Blog | G5 Cyber Security

Turla Compromises, Infiltrates Iranian APT Infrastructure

The Turla APT group has been spotted co-opting two cyberweapons from an Iranian APT (APT 34) and deploying them against targets in the Middle East. Turla, also known as Venomous Bear, Waterbug and Uroboros, is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. The tools are Iranian in origin and were borrowed from another APT; Turla was merely trying them out on victims it had already infiltrated with Snake. The NSA and NCSC said that, in order to make use of the tools, Turla's commands were passed to the ASPX shell in encrypted HTTPS Cookie values.

Source: https://threatpost.com/turla-compromises-iranian-apt/149375/
