{
	"id": "154a911e-32fc-4550-9ab0-bbcf6afc8473",
	"created_at": "2026-04-06T00:21:29.602243Z",
	"updated_at": "2026-04-10T03:35:41.950667Z",
	"deleted_at": null,
	"sha1_hash": "941d6cac3b97c64bc7280026d2bb5fb1c7db9414",
	"title": "New traces of Hacking Team in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 417077,
	"plain_text": "New traces of Hacking Team in the wild\r\nBy Filip Kafka\r\nArchived: 2026-04-05 18:44:26 UTC\r\nCybercrime\r\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone.\r\n09 Mar 2018 • 8 min. read\r\nPreviously unreported samples of Hacking Team’s infamous surveillance tool – the Remote Control System (RCS) – are in the wild, and have been detected by ESET systems in fourteen countries.\r\nOur analysis of the samples reveals evidence suggesting that Hacking Team’s developers themselves are actively continuing the development of this spyware.\r\nFrom Hacking Team to Hacked Team to…?\r\nhttps://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/\r\nPage 1 of 12\n\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.\r\nThe capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.\r\nWhen the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. 
With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.\r\nFollowing the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team's Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.\r\nJust as we had concluded our research into another commercial spyware product, FinFisher, two interesting events involving Hacking Team occurred in close succession – the report about Hacking Team’s apparent financial recovery and our discovery of a new RCS variant in the wild with a valid digital certificate.\r\nThe spyware lives on\r\nIn the early stages of this investigation, our friends from the Citizen Lab – who have a long record of keeping track of Hacking Team – provided us with valuable input that led to the discovery of a version of the spyware currently being used in the wild and signed with a previously unseen valid digital certificate.\r\nOur further research uncovered several more samples of Hacking Team’s spyware created after the 2015 hack, all being slightly modified compared to variants released before the source code leak.\r\nThe samples were compiled between September 2015 and October 2017. 
We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.\r\nFurther analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.\r\nOne indicator supporting this is the sequence of digital certificates used to sign the samples – we found six different certificates issued in succession. Four of the certificates were issued by Thawte to four different companies, and two are personal certificates issued to Valeriano Bedeschi (Hacking Team co-founder) and someone named Raffaele Carnacina, as shown in the following table:\r\nCertificate issued to | Validity period\r\nValeriano Bedeschi | 8/13/2015 – 8/16/2016\r\nRaffaele Carnacina | 9/11/2015 – 9/15/2016\r\nMegabit, OOO | 6/8/2016 – 6/9/2017\r\nADD Audit | 6/20/2016 – 6/21/2017\r\nMedia Lid | 8/29/2016 – 8/30/2017\r\nZiber Ltd | 7/9/2017 – 7/10/2018\r\nThe samples also have forged Manifest metadata – used to masquerade as a legitimate application – in common, appearing as “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.\r\nOur analysis further shows that the author(s) of the samples have been using VMProtect, apparently in an effort to make their samples less prone to detection. This was also common among pre-leak Hacking Team spyware.\r\nThe connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. 
We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.\r\nThe versioning (which we accessed after overcoming VMProtect protection) observed in the analyzed samples continues where Hacking Team left off before the breach, and follows the same patterns. Hacking Team’s habit of compiling their payloads – named Scout and Soldier – consecutively, and often on the same day, can also be seen across the newer samples.\r\nThe following table shows the compilation dates, versioning and certificate authorities of Hacking Team Windows spyware samples seen between 2014 and 2017. Reuse of leaked source code by Callisto Group is marked in red in the original table.\r\nCompilation date | Scout version | Soldier version | Certificate issued to\r\n2014-11-27 | – | 1007 | Open Source Developer, Muhammad Lee's\r\n2014-12-05 | 11 | – | Open Source Developer, Muhammad Lee's\r\n2014-12-12 | 12 | 1008 | Open Source Developer, meicun ge\r\n2015-03-19 | – | 1009 | Open Source Developer, meicun ge\r\n2015-03-27 | 13 | – | Open Source Developer, meicun ge\r\nJULY 2015 LEAK\r\n2015-09-04 | 15 | – | Valeriano Bedeschi\r\n2015-10-19 | 16 | 1011 | Raffaele Carnacina\r\n2016-01-05 | 13 | – | SPC\r\n2016-01-18 | 17 | – | Raffaele Carnacina\r\n2016-03-24 | 18 | 1012 | Raffaele Carnacina\r\n2016-06-17 | – | 1014 | Megabit, OOO\r\n2016-08-02 | 21 | 1016 | Megabit, OOO\r\n2016-09-01 | 22 | 1017 | ADD Audit\r\n2016-12-19 | 23 | 1018 | ADD Audit\r\n2017-01-31 | 24 | 1019 | ADD Audit\r\n2017-04-28 | 25 | 1020 | ADD Audit, Media Lid\r\n2017-06-28 | 27 | 1022 | Media Lid, Ziber Ltd\r\n2017-10-09 | 28 | – | Ziber Ltd\r\n2017-10-18 | – | 1025 | Ziber Ltd\r\nFurthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team’s own coding style and are often found in places indicating a deep familiarity with the code. 
