{
	"id": "c6de9853-1195-40a6-84ec-845dfbac6f06",
	"created_at": "2026-04-06T00:17:44.692558Z",
	"updated_at": "2026-04-10T03:33:01.748029Z",
	"deleted_at": null,
	"sha1_hash": "7a5dc8c998526a7adb8c97dbfb85b68de40585a9",
	"title": "Uroburos rootkit: Belgian Foreign Ministry stricken",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37836,
	"plain_text": "Uroburos rootkit: Belgian Foreign Ministry stricken\r\nBy Sabrina Berkenkopf\r\nPublished: 2017-05-11 · Archived: 2026-04-05 18:11:03 UTC\r\n05/13/2014\r\nReading time: 1 min (367 words)\r\nThe advanced and highly complex spyware first became a media item in February 2014 following extensive\r\nanalysis by experts at G DATA. Straightaway the indications were that Uroburos was not designed to target\r\neveryday users. Following the cyber attack on the Belgian Foreign Ministry, information has now been published\r\nconcerning the affliction of a government institution.\r\nOn Saturday Belgian Foreign Minister Didier Reynders stated that \"information and documents on the crisis in\r\nUkraine\" had been smuggled out of the government institution's networks, reported Die Welt and other news\r\nmedia. At this time neither the origin nor the nature of the attack had been clarified by official sources. However,\r\nBelgian financial newspaper De Tijd named Moscow as the source of the attack shortly after, and Le Soir was also\r\nconnecting it with Russia.\r\nToday: infection by Uroburos rootkit confirmed\r\n\"The effort put in by the developers and contracting authorities behind Uroburos is only justifiable if the targets\r\nare worthwhile, i.e. for spying on major enterprises, national institutions, news services and similar targets,\" said\r\nG DATA experts in their initial blog article on the subject.\r\nBelgian daily newspaper De Standaard considers the source for their article today to be trustworthy. It confirmed\r\nthat the government institution had been infected with the spyware Uroburos, which is also called \"Snake\" in\r\nsome cases. Experts at the military intelligence service are currently working on counter-measures and cleaning up\r\nthe network, it said. French newspaper Le Soir also reported the Uroburos attack on the Belgian government in\r\ntoday's edition. The Belgian intelligence service is named as the source of the information.\r\nIs this just the tip of the iceberg?\r\nEven though the level of detail of the information that has been publicly disclosed on this cyber attack is low, and\r\nmay well remain so, there is nevertheless little doubt that the Uroburos software has caused significant damage.\r\nThe G DATA experts expect that the recent development in Belgium is just the tip of the iceberg, all the more so\r\nsince Le Soir reported last Saturday that other European countries had found the same problem.\r\nShare Article\r\nhttps://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken\r\nPage 1 of 2\n\nSource: https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken\r\nhttps://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken"
	],
	"report_names": [
		"23958-uroburos-rootkit-belgian-foreign-ministry-stricken"
	],
	"threat_actors": [
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a5dc8c998526a7adb8c97dbfb85b68de40585a9.pdf",
		"text": "https://archive.orkl.eu/7a5dc8c998526a7adb8c97dbfb85b68de40585a9.txt",
		"img": "https://archive.orkl.eu/7a5dc8c998526a7adb8c97dbfb85b68de40585a9.jpg"
	}
}