Threat Watch

Tortoiseshell Group Using Custom Malware in Suspected Supply Chain Attacks

Tortoiseshell: A group that has been being tracked since mid 2018 is using custom and publicly-available malware to target IT providers in suspected supply chain attacks. The main targets have been in Saudi Arabia, and it is believed that the group is trying to use their victims in order to gain access to their clients. By using custom malware that is written in Delphi and .NET, the group managed to evade certain detection advancements that their targets had in place. The group reportedly gained access to the network by a compromised web server, which is easier than doing recon on an individual and trying to trick them with a phishing email. In one instance, the group had infected over 200 machines on a network before their campaign was done, which is a large amount to infect. It is likely that the group had to infect such a mass number of machines to find the one that had the domain admin-level privileges that they were looking for. The custom malware that is used by Tortoiseshell is called Backdoor.Syskit. This basic backdoor allows the group to download and execute other files and malware onto an infected machine, making it a crucial part of their attack. The backdoor will send the C&C server the computer’s IP address, operating system and mac address–this way the attacker knows which files to distribute to the particular infected device.


At least 12 companies are mitigating an attack from the group, and in one instance malware was found on a machine that can be linked to the threat actor group APT34 (Oilrig). However, the malware was leaked on telegram this year which makes it hard for researchers to determine if it actually was the Oilrig that used the malware. Tortoiseshell has no current link to any nation-state actor, and just because a machine was found with other malware on it, it is not likely that the two instances are connected.