It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.\r\nOne of the subtle differences we spotted between the pre-leak and the post-leak samples is the difference in Startup file size. Before the leak, the copied file was padded to occupy 4MB. In the post-leak samples, this file copy operation is padded to 6MB – most likely as a primitive detection evasion technique.\r\nFigure 1 – Startup file size copy changed from 4 MB pre-leak to 6MB post-leak\r\nWe found further differences that fully convinced us of Hacking Team’s involvement. However, the disclosure of these details could interfere with the future tracking of the group, which is why we choose not to publish them. We are, however, open to sharing these details with fellow researchers (for any inquiries contact us at threatintel@eset.com).\r\nThe functionality of the spyware largely overlaps with that in the leaked source code. Our analysis so far has not confirmed the release of any significant update, as promised by Hacking Team following the hack.\r\nAs for the distribution vector of the post-leak samples we analyzed, in at least two cases we detected the spyware in an executable file disguised as a PDF document (using multiple file extensions) attached to a spearphishing email. 
The names of the attached files contain strings likely aimed to reduce suspicion when received by diplomats.\r\nFigure 2 – Investigation timeline\r\nConclusion\r\nOur research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016.\r\nAs of this writing, our systems have detected these new Hacking Team spyware samples in fourteen countries. We choose not to name the countries to prevent potentially incorrect attributions based on these detections, since the geo-location of the detections doesn’t necessarily reveal anything about the origin of the attack.\r\nIoCs\r\nESET detection names\r\nTrojan.Win32/CrisisHT.F\r\nTrojan.Win32/CrisisHT.H\r\nTrojan.Win32/CrisisHT.E\r\nTrojan.Win32/CrisisHT.L\r\nTrojan.Win32/CrisisHT.J\r\nTrojan.Win32/Agent.ZMW\r\nTrojan.Win32/Agent.ZMX\r\nTrojan.Win32/Agent.ZMY\r\nTrojan.Win32/Agent.ZMZ\r\nSamples signed by Ziber Ltd\r\nThumbprint: 14 56 d8 a0 0d 8b e9 63 e2 22 4d 84 5b 12 e5 08 4e a0 b7 07\r\nSerial Number: 5e 15 20 5f 18 04 42 cc 6c 3c 0f 03 e1 a3 3d 9f\r\nSHA-1 
samples\r\nC\u0026Cs\r\nSamples signed by ADD Audit\r\nThumbprint: 3e 19 ad 16 4d c1 03 37 53 26 36 c3 7c a4 c5 97 64 6f bc c8\r\nSerial Number: 4c 8e 3b 16 13 f7 35 42 f7 10 6f 27 20 94 eb 23\r\nSHA-1 samples\r\nC\u0026Cs\r\nSamples signed by Media Lid\r\nThumbprint: 17 f3 b5 e1 aa 0b 95 21 a8 94 9b 1c 69 a2 25 32 f2 b2 e1 f5\r\nSerial Number: 2c e2 bd 0a d3 cf de 9e a7 3e ec 7c a3 04 00 da\r\nSHA-1 samples\r\nC\u0026Cs\r\nSamples signed by Megabit, OOO\r\nThumbprint: 6d e3 a1 9d 00 1f 02 24 c1 c3 8b de fa 74 6f f2 3a aa 43 75\r\nSerial Number: 0f bc 30 db 12 7a 53 6c 34 d7 a0 fa 81 b4 81 93\r\nSHA-1 
samples\r\nC\u0026Cs\r\nSamples signed by Raffaele Carnacina\r\nThumbprint: 8a 85 4f 99 2a 5f 20 53 07 f8 2d 45 93 89 af da 86 de 6c 41\r\nSerial Number: 08 44 8b d6 ee 91 05 ae 31 22 8e a5 fe 49 6f 63\r\nSHA-1 samples\r\nC\u0026Cs\r\nSamples signed by Valeriano Bedeschi\r\nThumbprint: 44 a0 f7 f5 39 fc 0c 8b f6 7b cd b7 db 44 e4 f1 4c 68 80 d0\r\nSerial Number: 02 f1 75 66 ef 56 8d c0 6c 9a 37 9e a2 f4 fa ea\r\nSHA-1 samples\r\nC\u0026Cs\r\n172.16.1.206 – an internal address found in the samples.\r\nSource: https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
	],
	"report_names": [
		"new-traces-hacking-team-wild"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/941d6cac3b97c64bc7280026d2bb5fb1c7db9414.pdf",
		"text": "https://archive.orkl.eu/941d6cac3b97c64bc7280026d2bb5fb1c7db9414.txt",
		"img": "https://archive.orkl.eu/941d6cac3b97c64bc7280026d2bb5fb1c7db9414.jpg"
	}
}