Carbon is a sophisticated backdoor trojan known for its use by the advanced persistent threat (APT) Turla, an alleged Russian government-associated espionage group. Carbon is deployed after the group has conducted initial reconnaissance via a less-sophisticated backdoor, such as Skipper, deployed by a spearphishing email or compromised website. The Turla group then determines if the target is worth injecting with Carbon or other sophisticated malware. This trojan is used to steal sensitive information from targets and provides encrypted communication channels between the different malware components. It uses encryption for files and names of modules, functions, and processes.

The Carbon framework:

  • The dropper: to install the trojan's components and configuration file.
  • The component: communicates with the C2 server.
  • The orchestrator: handles tasks, pushes them to other nodes on the network, and injects the malicious DLL into a legitimate process.
  • The loader: executes the orchestrator.

The files associated with the framework processes:

  • The dropper: SERVICE.EXE
  • The loader: SERVICE.DLL or KmSvc.DLL
  • The orchestrator: MSIMGHLP.DLL
  • The injected library: MSXIML.DLL


  • March 2017: Turla Group Improves Carbon Backdoor. (Security Week)

Technical Analysis

  • ESET provides technical details and analysis of the Carbon trojan, here.