{
	"id": "3f9a9d1c-ead0-48f7-baa2-f3d4e803b3a7",
	"created_at": "2026-04-06T00:06:52.445059Z",
	"updated_at": "2026-04-10T03:29:45.250451Z",
	"deleted_at": null,
	"sha1_hash": "1e80a06ca2252fb83b1085d1d944e30da6826a1d",
	"title": "Flame (malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201958,
	"plain_text": "Flame (malware)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2012-05-28 · Archived: 2026-04-05 17:57:42 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n\"Skywiper\" redirects here. For the portable anti-drone device, see EDM4S.\r\nFlame\r\nMalware details\r\nAliases Flamer, sKyWIper, Skywiper\r\nType Malware\r\nAuthor Equation Group\r\nTechnical details\r\nPlatform Windows\r\nSize 20 MB\r\nWritten in C++, Lua\r\nFlame,\r\n[a]\r\n also known as Flamer, sKyWIper,\r\n[b]\r\n and Skywiper,\r\n[2]\r\n is modular computer malware discovered in\r\n2012[3][4] that attacks computers running the Microsoft Windows operating system.[5] The program is used for\r\ntargeted cyber espionage in Middle Eastern countries.[1][5][6]\r\nIts discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer\r\nEmergency Response Team (CERT),[5] Kaspersky Lab[6] and CrySyS Lab of the Budapest University of\r\nTechnology and Economics.\r\n[1]\r\n The last of these stated in its report that Flame \"is certainly the most sophisticated\r\nmalware we encountered during our practice; arguably, it is the most complex malware ever found.\"[1] Flame can\r\nspread to other systems over a local area network (LAN). It can record audio, screenshots, keyboard activity and\r\nnetwork traffic.\r\n[6]\r\n The program also records Skype conversations and can turn infected computers into Bluetooth\r\nbeacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] This data,\r\nalong with locally stored documents, is sent on to one of several command and control servers that are scattered\r\naround the world. 
The program then awaits further instructions from these servers.[6]\r\nAccording to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines,[7]\r\nwith victims including governmental organizations, educational institutions and private individuals.[6] At that time\r\nhttps://en.wikipedia.org/wiki/Flame_(malware)\r\nPage 1 of 7\n\n65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt,[3][6]\r\nwith a \"huge majority of targets\" within Iran.[8] Flame has also been reported in Europe and North America.[9]\r\nFlame supports a \"kill\" command which wipes all traces of the malware from the computer. The initial infections\r\nof Flame stopped operating after its public exposure, and the \"kill\" command was sent.[10]\r\nFlame is linked to the Equation Group by Kaspersky Lab. However, Costin Raiu, the director of Kaspersky Lab's\r\nglobal research and analysis team, believes the group only cooperates with the creators of Flame and Stuxnet from\r\na position of superiority: \"Equation Group are definitely the masters, and they are giving the others, maybe, bread\r\ncrumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.\"[11]\r\nRecent research has indicated that Flame is positioned to be remembered as one of the most significant and\r\nintricate cyber-espionage tools in history. Using a sophisticated strategy, Flame managed to penetrate numerous\r\ncomputers across the Middle East by falsifying an authentic Microsoft security certificate.[12]\r\nIn 2019, researchers Juan Andres Guerrero-Saade and Silas Cutler announced their discovery of the resurgence of\r\nFlame.[13][14] The attackers used 'timestomping' (changing timestamps and dates of files) to make the new\r\nsamples look like they were created before the 'suicide' command. However, a compilation error included the real\r\ncompilation date (c. 2014). 
