https://www.epicturla.com/blog daily 0.75 2024-01-19 https://www.epicturla.com/blog/acidbox-clustering monthly 0.5 2023-10-19 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1593451779646-NZOR6FC6HOV66C7THO7X/Clustering+Tweets.png Epic Turla - ACIDBOX Clustering https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1593217025996-QJ5ULFW0B08R7G3AW774/ACIDBOX+and+Turla+Nautilus.png Epic Turla - ACIDBOX Clustering ACIDBOX (left) and Turla Nautilus Payload (right) https://www.epicturla.com/blog/sysinturla monthly 0.5 2020-06-11 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1590623038406-4669O43O6KB0O1JZGN52/original+debugview.png Epic Turla - SysInTURLA https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1590623038547-P6ZQMCG95QWGQ9MD78IV/fake+debug+view.png Epic Turla - SysInTURLA https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1589269502461-AFJPUP10UNEP986IBRWN/cassowary.jpg Epic Turla - SysInTURLA Cassowary – ‘The World’s Most Dangerous Bird’ https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1590621303570-11481PP486EWWHFGUGA3/hiew_candy.png Epic Turla - SysInTURLA PE Version Info for 2019 Kazuar (1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c) https://www.epicturla.com/blog/the-lost-nazar monthly 0.5 2020-08-28 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1587579509855-FA1F6KUCMUQR328GUIVR/eyservice%2Bswitch%2Bpseudocode.jpg Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1587579690833-49442Y1379PNMX3O6DQE/eyservice+switch+full.png Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1584775226491-PJ4WD0I9MMC3AT09LNVU/Community+Comment.png Epic Turla - Nazar: A Lost Amulet Automated community comment with the misleading detection https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1587579259623-3BNWVOKBV9I86I81R3E3/drv_list_microOLAPpacketSniffer.png Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1583008527796-JUX0DRMQD74JRRFUAZRP/farsi+resources.png Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1583009835814-4Y829IDDOKBL48FJPNFX/Screen+Shot+2020-02-29+at+3.56.21+PM.png Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1583784920290-N0PSMBEG1OYZX0P5ZSZ4/248px-WPVA-khamsa.svg.png Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1583785312004-UZD671ROSDXRW1808957/Nazar-Amulet-Nazar-Amulet-Popular-Belief-Free-Imag-2745.jpg Epic Turla - Nazar: A Lost Amulet https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1584665067104-E0GHILH0VUY6E90ETC08/nazar+dropper.png Epic Turla - Nazar: A Lost Amulet Nazar component structure https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1583007807542-4JNJFYBET0IJVAPLMGIP/godown+sig.png Epic Turla - Nazar: A Lost Amulet SIG37 function from ‘sigs.py’ https://www.epicturla.com/blog/kicking-off monthly 0.5 2024-01-19 https://www.epicturla.com/blog/category/Research monthly 0.5 https://www.epicturla.com/blog/category/Blurb monthly 0.5 https://www.epicturla.com/about daily 0.75 2025-12-16 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/fcdd6f94-c142-43d9-84f2-0aa95bc7a5e2/Binding+Hook+Live+1.jpg https://www.epicturla.com/recommended-material daily 0.75 2024-10-11 https://www.epicturla.com/podcasts daily 0.75 2021-11-15 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/08be3e95-25a0-4814-b08a-0044f2dcd329/go-time-original.png Podcasts - Make it stand out Go Time: Reverse engineering Go malware https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621545506880-45RD727FE2FFFF0AG679/hackchat.png Podcasts HackChat with Marco Figueroa https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621545024054-FWZQBCQOL90VO41ALW2K/el_metodo.jpeg Podcasts El Metodo (Spanish) https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621547046761-HICQP1UH23E5ISE0JQYJ/glasshouse2.png Podcasts GlassHouse OpenCall: CyberPower https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621544590964-NL512RZ1G7VZ5X9YYYXG/SecurityConversations.jpg Podcasts Security Conversations with Ryan Naraine https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621546963436-Q1UTQP6UCIVYUQNFNKCF/GlassHouse1.jpg Podcasts - Make it stand out GlassHouse OpenCall: Cyber Espionage Targeting Security Researchers https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621547195111-03IP6RXY9ZTFIX8EP9QH/hague.jpg Podcasts - Make it stand out The Hague Program of Cyber Norms: Threat intel and cyber research – a troubled relationship? https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621547178785-XY07TFS4KE1JPZV4TT24/juan-andres.jpg Podcasts Threatpost