From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations

    Date: 01/06/2026

    Severity: High

    Summary

    Tangerine Turkey utilizes VBScript-based worms that propagate laterally through removable media such as USB drives. The group relies on living-off-the-land binaries (LOLBins), including wscript.exe and printui.exe, to execute payloads and maintain persistence. To evade detection, they alter registry settings and disguise malicious executables as legitimate system files. The malware also conceals its operations by copying payloads into a newly created decoy directory. The campaign’s apparent objective is financial profit through illicit cryptocurrency mining.

    Indicators of Compromise (IOC) List

    File:

    E:\rootdir\x817994.vbs

    E:\rootdir\x966060.bat

    x209791.dat

    Process name:

    C:\Windows\System32\printui.exe

    Scheduled task:

    schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f

    Service creation:

    sc create x665422 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch"

    Destructive command:

    rmdir /s /q "C:\Windows\"

    Anti-forensics:

    del /q "C:\Windows\System32\svculdr64.dat"

    Hash (SHA-256):

    93d74ed188756507c6480717330365cede4884e98aeb43b38d707ed0b98da7cc

    4617cfd1e66aab547770f049abd937b46c4722ee33bbf97042aab77331aa6525

    4ffb3c0c7b38105183fb06d1084ab943c6e87f9644f783014684c5cb8db32e32

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("E:\rootdir\x817994.vbs","E:\rootdir\x966060.bat","x209791.dat")

    Detection Query 2:

    resourcename = "Windows Security" AND eventtype = "4688" AND processname like "C:\Windows\System32\printui.exe"

    Detection Query 3:

    sha256hash IN ("93d74ed188756507c6480717330365cede4884e98aeb43b38d707ed0b98da7cc","4ffb3c0c7b38105183fb06d1084ab943c6e87f9644f783014684c5cb8db32e32","4617cfd1e66aab547770f049abd937b46c4722ee33bbf97042aab77331aa6525")

    Detection Query 4:

    resourcename = "Windows Security" AND (commandline like "rmdir" and commandline like "/s /q" and commandline like "C:\Windows\")

    Detection Query 5:

    technologygroup = "EDR" AND objectname IN ("E:\rootdir\x817994.vbs","E:\rootdir\x966060.bat","x209791.dat")

    Detection Query 6:

    technologygroup = "EDR" AND processname like "C:\Windows\System32\printui.exe"

    Detection Query 7:

    technologygroup = "EDR" AND (commandline like "rmdir" and commandline like "/s /q" and commandline like "C:\Windows\")
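    As an added example (not part of this advisory and not Gurucul code), the logic of the queries above and of the IOC list applied in Python to constructed event records: the field names eventtype, processname, commandline, objectname and sha256hash are assumed to match the query fields above, and the scheduled-task and service rules are derived from the IOC list rather than from a published query.

```python
# Added example, not from the advisory: applies this page's IOCs and query logic to
# constructed Windows Security / EDR-style event dicts (no record here is real telemetry).

KNOWN_PROCESS = "c:\\windows\\system32\\printui.exe"
KNOWN_FILES = ("e:\\rootdir\\x817994.vbs", "e:\\rootdir\\x966060.bat", "x209791.dat")
KNOWN_HASHES = {
    "93d74ed188756507c6480717330365cede4884e98aeb43b38d707ed0b98da7cc",
    "4617cfd1e66aab547770f049abd937b46c4722ee33bbf97042aab77331aa6525",
    "4ffb3c0c7b38105183fb06d1084ab943c6e87f9644f783014684c5cb8db32e32",
}

def classify(event):
    """Return the names of every rule one event matches (empty list if benign)."""
    etype = event.get("eventtype", "")
    proc = event.get("processname", "").lower()
    cmd = event.get("commandline", "").lower()
    obj = event.get("objectname", "").lower()
    hits = []
    if etype == "4688" and proc == KNOWN_PROCESS:  # Query 2 / 6: printui.exe LOLBin
        hits.append("printui_lolbin")
    if etype == "4663" and any(obj.endswith(f) for f in KNOWN_FILES):  # Query 1 / 5
        hits.append("ioc_file_access")
    if event.get("sha256hash", "").lower() in KNOWN_HASHES:  # Query 3
        hits.append("ioc_hash")
    # Query 4 / 7: all three substrings must be present, as the page's "like" clauses require.
    if all(s in cmd for s in ("rmdir", "/s /q", "c:\\windows\\")):
        hits.append("destructive_rmdir_windows")
    if "schtasks" in cmd and "/create" in cmd and "console_zero" in cmd:  # persistence IOC
        hits.append("persistence_schtask")
    if "sc create" in cmd and "svchost.exe -k dcomlaunch" in cmd:  # service masquerading IOC
        hits.append("masquerading_service")
    return hits

def scan(events):
    """Map each triggered rule to the indexes of the events that triggered it."""
    result = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            result.setdefault(rule, []).append(i)
    return result

SAMPLE_EVENTS = [  # constructed records for demonstration only
    {"eventtype": "4688", "processname": "C:\\Windows\\System32\\printui.exe", "commandline": "printui.exe"},
    {"eventtype": "4688", "processname": "C:\\Windows\\System32\\cmd.exe", "commandline": "cmd.exe /c rmdir /s /q \"C:\\Windows\\\""},
    {"eventtype": "4688", "processname": "C:\\Windows\\System32\\sc.exe", "commandline": "sc create x665422 binPath= \"C:\\Windows\\System32\\svchost.exe -k DcomLaunch\""},
    {"eventtype": "4663", "objectname": "E:\\rootdir\\x817994.vbs"},
    {"eventtype": "4688", "processname": "C:\\Windows\\System32\\notepad.exe", "commandline": "notepad.exe notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) flags the first four records, one rule each, and leaves the notepad.exe record unmatched.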

    Reference:

    https://www.cybereason.com/blog/tangerine-turkey


    Tags

    Malware, Turkey, PyArmor, cryptocurrency, Cryptomining, Financial Services
