Wednesday, May 7, 2025
HomeCyber AttackTinyTurla Evolved TTPs To Stealthly Attack Enterprise Organizations

TinyTurla Evolved TTPs To Stealthly Attack Enterprise Organizations

Published on

SIEM as a Service

Follow Us on Google News

Staying ahead of security measures and exploiting new vulnerabilities requires hackers to change their tactics.

By doing so, they manage to bypass better defenses, maximize success rates, and keep on with their illegal activities. 

The adaptation of techniques by hackers enables them to continue compromising systems by targeting emerging technologies and adjusting to changes in the digital landscape, which ensures the persistence of their relevance and effectiveness.

- Advertisement - Google News

Cybersecurity researchers at Cisco Talos recently discovered that TinyTurla evolved their TTPs to stealthily attack enterprise organizations.

TinyTurla Evolved Their TTPs

Cisco Talo in coordination with CERT.NGO has uncovered new details on the entire kill chain used by the Russian espionage group Turla in an ongoing campaign deploying their TinyTurla-NG (TTNG) implant.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

The analysis reveals Turla compromised multiple systems within a European NGO’s network, establishing persistence, disabling anti-virus protections, and using Chisel for data exfiltration and lateral movement to other accessible hosts after the initial breach. 

The updated findings provide insights into the tactics, techniques, and procedures employed by this threat actor to steal sensitive information and propagate through infected enterprises.

Turla, a threat group, employs advanced tactics. It configures anti-virus exclusions before deploying the TinyTurla-NG backdoor.

Post-deployment establishes persistence via malicious service. Turla adds exclusions in anti-virus software like Microsoft Defender at locations hosting implants. 

Batch file contents (Source – Cisco Talos)

It uses batch files creating “sdm” service masquerading as “System Device Manager” for TinyTurla-NG persistence, mirroring 2021 TinyTurla technique. The dual batch file usage seems unnecessarily convoluted for evasion.

Chisel uses asymmetric encryption in an attacker-controlled system to set up a reverse proxy tunnel.

Attackers leverage this initial chisel connection to pivot laterally via WinRM remote sessions, likely facilitated by proxy chains and evil-winrm. 

Turla tactics, tools and procedures flow (Source – Cisco Talos)

On newly compromised systems, they repeat the cycle – configuring Microsoft Defender exclusions, dropping malware components, and establishing persistence. This adheres to Turla’s methodical cyber kill chain playbook.

Cyber kill chain (Source – Cisco Talos)

Traffic analysis showed Chisel beaconed its C2 server hourly. Though systems were compromised in October 2023 and Chisel deployed by December 2023, Turla operators primarily exfiltrated data over the Chisel C2 channel much later on January 12, 2024.

IOCS

Hashes

  • 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
  • d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40
  • ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc
  • 13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346
  • b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044 

Domains

  • hanagram[.]jpthefinetreats[.]com
  • caduff-sa[.]chjeepcarlease[.]com
  • buy-new-car[.]com
  • carleasingguru[.]com

IP Addresses

  • 91[.]193[.]18[.]120

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...