{
	"id": "01ab6d4c-a2d2-42e9-ac34-1f0b1aaece1a",
	"created_at": "2026-04-06T00:17:18.248583Z",
	"updated_at": "2026-04-10T03:35:27.50189Z",
	"deleted_at": null,
	"sha1_hash": "78eb40f97a24af3e776d11fdb72b4dad20c92e7c",
	"title": "Nazar: A Lost Amulet — The Lost Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103330,
	"plain_text": "Nazar: A Lost Amulet — The Lost Reports\r\nBy Apr 22 Written By J A G-S\r\nPublished: 2001-04-22 · Archived: 2026-04-05 13:02:04 UTC\r\nAutomated community comment with the misleading detection\r\nSIG37 function from ‘sigs.py’\r\n‘Evil eye’ protection amulets – the better known ‘hamsa’ (left) or ‘nazar’ (right)\r\nIt’s hard to understand the scope of this operation without access to victimology (e.g.: endpoint visibility or\r\ncommand-and-control sinkholing). Additionally, some possible timestomping muddies the water between this\r\noperation possibly originating in 2008-2009 or actually coming into full force in 2010-2013 (the latter dates being\r\ncorroborated by VT first-seen submission times and second-stage drop timestamps). There’s a level of variable\r\ndevelopmental capability visible throughout the stages. Multiple components abuse commonly-available\r\nresources, while the orchestrator and two of the DLL drops actually display some developmental ingenuity (in the\r\nform of seemingly novel COM techniques). Far from the most advanced coding practices but definitely better than\r\nthe sort of .NET garbage other ‘Farsi-speaking’ APTs have gotten away with in the past.\r\nSomehow, this operation found its way onto the NSA’s radar pre-2013. As far as I can tell, it’s eluded specific\r\ncoverage from the security industry. A possible scenario to account for the disparate visibility between the NSA\r\nand Western researchers when it comes to this cluster of activity is that these samples were exclusively\r\nencountered on Iranian boxes overlapping with EQGRP implants. Submissions of Nazar subcomponents from Iran\r\n(as well as privately shared visibility into historical and ongoing victimology clustered entirely on Iranian\r\nmachines) could support that theory. 
Perhaps this is an internal monitoring framework (a la Attor) but given the\r\nsparse availability of historical data, I wouldn’t push that beyond a low-confidence assessment, at this time.\r\nI hope interested researchers take this as an initial introduction and open challenge to contribute to what may\r\nprove a previously unknown threat actor, and encourage them to leverage their greater abilities and visibility to\r\ncontribute to the ongoing research. I’ll gladly update this post with the contributions and publications of others.\r\nhttps://www.epicturla.com/blog/the-lost-nazar\r\nPage 1 of 2\n\nTechnical Breakdown\r\nNazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the\r\nWindows registry via ‘regsvr32.exe’. An orchestrator (‘Data.bin’), disguised as the generic Windows service host\r\nprocess (‘svchost.exe’), is registered as a service (‘EYService’) for persistence. The DLLs are a combination of\r\ncustom type libraries and resourceful repurposing of more widely available libraries for nefarious purposes.\r\nNazar component structure\r\n[Updated 04.28.2020]: Thanks to @maciekkotowicz’s great work, we now know that EYservice is in fact a\r\npassive backdoor with no hardcoded infrastructure. The backdoor is listening for UDP packets on port ‘1234’ and\r\nallows for a ping response, victim info request, or file download. For further details, please refer to the\r\nMalwareLab.pl blog.\r\nThe Subcomponent DLLs\r\nSubcomponent DLLs include multiple abused resources as well as a couple of seemingly custom libraries. The\r\nformer include the common LAME MP3 encoding library (UPX packed) as well as a more obscure bitmap library.\r\nThese are abused to implement hot mic and screengrab features, respectively. Another subcomponent is the\r\n‘hodl.dll’ (internally named ‘keydll3.dll’) library used for keylogging. 
This appears to be a more common\r\nkeylogger but that claim could use further scrutiny.\r\nFinally, the custom libraries are ‘godown.dll’ (our original indicator) as well as ‘filesystem.dll’. Both are treated as\r\ntype libraries and registered as OLE controls. The Filesystem library includes functionality to enumerate attached\r\ndrives and traverse folder structures. The GoDown library is used for system shutdown. [Updated 04.28.2020]\r\nFor a more comprehensive breakdown of these components, refer to the Check Point Research blogpost [Updated\r\n05.05.2020].\r\nA Further Oddity – The MicroOlap Packet Sniffer\r\nA core function of EYService includes a further drop, a packet sniffer. The orchestrator will unpack and drop a\r\nkernel driver (pssdk41.vxd, pssdk41.sys) used to sniff packets from the victim machine’s interfaces. The packets\r\nare then parsed looking for something in particular. Perhaps this allows for a sneaky means of command-and-control or more sophisticated uses. At this time, I’ve not determined what it’s parsing in particular.\r\nInterestingly, the packet sniffer is also referenced in the EQGRP drv_list.txt. Other versions are also referenced, as\r\nshown in the image below:\r\nSource: https://www.epicturla.com/blog/the-lost-nazar",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.epicturla.com/blog/the-lost-nazar"
	],
	"report_names": [
		"the-lost-nazar"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf773c52-830b-46e3-aa61-58c82eb323ee",
			"created_at": "2023-01-06T13:46:39.135077Z",
			"updated_at": "2026-04-10T02:00:03.226187Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "MISPGALAXY:Nazar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f3b19931-3751-4ece-a235-15b397951dc2",
			"created_at": "2022-10-25T16:07:23.889537Z",
			"updated_at": "2026-04-10T02:00:04.780137Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "ETDA:Nazar",
			"tools": [
				"Distribute.exe",
				"EYService",
				"GpUpdates.exe",
				"Microolap Packet Sniffer",
				"TCPDUMP for Windows"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775792127,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78eb40f97a24af3e776d11fdb72b4dad20c92e7c.pdf",
		"text": "https://archive.orkl.eu/78eb40f97a24af3e776d11fdb72b4dad20c92e7c.txt",
		"img": "https://archive.orkl.eu/78eb40f97a24af3e776d11fdb72b4dad20c92e7c.jpg"
	}
}