{
	"id": "d5a6a1c6-c5ad-4e32-8488-ce65c2c9201c",
	"created_at": "2026-04-06T02:10:52.013922Z",
	"updated_at": "2026-04-10T03:26:23.658783Z",
	"deleted_at": null,
	"sha1_hash": "a7ee2795065f1b61e2315fb0bbff258256c5cca8",
	"title": "The Russian SpyAgent – a Decade Later and RAT Tools Remain at Risk | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1900554,
	"plain_text": "The Russian SpyAgent – a Decade Later and RAT Tools Remain at Risk |\r\nDeep Instinct\r\nPublished: 2022-10-11 · Archived: 2026-04-06 01:29:26 UTC\r\nDeep Instinct Threat Lab researchers have observed changes in the distribution scheme of SpyAgent (A.K.A.\r\nTeamSpy/TVRat/TeamBot/Sheldor), a malware that likely originated over a decade ago based on the historical timeline\r\nbelow. \r\nSpyAgent is a malware that abuses legitimate, well-known remote access tools (RAT). The recent changes observed by our\r\nteam allow the malware to stay stealthy while bypassing and evading many security products. \r\nAttackers evading existing security controls is a trend we see increasing. This is a problem for the industry as most security\r\nsolutions that were developed with an “assume breach” mindset will miss these stealthy attacks until it is far too late to stop\r\nthe damage.  \r\nHistorical Background on SpyAgent: \r\nIn a report from 2011, a malware named “Sheldor” used DLL search order hijacking to abuse TeamViewer 5.0 for\r\nmalicious activities.\r\nIn a report from 2013, a malware named “TeamSpy” used DLL search order hijacking to abuse TeamViewer 6.0 for\r\nmalicious activities. The report also shows a relationship between “Sheldor” and “TeamSpy.”\r\nIn a report from 2016, a malware named “Spy-Agent” used DLL search order hijacking to abuse TeamViewer 6.0 for\r\nmalicious activities. 
The report contains unique URI patterns that the malware uses to communicate with the C\u0026C\r\nserver.\r\nSpyAgent’s main capabilities are leveraged to enhance the usage of TeamViewer by hooking some of the functions\r\nused by legitimate applications.\r\nThe most important thing that SpyAgent does is obtain the client's unique ID, which is required to connect to a\r\ncomputer using TeamViewer.\r\nOther hooks disable logging and hide the GUI of the application to make it stealthy and avoid detection.\r\n10 years later: \r\nA report published in 2021 showed that the “Spy-Agent” malware has been observed shifting from hijacking\r\nTeamViewer to hijacking “Safib Assistant,” a Russian replica of TeamViewer.\r\nThe report demonstrates the distribution scheme of the malware, using fake crypto applications as a theme.\r\nThe fake applications are actually downloaders of multiple malware families, which include different RATs and\r\nstealers, such as RedLine. “SpyAgent” is one of the downloaded malware families. \r\nRecent Changes \r\nIn May 2022, a small change was observed in the fake crypto campaign first seen in 2021. Instead of using NSIS or Inno\r\nSetup droppers, executable files over 700MB were used to evade detection. This is because many security products limit the\r\nsize of scanned files to compensate for performance issues. This is similar to the way the “Quartz.dll” SpyAgent files are\r\ninflated to 1GB+, as noted in the 2021 report. This is done by simply appending a large overlay of zeros to the file, and this\r\ntechnique allows the file to be compressed to the actual size without the overlay.  \r\nFigure 1: Overlay of zeros appended at the end of the file to inflate its size to avoid detection\r\nDue to their large size, the files are not stored in public malware repositories or sandboxes. 
\r\nThe large overlaid executables are droppers which use Microsoft’s .NET ClickOnce launch utility “AppLaunch.exe” to\r\ndownload and execute malware files from the web. \r\nhttps://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk\r\nPage 1 of 5\n\nMore malicious files related to this change can be found by searching the included txt file inside the zip: \r\nFigure 2: Contents of the text file included in the zip archive\r\nFigure 3: More archives containing the same text file\r\nThe text translates from Russian into: \r\n1. We execute the client inside the archive \r\n2. We enter our wallets to receive payments \r\n3. We are happy every day because of the profit! \r\nIn June 2022, additional changes were observed. \r\nThe SpyAgent theme is no longer related to crypto applications. \r\nThe dropper files are once again Inno Setup files; however, they no longer download any additional malware except\r\n“SpyAgent” bundled with “Safib Assistant.” \r\nSince “Safib Assistant” is a legitimate tool, similar to TeamViewer, just less known, this change lowers the detection rate for\r\nthe campaign as the only real malware is “SpyAgent.” \r\nHowever, as previously reported, the “SpyAgent” DLL files are very large. \r\nT1027.001 is a known MITRE technique that adversaries use to “decrease the effectiveness of certain tools and detection\r\ncapabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for\r\nanalysis. 
Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.” \r\nExample file \r\n1565d137d235b65af1d1e4963ebc02eaf36cc81f870534674983bc6f67e5e274 is an Inno Setup file that during the writing of\r\nthis article was detected by four security vendors:  \r\nFigure 4: Detection rate at first submission (2022-07-18 06:04:01 UTC)\r\nThis file is inside three different zip files, which are not related to a crypto theme. \r\nThe dropper silently installs “Safib Assistant”; the software’s main executable hash is\r\nb8dde42c70d8c4a3511d5edffbc9f7f0c03dbda980e29693e71344f76da6bb0f and it is detected by only two security vendors,\r\nalthough it is not malicious without the SpyAgent DLL:  \r\nFigure 5: Metadata of the “Safib Assistant” main executable\r\nThe SpyAgent C\u0026C server is thief[.]lol, which during the analysis resolved to the IP address 185.125.206[.]172. \r\nDuring our investigation, the C\u0026C was still working, allowing us to confirm that the malware bundled with “Safib\r\nAssistant” is indeed “SpyAgent:” \r\nFigure 6: SpyAgent C2 panel\r\nConclusion \r\nBoth TeamViewer and “Safib Assistant” are legitimate remote admin tools; however, without the spy-agent malware DLL\r\nwhich adds stealth they are less useful for cybercriminal operations.  \r\nOn the other hand, there are several other legitimate remote admin tools that don’t require any additional malicious DLL\r\nfiles to be stealthy and which are used as-is by cybercriminals. \r\nDeep Instinct classifies such tools as dual-use because they are 3rd-party software that is not necessarily allowed to be used\r\nin a corporate network as it can be used maliciously. \r\nDeep Instinct blocks the Safib Assistant application. 
\r\nMITRE ATT\u0026CK: \r\nTactic | Technique | Description | Ob\r\nDiscovery | T1082 System Information Discovery | SpyAgent computes environment hash as an MD5 of the string created by concatenating the following: Value 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid)); Value 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName)); Value 3 = to_uppercase(crc32(user name)); Value 4 = to_uppercase(crc32(computer name)) | \u003cC\u0026 \u003c9d hash\r\nDefense Evasion | T1027.001 Obfuscated Files or Information: Binary Padding | SpyAgent’s quartz.dll was artificially inflated to the size of 1GB | e2e – 7z bun\r\nDefense Evasion | T1027.001 Obfuscated Files or Information: Binary Padding | SpyAgent’s dropper executable was artificially inflated to the size of 700MB | c72 – zi\r\nDefense Evasion | T1574.002 Hijack Execution Flow: DLL Side-Loading | SpyAgent hooks and patches various API functions called by the original DLLs used by TeamViewer and Safib Assistant | tv.d msi avic qua\r\nDefense Evasion | T1140 Deobfuscate/Decode Files or Information | SpyAgent comes with a config file (.cfg) that contains an encrypted configuration. The bitmap file (.bmp) is used for deriving the key to decrypt the config file | 808 – bm 6f4 – cf\r\nCommand and Control | T1219 Remote Access Software | SpyAgent’s quartz.dll uses the “Safib Assistant” | 800 - As\r\nCommand and Control | T1219 Remote Access Software | SpyAgent’s avicap32.dll uses TeamViewer | 28c - Te\r\nCommand and Control | T1071.001 Web Protocols | SpyAgent uses HTTP for command and control | \u003cC\u0026 \u003c9d hash\r\nIOC \r\n1565d137d235b65af1d1e4963ebc02eaf36cc81f870534674983bc6f67e5e274 \r\nActive Spy Agent C2: \r\n23.19.227[.]217 \r\n45.66.151[.]237 \r\n108.62.118[.]48 \r\njmai[.]ink \r\nSource: https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk"
	],
	"report_names": [
		"the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk"
	],
	"threat_actors": [
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441452,
	"ts_updated_at": 1775791583,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7ee2795065f1b61e2315fb0bbff258256c5cca8.pdf",
		"text": "https://archive.orkl.eu/a7ee2795065f1b61e2315fb0bbff258256c5cca8.txt",
		"img": "https://archive.orkl.eu/a7ee2795065f1b61e2315fb0bbff258256c5cca8.jpg"
	}
}