{
	"id": "44b385fe-67dc-48f0-bb9a-8ea7b914d086",
	"created_at": "2026-04-06T00:21:53.21767Z",
	"updated_at": "2026-04-10T03:23:38.82085Z",
	"deleted_at": null,
	"sha1_hash": "4e4a9aafa4e0c98169710365b5264e254371e03c",
	"title": "Regin (malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126855,
	"plain_text": "Regin (malware)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2014-11-23 · Archived: 2026-04-05 13:44:28 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nRegin\r\nMalware details\r\nAliases: Prax, QWERTY\r\nAuthors: NSA, GCHQ\r\nTechnical details\r\nPlatform: Windows\r\nRegin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ).[1][2][3] It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014.[4][5] The malware targets specific users of Microsoft Windows-based computers and has been linked to the NSA and GCHQ.[6][7][8] The Intercept provided samples of Regin for download, including malware discovered at the Belgian telecommunications provider Belgacom.[5]\r\nKaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003.[9] (The name Regin first appears on the VirusTotal website on 9 March 2011.[5]) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.[10] Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies.\r\nRegin has been compared to Stuxnet and is thought to have been developed by \"well-resourced teams of developers\", possibly a Western government, as a targeted multi-purpose data collection tool.[11][12][13] According to Die Welt, security experts at Microsoft gave it the name \"Regin\" in 2011, after the cunning Norse dwarf Regin.[14]\r\nRegin uses a modular approach that allows it to load only the features that fit a given target, enabling customized spying. The design makes it well suited to persistent, long-term surveillance operations against selected targets.[15][16] Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS), contained entirely within what looks to the host like a single file with an innocuous name. Within the EVFS, files are identified only by a numeric code, not by name. The EVFS is encrypted with a variant of the rarely used RC5 block cipher.[16] Regin communicates over the Internet with a command-and-control server using ICMP (ping), commands embedded in HTTP cookies, and custom TCP and UDP protocols; the server can direct operations, upload additional payloads, and so on.[10][12]\r\nIdentification and naming\r\nSymantec says that both it and Kaspersky identified the malware as Backdoor.Regin.[10] As of October 2015, most antivirus programs, including Kaspersky, did not identify the sample of Regin released by The Intercept as malware.[17] On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia;[18][19] later two more variants, Regin.B and Regin.C, were added. Microsoft appears to call the 64-bit variants of Regin Prax.A and Prax.B. The Microsoft entries do not contain any technical information.[5] Both Kaspersky and Symantec have published white papers with the information they learned about the malware.[12][13]\r\nKnown attacks and originator of malware\r\nGerman news magazine Der Spiegel reported in June 2013 that the US National Security Agency (NSA) had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA contractor Edward Snowden. Both Der Spiegel and The Intercept quote a secret 2010 NSA document stating that the agency carried out cyberattacks that year, without specifying the malware used, against the EU's diplomatic representation in Washington, D.C. and its representation to the United Nations.[5][20] Investigators found signs on the infected machines identifying the software used as Regin.\r\nThe Intercept reported that the UK's GCHQ had attacked Belgacom, Belgium's largest telecommunications company, in an intrusion that came to light in 2013.