Examining the Activities of the Turla APT Group
===============================================

*Attacks using Capibar and Kazuar - July, 2023*
-----------------------------------------------

SHA256
------

1c97f92a144ac17e35c0e40dc89e12211ef5a7d5eb8db57ab093987ae6f3b9dc
5cf64f37fac74dc8f3dcb58831c3f2ce2b3cf522db448b40acdab254dd46cb3e
07f9b090172535089eb62a175e5deaf95853fdfd4bcabf099619c60057d38c57
bd7dbaf91ba162b6623292ebcdd2768c5d87e518240fe8ca200a81e9c7f01d76
1c1bb64e38c3fbe1a8f0dcb94ded96b332296bcbf839de438a4838fb43b20af3
01c5778be73c10c167fae6d7970c0be23a29af1873d743419b1803c035d92ef7
ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
aaf7642f0cab75240ec65bc052a0a602366740b31754156b3a0c44dccec9bebe
d4d7c12bdb66d40ad58c211dc6dd53a7494e03f9883336fa5464f0947530709f
19b7ddd3b06794abe593bf533d88319711ca15bb0a08901b4ab7e52aab015452
4ef8db0ca305aaab9e2471b198168021c531862cb4319098302026b1cfa89947
64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a
5e122ff3066b6ef2a89295df925431c151f1713708c99772687a30c3204064bd
91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233
b8ee794b04b69a1ee8687daabfe4f912368a500610a099e3072b03eeb66077f8
8168dc0baea6a74120fbabea261e83377697cb5f9726a2514f38ed04b46c56c8

Network
-------

hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-plugins.php
hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-config-themes.php
hXXps://www.adelaida[.]ua/plugins/vmsearch/wp-file-script.js
hXXps://atomydoc[.]kg/src/open_center/
hXXps://atomydoc[.]kg/src/open_center/?page=ccl
hXXps://atomydoc[.]kg/src/open_center/?page=fst
hXXps://atomydoc[.]kg/src/open_center/?page=snd
hXXps://atomydoc[.]kg/src/open_center/?page=trd
hXXps://aleimportadora[.]net/images/slides_logo/
hXXps://aleimportadora[.]net/images/slides_logo/?page=
hXXps://aleimportadora[.]net/images/slides_logo/fg/message
hXXps://aleimportadora[.]net/images/slides_logo/fg/music
hXXps://aleimportadora[.]net/images/slides_logo/fg/video
hXXps://aleimportadora[.]net/images/slides_logo/index.php
hXXps://octoberoctopus.co[.]za/wp-includes/sitemaps/web/
hXXps://sansaispa[.]com/wp-includes/images/gallery/
hXXps://www.pierreagencement[.]fr/wp-content/languages/index.php
hXXps://mail.aet.in[.]ua/outlook/api/logon.aspx
hXXps://mail.kzp[.]bg/outlook/api/logon.aspx
hXXps://mail.numina[.]md/owa/scripts/logon.aspx (CAPIBAR C2URL)
hXXps://mail.aet.in[.]ua/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.arlingtonhousing[.]us/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.kzp[.]bg/outlook/api/logoff.aspx (CAPIBAR C2URL)
hXXps://mail.lechateaudelatour[.]fr/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC (CAPIBAR C2URL)
hXXps://mail.lebsack[.]de/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC (CAPIBAR C2URL)

*Turla (AKA PENSIVE URSA) - September, 2023*
--------------------------------------------

SHA1
----

902b27a5fd2e5f17e5340e350afa037549ce9faa
02c37ccdfccfe03560a4bf069f46e8ae3a5d2348
b627963a9bac33fa6e3de0f9469b2fa5ecdef6ae
36bba4d26ecf02623a51c6241133c4290551e27f
d117643019d665a29ce8a7b812268fb8d3e5aadb
6239b4d374539c940cffa698e0993d199918a2fc
7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
a4aff23b9a58b598524a71f09aa67994083a9c83
c30af6fa5df14e1ba9355b60a9214937f6f18990
ca16a95cd38707bad2dc524bb3086b3c0cb3e372