Threat actor of in-Tur-est

27 January, 2022

By Jack Simpson, Cyber Threat Intelligence, PwC

In January 2021, PwC observed a phishing page that prompted an investigation into a new threat actor we now call ‘White Tur’. Per our in-house naming convention for threat actors, the use of the colour 'White' indicates that we have not yet formally attributed White Tur as being based in a specific geographic location.

Our journey began when hunting for newly registered domains with TLS certificates that use the term ‘qov’, spoofing the legitimate term ‘gov’. Spoofing the word ‘gov’ has previously been a favoured technique of several unrelated threat actors, such as Blue Athena (a.k.a. Sofacy, APT28)1. On 31st January 2021, we observed the subdomain mail[.]mod[.]qov[.]rs being used to phish for Serbian Ministry of Defence credentials. The phishing page shown in Figure 1 when visited not only logged credentials, but logged visits to the phishing page itself.

Figure 1 - Serbian Ministry of Defence phishing page mail[.]mod[.]qov[.]rs

When tracking domain registrations and domain resolutions to White Tur attributed infrastructure, we observed it to be a persistent threat actor operating over a number of years, from at least 2017 through to 2021, as shown in Figure 2.

Figure 2 - Timeline of domain registration and domain resolution activity by White Tur

The techniques used by White Tur included:

  • Weaponised documents - Ranging from documents containing macros to exploits such as CVE-2017-0199;
  • HTA scripts - Scripts that lead to the execution of PowerShell were often observed being used as an alternative to weaponised documents as an initial infection vector;
  • XSL Scripts - Used inside weaponised documents to execute a payload. From our observations the XSL scripts can be used to execute a JScript or Windows binary backdoor;
  • PowerShell Scripts - Part of the infection chain to download and execute the final payload;
  • JScript - One of the backdoors used by White Tur was developed in JScript (One of the interpreted languages used in Windows Script Host);
  • Windows binaries - Another backdoor used by White Tur was packaged as a Windows binary; and,
  • Phishing - Phishing activity with governmental, defence, research and development and telecommunications themes.

This blog is focused on our analysis of White Tur’s use of the open-source project OpenHardwareMonitor for payload execution. This project monitors temperature sensors, fan speeds, voltage and load and clock speeds of a computer2. We observed an archive named with patterns we commonly associate with White Tur.




File type

Zip archive

File size

2,810,227 bytes

First Observed

2021-05-26 17:50:34


After analysing the contents of the ZIP file, we assessed that White Tur was likely packaging the OpenHardwareMonitor project and backdooring parts of it to execute its payloads. There were three files that White Tur had modified or created inside the archive, listed in Table 1.

Table 1 - Malicious files in the OpenHardwareMonitor archive






Modified Visual Studio project through the pre-build event



Windows binary malware



PowerShell downloader


In the file OpenHardwareMonitorLib.csproj, White Tur modified the file to inject PowerShell code into the pre-build event, available in Visual Studio projects. This technique for gaining execution was discussed by Microsoft in January 2021, when they observed the North Korea-based threat actor ZINC (which we track as Black Artemis) using this method3. The PowerShell code retrieves environmental information from the victim using PowerShell WMI objects and utilises the BitsTransfer Module available in PowerShell to download a payload shown in Figure 3. The payload is downloaded and copied to \APPDATA\Local\Microsoft\OneDrive\WOFUTIL.dll - this filename has been observed in previous White Tur activity.4

Figure 3 - PowerShell code contained in the PreBuildEvent tag

The PowerShell script will generate a unique ID for the infected machine and name it a ‘UUID’. This unique identifier is sent to the C2 when the payload is downloaded through the URL: 



CWRITE.ps1 is a PowerShell downloader script; however, unlike the prebuild event, it uses a different technique for C2 communication and logs environmental information to a separate IP. The PowerShell script sends environmental information to the following URL via BitsTransfer:


The PowerShell script will then download the payload to the same folder via the same URL as the previous script:


However, its method for communication has been modified; in this sample, the PowerShell script initiates a COM object, specifically XML HTTP 3.05. The script uses the .Open() method to send a HTTP request shown in Figure 4.