The new version (dubbed 'Flame 2.0' by the researchers) includes new encryption and\r\nobfuscation mechanisms to hide its functionality.\r\n[15]\r\nFlame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT,\r\nKaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of\r\nTechnology and Economics when Kaspersky Lab was asked by the United Nations International\r\nTelecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[7] As\r\nKaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines\r\nfrom Middle Eastern nations. After discovering more pieces, researchers dubbed the program \"Flame\" after one of\r\nthe main modules inside the toolkit [FROG.DefaultAttacks.A-InstallFlame].\r\n[7]\r\nAccording to Kaspersky, Flame had been operating in the wild since at least February 2010.[6] CrySyS Lab\r\nreported that the file name of the main component was observed as early as December 2007.[1] However, its\r\ncreation date could not be determined directly, as the creation dates for the malware's modules are falsely set to\r\ndates as early as 1994.[7]\r\nComputer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their\r\noil terminals from the Internet.[16] At the time the Iranian Students News Agency referred to the malware that\r\ncaused the attack as \"Wiper\", a name given to it by the malware's creator.\r\n[17]\r\n However, Kaspersky Lab believes\r\nthat Flame may be \"a separate infection entirely\" from the Wiper malware.[7] Due to the size and complexity of\r\nthe program—described as \"twenty times\" more complicated than Stuxnet—the Lab stated that a full analysis\r\ncould require as long as ten years.[7]\r\nOn 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and\r\nhad been 
distributing these to \"select organizations\" for several weeks.[7] After Flame's exposure in news media,\r\nSymantec reported on 8 June that some Flame command and control (C\u0026C) computers had sent a \"suicide\"\r\ncommand to infected PCs to remove all traces of Flame.[10]\r\n All copies of the program and any related files were\r\ndeleted.[18]\r\nAccording to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines,[7]\r\nwith victims including governmental organizations, educational institutions and private individuals.[6] At that time\r\nthe countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and\r\nEgypt.[3][6] A sample of the Flame malware is available at GitHub.\r\nList of code names for various families of modules in Flame's source code and their possible purpose[1]\r\nName Description\r\nFlame Modules that perform attack functions\r\nBoost Information gathering modules\r\nFlask A type of attack module\r\nJimmy A type of attack module\r\nMunch Installation and propagation modules\r\nSnack Local propagation modules\r\nSpotter Scanning modules\r\nTransport Replication modules\r\nEuphoria File leaking modules\r\nHeadache Attack parameters or properties\r\nFlame is an uncharacteristically large program for malware at 20 megabytes. 
It is written partly in the Lua\r\nscripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial\r\ninfection.[6][19] The malware uses five different encryption methods and an SQLite database to store structured\r\ninformation.[1] The method used to inject code into various processes is stealthy, in that the malware modules do\r\nnot appear in a listing of the modules loaded into a process and malware memory pages are protected with READ,\r\nWRITE and EXECUTE permissions that make them inaccessible by user-mode applications.[1] The internal code\r\nhas few similarities with other malware, but exploits two of the same security vulnerabilities used previously by\r\nStuxnet to infect systems.[c][1] The malware determines what antivirus software is installed, then customises its\r\nown behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by\r\nthat software.[1] Additional indicators of compromise include mutex and registry activity, such as installation of a\r\nfake audio driver which the malware uses to maintain persistence on the compromised system.[19]\r\nFlame is not designed to deactivate automatically, but supports a \"kill\" function that makes it eliminate all traces\r\nof its files and operation from a system on receipt of a module from its controllers.[7]\r\nFlame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate\r\nPCA certificate authority.\r\n[20]\r\n The malware authors identified a Microsoft Terminal Server Licensing Service\r\ncertificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm,\r\nthen produced a counterfeit copy of the certificate that they used to sign some components of the malware to make\r\nthem appear to have originated from Microsoft.[20] A successful collision attack 
against a certificate was\r\npreviously demonstrated in 2008,[21] but Flame implemented a new variation of the chosen-prefix collision attack.\r\n[22]\r\nProperty Value\r\nLike the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade\r\ncurrent security software through rootkit functionality. Once a system is infected, Flame can spread to other\r\nsystems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network\r\ntraffic.\r\n[6]\r\n The program also records Skype conversations and can turn infected computers into Bluetooth beacons\r\nwhich attempt to download contact information from nearby Bluetooth enabled devices.[7] This data, along with\r\nlocally stored documents, is sent on to one of several command and control servers that are scattered around the\r\nworld. The program then awaits further instructions from these servers.[6]\r\nUnlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely\r\nfor espionage.\r\n[23]\r\n It does not appear to target a particular industry, but rather is \"a complete attack toolkit designed\r\nfor general cyber-espionage purposes\".[24]\r\nUsing a technique known as sinkholing, Kaspersky demonstrated that \"a huge majority of targets\" were within\r\nIran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files.\r\n[8]\r\n Computing experts said\r\nthat the program appeared to be gathering technical diagrams for intelligence purposes.[8]\r\nA network of 80 servers across Asia, Europe and North America has been used to access the infected machines\r\nremotely.\r\n[25]\r\nOn 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S.\r\nNational Security Agency, CIA and Israel's military at least five years prior. 
The project was said to be part of a\r\nclassified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a\r\ncyber-sabotage campaign aimed at slowing Iranian nuclear efforts.[26]\r\nAccording to Kaspersky's chief malware expert, \"the geography of the targets and also the complexity of the threat\r\nleaves no doubt about it being a nation-state that sponsored the research that went into it.\"[3] Kaspersky initially\r\nsaid that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned\r\nby the same attackers.[27] After analysing the code further, Kaspersky later said that there is a strong relationship\r\nbetween Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is\r\nnearly identical to a Flame module that exploits the same zero-day vulnerability.\r\n[28]\r\nIran's CERT described the malware's encryption as having \"a special pattern which you only see coming from\r\nIsrael\".[29] The Daily Telegraph reported that due to Flame's apparent targets—which included Iran, Syria, and the\r\nWest Bank—Israel became \"many commentators' prime suspect\". Other commentators named the U.S. as possible\r\nperpetrators.[27] Richard Silverstein, a commentator critical of Israeli policies, claimed that he had confirmed with\r\na \"senior Israeli source\" that the malware was created by Israeli computer experts.[27] The Jerusalem Post wrote\r\nthat Israel's Vice Prime Minister Moshe Ya'alon appeared to have hinted that his government was responsible,[27]\r\nbut an Israeli spokesperson later denied that this had been implied.[30] Unnamed Israeli security officials\r\nsuggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other\r\nWestern nations.[31] The U.S. 
has officially denied responsibility.\r\n[32]\r\nA leaked NSA document mentions that dealing with Iran's discovery of FLAME is an NSA and GCHQ jointly-worked event.[33]\r\nCybercrime\r\nCyberwarfare\r\nCyber security standards\r\nCyberterrorism\r\nDigital privacy\r\nOperation High Roller\r\n1. ^ \"Flame\" is one of the strings found in the code, a common name for attacks, most likely by exploits[1]\r\n2. ^ The name \"sKyWIper\" is derived from the letters \"KWI\" which are used as a partial filename by the\r\nmalware[1]\r\n3. ^ MS10-061 and MS10-046\r\n1. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n \r\ni\r\n \r\nj\r\n \r\nk\r\n \"sKyWIper: A Complex Malware for Targeted Attacks\" (PDF). Budapest\r\nUniversity of Technology and Economics. 28 May 2012. Archived from the original (PDF) on 28 May\r\n2012. Retrieved 29 May 2012.\r\n2. ^ \"Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East\". Symantec. Archived from\r\nthe original on 31 May 2012. Retrieved 30 May 2012.\r\n3. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n Lee, Dave (28 May 2012). \"Flame: Massive Cyber-Attack Discovered, Researchers\r\nSay\". BBC News. Archived from the original on 30 May 2012. Retrieved 29 May 2012.\r\n4. ^ McElroy, Damien; Williams, Christopher (28 May 2012). \"Flame: World's Most Complex Computer\r\nVirus Exposed\". The Daily Telegraph. Archived from the original on 30 May 2012. Retrieved 29 May 2012.\r\n5. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \"Identification of a New Targeted Cyber-Attack\". Iran Computer Emergency Response\r\nTeam. 28 May 2012. Archived from the original on 29 May 2012. Retrieved 29 May 2012.\r\n6. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n \r\ni\r\n \r\nj\r\n \r\nk\r\n \r\nl\r\n Gostev, Alexander (28 May 2012). \"The Flame: Questions and Answers\".\r\nSecurelist. Archived from the original on 30 May 2012. Retrieved 16 March 2021.\r\n7. 
