TURLA’s new phishing-based reconnaissance campaign in Eastern Europe

Keypoints

  • Turla (aka Uroburos, Snake, Venomous Bear) is the threat actor behind the phishing-based reconnaissance campaign described.
  • The targets include the Baltic Defense College (BALTDEFCOL) and the Austrian Federal Economic Chamber (WKO), with implications for defense and economic sanction decision-making in Europe.
  • Infrastructure components exposed by SEKOIA.IO include several domains and associated IPs used in the operation, such as baltdefcol.webredirect.org, wkoinfo.webredirect.org, and jadlactnato.webredirect.org.
  • The lure is a Word document that uses a remote file inclusion pattern: it references an external PNG (logo.png) that Word retrieves over HTTP when the document is rendered, which points to reconnaissance rather than malware delivery.
  • The HTTP request for the PNG reveals the victim’s public IP address and, through the request headers (User-Agent), the Word version in use; both can be used to select tailored exploits and for SIGINT collection.
  • MITRE ATT&CK techniques identified in the article include Spearphishing Link, Gather Victim Network Information (IP addresses), and Gather Victim Host Information (Software).
  • IoCs provided include specific IPs, domains, and document hashes that pinpoint the campaign infrastructure and artifacts (e.g., f6e755e2af0231a614975d64ea3c8116, f223e046dd4e3f98bfeb1263a78ff080).

MITRE Techniques

  • [T1598.003] Spearphishing Link – “Spearphishing Link (T1598.003)” – The spearphishing document carries a link to attacker infrastructure (the external image reference) rather than a malicious payload.
  • [T1590.005] Gather Victim Network Information – “Gather Victim Network Information IP Addresses (T1590.005)” – The HTTP request to the attacker-controlled server reveals the victim’s source IP address.
  • [T1592.002] Gather Victim Host Information – “Gather Victim Host Information Software (T1592.002)” – The request for the external PNG reveals the victim’s Word version.
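The keypoints and the technique list above both hinge on one artifact: a relationship inside the .docx package that points at an external URL, which Word resolves with an HTTP request. The following scanner is an added example (not code from the SEKOIA.IO article) that opens a .docx as a zip, lists every external relationship, and flags those that either match the published IoC domains or would make Word fetch remote content on its own. The sample document it builds is constructed for this example; the exact URL path on the IoC domain is an assumption, only the domain and the filename logo.png come from the page.

```python
"""Added example: detect remote file inclusion in a .docx (not the article's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves on its own when the document is rendered
# (linked image, attached template, linked OLE object). Not exhaustive.
AUTO_FETCH_TYPES = {"image", "attachedTemplate", "oleObject"}

# Domains published as IoCs for this campaign.
IOC_DOMAINS = {
    "baltdefcol.webredirect.org",
    "wkoinfo.webredirect.org",
    "jadlactnato.webredirect.org",
}


def find_external_refs(docx_bytes):
    """Return [(rels_part, rel_type, target)] for every TargetMode="External" relationship."""
    refs = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                refs.append((name, rel_type, rel.get("Target", "")))
    return refs


def flag_refs(refs, ioc_domains=IOC_DOMAINS):
    """Classify each external reference:
    'ioc'        - host is a known campaign domain
    'auto-fetch' - remote http(s) content Word loads without user interaction
    'link'       - needs a click (e.g. a plain hyperlink)"""
    findings = []
    for part, rel_type, target in refs:
        host = (urlparse(target).hostname or "").lower()
        if host in ioc_domains:
            verdict = "ioc"
        elif rel_type in AUTO_FETCH_TYPES and target.lower().startswith(("http://", "https://")):
            verdict = "auto-fetch"
        else:
            verdict = "link"
        findings.append({"part": part, "type": rel_type, "target": target, "verdict": verdict})
    return findings


def build_sample_docx():
    """Constructed test data: a minimal .docx whose only image is linked from a
    remote server (the remote file inclusion pattern). URL path is an assumption."""
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}image"
                Target="http://baltdefcol.webredirect.org/logo.png" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink"
                Target="https://www.example.org/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>
</Relationships>'''
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in flag_refs(find_external_refs(build_sample_docx())):
        print(f"{f['verdict']:10} {f['type']:16} {f['target']}  ({f['part']})")
```

Run it on a real sample with `flag_refs(find_external_refs(open(path, "rb").read()))`; an `auto-fetch` verdict on an `image` or `attachedTemplate` relationship is the structure worth blocking at the mail gateway even when the host is not yet on an IoC list, since the beacon fires as soon as the document is rendered.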

Indicators of Compromise

  • [IP] Infrastructural IPs – 79.110.52.218, 45.153.241.162
  • [Domain] Infrastructure domains – baltdefcol.webredirect.org, wkoinfo.webredirect.org
  • [Domain] Additional domain – jadlactnato.webredirect.org
  • [File hash] Document hashes – f6e755e2af0231a614975d64ea3c8116, f223e046dd4e3f98bfeb1263a78ff080
  • [File] Filenames referenced – “War Bulletin April 27, 19:00 CET” (lure document), logo.png (remote image fetched by Word)

Read more: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/