on Ethics and Perils of APT Research https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1632415648074-NL296AAZLO07SUOHGV5X/ForcepointPt1.jpg Podcasts ForcePoint Podcast: Roided-Out Sitting Duck, Part 1 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1632416341853-Z6D15F15P66WIRAGS1G5/image-asset.png Podcasts - Make it stand out GlassHouse Open Call: 06.18.2021 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1621544761895-25Z841CE0FT9OI5R1OXP/cyberwire.jpg Podcasts CyberWire on GOSSIPGIRL https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/09e04bd3-5048-4bed-9d19-daf372302106/glasshouse.jpg Podcasts - Make it stand out GlassHouse Open Call: 10.22.2021 – Dmitry Alperovitch and the Gang https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/e459a659-825b-46d1-b689-bdb921d69758/RoidedOutPt2.png Podcasts - Make it stand out ForcePoint Podcast: Roided-Out Sitting Duck, Part 2 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1632416600419-UVNRJ1YZYM2V1PCZUS74/hultquist.png Podcasts - Make it stand out GlassHouse Open Call: 07.16.2021 – The One Where Hultquist Shows Up https://www.epicturla.com/previous-works daily 1.0 2023-03-13 https://www.epicturla.com/previous-works/hackerhunter-olympic-destroyer monthly 0.5 2020-11-14 https://www.epicturla.com/previous-works/vb2019 monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579067940940-ZFO9L6AVRY6J2F6NDU77/kingOfTheHill.png Talks, Blogs, and Publications - VB2019: King of the Hill - Read the Paper A study of techniques mature cyber threat actors use to deconflict their targeting as witnessed in operations in-the-wild. https://www.epicturla.com/previous-works/vb2015-the-ethics-and-perils-of-apt-research monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579060994080-Y2Z5DC8AJJEO55095A2P/VB2015.jpg Talks, Blogs, and Publications - VB2015: The Ethics and Perils of APT Research - Read the Paper A discussion of the private sector’s transition from analyzing criminal malware to witnessing nation-state espionage operations –effectively embracing intelligence brokerage in all of its complexity. The organic development of a contentious nascent space resulted in misaligned incentives, half-baked production processes, and predictable validation crises playing out in front of our eyes to this day. https://www.epicturla.com/previous-works/hitb2020-voltron-sta monthly 0.5 2021-02-03 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1612461293580-QJJW1K3JJINXM6CEPHMX/voltron.png Talks, Blogs, and Publications - HITB2020: Voltron STA - The Work of Cyber in the Age of Mechanical Reproduction This talk covers the interesting case of ‘0xFancyFilter’, an amalgam between what could be referred to as Regin 1.5 and Equation Group’s MISTYVEAL. This rare piece of malware is the only documented instance of code overlap between the Regin and Equation Group frameworks and is used to illustrate the difference between stating a relationship between threat actors from public documents vs. being able to show that relationship based on technical findings. The rare –but not at all surprising– collaboration is dubbed the Voltron Supra Threat Actor (STA) as suggested early on by a friendly researcher. https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1612384362115-BR02FRF1ZMP52II2WQOS/fvey.jpeg Talks, Blogs, and Publications - HITB2020: Voltron STA - Technical Indicators In lieu of a proper write up, the following hashes should help replicate the work by any interested researchers. All samples discussed are available on VirusTotal :) 0xFancyFilter or Regin 1.5 (‘htmlfiltxx64.dll’ or ‘Microsoft\Internet Explorer\iesrch32.dat’) cd3ee807e349abae65d93e421176f302528b739e9e1d77a6ce4e57caeec91b4e Older 0xFF samples (‘httpfilt.dll’, ‘htmlfilt.dll’) 369145c6f366f25a4e8878ad1ffec73d680cdc2da4380b221d1d7cdf3a90c930 ef35705696d78cc9f4de6adad2cbe5ed22fd50da0ce4180c1d47cf0536aebc87 df4bc387181ffaabe0be39e66ef5eb838ed638e0ae2b82e9a7daa83647e38bb1 Old EQGRP ‘nethdlr’ (MISTYVEAL) for comparison d8bab0b79bafec3a41db0dd4ae1703c2ab55de5af261e1881d62bde0d9033690 Regin’s Hopscotch with shared RC4 implementation d83428779b0c0ebfa08c6b50f34e0f1ae7812eeb9ed78b86610517d8208b6cb3 YARA A broad YARA rule focused on 0xFF features is available HERE https://www.epicturla.com/previous-works/blackhat-22-modified-elephant monthly 0.5 2023-03-13 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/98aa9c0f-55b6-4f96-8044-07059eedd87b/ModifiedElephantReport.png