Topinambour

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Notably, it has been found hidden in anti-internet censorship software, reflecting the sophisticated tactics employed by the perpetrators. The emergence of Topinambour was first noted in 2019 when the threat actor Pensive Ursa began using it as a dropper to deliver another malware, Kopiluwak. This activity was detected by security platforms like Cortex XDR, which displayed execution prevention and detection alerts related to Topinambour. The malware shares code similarities with other malicious tools such as TunnusSched and RocketMan, specifically the same RC4 implementation, indicating interconnectedness among these implants. Furthermore, there's strong evidence suggesting that Topinambour, along with other tools like Tunnus, TunnusSched (QUIETCANARY), and RocketMan, may have been used exclusively by another threat actor, Tomiris. This assumption is based on the discovery of government victims in Russia in 2019. The intricate web of connections between these various pieces of malware and their shared attributes underscores the complexity of the cybersecurity threats posed by groups like Turla.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
KOPILUWAK
2
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Tunnussched
1
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
Tunnus
1
Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour
Rocketman
1
RocketMan is a type of malware, short for malicious software, which is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, RocketMan can steal personal information, dis
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Dropper
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TomirisUnspecified
1
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
2
Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Pensive UrsaUnspecified
1
Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
PensiveUnspecified
1
Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Topinambour RocketmanUnspecified
1
None
Topinambour TunnusschedUnspecified
1
None
Source Document References
Information about the Topinambour Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Unit42
9 months ago
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
Unit42
10 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU
a year ago
Tomiris called, they want their Turla malware back