“Red October” - Part Two, the Modules
By GReAT
Published: 2013-01-17 · Archived: 2026-04-05 17:24:01 UTC
https://securelist.com/red-october-part-two-the-modules/57645

Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.

In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and a high-level overview of the C&C infrastructure.

Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.

When analyzing targeted attacks, researchers sometimes focus on the superficial system infection and how it occurred. Sometimes that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions:

What happens to the victim after they’re infected?
What information is being stolen?
Why is “Red October” such a big deal compared to other campaigns like Aurora or Night Dragon?

To our knowledge, never before in the history of ITSec has a cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration.

In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.

To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months.
This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.

The research that we are publishing today is perhaps the biggest malware research paper ever. It is certainly the most complex malware research effort in the history of our company and we hope that it sets new standards for what anti-virus and anti-malware research means today.

Because of its size, we’ve split “part 2” into several pieces, to make reading easier:

First stage of attack
1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack
1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

Source: https://securelist.com/red-october-part-two-the-modules/57645