The sub-techniques beta is now live! Read the release blog post for more info.


Epic is a backdoor that has been used by Turla. [1]

ID: S0091
Associated Software: Tavdig, Wipbot, WorldCupSec, TadjMakhal
Platforms: Windows
Contributors: Martin Smolar, ESET
Version: 1.2
Created: 31 May 2017
Last Modified: 26 July 2019

Associated Software Descriptions

Name Description
Tavdig [1]
Wipbot [1]
WorldCupSec [1]
TadjMakhal [1]

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Epic gathers a list of all user accounts, privilege classes, and time of last logon.[2]

Enterprise T1116 Code Signing

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[1]

Enterprise T1002 Data Compressed

Epic compresses the collected data with bzip2 before sending it to the C2 server.[2]

Enterprise T1022 Data Encrypted

Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[1][2]

Enterprise T1181 Extra Window Memory Injection

Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.

Enterprise T1083 File and Directory Discovery

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[1][2]

Enterprise T1107 File Deletion

Epic has a command to delete a file from the machine.[2]

Enterprise T1027 Obfuscated Files or Information

Epic heavily obfuscates its code to make analysis more difficult.[1]

Enterprise T1069 Permission Groups Discovery

Epic gathers information on local group names.[2]

Enterprise T1057 Process Discovery

Epic uses the tasklist /v command to obtain a list of processes.[1][2]

Enterprise T1012 Query Registry

Epic uses the rem reg query command to obtain values from Registry keys.[1]

Enterprise T1018 Remote System Discovery

Epic uses the net view command on the victim’s machine.[1]

Enterprise T1063 Security Software Discovery

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[1]

Enterprise T1071 Standard Application Layer Protocol

Epic uses HTTP and HTTPS for C2 communications.[1][2]

Enterprise T1032 Standard Cryptographic Protocol

Epic encrypts commands from the C2 server using a hardcoded key.[1]

Enterprise T1082 System Information Discovery

Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.[2]

Enterprise T1016 System Network Configuration Discovery

Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine.[1]

Enterprise T1049 System Network Connections Discovery

Epic uses the net use, net session, and netstat commands to gather information on network connections.[1][2]

Enterprise T1033 System Owner/User Discovery

Epic collects the user name from the victim’s machine.[2]

Enterprise T1007 System Service Discovery

Epic uses the tasklist /svc command to list the services on the system.[1]

Enterprise T1124 System Time Discovery

Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.[1]

Groups That Use This Software

ID Name References
G0010 Turla [1]