{
	"id": "8611e6e9-0f02-4250-a8d2-65a29f93ddfd",
	"created_at": "2026-04-06T00:13:35.850516Z",
	"updated_at": "2026-04-10T03:20:58.573603Z",
	"deleted_at": null,
	"sha1_hash": "2821c2f96899ef863724cb1c9a1f321bc6dcaba2",
	"title": "The Flame: Questions and Answers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 457528,
	"plain_text": "The Flame: Questions and Answers\r\nBy Alexander Gostev\r\nPublished: 2012-05-28 · Archived: 2026-04-02 10:51:48 UTC\r\nDuqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found\r\nwhat might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to\r\nthe attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us\r\nfor help in finding an unknown piece of malware which was deleting sensitive information across the Middle East.\r\nWhile searching for that code – nicknamed Wiper – we discovered a new malware codenamed\r\nWorm.Win32.Flame.\r\nFlame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are\r\ndifferent, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities\r\nseems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown\r\nperpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and\r\nincredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.\r\nFor the full low-down on this advanced threat, read on…\r\nGeneral Questions\r\nWhat exactly is Flame? A worm? A backdoor? What does it do?\r\nFlame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it\r\nhas worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so\r\nby its master.\r\nThe initial point of entry of Flame is unknown – we suspect it is deployed through targeted attacks; however, we\r\nhaven’t seen the original vector of how it spreads. 
We have some suspicions about possible use of the MS10-033\r\nvulnerability, but we cannot confirm this now.\r\nOnce a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking\r\nscreenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the\r\noperators through the link to Flame’s command-and-control servers.\r\nLater, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20\r\nmodules in total and the purpose of most of them is still being investigated.\r\nHow sophisticated is Flame?\r\nFirst of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because\r\nof this, it is an extremely difficult piece of malware to analyze. The reason Flame is so big is that it\r\nhttps://securelist.com/the-flame-questions-and-answers-51/34344/\r\nPage 1 of 9\n\nincludes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation\r\n(sqlite3), together with a Lua virtual machine.\r\nLua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many\r\nparts of Flame have high-order logic written in Lua – with effective attack subroutines and libraries compiled from\r\nC++.\r\nThe effective Lua code part is rather small compared to the overall code. 
Our estimation of development ‘cost’ in\r\nLua is over 3000 lines of code, which for an average developer should take about a month to create and debug.\r\nAlso, there are internally used local databases with nested SQL queries, multiple methods of encryption, various\r\ncompression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.\r\nRunning and debugging the malware is also not trivial as it’s not a conventional executable application, but\r\nseveral DLL files that are loaded on system boot.\r\nOverall, we can say Flame is one of the most complex threats ever discovered.\r\nHow is this different from or more sophisticated than any other backdoor Trojan? Does it do specific things\r\nthat are new?\r\nFirst of all, usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit.\r\nGenerally, modern malware is small and written in really compact programming languages, which make it easy to\r\nhide. The practice of concealment through large amounts of code is one of the specific new features in Flame.\r\nThe recording of audio data from the internal microphone is also rather new. Of course, other malware exists\r\nwhich can record audio, but the key here is Flame’s completeness – the ability to steal data in so many different ways.\r\nAnother curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the\r\ncorresponding option is turned on in the configuration block, it collects information about discoverable devices\r\nnear the infected machine. 
Depending on the configuration, it can also turn the infected machine into a beacon,\r\nand make it discoverable via Bluetooth and provide general information about the malware status encoded in the\r\ndevice information.\r\nWhat are the notable info-stealing features of Flame?\r\nAlthough we are still analyzing the different modules, Flame appears to be able to record audio via the\r\nmicrophone, if one is present. It stores recorded audio in compressed format, which it does through the use of a\r\npublic-source library.\r\nRecorded data is sent to the C\u0026C through a covert SSL channel, on a regular schedule. We are still analyzing this;\r\nmore information will be available on our website soon.\r\nThe malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain\r\n“interesting” applications are run, for instance, IMs. Screenshots are stored in compressed format and are\r\nregularly sent to the C\u0026C server – just like the audio recordings.\r\nWe are still analyzing this component and will post more information when it becomes available.\r\nWhen was Flame created?\r\nThe creators of Flame deliberately changed the creation dates of the files so that investigators could not\r\nestablish the true time of creation. The files are dated 1992, 1994, 1995 and so on, but it’s clear that these are\r\nfalse dates.\r\nWe believe that the Flame project was, for the most part, created no earlier than 2010, and that it is still under active\r\ndevelopment to date. Its creators are constantly introducing changes into different modules, while continuing to\r\nuse the same architecture and file names. A number of modules were either created or changed in 2011 and 2012.\r\nAccording to our own data, we see use of Flame in August 2010. What’s more, based on collateral data, we can be\r\nsure that Flame was out in the wild as early as February to March 2010. 
