HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)

HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.(Citation: Accenture HyperStack October 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d)	Attack Pattern	1
HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	1
HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	1
HyperStack - S0537 (2cf7dec3-66fc-423f-b2c7-58f1de243b4e)	Malware	Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d)	Attack Pattern	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2