Uroburos
MITREOther
Unknown
Unknown
[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)
Associated Techniques (36)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1001.001 | Junk Data | - |
| T1001.003 | Protocol or Service Impersonation | - |
| T1005 | Data from Local System | - |
| T1008 | Fallback Channels | - |
| T1012 | Query Registry | - |
| T1014 | Rootkit | - |
| T1027.002 | Software Packing | - |
| T1027.009 | Embedded Payloads | - |
| T1027.011 | Fileless Storage | - |
| T1027.013 | Encrypted/Encoded File | - |
| T1036.004 | Masquerade Task or Service | - |
| T1055.001 | Dynamic-link Library Injection | - |
| T1057 | Process Discovery | - |
| T1059.003 | Windows Command Shell | - |
| T1070.004 | File Deletion | - |
Aliases (105)
Used by Actors (1)
Metadata
| ID: | 366 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |