HyperStack

Malware Profile Updated 3 months ago
HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since at least 2004. The malware exploits systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

HyperStack creates a service for persistence and communicates over RPC with other infected machines within a compromised environment. The malware exhibits several similarities with Pensive Ursa’s Carbon backdoor, such as the encryption scheme, configuration file format, and logging convention. These resemblances suggest that updates to HyperStack found in September 2020 were inspired by Turla's other malware operations, potentially as a response to remediation activity taken by the victim.

In addition to HyperStack, prevention and detection alerts have been raised for other malware types in Pensive Ursa's arsenal including Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, and TinyTurla. To mitigate the threat of HyperStack, alongside Carbon and Kazuar, ACTI recommends checking network logs for indicators related to these backdoors. Alerts for HyperStack execution prevention and service creation for persistence have been displayed in Cortex XDR in detect mode. As HyperStack continues to evolve and pose significant threats, ongoing vigilance, robust cybersecurity measures, and regular system checks are crucial for preventing potential breaches and minimizing damage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| ComRAT | 1 | ComRAT, also known as Agent.BTZ, is a potent malware that has evolved over the years to become a significant threat in the cybersecurity landscape. Developed using C++ and employing a virtual FAT16 file system, ComRAT is often used to exfiltrate sensitive documents. The malware is a remote access tr |
| Snake | 1 | Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Implant
Encryption
Windows
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Kazuar | Unspecified | 2 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar |
| Capibar | Unspecified | 1 | Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib |
| Crutch | Unspecified | 1 | Crutch is a sophisticated malware attributed to the Turla group, first discovered by ESET researchers in December 2020. It's considered a second-stage backdoor, achieving persistence through DLL hijacking. One notable feature of Crutch v4 is its ability to automatically upload files found on local a |
| KOPILUWAK | Unspecified | 1 | KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX |
| Uroburos | Unspecified | 1 | Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen |
| TinyTurla | Unspecified | 1 | TinyTurla is a sophisticated malware linked to the Russia-sponsored threat actor, Turla APT. This malicious software has been utilized in a targeted campaign against Polish Non-Governmental Organizations (NGOs), particularly those with connections to supporting Ukraine. TinyTurla operates as a backd |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Turla | Unspecified | 2 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat |
| Pensive Ursa | Unspecified | 1 | Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti |
| Pensive | Unspecified | 1 | Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen |
| Turla’s | Unspecified | 1 | None |
Associated Vulnerabilities
No associations to display
Source Document References
Information about the HyperStack Malware was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| Unit42 | 10 months ago | Threat Group Assessment: Turla (aka Pensive Ursa) |
| MITRE | a year ago | Turla/Belugasturgeon Compromises Government \| Accenture |