It’s possible that before then there\r\nexisted earlier versions, but we don’t have data to confirm this; however, the likelihood is extremely high.\r\nWhy is it called Flame? What is the origin of its name?\r\nThe Flame malware is a large attack toolkit made up of multiple modules. One of the main modules was named\r\nFlame – it’s the module responsible for attacking and infecting additional machines.\r\nIs this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or\r\nhacktivists?\r\nCurrently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals\r\nand nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple\r\nhack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the\r\nconclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states\r\nin the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that\r\nsponsored the research that went into it.\r\nWho is responsible?\r\nThere is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with\r\nStuxnet and Duqu, its authors remain unknown.\r\nWhy are they doing it?\r\nTo systematically collect information on the operations of certain nation states in the Middle East, including Iran,\r\nLebanon, Syria, Israel and so on. Here’s a map of the top 7 affected countries:\r\nIs Flame targeted at specific organizations, with the goal of collecting specific information that could be\r\nused for future attacks? 
What type of data and information are the attackers looking for?\r\nFrom the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence – e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any\r\nspecific signs indicating a particular target such as the energy industry – making us believe it’s a complete attack\r\ntoolkit designed for general cyber-espionage purposes.\r\nOf course, as we have seen in the past, such highly flexible malware can be used to deploy specific attack\r\nmodules, which can target SCADA devices, ICS, critical infrastructure and so on.\r\nWhat industries or organizations is Flame targeting? Are they industrial control facilities/PLC/SCADA?\r\nWho are the targets and how many?\r\nThere doesn’t seem to be any visible pattern regarding the kind of organizations targeted by Flame. Victims range from\r\nindividuals to certain state-related organizations or educational institutions. Of course, collecting information on\r\nthe victims is difficult because of strict personal data collection policies designed to protect the identity of our\r\nusers.\r\nBased on your analysis, is this just one variant of Flame, or are there others?\r\nBased on the intelligence received from the Kaspersky Security Network, we are seeing multiple versions of the\r\nmalware in the wild – with different sizes and content. Of course, assuming the malware has been in\r\ndevelopment for a couple of years, it is expected that many different versions will be seen in the wild.\r\nAdditionally, Flame consists of many different plug-ins – up to 20 – which have different specific roles. A specific\r\ninfection with Flame might have a set of seven plugins, while another infection might have 15. 
It all depends on\r\nthe kind of information that is sought from the victim, and how long the system was infected with Flame.\r\nIs the main C\u0026C server still active? Is there more than one primary C\u0026C server? What happens when an\r\ninfected machine contacts the C\u0026C server?\r\nSeveral C\u0026C servers exist, scattered around the world. We have counted about a dozen different C\u0026C domains,\r\nrun on several different servers. There could also be other related domains, which could possibly bring the total to\r\naround 80 different domains being used by the malware to contact the C\u0026C. Because of this, it is really difficult to\r\ntrack the deployment and usage of C\u0026C servers.\r\nWas this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in\r\ncommon?\r\nIn size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage\r\nfeatures. Flame has no major similarities with Stuxnet/Duqu.\r\nFor instance, when Duqu was discovered, it was evident to any competent researcher that it was created by\r\nthe same people who created Stuxnet on the “Tilded” platform.\r\nFlame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are,\r\nhowever, some links which could indicate that the creators of Flame had access to technology used in the Stuxnet\r\nproject – such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler\r\nvulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as\r\nStuxnet’s authors.\r\nOn the other hand, we can’t exclude the possibility that the current variants of Flame were developed after the discovery of\r\nStuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet\r\nand put it to work in Flame.\r\nIn summary, Flame and Stuxnet/Duqu were probably developed by two separate groups. 
We would position Flame\r\nas a project running parallel to Stuxnet and Duqu.\r\nYou say this has been active since March 2010. That is close to the time when Stuxnet was discovered. Was this\r\nbeing used in tandem with Stuxnet? It is interesting they both exploit the printer-spooler vulnerability.\r\nOne of the best pieces of advice in any kind of operation is not to put all your eggs in one basket. Knowing that\r\nsooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects –\r\nbut based on a completely different philosophy. This way, if one of the research projects is discovered, the other\r\none can continue unhindered.\r\nHence, we believe Flame to be a parallel project, created as a fallback in case some other project is discovered.\r\nIn your analysis of Duqu you mentioned “cousins” of Duqu, or other forms of malware that could exist. Is\r\nthis one of them?\r\nDefinitely not. The “cousins” of Duqu were based on the Tilded platform, also used for Stuxnet. Flame does not\r\nuse the Tilded platform.\r\nThis sounds like an info-stealing tool, similar to Duqu. Do you see this as part of an intelligence-gathering\r\noperation to make a bigger cyber-sabotage weapon, similar to Stuxnet?\r\nThe intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were fewer\r\nthan 50 targets worldwide for Duqu – all of them super-high profile.\r\nFlame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide.\r\nThe targets are also of a much wider scope, including academia, private companies, specific individuals and so on.\r\nAccording to our observations, the operators of Flame artificially keep the number of infected systems at a\r\ncertain constant level. 
