{
	"id": "a366cd81-d2b8-48a6-8bf4-323c3eb0ccb4",
	"created_at": "2026-04-06T00:13:58.564034Z",
	"updated_at": "2026-04-10T03:26:23.64238Z",
	"deleted_at": null,
	"sha1_hash": "acb87ce03e22ded232cafbbb677afe5724362370",
	"title": "TeamSpy – Obshie manevri. Ispolzovat' tolko s razreshenija S-a – CrySyS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45407,
	"plain_text": "TeamSpy – Obshie manevri. Ispolzovat' tolko s razreshenija S-a –\r\nCrySyS Blog\r\nPublished: 2013-03-20 · Archived: 2026-04-05 14:27:57 UTC\r\nThe CrySyS Lab, Budapest has been notified by the Hungarian National Security Authority (www.nbf.hu) about\r\nthe detection of an ongoing high profile targeted attack affecting our home country, Hungary. During our\r\ninvestigation of the incident, we discovered a number of C\u0026C servers, and a large number of malware samples\r\nthat have been used in multiple attack campaigns in the last couple of years. Indeed, the collected evidence\r\nsuggests that part of the attack toolkit we discovered was used back in 2010. It seems that the main objective of the\r\nattackers was information gathering from the infected computers. Many of the victims appear to be ordinary users,\r\nbut some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered\r\nour investigation. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we\r\nnamed the entire malicious toolkit TeamSpy.\r\nWe detail the findings in our technical report.\r\nAs mentioned above, a distinct feature of the attack is the abuse of the legitimate TeamViewer remote access tool.\r\nThe attackers install an original, legitimate TeamViewer instance on the victim computer, but they modify its\r\nbehavior with DLL hijacking, and they obtain remote access to the victim computers in real-time. Therefore, the\r\nattackers are not only able to remotely observe the infected computers, but they can also misuse TeamViewer to\r\ninstall other tools to obtain important information, files, and other data from the victim.\r\nThe collected evidence suggests that attacks have been carried out in multiple campaigns. In addition to the\r\nTeamViewer based campaigns, we also saw signs indicating a number of older attacks based on proprietary\r\nmalware with C\u0026C server based control. We estimate the number of distinct campaigns to be in the order of tens.\r\nThe activities of the attackers might be related to other known attack campaigns, like the TeamBot/Sheldor\r\ncampaign (banking cyber-crime), as we describe later in this document. Despite this relation to cyber-crime\r\nactivities, we believe TeamSpy has been used in high-profile targeted attacks too. This is underpinned by the\r\nfollowing observations:\r\n• In the case of the Hungarian incident, the signs clearly show that the target is high-profile.\r\n• Some malware samples were created just for the retrieval of specific office documents (see the analysis of\r\nmodule 2016_11.txt below) whose names (e.g. “gaza tunnel”) indicate that the target is probably high-profile.\r\n• The telemetry revealed additional high-profile victims outside Hungary. Indeed, multiple victims were found in\r\nIran, including victims at http://www.sashiraz.co.ir, which is an electronics company with government\r\nbackground. The possible date of infection for this victim is from 2010.\r\n• Some tools used by the attackers run traceroute to an unknown host on a subnet, where some other hosts belong\r\nto the Ministry of Foreign Affairs of Uzbekistan.\r\n• Some tools used in the attacks look for files matching the following templates: saidumlo secret.* секрет.*\r\nпарол.* .xls *.pdf *.pgp *pass.* *.rtf *.doc. This list shows the interest of the attackers in “secret” and “password”\r\ndocuments. In addition, the attackers’ interest in .pgp and .p12 files indicates that they were looking not only for\r\npasswords, but also for cryptographic keys, which goes beyond attacks against ordinary users.\r\nDuring our investigation, we uncovered a large set of malware samples that were probably utilized back in the\r\npast; hence, our analysis can also shed light on older malware campaigns and might help victims to reveal\r\nincidents that are several years old. Therefore, the information disclosed in this report could be used to perform a\r\nlongitudinal study of targeted malware attacks.\r\nWhile the identity of most of the victims could not be revealed, we have information on some high-profile victims,\r\ne.g.:\r\n11/2012: Hungarian high profile governmental victim.\r\n03/2013: Embassy of NATO/EU state in Russia\r\n04/2010: Electronics company in Middle-East, Govt. background\r\n03/2013: Multiple research/educational organizations in France and Belgium\r\n03/2013: Industrial manufacturer in Russia\r\nPlease read the detailed technical report.\r\nSource: https://blog.crysys.hu/2013/03/teamspy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.crysys.hu/2013/03/teamspy/"
	],
	"report_names": [
		"teamspy"
	],
	"threat_actors": [
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775791583,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acb87ce03e22ded232cafbbb677afe5724362370.pdf",
		"text": "https://archive.orkl.eu/acb87ce03e22ded232cafbbb677afe5724362370.txt",
		"img": "https://archive.orkl.eu/acb87ce03e22ded232cafbbb677afe5724362370.jpg"
	}
}