Threat Actor Profile
High APT
Description

Sea Turtle is a Türkiye-linked threat actor active since at least 2017, performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Confidence Score
90%
Known Aliases
Sea Turtle, Teal Kurma, Marbled Dust, Cosmic Wolf, SILICON
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (27)
T1074.002 - Remote Data Staging (Collection)
T1114.001 - Local Email Collection (Collection)
T1213.006 - Databases (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1557 - Adversary-in-the-Middle (Credential Access)
T1027.004 - Compile After Delivery (Defense Evasion)
T1070.002 - Clear Linux or Mac System Logs (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1078.003 - Local Accounts (Defense Evasion)
T1562.003 - Impair Command History Logging (Defense Evasion)
T1564.011 - Ignore Process Interrupts (Defense Evasion)
T1059.004 - Unix Shell (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1190 - Exploit Public-Facing Application (Initial Access)
T1199 - Trusted Relationship (Initial Access)
T1566 - Phishing (Initial Access)
T1133 - External Remote Services (Persistence)
T1505.003 - Web Shell (Persistence)
T1583 - Acquire Infrastructure (Resource Development)
T1583.001 - Domains (Resource Development)
T1583.002 - DNS Server (Resource Development)
T1583.003 - Virtual Private Server (Resource Development)
T1584.002 - DNS Server (Resource Development)
T1588.002 - Tool (Resource Development)
T1588.004 - Digital Certificates (Resource Development)
T1608.003 - Install Digital Certificate (Resource Development)
STIX Data
{'aliases': ['Sea Turtle',
             'Teal Kurma',
             'Marbled Dust',
             'Cosmic Wolf',
             'SILICON'],
 'created': '2024-11-20T18:21:28.242Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Sea Turtle](https://attack.mitre.org/groups/G1041) is a '
                'Türkiye-linked threat actor active since at least 2017 '
                'performing espionage and service provider compromise '
                'operations against victims in Asia, Europe, and North '
                'America. [Sea Turtle](https://attack.mitre.org/groups/G1041) '
                'is notable for targeting registrars managing ccTLDs and '
                'complex DNS-based intrusions where the threat actor '
                'compromised DNS providers to hijack DNS resolution for '
                'ultimate victims, enabling [Sea '
                'Turtle](https://attack.mitre.org/groups/G1041) to spoof log '
                'in portals and other applications for credential '
                'collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos '
                'Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: '
                'Hunt Sea Turtle 2024)',
 'external_references': [{'external_id': 'G1041',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1041'},
                         {'description': '(Citation: Microsoft Digital Defense '
                                         '2021)(Citation: Hunt Sea Turtle '
                                         '2024)',
                          'source_name': 'SILICON'},
                         {'description': '(Citation: PWC Sea Turtle '
                                         '2023)(Citation: Hunt Sea Turtle '
                                         '2024)',
                          'source_name': 'Teal Kurma'},
                         {'description': '(Citation: PWC Sea Turtle '
                                         '2023)(Citation: Hunt Sea Turtle '
                                         '2024)',
                          'source_name': 'Marbled Dust'},
                         {'description': '(Citation: PWC Sea Turtle '
                                         '2023)(Citation: Hunt Sea Turtle '
                                         '2024)',
                          'source_name': 'Cosmic Wolf'},
                         {'description': 'Cisco Talos. (2019, April 17). Sea '
                                         'Turtle: DNS Hijacking Abuses Trust '
                                         'In Core Internet Service. Retrieved '
                                         'November 20, 2024.',
                          'source_name': 'Talos Sea Turtle 2019',
                          'url': 'https://blog.talosintelligence.com/seaturtle/'},
                         {'description': 'Hunt & Hackett Research Team. (2024, '
                                         'January 5). Turkish espionage '
                                         'campaigns in the Netherlands. '
                                         'Retrieved November 20, 2024.',
                          'source_name': 'Hunt Sea Turtle 2024',
                          'url': 'https://www.huntandhackett.com/blog/turkish-espionage-campaigns'},
                         {'description': 'Microsoft. (2021, October). '
                                         'Microsoft Digital Defense Report. '
                                         'Retrieved November 20, 2024.',
                          'source_name': 'Microsoft Digital Defense 2021',
                          'url': 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi?id=101738'},
                         {'description': 'Paul Rascagneres. (2019, July 9). '
                                         'Sea Turtle keeps on swimming, finds '
                                         'new victims, DNS hijacking '
                                         'techniques. Retrieved November 20, '
                                         '2024.',
                          'source_name': 'Talos Sea Turtle 2019_2',
                          'url': 'https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming/'},
                         {'description': 'PwC Threat Intelligence. (2023, '
                                         'December 5). The Tortoise and The '
                                         'Malware. Retrieved November 20, '
                                         '2024.',
                          'source_name': 'PWC Sea Turtle 2023',
                          'url': 'https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html'}],
 'id': 'intrusion-set--56a05d27-4d47-418a-b330-781c5614f202',
 'modified': '2025-03-28T15:28:31.727Z',
 'name': 'Sea Turtle',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Inna Danilevich, U.S. Bank', 'Joe Gumke, U.S. Bank'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}