https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/f85b23f0-89ae-4207-a0fb-d6bdc820a98b/wired_andy_greenberg_modified_elephant.png https://www.epicturla.com/previous-works/project-four-l3zw3-c8tjk monthly 0.5 2022-05-31 https://images.squarespace-cdn.com/content/v1/5ec321c2af33de48734cc929/1589847904251-HVHUK3T1H2QCY05DRHU3/image-asset.jpeg https://images.squarespace-cdn.com/content/v1/5ec321c2af33de48734cc929/1589847904480-AXE2TZ6WH1YWOYJELYQQ/image-asset.jpeg https://images.squarespace-cdn.com/content/v1/5ec321c2af33de48734cc929/1589847904674-UXDT58LZUDAEN1C4LIKQ/image-asset.jpeg https://www.epicturla.com/previous-works/vb2018 monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579067426058-3H3OTAK1V8ARYVOCPUJ6/drawme.png Talks, Blogs, and Publications - VB2018: Draw Me Like One of Your French APTs - Read the Paper A highfalutin attempt to broaden our descriptive language for cyber threat actors and propose a behavioral profiling approach towards understanding their shifting compositions. https://www.epicturla.com/previous-works/enemys-shadow monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579066426627-DU4AK4WRDIBDZO7ZMX8S/Screen+Shot+2020-01-14+at+9.26.01+PM.png Talks, Blogs, and Publications - VB2017: Walking in Your Enemy's Shadow - Read the Paper A prescient discussion of complex dynamics that occur when APT’s hack APT’s to piggyback on their intelligence collection –referred to as ‘Fourth-Party Collection’. https://www.epicturla.com/previous-works/cylab-distinguished-seminar-spies-counterspies-and-the-missing-validators monthly 0.5 2020-01-18 https://www.epicturla.com/previous-works/sas2019-who-is-gg monthly 0.5 2020-02-11 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579069221242-V71N8PU5O16AHFBR9VY6/duqu15.png Talks, Blogs, and Publications - SAS2019: Who is GG? https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579071881376-5GEBFTS8GHV4FGXZF0SG/Screen+Shot+2020-01-14+at+11.04.31+PM.png Talks, Blogs, and Publications - SAS2019: Who is GG? https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579069138289-QZM0XS65ERFF22XIBELG/stuxshop.jpg Talks, Blogs, and Publications - SAS2019: Who is GG? https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579072327774-IANPE90UH2YVUJWIWZ4E/Screen+Shot+2020-01-14+at+11.11.55+PM.png Talks, Blogs, and Publications - SAS2019: Who is GG? https://www.epicturla.com/previous-works/sas2016-penquins-moonlit-maze monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579064047464-ALMO529S7CRS9O4I3LQP/penquins_moonlit_maze_03-1.jpg Talks, Blogs, and Publications - SAS2017: Penquin's Moonlit Maze - An Unlikely Discovery Thomas Rid’s contact with David Hedges, the administrator for ‘HRTEST’ –a company server compromised by state-sponsored hackers in the late ‘90s– enabled a modern day reconstruction of the infamous Moonlight Maze attacks against U.S. government, military, and university research networks. https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579064465288-34NHD4DJFJPMLIKQTJMH/hrtest%252Bspy%252Bmuseum.jpg Talks, Blogs, and Publications - SAS2017: Penquin's Moonlit Maze - A Piece of History ‘HRTEST’ is now a permanent part of the International Spy Museum’s cyber espionage exhibit. https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579065253194-HHH475C7UILQBHNWQORU/Screen+Shot+2020-01-14+at+9.13.52+PM.png Talks, Blogs, and Publications - SAS2017: Penquin's Moonlit Maze https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579065467227-KJFB8L8XXAJPJHT1TN55/Securelist.p+g Talks, Blogs, and Publications - SAS2017: Penquin's Moonlit Maze https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579065556006-C74B55EPK3XHBW173MW4/AppendixB.png Talks, Blogs, and Publications - SAS2017: Penquin's Moonlit Maze https://www.epicturla.com/previous-works/false-flags monthly 0.5 2020-01-18 https://images.squarespace-cdn.com/content/v1/5de22a19dcb2647c7904699e/1579062464749-16H9FGJDTDMI1X11J9DG/vb2016 Talks, Blogs, and Publications - VB2016: Wave Your False Flags - Read the Paper A timely discussion of the artifacts used to cobble together attribution and the ways in which threat actors are manipulating those indicators to throw us off their trail. The paper was written months before the ‘summer of Sofacy’ and provides an adequate conceptual framework to discuss realistic partial false flag operations. https://www.epicturla.com/previous-works/unsolved-mysteries-revisiting-the-apt-cold-case-files monthly 0.5 2020-01-18 https://www.epicturla.com/previous-works/vb2015-closing-keynote-guest-spot monthly 0.5 2020-06-28