MurenShark

Aliases: 2 aliases
Primary URL: www[.]tubitak[.]gov[.]tr
Location: Turkey
Industry: Defense
Profile

MurenShark, also known by the alias Müren, is a threat actor group based in Turkey that conducts cyber espionage operations. Its primary activity involves launching targeted phishing campaigns designed to compromise individuals associated with specific defence and research projects. In the August 2022 incident, the group focused on personnel linked to Turkey’s indigenous submarine management system, including members of the Naval Forces Command and TÜBİTAK staff. The phishing emails contained malicious documents that appeared to originate from these trusted institutions, delivering malware such as AgentTesla to victims’ systems. Beyond initial infection, MurenShark maintained long‑term access by using a compromised Cypriot university website as a command‑and‑control server for its operations. The group’s approach demonstrates a focus on stealth, employing techniques to obfuscate its origins and limit detectable footprints on compromised networks.

Distinguishing attributes of MurenShark include its specialization in espionage against high‑value defence projects and its ability to blend malicious infrastructure with legitimate‑looking web assets. The actor’s targeting of naval and scientific organisations suggests a strategic interest in acquiring sensitive technical data related to maritime technology. Analysts have noted the group’s advanced capabilities in concealing its operational trail, which complicates attribution efforts. While the exact size or internal structure of the organisation remains unspecified in public sources, its consistent focus on Turkish governmental and research entities highlights a clear sectoral orientation. No explicit information about ownership, parent companies, or subsidiary relationships is available in the provided material.

Incidents
1 incident