Malware Profile Updated 25 days ago
Download STIX
Preview STIX
HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since at least 2004. The malware exploits systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. HyperStack creates a service for persistence and communicates over RPC with other infected machines within a compromised environment. The malware exhibits several similarities with Pensive Ursa’s Carbon backdoor, such as the encryption scheme, configuration file format, and logging convention. These resemblances suggest that updates to HyperStack found in September 2020 were inspired by Turla's other malware operations, potentially as a response to remediation activity taken by the victim. In addition to HyperStack, prevention and detection alerts have been raised for other malware types in Pensive Ursa's arsenal including Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, and TinyTurla. To mitigate the threat of HyperStack, alongside Carbon and Kazuar, ACTI recommends checking network logs for indicators related to these backdoors. Alerts for HyperStack execution prevention and service creation for persistence have been displayed in Cortex XDR in detect mode. As HyperStack continues to evolve and pose significant threats, ongoing vigilance, robust cybersecurity measures, and regular system checks are crucial for preventing potential breaches and minimizing damage.
What's your take? (Question 1 of 3)
d80ae277-a511-476b-9220-6d3963c7ee82 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the HyperStack Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
a year ago
Turla/Belugasturgeon Compromises Government | Accenture
8 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)