^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \r\ne\r\n \r\nf\r\n \r\ng\r\n \r\nh\r\n \r\ni\r\n \r\nj\r\n \r\nk\r\n Zetter, Kim (28 May 2012). \"Meet 'Flame,' The Massive Spy Malware\r\nInfiltrating Iranian Computers\". Wired. Archived from the original on 30 May 2012. Retrieved 29 May\r\n2012.\r\n8. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Lee, Dave (4 June 2012). \"Flame: Attackers 'sought confidential Iran data'\". BBC\r\nNews. Archived from the original on 4 June 2012. Retrieved 4 June 2012.\r\n9. ^ Murphy, Samantha (5 June 2012). \"Meet Flame, the Nastiest Computer Malware Yet\". Mashable.com.\r\nArchived from the original on 8 June 2012. Retrieved 8 June 2012.\r\n10. ^ Jump up to: a\r\n \r\nb\r\n \"Flame malware makers send 'suicide' code\". BBC News. 8 June 2012. Archived from the\r\noriginal on 24 August 2012. Retrieved 8 June 2012.\r\n11. ^ Kaspersky Labs Global Research \u0026 Analysis Team (16 February 2015). \"Equation: The Death Star of\r\nMalware Galaxy\". SecureList. Archived from the original on 17 February 2015, Costin Raiu (director of\r\nKaspersky Lab's global research and analysis team): \"It seems to me Equation Group are the ones with the\r\ncoolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are\r\noriginally available only to the Equation Group people. Equation Group are definitely the masters, and they\r\nare giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to\r\nintegrate into Stuxnet and Flame.\"\r\n12. ^ Munro, Kate (1 October 2012). \"Deconstructing Flame: the limitations of traditional defences\".\r\nComputer Fraud \u0026 Security. 2012 (10): 8–11. doi:10.1016/S1361-3723(12)70102-1. ISSN 1361-3723.\r\n13. ^ Zetter, Kim (9 April 2019). \"Researchers Uncover New Version of the Infamous Flame Malware\".\r\nVice.com. Vice Media. Retrieved 6 August 2020.\r\n14. 
^ Chronicle Security (12 April 2019). \"Who is GOSSIPGIRL?\". Medium. Archived from the original on 22\r\nJuly 2020. Retrieved 15 July 2020.\r\n15. ^ Guerrero-Saade, Juan Andres; Cutler, Silas (9 April 2019). Flame 2.0: Risen from the Ashes (PDF)\r\n(Report). Chronicle Security. Archived (PDF) from the original on 1 June 2023. Retrieved 17 May 2024.\r\n16. ^ Hopkins, Nick (28 May 2012). \"Computer Worm That Hit Iran Oil Terminals 'Is Most Complex Yet'\". The\r\nGuardian. Archived from the original on 31 May 2012. Retrieved 29 May 2012.\r\n17. ^ Erdbrink, Thomas (23 April 2012). \"Facing Cyberattack, Iranian Officials Disconnect Some Oil\r\nTerminals From Internet\". The New York Times. Archived from the original on 31 May 2012. Retrieved 29\r\nMay 2012.\r\n18. ^ \"Flame\". www.radware.com. Retrieved 25 September 2024.\r\n19. ^ Jump up to: a\r\n \r\nb\r\n Kindlund, Darien (30 May 2012). \"Flamer/sKyWIper Malware: Analysis\". FireEye.\r\nArchived from the original on 2 June 2012. Retrieved 31 May 2012.\r\n20. ^ Jump up to: a\r\n \r\nb\r\n \"Microsoft releases Security Advisory 2718704\". Microsoft. 3 June 2012. Archived from\r\nthe original on 7 June 2012. Retrieved 4 June 2012.\r\n21. ^ Sotirov, Alexander; Stevens, Marc; Appelbaum, Jacob; Lenstra, Arjen; Molnar, David; Osvik, Dag Arne;\r\nde Weger, Benne (30 December 2008). MD5 considered harmful today: creating a rogue CA certificate.\r\n25th Annual Chaos Communication Congress in Berlin. Archived from the original on 25 March 2017.\r\nRetrieved 4 June 2011.\r\n22. ^ Stevens, Marc (7 June 2012). \"CWI Cryptanalist Discovers New Cryptographic Attack Variant in Flame\r\nSpy Malware\". Centrum Wiskunde \u0026 Informatica. Archived from the original on 28 February 2017.\r\nRetrieved 9 June 2012.\r\n23. ^ Cohen, Reuven (28 May 2012). \"New Massive Cyber-Attack an 'Industrial Vacuum Cleaner for Sensitive\r\nInformation'\". Forbes. Archived from the original on 31 May 2012. Retrieved 29 May 2012.\r\n24. 
