Recent activity that Facebook associated with the group focused on military personnel, defense organizations, and aerospace entities primarily in the United States and, to a lesser extent, the U.K. and Europe, showing an escalation of the group’s cyberespionage activities.

Active since at least 2018, Tortoiseshell was previously observed targeting information technology organizations in the Middle East, mostly in Saudi Arabia, with the Syskit backdoor, which was designed to collect various information from the compromised machines and send it to its command and control (C&C) server.