{
	"id": "9843b1b2-3e40-43fb-9281-9608d402aebd",
	"created_at": "2026-04-06T00:07:38.929578Z",
	"updated_at": "2026-04-10T13:11:47.144133Z",
	"deleted_at": null,
	"sha1_hash": "7bdb6c0d46f3d9bfa83353555f2b6afaf3cd142f",
	"title": "Quick look at Nazar's backdoor - Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45257,
	"plain_text": "Quick look at Nazar's backdoor - Capabilities\r\nPublished: 2020-04-23 · Archived: 2026-04-05 15:18:40 UTC\r\nIntro\r\nYesterday at a virtual edition of OPCDE Juan Andrés Guerrero-Saade disclosed to the world part of his research on threat groups listed in Lost in Translation, a leak of Equation Group tools done by Shadowbrokers in 2017. Shortly after, he published an analysis on his blog and shared hashes. During the talk Juan mentioned that he doesn’t really know what the piece of malware, belonging to Nazar APT, actually does, so we put some time into finding out.\r\nEYService\r\nEYService (2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6) is the main part of the backdoor and it’s the one we took a look at. This is a passive backdoor that relies on the now discontinued Packet Sniffer SDK (PSSDK) from Microolap. We won’t go into the details of communication and how packets from and to the C2 are built; this will be the subject of following posts. Instead we will present the capabilities of this malware. All the magic happens in 00404F10h, where we can find a big if-else tree keyed on various command ids.\r\nCommand | Action | Comments\r\n311 | prepare/execute keylogger | loads %WINSYSDIR%\\hodll.dll, calls instalhook and removehook from it, saves data to %WINSYSDIR%\\report.txt\r\n139 | shutdown os | calls ole object via rclsid: F6E5B398-E3DF-496B-A2AD-C20FEA30DBFE, riid: DBCB4B31-21B8-4A0F-BC69-0C3CE3B66D00 - registered by godown.dll\r\n189 | prepare/take screen shot | loads ViewScreen.dll, calls SaveBitmapToPNGFile, saves screenshot to %CWD%\\z.png\r\n119 | prepare/record audio | using mixer* WINAPI, saves recorded audio to %WINSYSDIR%\\music.mp3\r\n199 | list drives | enumerates drives, saves results to %WINSYSDIR%\\Drives.txt\r\n200 | list files | enumerates files on a drive, saves results to %WINSYSDIR%\\Files.txt\r\n201 | read file | \r\n209 | remove file | \r\n499 | list programs | it’s done by enumerating HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall, results are saved to %WINSYSDIR%\\Programs.txt\r\n599 | list available devices | \r\n999 | ping | sends back pong\r\n555 | get os info | sends back windows version and computer name\r\n315 | disable audio recording | \r\n312 | disable keylogger | \r\n313 | disable screenshot | \r\n666 | set unused flag | \r\nUpdate 27.04.2020\r\nQuick update regarding commands 555, 999, 139\r\n999 - ping\r\n555 - get os info\r\n139 - shut down system via godown.dll\r\nConclusion\r\nIn this short post we showed the capabilities of a malware used by Nazar APT, clearly designed for espionage purposes. Stay tuned for the next part about abusing the IP and TCP protocols in order to smuggle commands. In the meantime, if you have an interesting piece of malware and need someone to take a look at it, don’t hesitate to contact us - contact@malwarelab.pl\r\nSource: https://blog.malwarelab.pl/posts/nazar_eyservice/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarelab.pl/posts/nazar_eyservice/"
	],
	"report_names": [
		"nazar_eyservice"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf773c52-830b-46e3-aa61-58c82eb323ee",
			"created_at": "2023-01-06T13:46:39.135077Z",
			"updated_at": "2026-04-10T02:00:03.226187Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "MISPGALAXY:Nazar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f3b19931-3751-4ece-a235-15b397951dc2",
			"created_at": "2022-10-25T16:07:23.889537Z",
			"updated_at": "2026-04-10T02:00:04.780137Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "ETDA:Nazar",
			"tools": [
				"Distribute.exe",
				"EYService",
				"GpUpdates.exe",
				"Microolap Packet Sniffer",
				"TCPDUMP for Windows"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bdb6c0d46f3d9bfa83353555f2b6afaf3cd142f.pdf",
		"text": "https://archive.orkl.eu/7bdb6c0d46f3d9bfa83353555f2b6afaf3cd142f.txt",
		"img": "https://archive.orkl.eu/7bdb6c0d46f3d9bfa83353555f2b6afaf3cd142f.jpg"
	}
}