article featured image


Turla Russian espionage group delivers KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Cyber researchers track the operation as UNC4210.

Turla is also known as Iron Hunter, Krypton, Uroburos, Venomous Bear, or Waterbug and is thought to be sponsored by the Russian state. The malicious group`s principal targets are governmental, diplomatic, and military institutions. It has been connected to a number of credential phishing and reconnaissance operations targeted at organizations in Ukraine since Russia’s military invasion.

Cyber researchers say it is unusual for hacking groups to target victims of other malware campaigns to launch their own attacks on and warn that:

As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims.


The Timeline of the Discovered Attack

December 2021 – an infected USB stick is inserted at a Ukrainian organization`s endpoint and a legacy ANDROMEDA artifact is deployed, after a malicious link (.LNK) file disguised as a folder within the USB drive is double-clicked.

January 19th, 2022 – one of ANDROMEDA`s C2 domains was discovered to be freshly re-registered. The domain was used by UNC4210 to outline interesting potential victims

September 6th, 2022 – UNC4210 downloads and deploys KOPILUWAK, a JavaScript-based reconnaissance tool, to the victim machine. The tool is used for streamlining C2 conversations and victim profiling.

September 8th, 2022 – On the final phase of the attack, threat actors downloaded the QUIETCANARY .NET backdoor on the victim and used it for data exfiltration of files that were created after January 1, 2021.


Russian State-Sponsored Threat Groups Extremely Active

Another series of Russian adversary groups` attacks on public institutions was recently reported by cyber researchers. At the beginning of 2022, COLDRIVER launched cyberattacks on three nuclear research labs in the U.S.

Threat actors attempted to trick nuclear scientists into revealing their passwords, by spoofing login pages for Brookhaven, Argonne, and Lawrence Livermore National Labs.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *