{
	"id": "185718f0-d3a5-4751-bfeb-932d9dec8a55",
	"created_at": "2026-04-06T00:21:17.884331Z",
	"updated_at": "2026-04-10T03:30:01.756132Z",
	"deleted_at": null,
	"sha1_hash": "0c27ccc1c091068776e0048135e12664335410da",
	"title": "Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42717,
	"plain_text": "Researchers Uncover ‘TeamSpy’ Attack Campaign Against\r\nGovernment, Research Targets\r\nBy Dennis Fisher\r\nPublished: 2013-03-20 · Archived: 2026-04-05 13:53:01 UTC\r\nResearchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate\r\nsoftware packages and commodity malware tools to target a variety of heavy industry, government intelligence\r\nagencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate\r\nTeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years,\r\nresearchers say.\r\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile,\r\nmalware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the\r\nattackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they\r\nhave specific people in mind as targets.\r\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack\r\nagainst a high-profile target in the country and began looking into the campaign. 
They quickly discovered that\r\nsome of the infrastructure being used in the attack had been in use for some time and that the target they were\r\ninvestigating was by no means the only one.\r\n“During our investigation of the incident, we discovered a number of C\u0026C servers, and a large number of\r\nmalware samples that have been used in multiple attack campaigns in the last couple of years. Indeed, the\r\ncollected evidence suggests that part of the attack toolkit we discovered was used back in 2010. It seems that the\r\nmain objective of the attackers was information gathering from the infected computers. Many of the victims\r\nappear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets,\r\nincluding the case that triggered our investigation,” Boldizsár Bencsáth, assistant professor at Budapest\r\nUniversity of Technology and Economics and member of the CrySyS Lab said in an analysis.\r\nAs they dug into the attack against the Hungarian target, the researchers found that the toolset used included some\r\nmodules that were designed specifically to retrieve certain kinds of documents. Specifically, the modules would\r\nlook for files with extensions such as .pgp, or where keywords such as “secret” or the Russian equivalent were\r\nfound.\r\nhttps://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/\r\nPage 1 of 3\n\nBy observing the C2 activities of the malware, the CrySyS researchers were able to identify a number of other\r\ntargets that the attackers were going after, including the embassy of a NATO country inside Russia, a\r\nmanufacturer in Russia, educational institutions in France and Belgium and a government-connected electronics\r\ncompany in the Middle East.\r\n“The telemetry revealed additional high-profile victims outside Hungary. 
Indeed, multiple victims were found in\r\nIran, including victims at http://www.sashiraz.co.ir, which is an electronics company with government\r\nbackground. The possible date of infection for this victim is from 2010,” CrySyS said.\r\nThe TeamSpy crew relies on watering-hole attacks, trying to attract their intended victims to various Web sites that\r\nare of interest to the targeted organizations. Researchers say that the attackers have used multiple sites as bait over\r\nthe years, and have employed several C2 servers as well, including two that were analyzed at “politnews.org” and\r\n“bannetwork.org”. After analyzing the malware and toolsets used in the attacks, experts say that there are some\r\nsimilarities between the TeamSpy attackers and the Red October attack campaign discovered earlier this year. \r\nThere are a number of indications that the attackers are Russian-speakers, and researchers say that the highest\r\nnumber of targets was found in Russia and Turkey. When victims hit one of the attacker-controlled watering-hole\r\nsites, they were greeted with a variety of typical drive-by download infection methods, such as iframe redirections\r\nand exploits from the notorious Eleonore exploit pack.\r\n“Over the past years, the attackers added exploit packs like Eleonore on their news aggregation sites. Then, the\r\nattackers injected iframes into carefully selected web sites frequently visited by their target victims. The iframes\r\nredirect these target visitors (and some extras) to their previously-prepared malicious sites. For instance,\r\nredirections from “konflikt.ru” to the attackers’ “bannetwork.org” started in October 2005. In February 2006,\r\nusers were redirected from “daymohk.org” to “bannetwork.org”, followed by “www.turkmenistan.gov.tm” and\r\n“chechentimes.net” in March. 
The list of infected watering hole sites continued to grow from there,” Kaspersky\r\nLab researchers, who did a separate investigation, said in an analysis.\r\nAs part of the infection routine, the attackers install a Russian-localized version of the TeamViewer software\r\npackage, an application that’s used as a legitimate remote support tool. The installation of this application may\r\nhelp to fool security systems and curious users into thinking that the attack tools are benign. However, the CrySyS\r\nteam said that the TeamSpy crew appears to have two separate and distinct missions.\r\n“During our investigations, we detected two radically different types of activities of the TeamSpy\r\nattackers. In the actual targeted attack detected by the Hungarian National Security Agency, they used components\r\nof the TeamViewer tool combined with other malware modules. In other cases, they used “traditional” self-made\r\nmalware tools to form a botnet and perform their attacks. For the TeamViewer-based activities, we have traces in\r\nthe past until September 2012. The forensics material on other malware campaigns suggests that the attackers’\r\nactivities may go back as far as 2004,” the lab’s technical analysis says.\r\nIn addition to the C2 servers at bannetwork.org and politnews.org, researchers also identified several\r\nothers: planetanews.org, newslite.org, bulbanews.org, r2bnetwork.org and kortopla.org. 
The latter two servers\r\nhave been sinkholed by Kaspersky Lab.\r\nBy looking through the databases on some of the C2 servers the researchers found that they contained not just\r\ndetails of the current TeamSpy attack campaign but also data related to older attacks, suggesting a long-term\r\noperation by this same group.\r\n“It seems that the C\u0026C servers are used for longer duration and contain data not just relevant to current attacks,\r\nbut also historical information. This reveals the incremental work method of the attackers: reuse of code, reuse of\r\nservers, and only make incremental changes on the existing material,” CrySyS said.\r\n“The database tables contain information about different attack campaigns and their related log information and\r\nstatistics. The numbers 5057, 5058, 5016, etc. might be campaign IDs or version (build) numbers. We observed\r\nsimilar numbers in the malware samples we collected from this and other C\u0026C servers. The string “TV” refers to\r\nTeamViewer, so these tables probably contain statistics of attacks that used TeamViewer as the command channel\r\nbetween the attackers and the victim.”\r\nSome of the data that the researchers found indicates that older attack campaigns had targeted victims inside the\r\nUnited States, Canada, China, Brazil and many other countries, as well. Many of the malicious modules\r\ndiscovered in the investigation are disguised as text files or JPEGs.\r\nWhile cyber-espionage campaigns like the TeamSpy attacks have been going on for years now, it’s unusual to find\r\none that has lasted as long as this one. 
CrySyS researchers said that they believe this same group has been active\r\nfor as long as 10 years.\r\n“Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections\r\nbetween samples used in different years and campaigns. Interestingly, the attacks began to gain new momentum in\r\nthe second half of 2012,” they said. “The attackers use distinct tools for nearly every simple activity – this means\r\nthat most likely the group is small and technically professional people carry out all types of activities, including\r\nstrategic planning and executing the attacks.”\r\nSource: https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/"
	],
	"report_names": [
		"77646"
	],
	"threat_actors": [
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4a2aaa17-e108-4a3f-8b0f-8c6bcba3db49",
			"created_at": "2022-10-25T16:07:24.30783Z",
			"updated_at": "2026-04-10T02:00:04.930235Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"Anger Bear",
				"Iron Lyric",
				"SIG39",
				"Team Bear"
			],
			"source_name": "ETDA:TeamSpy Crew",
			"tools": [
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewer",
				"TeamViewerENT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775791801,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c27ccc1c091068776e0048135e12664335410da.pdf",
		"text": "https://archive.orkl.eu/0c27ccc1c091068776e0048135e12664335410da.txt",
		"img": "https://archive.orkl.eu/0c27ccc1c091068776e0048135e12664335410da.jpg"
	}
}