>samit_hota
Back to adversary profiles
G1041HighActive

Sea Turtle (G1041): Persistent State-Aligned Espionage

Samit Hota·
Suspected Origin
Turkey
Motivation
Espionage, Information Theft, Political Intelligence
Aliases
Teal Kurma, Marbled Dust, Cosmic Wolf, SILICON
Target Sectors
Government, Telecommunications, ISPs, IT Service Providers, NGOs, Media & Entertainment, Kurdish Political Groups, Aerospace, Defense, Energy, Think Tanks
Associated Malware
SnappyTCP, Adminer, Socat, Drupalgeddon
#threat-actor#g1041

Overview

Sea Turtle (G1041), also tracked under aliases like Teal Kurma, Marbled Dust, Cosmic Wolf, and SILICON, is a highly capable, state-linked advanced persistent threat (APT) actor operating out of Türkiye. Active since at least 2017, this group is primarily motivated by cyber espionage, aiming to acquire economic and political intelligence aligned with Turkish strategic interests. Their operations involve a broad targeting scope, spanning victims in Asia, Europe, and North America, with a particular focus on the Middle East and North Africa.

Initially, from 2017 to 2019, Sea Turtle gained notoriety for its sophisticated DNS hijacking campaigns, which involved compromising DNS providers and registrars managing country code Top-Level Domains (ccTLDs). These attacks allowed them to redirect internet traffic to actor-controlled infrastructure, enabling credential harvesting and unauthorized access. Since 2021, the group has demonstrably evolved its tactics, shifting to exploit known vulnerabilities, leverage exposed credentials, and increasingly engage in cloud-focused intrusions in an effort to evade detection and maintain persistence.

Sea Turtle’s typical targets are diverse but strategically chosen. They frequently compromise governmental bodies, Kurdish political groups (such as PKK), non-governmental organizations (NGOs), telecommunication entities, Internet Service Providers (ISPs), IT service providers (including security companies), and media and entertainment organizations. This targeting consistently points to an objective of obtaining sensitive data for surveillance or intelligence gathering.

Tactics & Techniques

Sea Turtle employs a range of sophisticated tactics and techniques to achieve its espionage objectives, demonstrating an adaptability to security defenses.

For Initial Access, their historical reliance on DNS hijacking remains a significant technique. This involves manipulating DNS records at service providers to redirect legitimate traffic to malicious, actor-controlled servers, often to capture credentials. They’ve also been observed exploiting multiple known vulnerabilities (such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847) to gain initial footholds. Spear phishing has also been a method for initial compromise. More recently, Sea Turtle has compromised cPanel accounts, often by leveraging Secure Shell (SSH) access, sometimes originating from VPN service provider networks. A notable development since April 2024 includes the exploitation of a zero-day vulnerability (CVE-2025-27920) in the enterprise messaging application Output Messenger.

Once inside, for Credential Access, beyond the DNS hijacking method, they’ve been seen employing phishing or brute-force attacks to steal credentials. In cloud environments, they leverage stolen AWS IAM keys or Azure Entra ID credentials for unauthorized access.

Defense Evasion is a priority for Sea Turtle. They overwrite Linux system logs and unset Bash and MySQL history files to hinder forensic analysis and detection. They also use SSH sessions over secure protocols to blend with legitimate network traffic. Their continuous alteration of capabilities is a deliberate strategy to remain undetected.

For Persistence, Sea Turtle deploys custom reverse shells like SnappyTCP, often using the nohup command to keep the malware running on systems even after attacker sessions terminate. In cloud environments, they modify security group rules to allow persistent SSH access from their infrastructure.

Discovery and Collection often involve collecting email archives, which they then stage in publicly accessible web directories for subsequent exfiltration. They also query and download sensitive data from cloud storage and compute services using stolen credentials and command-line interface (CLI) access. The group uses the tar utility to archive data before exfiltration.

Command and Control (C2) is typically established via their custom SnappyTCP malware, which communicates over TCP/HTTP, sometimes using TLS for encrypted channels. They register specific domains for their authoritative name servers, which are used for both DNS hijacking and C2 infrastructure.

Sea Turtle is also adept at Island Hopping and Supply Chain Attacks, targeting third-party entities like DNS registrars, telecommunication companies, and IT service providers to establish an upstream foothold, ultimately achieving access to their primary, more sensitive targets.

Notable Campaigns

Sea Turtle has been involved in several significant campaigns since its emergence. From 2017 to 2019, they executed widespread DNS hijacking operations that compromised at least 40 organizations across 13 countries, predominantly in the Middle East and North Africa. A specific instance of this involved the compromise of the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), Greece’s ccTLD, in April 2019.

In 2021, Microsoft identified Sea Turtle’s activities under the designation “SILICON,” noting their pursuit of intelligence gathering aligned with strategic Turkish interests, with targets spanning countries like Armenia, Cyprus, Greece, Iraq, and Syria. More recent campaigns, observed between 2021 and 2023, particularly impacted organizations in the Netherlands. These operations focused on telecommunication, media, ISPs, IT service providers, and Kurdish websites, often involving the compromise of cPanel accounts and the deployment of their SnappyTCP malware. As of April 2024, the group was observed exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, indicating continued development and use of advanced capabilities.

Associated Malware & Tools

Sea Turtle utilizes a blend of custom tools, publicly available utilities, and legitimate software in their operations.

  • SnappyTCP: This is a custom-developed, simple reverse TCP shell specifically designed for Linux/Unix systems. It possesses basic command-and-control capabilities and is crucial for maintaining persistence and facilitating data collection from compromised systems. Its source code has been observed as publicly available on GitHub.
  • Adminer: A legitimate, lightweight database management tool that Sea Turtle has been seen deploying in the public web directories of compromised cPanel accounts. This allows them persistent access to databases and the ability to execute SQL commands.
  • NoHup: A standard Unix utility, nohup is leveraged by Sea Turtle to execute their SnappyTCP malware, ensuring it continues to run in the background even after the threat actors exit their shell or terminal session, thereby maintaining persistence.
  • Bash/GCC: The group uses the Bash Unix shell for executing malicious commands and custom shell scripts during post-exploitation phases. They also compile downloaded source code, such as SnappyTCP, locally in victim environments using GCC.
  • Tar utility: A common archiving tool used to compress and package collected data, specifically email archives, before exfiltration.
  • Socat: A modified version of this versatile command-line relay tool has been observed in use by Sea Turtle to establish command-and-control channels.
  • Drupalgeddon: In their earlier DNS hijacking operations, particularly around 2018, Sea Turtle was linked to the use of exploits related to the Drupalgeddon vulnerabilities.

Current Status

Sea Turtle remains an active and persistent threat actor, continually adapting its methodologies to achieve its state-aligned espionage objectives. Recent intelligence, including reports from 2023 and early 2024, confirms their ongoing campaigns and evolution of tactics, moving beyond their foundational DNS hijacking techniques to include advanced vulnerability exploitation and cloud environment compromises. The detection of their exploitation of a zero-day vulnerability in Output Messenger since April 2024 further underscores their current activity and sophisticated capabilities. While some public information may have been limited at times, recent analyses by security vendors like Hunt & Hackett and PwC have provided valuable, updated insights into their current modus operandi and associated tooling. Organizations in their target sectors, particularly those with critical infrastructure or sensitive political information in Europe, the Middle East, and North America, should consider Sea Turtle a significant and evolving threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call