Sea Turtle
G10417 reportsaliases · Sea Turtle · Teal Kurma · Marbled Dust · Cosmic Wolf · SILICON
7
Reports
6
Techniques
4
Tactics
6
Countries
50%
Hunt coverage
5
Aliases
Analyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1553.002 (Code Signing).
- Primary targeting: US, CN, AE, KR.
- Resurgent after a quiet period: 1 report(s) in last 30d vs 0 prior (+100%).
- Hunt coverage 50% of 6 observed techniques (3 gap(s)).
- Assessment confidence: medium (62).
Activity & trend
ResurgentLast 30d: 1 vs 0 prior (+100%)· first reported 2025-09-10 · last 2026-07-09
1
7d
1
30d
5
90d
7
All
0.4
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
Dropped (90d+)
T1590.005T1552.004AML.T0016.002Targeting gained
CNVulnerabilities in this actor's reporting · 3
- CVE-2024-545291 rpt
- CVE-2025-312351 rpt
- CVE-2025-549571 rpt
Overview
Analyst triage
Intelligence summary
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1588.006 · Vulnerabilitiesconf 704
- T1589.001 · Credentialsconf 652
- T1553.002 · Code Signingconf 601evidence: Quantum Risk Explained
- T1590.005 · IP Addressesconf 601
- T1552.004 · Private Keysconf 601
- AML.T0016.002 · Generative AIconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|