THREATOPS Actor Dossier
LIVE ← Dashboard

Sea Turtle

G10417 reports
aliases · Sea Turtle · Teal Kurma · Marbled Dust · Cosmic Wolf · SILICON
Export dossier:
7
Reports
6
Techniques
4
Tactics
6
Countries
50%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1553.002 (Code Signing).
  • Primary targeting: US, CN, AE, KR.
  • Resurgent after a quiet period: 1 report(s) in last 30d vs 0 prior (+100%).
  • Hunt coverage 50% of 6 observed techniques (3 gap(s)).
  • Assessment confidence: medium (62).

Activity & trend

ResurgentLast 30d: 1 vs 0 prior (+100%)· first reported 2025-09-10 · last 2026-07-09
1
7d
1
30d
5
90d
7
All
0.4
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1590.005T1552.004AML.T0016.002
Targeting gained
CN

Vulnerabilities in this actor's reporting · 3

Overview

Analyst triage
Intelligence summary

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected