{
	"id": "ef369d72-e33d-4981-89e3-02cd362b4828",
	"created_at": "2026-04-06T00:08:18.279169Z",
	"updated_at": "2026-04-10T03:33:51.900181Z",
	"deleted_at": null,
	"sha1_hash": "636c1e89b36e42168df0cd4bd5e2b625db7f7bf8",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165359,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 12:44:41 UTC\r\nA previously unknown group called Strider has been conducting cyberespionage-style attacks against selected\r\ntargets in Russia, China, Sweden, and Belgium. The group uses an advanced piece of malware known as Remsec\r\n(Backdoor.Remsec) to conduct its attacks. Remsec is a stealthy tool that appears to be primarily designed for\r\nspying purposes. Its code contains a reference to Sauron, the all-seeing antagonist in Lord of the Rings.\r\nStrider’s attacks have tentative links with a previously uncovered group, Flamer. The use of Lua modules, which\r\nwe’ll discuss later, is a technique that has previously been used by Flamer. One of Strider’s targets had also\r\npreviously been infected by Regin.\r\nBackground\r\nStrider has been active since at least October 2011. The group has maintained a low profile until now and its\r\ntargets have been mainly organizations and individuals that would be of interest to a nation state’s intelligence\r\nservices. Symantec obtained a sample of the group’s Remsec malware from a customer who submitted it\r\nfollowing its detection by our behavioral engine.\r\nRemsec is primarily designed to spy on targets. It opens a back door on an infected computer, can log keystrokes,\r\nand steal files.\r\nTargets\r\nStrider has been highly selective in its choice of targets and, to date, Symantec has found evidence of infections in\r\n36 computers across seven separate organizations. The group’s targets include a number of organizations and\r\nindividuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 4\n\nFigure 1. Only a small number of organizations in four countries are impacted by Strider\r\nStealthy back door\r\nThe Remsec malware used by Strider has a modular design. Its modules work together as a framework that\r\nprovides the attackers with complete control over an infected computer, allowing them to move across a network,\r\nexfiltrate data, and deploy custom modules as required.\r\nRemsec contains a number of stealth features that help it to avoid detection. Several of its components are in the\r\nform of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to\r\ndetect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides\r\nonly in a computer’s memory and is never stored on disk. This also makes the malware more difficult to detect\r\nand indicates that the Strider group are technically competent attackers.\r\nRemsec modules seen by Symantec to date include:\r\nLoader: Named MSAOSSPC.DLL, this module is responsible for loading files from disk and executing\r\nthem. The files on disk contain the payload in an executable blob format. The loader also logs data.\r\nExecutable blobs and data are encrypted and decrypted with a repeating key of 0xBAADF00D. The loader\r\nmaintains persistence by being implemented as a fake Security Support Provider.\r\nLua modules: Several examples of Remsec use modules written in the Lua programming language.\r\nRemsec uses a Lua interpreter to run Lua modules which perform various functions. These Lua modules\r\nare stored in the same executable blob format as the loader. Lua modules include:\r\nNetwork loader – This loads an executable over the network for execution. It may use RSA/RC6\r\nencryption.\r\nHost loader – This is used to decrypt and load at least three other Lua modules into running\r\nprocesses. It references three named modules: ilpsend, updater (neither of which has been\r\ndiscovered to date), and kblog (likely the Keylogger module detailed below).\r\nKeylogger – This logs keystrokes and exfiltrates this data to a server under the attackers’ control.\r\nThis is the module that contains a string named “Sauron” in its code. Given its capabilities, it is\r\npossible the attackers have nicknamed the module after the all-seeing villain in Lord of the Rings.\r\nFigure 2. String referencing Sauron in Remsec keylogger module\r\nNetwork listener: A number of examples of Remsec implement different techniques for opening a\r\nnetwork connection based on monitoring for specific types of traffic. These include ICMP, PCAP, and\r\nRAW network sockets.\r\nBasic pipe back door: This is a minimal back door module, controlled over named pipes. It can execute\r\ndata in the format of the executable blob or a standard executable.\r\nAdvanced pipe back door: This offers several more commands than the basic version, including sending\r\nthe executable blob, listing files, and reading/writing/deleting files.\r\nHTTP back door: This module includes several URLs for a command and control (C\u0026C) server.\r\nStrider is capable of creating custom malware tools and has operated below the radar for at least five years. Based\r\non the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a\r\nnation-state level attacker. Symantec will continue to search for more Remsec modules and targets in order to\r\nbuild upon our understanding of Strider and better protect our customers.\r\nProtection\r\nSymantec and Norton products detect this threat as Backdoor.Remsec.\r\nIndicators of compromise\r\nWe have also compiled an indicators-of-compromise document containing further details which can be used to\r\nhelp identify the threats if they are present in your environment.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/636c1e89b36e42168df0cd4bd5e2b625db7f7bf8.pdf",
		"text": "https://archive.orkl.eu/636c1e89b36e42168df0cd4bd5e2b625db7f7bf8.txt",
		"img": "https://archive.orkl.eu/636c1e89b36e42168df0cd4bd5e2b625db7f7bf8.jpg"
	}
}