After an initial compromise in October, Turla deployed custom Chisel tunneling software in December to spread the infection to other systems, then began exfiltrating data a month later, according to a report from Cisco Talos. Further examination of the campaign, which mostly targeted Poland-based entities, revealed that Turla used its initial access to configure Microsoft Defender antivirus exclusions and to deploy TinyTurla-NG, which then enabled reconnaissance.
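As an added defender-side example (not code from the Talos report or SC Magazine), the following PowerShell audits the two artifacts the campaign description points at on a Windows host: the Defender exclusions currently in effect, and recent Defender configuration-change events. It assumes an elevated local session with the Defender module present; the 30-day window is an arbitrary choice.

```powershell
# Added example: audit Microsoft Defender exclusions and configuration changes.
# Assumes an elevated PowerShell session on a host running Microsoft Defender.

# 1. Enumerate the exclusions currently in effect. Any path, extension or
#    process the organisation did not approve should be investigated.
$prefs = Get-MpPreference
[PSCustomObject]@{
    Paths      = $prefs.ExclusionPath
    Extensions = $prefs.ExclusionExtension
    Processes  = $prefs.ExclusionProcess
} | Format-List

# 2. Pull Defender configuration-change events (Event ID 5007) from the last
#    30 days. Exclusion additions are logged here with the old and new values,
#    so filtering on "Exclusions" surfaces when and what was added.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Forwarding the 5007 events to central logging lets the same check run fleet-wide rather than host by host.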
Source: SC Magazine