The PolySwarm Blog


Venomous Bear’s Lunar Toolset

May 28, 2024 1:05:05 PM / by The Hivemind

Related Families: LunarMail, LunarLoader, LunarWeb
Verticals Targeted: Government 

Executive Summary

Venomous Bear was observed targeting a European Ministry of Foreign Affairs using a new toolset, dubbed the Lunar toolset.

Key Takeaways

  • Venomous Bear was observed targeting a European Ministry of Foreign Affairs using a new toolset, dubbed the Lunar toolset. 
  • The toolset includes LunarLoader, LunarWeb, and LunarMail.
  • The LunarWeb backdoor is deployed on servers and uses HTTPS for C2 communications.
  • The LunarMail backdoor is deployed on workstations and uses email for C2 communications.
  • Both backdoors use LunarLoader. 

The Campaign 

Venomous Bear was observed targeting a European ministry of foreign affairs and its diplomatic missions in the Middle East using a new toolset, dubbed the Lunar toolset. The toolset, which has likely been in use since at least 2020, includes two backdoors, LunarWeb and LunarMail, and a loader dubbed LunarLoader. ESET reported on this activity. 

Initial Attack Vector

While the initial attack vector is uncertain, spearphishing and abuse of misconfigured Zabbix software are suspected. 


ESET discovered LunarWeb after detecting a loader decrypting and running a payload from an external file on a previously unknown server. The discovery of LunarWeb also led researchers to discover LunarMail. Both backdoors use the same loader, dubbed LunarLoader. LunarLoader has been observed as both a standalone loader and as part of trojanized software. LunarLoader uses three different persistence methods: a group policy extension, replacement of a legitimate Windows DLL, and an Outlook add-in.


LunarWeb is deployed only on servers and uses HTTPS for C2 communication, mimicking legitimate requests. It collects a variety of information about the victim machine, including the operating system version and serial number, BIOS version and serial number, and domain name. It also gathers additional information via shell commands, including the output of systeminfo.exe, environment variables, network adapters, a list of running processes, a list of services, and a list of installed security products. It then sends the information to the C2. LunarWeb can also receive commands from the C2. These include file and process operations, running shell and PowerShell commands, and running Lua code. Both the LunarWeb and LunarMail backdoors use steganography to hide commands in images in order to evade detection.


LunarMail is deployed only on workstations. It uses an Outlook add-in for persistence and uses email for C2 communications. It shares similarities with LunarWeb, despite using a different method to communicate with the C2. LunarMail collects environment variables and the email addresses of all email recipients. Running inside Outlook, it uses email to receive commands and exfiltrate data. LunarMail’s capabilities include writing files, creating new processes, taking screenshots, and modifying the C2 email address. It also supports Lua scripts, but unlike LunarWeb, it does not have the ability to run shell or PowerShell commands.
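Two of the persistence methods named above, the group policy extension and the Outlook add-in, are registered in the registry and can be audited on a host. The PowerShell below is an added example, not code from ESET or PolySwarm; the registry locations are the standard Windows and Office ones rather than indicators from this report, and the helper names are hypothetical.

```powershell
# Added example. Registry paths are standard Windows/Office locations, not IoCs from the report.
function Resolve-Dll([string]$Path) {
    if (-not $Path) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    # Bare names such as "gptext.dll" are loaded from System32.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

function Get-SigStatus([string]$Dll) {
    if (-not $Dll) { return 'NoDllResolved' }
    if (-not (Test-Path -LiteralPath $Dll)) { return 'FileNotFound' }
    return (Get-AuthenticodeSignature -LiteralPath $Dll).Status.ToString()
}

# Group policy client-side extensions: one GUID subkey each, DLL named in "DllName".
$gpKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$gp = Get-ChildItem -Path $gpKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = Resolve-Dll ($_.GetValue('DllName'))
    [pscustomobject]@{ Type = 'GPExtension'; Name = $_.PSChildName
                       Dll = $dll; Signature = (Get-SigStatus $dll) }
}

# Outlook add-ins: subkey name is the ProgID; follow ProgID -> CLSID -> InprocServer32.
# 32-bit COM registrations under WOW6432Node\CLSID are not resolved by this lookup.
$addinRoots = 'HKCU:\Software\Microsoft\Office\Outlook\Addins',
              'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Outlook\Addins'
$addins = Get-ChildItem -Path $addinRoots -ErrorAction SilentlyContinue | ForEach-Object {
    $progId = $_.PSChildName
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" `
                  -ErrorAction SilentlyContinue).'(default)'
    $inproc = if ($clsid) {
        (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
             -ErrorAction SilentlyContinue).'(default)'
    }
    $dll = Resolve-Dll $inproc
    [pscustomobject]@{ Type = 'OutlookAddin'; Name = $progId
                       Dll = $dll; Signature = (Get-SigStatus $dll) }
}

# Anything other than "Valid" (unsigned, missing file, unresolved DLL) deserves a manual look.
@($gp) + @($addins) | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

A `Valid` status only means the file carries a trusted signature, so unfamiliar add-in or extension names should still be reviewed against a known-good baseline.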

Who is Venomous Bear?

Venomous Bear, also known as Snake, Turla, Uroburos, Waterbug, Krypton, Hippo Team, Iron Hunter, and Blue Python, is a Russia-nexus threat actor group known to target Eastern Bloc nations, as well as other targets worldwide. The group has been active since at least 2004 and may have been active as early as the 1990s. Industry researchers assess that Venomous Bear is affiliated with the FSB.

Venomous Bear is believed to be responsible for a 2008 attack on US Central Command. Venomous Bear was also previously observed targeting defense and cybersecurity entities in the Baltic region using malicious documents. In the midst of the ongoing Russia-Ukraine conflict, Venomous Bear used malicious Android apps to target entities in Ukraine.


PolySwarm has a sample associated with this campaign.




You can use the following CLI command to search for all Venomous Bear samples in our portal:

$ polyswarm link list -t VenomousBear




Topics: Russia, Threat Bulletin, Government, Venomous Bear, Turla, LunarMail, LunarWeb, LunarLoader
