Pensive

Threat Actor Profile Updated 2 months ago
Download STIX
Preview STIX
Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pensive Ursa was chosen as the main focus for the MITRE ATT&CK evaluation due to its significant activities and arsenal which consistently raised multiple alerts in Cortex XDR, mapping to various MITRE ATT&CK tactics and techniques. During the tracking of Pensive Ursa's evolution, Unit 42 researchers discovered an upgraded variant of Kazuar, indicating the group's ongoing development of sophisticated cyber threats. An incident involving a combination of known Pensive Ursa tools and techniques scored a 91, a very high-risk level, highlighting the potential damage of falling victim to an attack by this group. It's important to note that the term "Pensive" is also associated with a company called Oasis Pensive Abacutors, founded by Gary Bowser in 1985, but this entity has no connection to the threat actor Pensive Ursa. Given the escalating threat posed by Advanced Persistent Threat (APT) groups like Pensive Ursa, it's crucial for organizations of all sizes and industries to prioritize comprehensive security strategies and invest in multilayered security measures. Palo Alto Networks' Cortex XDR and XSIAM customers are provided with protections against Pensive Ursa's arsenal of malware. The potential damage from a Pensive Ursa APT attack can be significant, emphasizing the need for robust cybersecurity defenses.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Turla
2
Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Uroburos
2
Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Espionage
Windows
Encryption
Apt
Mitre
Exploit
Malware
Linux
Payload
Macos
Dropper
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
KazuarUnspecified
2
Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
KOPILUWAKUnspecified
1
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
GazerUnspecified
1
Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong simila
ComRATUnspecified
1
ComRAT, also known as Agent.BTZ, is a potent malware that has evolved over the years to become a significant threat in the cybersecurity landscape. Developed using C++ and employing a virtual FAT16 file system, ComRAT is often used to exfiltrate sensitive documents. The malware is a remote access tr
HyperStackUnspecified
1
HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since
Agent.btzUnspecified
1
Agent.btz, also known as ComRAT v4, is a remote access trojan (RAT) developed using C++ and employing a virtual FAT16 file system. This malicious software was one of the earliest backdoors used by Pensive Ursa, a cyber-espionage group. Notably, the malware is frequently used to exfiltrate sensitive
TinyTurlaUnspecified
1
TinyTurla is a new strain of malware linked to the Russia-sponsored threat actor, Turla APT (Advanced Persistent Threat). This group has been known for its long-running cyber espionage activities, typically targeting non-governmental organizations (NGOs), especially those supporting Ukraine. In this
Snake MalwareUnspecified
1
The infamous Snake malware, a complex and destructive tool utilized by Pensive Ursa, became the target of a significant cybersecurity operation in May 2023. Detailed in a CISA report, the Snake malware was known to infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst t
QUIETCANARYUnspecified
1
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
TopinambourUnspecified
1
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or de
SUNBURSTUnspecified
1
Sunburst is a highly sophisticated malware that infiltrated the SolarWinds Orion platform, an event that came to light in late 2020. The malware was embedded into the system as early as January 2019, evading detection for almost two years. The campaign was attributed to Russia's Foreign Intelligence
TomirisUnspecified
1
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
CapibarUnspecified
1
Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Pensive UrsaUnspecified
2
Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
SnakeUnspecified
1
Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Pensive Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
8 months ago
Over the Kazuar’s nest: Cracking down on a freshly hatched backdoor used by Pensive Ursa - Cyber Security Review
CERT-EU
a year ago
How a 1980s Hacker Became Nintendo's Nemesis Decades Later * TorrentFreak | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Unit42
10 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)