[5] These attacks may have led to Regin coming to the attention of security companies. Based on analysis by the IT security firm Fox-IT, Der Spiegel reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox-IT found Regin on the computers of one of its customers, and according to its analysis parts of Regin are mentioned in the NSA ANT catalog under the names \"Straitbizarre\" and \"Unitedrake\". Fox-IT did not name the customer, but Der Spiegel noted that Belgacom is among Fox-IT's customers and cited the head of Fox-IT, Ronald Prins, who stated that they are not allowed to speak about what they found in the Belgacom network.[1]\r\nIn December 2014, the German newspaper Bild reported that Regin had been found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections.[21]\r\nRegin was used in October and November 2018 to hack the research and development unit of Yandex.[22]\r\nSee also\r\nAdvanced persistent threat\r\nCyberwarfare in the United States\r\nNSA ANT catalog\r\nStuxnet\r\nWARRIOR PRIDE\r\nReferences\r\n1. Stöcker, Christian; Rosenbach, Marcel (25 November 2014). \"Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe\" [Spy software: super-Trojan Regin is an NSA secret weapon]. Der Spiegel.\r\n2. \"Experts Unmask 'Regin' Trojan as NSA Tool\". Spiegel.de. Retrieved 9 November 2021.\r\n3. Zetter, Kim. \"Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer\". Wired. ISSN 1059-1028. Retrieved 22 February 2022.\r\n4. \"Regin Revealed\". Kaspersky Lab. 24 November 2014. Retrieved 24 November 2014.\r\n5. Marquis-Boire, Morgan; Guarnieri, Claudio; Gallagher, Ryan (24 November 2014). \"Secret Malware in European Union Attack Linked to U.S. and British Intelligence\". The Intercept. Archived from the original on 29 July 2015. Retrieved 24 November 2014.\r\n6. \"Top German official infected by highly advanced spy trojan with NSA ties\". 26 October 2015.\r\n7. Perlroth, Nicole (24 November 2014). \"Symantec Discovers 'Regin' Spy Code Lurking on Computer Networks\". New York Times. Retrieved 25 November 2014.\r\n8. Gallagher, Ryan (13 December 2014). \"The Inside Story of How British Spies Hacked Belgium's Largest Telco\". The Intercept. Archived from the original on 17 August 2015. Retrieved 13 June 2015.\r\n9. \"Regin: a malicious platform capable of spying on GSM networks\". Kaspersky Lab. 24 November 2014.\r\n10. \"Regin: Top-tier espionage tool enables stealthy surveillance\". Symantec. 23 November 2014. Retrieved 25 November 2014.\r\n11. \"Regin, new computer spying bug, discovered by Symantec\". BBC News. 23 November 2014. Retrieved 23 November 2014.\r\n12. \"Regin White Paper\" (PDF). Symantec. Archived from the original (PDF) on 7 September 2019. Retrieved 23 November 2014.\r\n13. \"Regin White Paper\" (PDF). Kaspersky Lab. Retrieved 24 November 2014.\r\n14. Fuest, Benedikt (24 November 2014). \"Ein Computervirus, so mächtig wie keines zuvor\" [A computer virus more powerful than any before]. Die Welt. Archived from the original on 28 November 2014.\r\n15. \"Regin Malware - 'State-Sponsored' Spying Tool Targeted Govts\". The Hacking Post. Archived from the original on 18 February 2017. Retrieved 24 November 2014.\r\n16. \"NSA, GCHQ or both behind Stuxnet-like Regin malware?\". SC Magazine UK. 24 November 2014. Archived from the original on 16 June 2016. Retrieved 25 November 2014.\r\n17. VirusTotal: detection ratio 21 / 56.\r\n18. Microsoft Malware Protection Center, Malware Encyclopedia.\r\n19. Microsoft Malware Protection Center: Trojan:WinNT/Regin.A.\r\n20. Poitras, Laura; Rosenbach, Marcel; Schmid, Fidelius; Stark, Holger (29 June 2013). \"Attacks from America: NSA Spied on European Union Offices\". Der Spiegel.\r\n21. \"German government denies falling victim to cyber attack\". Deutsche Welle. 29 December 2014.\r\n22. \"Western Intelligence Hacked 'Russia's Google' Yandex to Spy on Accounts\". Reuters. 27 June 2019. Archived from the original on 29 June 2019.\r\nSource: https://en.wikipedia.org/wiki/Regin_(malware)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Regin_(malware)"
	],
	"report_names": [
		"Regin_(malware)"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e4a9aafa4e0c98169710365b5264e254371e03c.pdf",
		"text": "https://archive.orkl.eu/4e4a9aafa4e0c98169710365b5264e254371e03c.txt",
		"img": "https://archive.orkl.eu/4e4a9aafa4e0c98169710365b5264e254371e03c.jpg"
	}
}