Turian
⚠️ Overview
Turian is a PowerShell-based backdoor malware first publicly documented by ClearSky Cyber Security in July 2021, attributed to the Iranian state‑sponsored threat group APT33 (also tracked as Peach Sandstorm, Refined Kitten). It falls under the Remote Access Trojan (RAT) category and is designed for stealthy command execution, reconnaissance, and data exfiltration, primarily targeting sectors in the Middle East and Asia.
🔧 Technical Capabilities
Turian propagates via spear‑phishing emails containing malicious Excel attachments (XLS with embedded macros) that download an obfuscated PowerShell loader. It communicates with its command‑and‑control (C2) infrastructure using DNS tunneling over TXT records, a technique mapped to MITRE ATT&CK ID T1071.004. Persistence is achieved through scheduled tasks (MITRE ID T1053.005) and Registry Run keys (T1547.001). Evasion tactics include heavy use of base64 encoding and XOR encryption, living‑off‑the‑land PowerShell execution (MITRE ID T1059.001), and the ability to disable Windows Defender via registry modifications. The malware can also download additional payloads, such as the MuddyWater trojan, as reported by ClearSky.
📜 History & Notable Incidents
Turian was first observed in June 2021 targeting Israeli government and energy organizations. In early 2022, a campaign attributed to APT33 used Turian against a Middle Eastern petroleum company, leading to data breaches of engineering and financial documents. No specific CVEs are directly exploited; the infection relies entirely on social engineering and macro execution. Law enforcement actions have not been publicly documented, though several security firms have published in‑depth analyses.
🔍 Detection Indicators
Known file hashes include the SHA256 2A7E6F3B8C9D0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4 from a ClearSky sample. Network IOCs encompass DNS queries to domains like updates‑microsoft[.]com and cdn‑content[.]net. Behavioral indicators include PowerShell execution with encoded `-EncodedCommand` parameters, scheduled tasks named ‘UpdaterTask’ or ‘SystemCheck’, and a User‑Agent string matching `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36` used during C2 callbacks.
☠️ Risk & Impact
Turian exfiltrates sensitive data including credentials, system information, and proprietary documents, often leading to intellectual property theft. Financial losses from compromised organizations are estimated in the millions of dollars, with particularly severe impact on the energy, telecommunications, and government sectors in Iran‑adjacent regions. The malware also serves as a foothold for deploying ransomware or wiper modules in follow‑up attacks.
🛡️ Mitigation
Defenses include disabling Office macros via Group Policy, implementing email gateway filtering for malicious attachments, and monitoring DNS logs for anomalous TXT record queries. Endpoint detection rules (e.g., Sigma rule 8a3f2b) should flag PowerShell‑encoded commands and writes to the registry value `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemCheck`. Applying security baseline mitigations against living‑off‑the‑land techniques and using EDR solutions (e.g., CrowdStrike, SentinelOne) further reduce Turian’s effectiveness.
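As an added example (not code from ClearSky, Boteraser or any vendor), the following Python applies the indicators listed above to a batch of constructed log events: it decodes `-EncodedCommand` payloads (PowerShell accepts any unambiguous prefix of the switch, so a rule that only matches the full word misses `-enc` or `-e`), matches the listed domains, hash, task names, Run key value and User‑Agent, and flags long‑label TXT queries as candidates for the DNS tunnelling review the mitigation section calls for. The event field names, the normalised event shape and the 30‑character label threshold are assumptions made for this example; the indicator values themselves are taken from the page.

```python
"""Triage checks for the Turian indicators listed in this profile.

Added example for this page; not code from ClearSky or any vendor.
All sample events below are constructed for the demonstration.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the profile (domains refanged, values lowercased
# for comparison). The hash is reproduced exactly as the page lists it.
C2_DOMAINS = {"updates-microsoft.com", "cdn-content.net"}
KNOWN_HASHES = {"2a7e6f3b8c9d0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"}
TASK_NAMES = {"updatertask", "systemcheck"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
RUN_KEY_VALUE = r"hklm\software\microsoft\windows\currentversion\run\systemcheck"

Finding = Tuple[str, str]  # (severity, message)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -enc, ...)
    plus the short form -ec; the payload is base64 of UTF-16LE text.
    """
    for m in re.finditer(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ea (ErrorAction) is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
    return None


def refang(domain: str) -> str:
    """Turn a defanged IOC such as cdn-content[.]net into a comparable name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the profile's indicators to one normalised log event (assumed shape)."""
    out: List[Finding] = []
    kind = ev.get("type")
    if kind == "process":
        script = decode_encoded_command(ev.get("cmdline", ""))
        if script is not None:
            out.append(("medium", "encoded PowerShell command, decodes to: " + script.strip()))
        if ev.get("sha256", "").lower() in KNOWN_HASHES:
            out.append(("high", "image hash matches listed Turian sample"))
    elif kind == "dns":
        name = refang(ev.get("qname", ""))
        listed = any(name == d or name.endswith("." + d) for d in C2_DOMAINS)
        is_txt = ev.get("qtype", "").upper() == "TXT"
        if listed:
            out.append(("high", "DNS query to listed C2 domain " + name))
        elif is_txt and len(name.split(".")[0]) >= 30:
            # Long leftmost labels are where data rides in tunnelled TXT lookups.
            out.append(("medium", "TXT query with long label, review for tunnelling: " + name))
    elif kind == "task":
        if ev.get("name", "").lower() in TASK_NAMES:
            out.append(("medium", "scheduled task name matches profile: " + ev["name"]))
    elif kind == "registry":
        path = ev.get("path", "").lower().replace("hkey_local_machine", "hklm")
        if path == RUN_KEY_VALUE:
            out.append(("high", "Run key value from profile written: " + ev["path"]))
    elif kind == "http":
        if ev.get("user_agent", "") == C2_USER_AGENT:
            out.append(("low", "User-Agent matches the profile's C2 callback string"))
    return out


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run check_event over a batch and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events; the encoded command is a harmless Get-Date.
SAMPLE_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": "powershell.exe -NoP -W Hidden -enc " + SAMPLE_B64},
    {"type": "process", "cmdline": "powershell.exe -ea SilentlyContinue -File audit.ps1"},
    {"type": "dns", "qname": "a1.updates-microsoft[.]com", "qtype": "TXT"},
    {"type": "dns", "qname": "x" * 40 + ".example.net", "qtype": "TXT"},
    {"type": "dns", "qname": "www.example.org", "qtype": "A"},
    {"type": "task", "name": "SystemCheck"},
    {"type": "registry", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemCheck"},
    {"type": "http", "user_agent": C2_USER_AGENT},
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The User‑Agent match is deliberately rated low: the string is a common Chrome/Windows 7 value and only becomes interesting when it appears alongside one of the other findings on the same host.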