This can be compared with the sequential processing of fields – they infect several dozen,\r\nthen analyze the victim’s data, uninstall Flame from the systems that aren’t interesting, leaving the\r\nmost important ones in place, after which they start a new series of infections.\r\nWhat is Wiper and does it have any relation to Flame? How is it destructive and was it located in the same\r\ncountries?\r\nThe Wiper malware, which was reported on by several media outlets, remains unknown. While Flame was\r\ndiscovered during the investigation of a number of Wiper attacks, there is no information currently that ties Flame\r\nto the Wiper attacks. Of course, given the complexity of Flame, a data wiping plugin could easily be deployed at\r\nany time; however, we haven’t seen any evidence of this so far.\r\nAdditionally, systems which have been affected by the Wiper malware are completely unrecoverable – the extent\r\nof damage is so high that absolutely nothing remains that can be used to trace the attack.\r\nThere is information about Wiper incidents only in Iran. Flame was found by us in different countries of the\r\nregion, not only Iran.\r\nFunctionality/Feature Questions about the Flame Malware\r\nWhat are the ways it infects computers? USB Sticks? Was it exploiting vulnerabilities other than the print-spooler to bypass detection? Any 0-Days?\r\nFlame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”.\r\nWe haven’t seen them in action yet, perhaps because Flame appears to be disabled in the configuration\r\ndata. Nevertheless, the ability to infect USB sticks exists in the code, and it uses two methods:\r\n1. Autorun Infector: the “Autorun.inf” method from early Stuxnet, using the “shell32.dll” “trick”. What’s\r\nkey here is that the specific method was used only in Stuxnet and was not found in any other malware\r\nsince.\r\n2. 
Euphoria: spreads on media using a “junction point” directory that contains malware modules and an LNK\r\nfile that triggers the infection when this directory is opened. Our samples contained the names of the files\r\nbut did not contain the LNK itself.\r\nIn addition to these, Flame has the ability to replicate through local networks. It does so using the following:\r\n1. The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the\r\nattacked system using WMI.\r\n2. Remote job tasks.\r\n3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able\r\nto attack other machines in the network: it creates backdoor user accounts with a pre-defined password that\r\nis then used to copy itself to these machines.\r\nAt the moment, we haven’t seen use of any 0-days; however, the worm is known to have infected fully-patched\r\nWindows 7 systems through the network, which might indicate the presence of a high-risk 0-day.\r\nCan it self-replicate like Stuxnet, or is it done in a more controlled form of spreading, similar to Duqu?\r\nThe replication part appears to be operator-commanded, like Duqu, and also controlled with the bot configuration\r\nfile. Most infection routines have counters of executed attacks and are limited to a specific number of allowed\r\nattacks.\r\nWhy is the program several MBs of code? What functionality does it have that could make it so much\r\nlarger than Stuxnet? How come it wasn’t detected if it was that big?\r\nThe large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is\r\nsmall and focused. It’s easier to hide a small file than a larger module. 
Additionally, over unreliable networks,\r\ndownloading 100K has a much higher chance of being successful than downloading 6MB.\r\nFlame’s modules together account for over 20MB. Much of this is libraries designed to handle SSL traffic, SSH\r\nconnections, sniffing, attack, interception of communications and so on. Consider this: it took us several months to\r\nanalyze the 500K code of Stuxnet. It will probably take a year to fully understand the 20MB of code of Flame.\r\nDoes Flame have a built-in Time-of-Death like Duqu or Stuxnet?\r\nThere are many different timers built into Flame. They monitor the success of connections to the C\u0026C, the\r\nfrequency of certain data stealing operations, the number of successful attacks and so on. Although there is no\r\nsuicide timer in the malware, the controllers have the ability to send a specific malware removal module (named\r\n“browse32”), which completely uninstalls the malware from a system, removing every single trace of its presence.\r\nWhat about JPEGs or screen-shots? Is it stealing those too?\r\nThe malware has the ability to regularly take screenshots. What’s more, it takes screenshots when certain\r\n“interesting” applications are run, for instance, IMs. 
Screenshots are stored in compressed format and are\r\nregularly sent to the C\u0026C server, just like the audio recordings.\r\nWe are still analyzing this component and will post more information when it becomes available.\r\nWe will share a full list of the files and traces for technical people in a series of blog posts on Securelist over the\r\nnext few weeks.\r\nWhat should I do if I find an infection and am willing to contribute to your research by providing malware\r\nsamples?\r\nWe would greatly appreciate it if you could contact us by e-mail at the previously created mailbox for\r\nStuxnet/Duqu research: stopduqu@kaspersky.com.\r\nUpdate 1 (28-May-2012):\r\nAccording to our analysis, the Flame malware is the same as “SkyWiper”, described by the CrySyS Lab and by the\r\nIran Maher CERT group, where it is called “Flamer”.\r\nSource: https://securelist.com/the-flame-questions-and-answers-51/34344/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-flame-questions-and-answers-51/34344/"
	],
	"report_names": [
		"34344"
	],
	"threat_actors": [],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2821c2f96899ef863724cb1c9a1f321bc6dcaba2.pdf",
		"text": "https://archive.orkl.eu/2821c2f96899ef863724cb1c9a1f321bc6dcaba2.txt",
		"img": "https://archive.orkl.eu/2821c2f96899ef863724cb1c9a1f321bc6dcaba2.jpg"
	}
}