Wednesday, April 9, 2025
HomeMalwareTrula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government...

Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Published on

SIEM as a Service

Follow Us on Google News

Trula, a sophisticated hacking group also known as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets government entities, military, energy, and nuclear research organizations.

The group knows for conducting various spear-phishing techniques and watering-hole attacks to infect targeted victims. The group knows to be active since at least 2014.

Accenture threat researchers identified the group typical targeting European government organizations using their custom tools, albeit with some updates.

- Advertisement - Google News

Trula Group Attack

In the attack against European government organization, Trula used a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.

The RPC backdoors are developed by Trula based on the relying RPC protocol, by using these backdoors they can perform lateral movement and take control of other machines in the local network without relying on the C&C server.

Accenture Cyber Threat Intelligence researchers identified that one of the RPC backdoors used HyperStack functionality.

“HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials.”

Also, another version of HyperStack observed in this campaign that allows Trula operators to run a command via a named pipe from the controller without implementing IPC$ enumeration activity.

For C&C communication as like other cyber-espionage groups, Trula uses legitimate web services. In the case of the Carbon modular backdoor framework Pastebin used for C&C.

Kazuar uses to connect with the target C2 network that resides outside of the victim network, the C2 network is probably a compromised legitimate website.

Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft April 2025 Patch Tuesday: Fixing 121 Vulnerabilities, Including a Critical Zero-Day

Microsoft has rolled out its April 2025 Patch Tuesday update, addressing 121 security vulnerabilities...

Hackers Conceal NFC Carders Behind Apple Pay and Google Wallet

In a disturbing evolution of financial fraud, cybercriminals are leveraging advanced techniques to exploit...

Shopware Security Plugin Vulnerability Enables SQL Injection Attacks

A recently disclosed SQL injection vulnerability in older versions of the Shopware platform has...

Attackers Exploit SourceForge Platform to Distribute Malware

A recent malware distribution scheme has been uncovered on SourceForge, the popular software hosting...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Attackers Exploit SourceForge Platform to Distribute Malware

A recent malware distribution scheme has been uncovered on SourceForge, the popular software hosting...

Vidar Stealer Uses New Deception Technique to Hijack Browser Cookies and Stored Credentials

Vidar Stealer a notorious information-stealing malware has adopted a deceptive method to disguise itself...

Threat Actors Use VPS Hosting Providers to Deliver Malware and Evade Detection

Cybercriminals are intensifying phishing campaigns to spread the Grandoreiro banking trojan, targeting users primarily...