Topinambour

Malware updated 23 days ago (2024-11-29T13:32:59.213Z)
Download STIX
Preview STIX
Topinambour is a type of malware, malicious software designed to exploit and damage computer systems, typically delivered through suspicious downloads, emails, or websites. It was first associated with the hacking group Pensive Ursa in 2019, which utilized Topinambour as a dropper to deliver another malware known as Kopiluwak. The malware is typically dropped as a small .NET file in the %localappdata% folder and written as a scheduled task upon installation. Alerts for its execution prevention and detection have been shown in Cortex XDR, a cybersecurity platform. The Topinambour malware shares code similarities with other malicious programs like TunnusSched, Tunnus, and RocketMan, particularly in their RC4 implementation. This suggests a common origin or developer behind these tools. These similarities, along with its connection to KopiLuwak, indicate that all these implants are interconnected. Furthermore, there's evidence suggesting that these tools may be exclusively owned by another hacking group named Tomiris, considering the discovery of government victims in Russia in 2019. The Turla hacking group has also been linked to Topinambour. They have reportedly renewed their arsenal with this malware, using it to hide in anti-internet censorship software, as per Kaspersky's Securelist report. This strategy allows the malware to infect systems undetected, thus expanding its reach and potential impact. With these connections and shared characteristics, Topinambour represents a significant threat in the landscape of cyber threats.
Description last updated: 2024-10-08T11:32:59.700Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
KOPILUWAK is a possible alias for Topinambour. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Topinambour. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
2
Source Document References
Information about the Topinambour Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more