{
	"id": "0f8c447f-dba7-47c7-9d3d-4985192d21a9",
	"created_at": "2026-04-06T00:15:30.124397Z",
	"updated_at": "2026-04-10T03:33:35.63633Z",
	"deleted_at": null,
	"sha1_hash": "a4f76114a903f17203a1710175e89d065dbebf6d",
	"title": "New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 652955,
	"plain_text": "New ESET research uncovers Gazer, the stealthy backdoor that\r\nspies on embassies\r\nBy Graham Cluley\r\nArchived: 2026-04-05 19:48:16 UTC\r\nESET Research\r\nSecurity researchers at ESET have released new research today into the activities of the notorious Turla\r\ncyberespionage group.\r\n30 Aug 2017\r\nSecurity researchers at ESET have released new research today into the activities of the notorious Turla\r\ncyberespionage group, and specifically a previously undocumented backdoor that has been used to spy on\r\nconsulates and embassies worldwide.\r\nESET’s research team are the first in the world to document the advanced backdoor malware, which they have\r\nnamed “Gazer”, despite evidence that it has been actively deployed in targeted attacks against governments and\r\ndiplomats since at least 2016.\r\nGazer’s success can be explained by the advanced methods it uses to spy on its intended targets, and its ability to\r\nremain persistent on infected devices, embedding itself out of sight on victims’ computers in an attempt to steal\r\ninformation for a long period of time.\r\nESET researchers have discovered that Gazer has managed to infect a number of computers around the world,\r\nwith the most victims being located in Europe. 
Curiously, ESET’s examination of a variety of different espionage\r\ncampaigns which used Gazer has identified that the main target appears to have been Southeastern Europe as well\r\nas countries in the former Soviet Union.\r\nThe attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:\r\nTargeted organizations are embassies and ministries;\r\nSpearphishing delivers a first-stage backdoor such as Skipper;\r\nA second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar)\r\nis put in place;\r\nThe second-stage backdoor receives encrypted instructions from the gang via C\u0026C servers, using\r\ncompromised, legitimate websites as a proxy.\r\nAnother notable similarity between Gazer and past creations of the Turla cyberespionage group becomes obvious\r\nwhen the malware is analyzed. Gazer makes extra efforts to evade detection by changing strings within its code,\r\nrandomizing markers, and wiping files securely.\r\nIn the most recent example of the Gazer backdoor malware found by ESET’s research team, clear evidence was\r\nseen that someone had modified most of its strings, and inserted phrases related to video games throughout its\r\ncode.\r\nGazer's creators appear to be video game fans.\r\nDon’t be fooled by the sense of humor that the Turla hacking group are showing here; falling foul of computer\r\ncriminals is no laughing matter.\r\nAll organizations, whether governmental, diplomatic, law enforcement, or in traditional business, need to take\r\ntoday’s sophisticated threats seriously and adopt a layered defense to reduce the chances of a security breach.\r\nLearn more about Gazer in ESET’s research paper: Gazing at Gazer: “Turla’s new second stage backdoor”\r\nSource: https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/"
	],
	"report_names": [
		"eset-research-cyberespionage-gazer"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4f76114a903f17203a1710175e89d065dbebf6d.pdf",
		"text": "https://archive.orkl.eu/a4f76114a903f17203a1710175e89d065dbebf6d.txt",
		"img": "https://archive.orkl.eu/a4f76114a903f17203a1710175e89d065dbebf6d.jpg"
	}
}