Turla: Researchers from ESET have discovered a new watering hole attack carried out by Turla that targets several high-profile Armenian websites. Turla is a well-known Russian espionage group that has been tracked for over ten years; the researchers stated that several aspects of their research led to the attribution. As in previous Turla campaigns, this campaign's targets included government and military organizations, and some of the JavaScript used in the watering hole attack was very similar to code Turla has used in the past.

Four Armenian websites were found to have been compromised since 2019. Using unknown access methods, the group managed to infect users who visited one of the websites, using second-stage malicious JavaScript code that fingerprints the victim's browser. If the script detects that this is the victim's first visit to the page, it injects an evercookie into the browser to track whether the victim visits one of the websites a second or third time. The script collects information about the user's machine, and if the user is deemed interesting, another script loads a fake Adobe Flash update page in an iframe. If the prompted install goes ahead, Adobe Flash is installed on the victim's computer along with the malware. Before August 2019, Turla's backdoor known as Skipper would be downloaded with Adobe Flash, but since September 2019, the server has delivered NetFlash and PyFlash.