A Turla backdoor targeted at Microsoft Exchange mail servers and controllable remotely via email attachments using steganography was discovered by researchers while used in attacks against multiple targets from around the world.
Turla is a Russian-backed cyber-espionage group (also known as Waterbug, Snake, WhiteBear, VENOMOUS BEAR, and Kypton) known for attacking a wide array of targets from more than 40 countries from various industries such as military, government, embassies, education, research, and pharmaceutical. [1, 2, 3]
The LightNeuron Turla implant was first brought into the light by Kaspersky Lab’s Global Research and Analysis Team (GReAT) on July 10, 2018, and it was observed while being used "intercept emails, exfiltrate data and even send mails on behalf of the victims."
As GReAT said at the time and confirmed by ESET's new report based on "code artefacts in the Windows version", the hacking group used this malware strain as part of its operations since as 2014, with a Unix variant also in the group's arsenal targeting Postfix and Sendmail servers.