9 January 2023

Russian Turla APT piggybacks on other hackers’ malware to target Ukraine

A notorious Russia-linked threat actor has been observed piggybacking on attack infrastructure used by a decade-old malware to install its own backdoors and steal useful information from targets in Ukraine, according to a new report from Mandiant.

The cybersecurity firm said it discovered a suspected Turla Team (UNC4210) operation last year that distributed the Kopiluwak reconnaissance tool and Quietcanary backdoor to victims in Ukraine previously hit by the Andromeda malware. According to the report, UNC4210 re-registered at least three expired Andromeda command and control (C&C) domains and began profiling victims to selectively deploy Kopiluwak and Quietcanary in September 2022.
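The detection angle for defenders here is the revival itself: a long-dead botnet domain that suddenly resolves again, on different infrastructure, after the takedown. The script below is an added example, not code from Mandiant or from the report; it uses constructed passive-DNS observations and proxy log lines with placeholder `.example` domains and RFC 5737 test addresses (none of the real Andromeda domains), treats the 2017 takedown as 31 December 2017 because the article gives only the year, and flags legacy C&C names that lapsed and then came back after the takedown on a new IP, then lists internal hosts that contacted such a name after its revival date.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: placeholder names and RFC 5737 test addresses,
# NOT the real Andromeda infrastructure described in the Mandiant report.
LEGACY_C2: Set[str] = {"legacy-c2-a.example", "legacy-c2-b.example", "legacy-c2-c.example"}

# Assumption: the article only says the botnet was dismantled in 2017, so the
# takedown is approximated as the end of that year.
TAKEDOWN = date(2017, 12, 31)


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    seen: date
    ip: Optional[str]  # None means the name did not resolve at that time


# Constructed passive-DNS history for the three placeholder domains.
PASSIVE_DNS: List[DnsObservation] = [
    # a: live on old infra, lapsed, then resolving again in 2022 on a new address
    DnsObservation("legacy-c2-a.example", date(2014, 3, 1), "203.0.113.10"),
    DnsObservation("legacy-c2-a.example", date(2016, 6, 1), "203.0.113.10"),
    DnsObservation("legacy-c2-a.example", date(2018, 1, 1), None),
    DnsObservation("legacy-c2-a.example", date(2022, 9, 15), "198.51.100.7"),
    # b: lapsed after the takedown and still dead
    DnsObservation("legacy-c2-b.example", date(2014, 3, 1), "203.0.113.20"),
    DnsObservation("legacy-c2-b.example", date(2018, 1, 1), None),
    DnsObservation("legacy-c2-b.example", date(2023, 1, 1), None),
    # c: never lapsed and never moved (e.g. held continuously on a sinkhole)
    DnsObservation("legacy-c2-c.example", date(2014, 3, 1), "203.0.113.30"),
    DnsObservation("legacy-c2-c.example", date(2018, 1, 1), "203.0.113.30"),
    DnsObservation("legacy-c2-c.example", date(2022, 9, 15), "203.0.113.30"),
]

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <url>".
PROXY_LOG = """\
2021-05-01T08:00:00Z 10.0.5.17 GET http://legacy-c2-a.example/
2022-09-20T10:15:02Z 10.0.5.17 GET http://legacy-c2-a.example/
2022-09-21T11:00:00Z 10.0.5.23 GET http://legacy-c2-b.example/
2022-09-22T09:30:00Z 10.0.5.31 GET http://legacy-c2-c.example/
"""


def find_revived_domains(
    legacy: Set[str],
    observations: List[DnsObservation],
    takedown: date,
    min_gap_days: int = 180,
) -> Dict[str, Tuple[str, str, date]]:
    """Return {domain: (old_ip, new_ip, revived_on)} for legacy C&C names that
    stopped resolving and later came back, after the takedown, on a different IP.
    A name that keeps resolving to the same address (a sinkhole) is not flagged."""
    by_domain: Dict[str, List[DnsObservation]] = {}
    for obs in observations:
        if obs.domain in legacy:
            by_domain.setdefault(obs.domain, []).append(obs)

    revived: Dict[str, Tuple[str, str, date]] = {}
    for domain, history in by_domain.items():
        history.sort(key=lambda o: o.seen)
        last_live: Optional[DnsObservation] = None  # last resolving record before a lapse
        lapsed = False
        for obs in history:
            if obs.ip is None:
                lapsed = True
                continue
            if (
                lapsed
                and last_live is not None
                and obs.seen > takedown
                and (obs.seen - last_live.seen).days >= min_gap_days
                and obs.ip != last_live.ip
            ):
                revived[domain] = (last_live.ip, obs.ip, obs.seen)
                break
            last_live, lapsed = obs, False
    return revived


def hosts_to_triage(proxy_log: str, revived: Dict[str, Tuple[str, str, date]]) -> Dict[str, Set[str]]:
    """Hosts that reached a revived domain on or after its revival date. An old
    USB-borne infection beaconing to such a name may now be talking to whoever
    re-registered it, so these hosts go to the top of the triage queue."""
    hits: Dict[str, Set[str]] = {}
    for line in proxy_log.splitlines():
        ts, host, _method, url = line.split()
        domain = url.split("/")[2]
        if domain not in revived:
            continue
        when = datetime.fromisoformat(ts.rstrip("Z")).date()
        if when >= revived[domain][2]:
            hits.setdefault(host, set()).add(domain)
    return hits


if __name__ == "__main__":
    found = find_revived_domains(LEGACY_C2, PASSIVE_DNS, TAKEDOWN)
    for name, (old_ip, new_ip, when) in found.items():
        print(f"{name}: {old_ip} -> {new_ip} on {when.isoformat()}")
    print(hosts_to_triage(PROXY_LOG, found))
```

The gap threshold and the "different IP" test are what separate a genuine re-registration from a sinkhole that simply kept answering; the host that talked to the domain in 2021, while it was still dead, is deliberately left out of the triage set because that traffic only shows a stale infection, not contact with the new operator.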

Andromeda (also known as Gamarue and Wauchos) is a modular and HTTP-based botnet that was discovered in late 2011. The Andromeda botnet was associated with 80 different malware families and grew so large that it was at one point infecting a million new machines a month, distributing itself via social media, instant messaging, spam emails, exploit kits, and more. Andromeda was also used in the infamous Avalanche network, which was dismantled in 2016. The Andromeda botnet was dismantled in 2017 as a result of an international law enforcement operation led by Europol.

Mandiant says that the particular Andromeda version whose C&C infrastructure was hijacked by Turla was first uploaded to VirusTotal in 2013 and spreads from infected USB keys. The researchers noted that they only observed suspected Turla payloads delivered in Ukraine and that this is the first time they have seen Turla targeting organizations in Ukraine since the start of Russia’s invasion in February.

“In this case, the extensive profiling achieved since January possibly allowed the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities. However, we note some elements of this campaign that appear to be a departure from historical Turla operations. Both Kopiluwak and Quietcanary were downloaded in succession at various times, which may suggest the group was operating with haste or less concern for operational security, experiencing some aspect of operational deficiency, or using automated tools,” Mandiant concluded.
