f2d6e46c53490c6a22de399c13f05336f0 -
• FileHash-SHA1 - 7c43f5df784bf50423620d8f1c96e43d8d9a9b28 -
• FileHash-SHA1 - a08b8371ead1919500a4759c2f46553620d5a9d9 -
• FileHash-SHA1 - fbc43636e3c9378162f3b9712cb6d87bd48ddbd3 -
• FileHash-SHA1 - 554f59c1578f4ee77dbba6a23507401359a59f23 -
• FileHash-SHA1 - a28164de29e51f154be12d163ce5818fceb69233 -
• YARA - d408993e89ae915e098f4add190af396ed424842 -
• FileHash-SHA1 - 1dbfcb9005abb2c83ffa6a3127257a009612798c -
• URL - http://61paris.fr/wp-includes/ms-set.php -
• YARA - 44469d350582f24359e198d9c85587baf9193700 -
• FileHash-SHA1 - 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b -
• FileHash-SHA1 - bcf52240cc7940185ce424224d39564257610340 -
• FileHash-SHA1 - 678d486e21b001deb58353ca0255e3e5678f9614 -
• YARA - 3faae883959bf47d68f12566504090760c8419da -
• FileHash-SHA1 - 1b233af41106d7915f6fa6fd1448b7f070b47eb3 -
• YARA - f9a7abf804ab8a399194b6f17609723f70f30b63 -
• FileHash-SHA256 - 23b45f45be1cab6984df4a772e651aa4c4a08faa011eeef7f4e1345cbaebbd09 -
• FileHash-SHA1 - 744b43d8c0fe8b217acf0494ad992df6d5191ed9 -
• FileHash-SHA1 - 2f7e335e092e04f3f4734b60c5345003d10aa15d -
• URL - http://soheylistore.ir/modules/mod_feed/feed.php -
• FileHash-SHA1 - 20393222d4eb1ba72a6536f7e67e139aadfa47fe -
• FileHash-SHA1 - 851e538357598ed96f0123b47694e25c2d52552b -
• YARA - 4c790578d98d48ae86a3b1ebc9c23e728827c2f5 -
• FileHash-SHA256 - 6842e17f170f7e887e8f1cf9591f371e07522d0bb94aca8349835a8b34eea846 -
• FileHash-SHA1 - 777e2695ae408e1578a16991373144333732c3f6 -
• URL - http://jucheafrica.com/wp-includes/class-wp-edit.php -
• FileHash-SHA1 - 7ce746bb988cb3b7e64f08174bdb02938555ea53 -
• FileHash-SHA1 - 2227fd6fc9d669a9b66c59593533750477669557 -
• URL - http://tazohor.com/wp-includes/feed-rss-comments.php -
• FileHash-SHA1 - cbde204e7641830017bb84b89223131b2126bc46 -
• URL - http://doctorshand.org/wp-content/about/ -

類似Pulses

• Analysis of Project Cobra (2015) (score: 0.54)
• Satellite Turla: APT Command and Control in the Sky (score: 0.53)
• Sphinx Moth: New IOC's on Wild Neutron/Morpho APT (score: 0.50)
• Backdoor.Cadelspy and Backdoor.Remexi (score: 0.50)
• New traces of Hacking Team in the wild (score: 0.49)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る