^ Albanesius, Chloe (28 May 2012). \"Massive 'Flame' Malware Stealing Data Across Middle East\". PC\r\nMagazine. Archived from the original on 30 May 2012. Retrieved 29 May 2012.\r\n25. ^ \"Flame virus: Five facts to know\". The Times of India. Reuters. 29 May 2012. Retrieved 30 May 2012.\r\n26. ^ Nakashima, Ellen (19 June 2012). \"U.S., Israel developed Flame computer virus to slow Iranian nuclear\r\nefforts, officials say\". The Washington Post. Archived from the original on 18 July 2012. Retrieved 20 June\r\n2012.\r\n27. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n \r\nd\r\n \"Flame Virus: Who is Behind the World's Most Complicated Espionage Software?\".\r\nThe Daily Telegraph. 29 May 2012. Archived from the original on 31 May 2012. Retrieved 29 May 2012.\r\n28. ^ \"Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected\".\r\nKaspersky Lab. 11 June 2012. Archived from the original on 16 November 2021. Retrieved 13 June 2012.\r\n29. ^ Erdbrink, Thomas (29 May 2012). \"Iran Confirms Attack by Virus That Collects Information\". The New\r\nYork Times. Archived from the original on 6 June 2012. Retrieved 30 May 2012.\r\n30. ^ Tsukayama, Hayley (31 May 2012). \"Flame cyberweapon written using gamer code, report says\". The\r\nWashington Post. Archived from the original on 2 June 2012. Retrieved 31 May 2012.\r\n31. ^ Dareini, Ali Akbar; Murphy, Dan; Satter, Raphael; Federman, Josef (30 May 2012). \"Iran: 'Flame' virus\r\nfight began with oil attack\". Yahoo! News. Associated Press.\r\n32. ^ \"Flame: Israel rejects link to malware cyber-attack\". BBC News. 31 May 2012. Archived from the\r\noriginal on 5 June 2014. Retrieved 3 June 2012.\r\n33. ^ \"Visit Précis: Sir Iain Lobban, KCMG, CB; Director, Government Communications Headquarters\r\n(GCHQ) 30 April 2013 – 1 May 2013\" (PDF). 
Archived (PDF) from the original on 2 May 2014. Retrieved\r\n1 May 2014.\r\nSource: https://en.wikipedia.org/wiki/Flame_(malware)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Flame_(malware)"
	],
	"report_names": [
		"Flame_(malware)"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d7c5a1bf-85c9-4d2f-bdbd-1455f5f2ae65",
			"created_at": "2022-10-25T16:07:23.978074Z",
			"updated_at": "2026-04-10T02:00:04.817311Z",
			"deleted_at": null,
			"main_name": "Operation Olympic Games",
			"aliases": [
				"GOSSIPGIRL"
			],
			"source_name": "ETDA:Operation Olympic Games",
			"tools": [
				"Stuxnet",
				"W32.Stuxnet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e80a06ca2252fb83b1085d1d944e30da6826a1d.pdf",
		"text": "https://archive.orkl.eu/1e80a06ca2252fb83b1085d1d944e30da6826a1d.txt",
		"img": "https://archive.orkl.eu/1e80a06ca2252fb83b1085d1d944e30da6826a1d.jpg"
	}
}