Rootkit

Snake

aka Uroburos · Turla Snake

A sophisticated kernel-rootkit espionage implant used by Russia's Turla for nearly two decades, dismantled by the FBI's Operation MEDUSA in 2023.

Snake (Uroburos) is among the most sophisticated espionage implants ever documented — a rootkit and toolkit used by Russia's Turla group for roughly two decades. It quietly exfiltrated sensitive data from government, diplomatic and military targets across more than 50 countries.

Engineering

Snake combined a kernel-level rootkit for deep stealth with a custom, heavily encrypted peer-to-peer network that routed stolen data through chains of compromised machines, masking its true command infrastructure. Cross-platform versions ran on Windows, Linux and macOS.

Operation MEDUSA

In May 2023, the FBI executed Operation MEDUSA, using a purpose-built tool ("PERSEUS") to disable Snake implants worldwide — a rare technical takedown of a state implant. The operation is profiled on Cyber Breaches; a rootkit/P2P teardown lives on the Reverse Engineering Hub.

Defense

Defenses centre on kernel-driver allowlisting, Secure Boot, network anomaly detection, and forensic inspection performed from outside the suspect system — a rootkitted host can't be trusted to report on itself.