Figure 4 - Payload being downloaded using XML HTTP 3.0 COM object in PowerShell


The binary command.dat is a DLL that contains exports previously observed in White Tur payloads. These exports are:

  • GetAdaptersAddresses;
  • GetAdaptersInfo;
  • GetLoaderInterface; and,
  • GetTeamViewerInterface.

The payload correctly functions by executing the default DLL entry point, DllEntrypoint. PwC assesses White Tur likely uses the name WOFUTIL.dll for payloads in a DLL search order hijacking attack. The Windows binary OneDriveStandAloneUpdater.exe is vulnerable to DLL side order hijacking and loads the DLL WOFUTIL.dll6. The DLL also makes use of the BitsTransfer COM objects, it calls CoCreateInstance with class identifiers (CLSIDs) related to the BitsTransfer control class shown in Figure 5.

Figure 5 - Malware utilising BitsTransfer control class COM objects

Like the PowerShell scripts, the Windows binary will generate a unique identifier for the victim. This is achieved by dynamically loading the library RPCRT4.dll and calling UuidCreateSequential(). The malware will use the following URL with the BitsTransfer COM object for C2 communication:


From our observations, this is the most functional backdoor we have observed from White Tur which is capable of:

  • File management;
  • Upload and download of files;
  • Execution of commands; and,
  • Set malware sleep time.

However, White Tur has been experimenting with malware development and open-source projects. For example, we identify an open-source malware project name present on the command.dat PDB path. “Storm Kitty” is an open-source C# stealer used to capture credentials and keylogs by the victim. 


This threat actor uses several techniques often observed by a wide variety of threats actors, such as DLL search order hijacking, phishing and use of COM objects. The unique feature this threat actor has is its victimology, targeting defence, governmental and research organisations based in Serbia and Republika Srpska. The full infection chain we observed with this technique is shown in Figure 6.

Figure 6 - Part of the infection chain used by White Tur


We are still in the technical phases of attribution with this threat actor; if we refer to the 4C model7 of attribution phases we are currently at the clustering phase. With some threat actors it is clear there are links to other APTs. However, from our assessment, this particular threat actor has a range of motivations with no clear links to well-known threat actors which are attributed to a government or organisation. 

The threat actor focuses attacks on a region where there is little coverage in threat intelligence blogs, in this blog we aim to encourage some public dialogue about who would want to backdoor OpenHardwareMonitor and target these regions? This blog complements a talk presented at the SANS CTI Summit on 27th January 2021, which explores the wider context of this technical analysis.


Command and Scripting Interpreter: PowerShell

User Execution: Malicious File

Exfiltration Over Command and Control Channel

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Bits Jobs

Deobfuscate/Decode Files or Information

XSL Script Processing

Template Injection

File and Directory Discovery

Query Registry

Software Discovery: Security Software Discovery

System Information Discovery

Indicators of Compromise

























[1] ‘APT28: A Window into Russia’s Cyber Espionage Operations?’, FireEye, (5th February 2010)

[2] 'Open Hardware Monitor - Core temp, fan speed and voltages in a free software gadget', OpenHardwareMonitor, (n.d)

[3] ‘ZINC attacks against security researchers’, Microsoft, (28th January 2021)

[4] CTO-TIB-20210903-01A - Darth Vladars under attack Part 3

[5] ‘MSXML 3.0 GUIDs and ProgIDs’, Microsoft, (27th October 2018)

[6] ‘Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon’, SecurityIntelligence, (18th August 2021)

[7] 'Attribution of Advanced Persistent Threats', Springer: Timo Steffens, 20th July 2020,

Contact us

Jack Simpson

Jack Simpson

Cyber Threat Intelligence Manager, PwC United Kingdom

Tel: +44 7730 598416

Louise Taggart

Louise Taggart

Cyber Threat Intelligence Senior Manager, PwC United Kingdom

Tel: +44 (0)7702 699119

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Kris  McConkey

Kris McConkey

Cyber Threat Operations Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360