{
	"id": "df65851a-cab3-4e64-a473-2e0d6e8e056d",
	"created_at": "2026-04-06T00:07:38.492974Z",
	"updated_at": "2026-04-10T03:33:46.227518Z",
	"deleted_at": null,
	"sha1_hash": "b2d7fb04f9d6005787765307ef99710cef752430",
	"title": "Sophisticated Spy Kit Targets Russians with Rare GSM Plugin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185031,
	"plain_text": "Sophisticated Spy Kit Targets Russians with Rare GSM Plugin\r\nBy Tara Seals\r\nPublished: 2019-10-10 · Archived: 2026-04-05 21:41:31 UTC\r\nThe Attor malware targets government and diplomatic victims with unusual tactics.\r\nA sophisticated cyberespionage platform called Attor has come to light, sporting an unusual capability for fingerprinting mobile devices as part of its attacks on government and diplomatic victims.\r\nAccording to researchers at ESET, Attor, which has flown under the radar since at least 2013, also sports a complex modular architecture and elaborate network communications utilizing Tor, making it a highly evolved threat.\r\nThe malware, researchers said, has been used in espionage campaigns as recently as this summer; however, the offensives are highly targeted, with only a few dozen victims recorded. Attor appears to go after Russian-based, Russian-speaking users, based on geographic telemetry as well as the fact that it was seen snooping on Russian applications; this includes taking screenshots of Russian instant messenger (IM) apps.\r\nESET noted that some targets are located in Eastern Europe.\r\nGSM Plugin\r\nAs far as its architecture goes, Attor hinges on a dispatcher, which serves as a management and synchronization unit; all of Attor’s capabilities are provided as plugins. This allows the attackers to customize the platform on a per-victim basis, researchers said.\r\nhttps://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/\r\nPage 1 of 3\r\nOne of Attor’s most notable modules is a GSM fingerprinting tool that ESET noted utilizes a rarely used AT command set (it’s this combined with “Tor” that gives the malware its name). AT commands, also known as the Hayes command set, were originally developed in the 1980s to command a modem to dial, hang up or change connection settings. The command set was subsequently extended, and now supports other phone devices, including mobile devices.\r\n“The commands are still in use in most modern smartphones,” ESET researchers said in a posting on Thursday. “[It’s possible] to bypass security mechanisms and communicate with the smartphones using AT commands through their USB interface. [In research], thousands of commands were recovered and tested, including those to send SMS messages, push touch events, or leak sensitive information. This … illustrates that the old-school AT commands pose a serious risk when misused.”\r\nAs for Attor’s plugin, ESET said that it seems unlikely it is targeting modern smartphone devices; it ignores devices connected via a USB port, and only contacts those connected to a network via a serial COM port.\r\n“A more likely explanation of the plugin’s main motive is that it targets modems and older phones,” according to the research. “Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor. In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”\r\nRegardless, the plugin retrieves the name of manufacturer, model number, IMEI number and software version for the mobile phone or GSM/GPRS modem, along with information on the subscriber’s carrier.\r\nESET noted that these fingerprints are likely used to tailor the deployment of additional commands to the specific devices.\r\nAside from the GSM module, other Attor plugins provide persistence, an exfiltration channel to upload files, command-and-control (C2) communication and several further spying capabilities such as audio recording.\r\nOne of the plugins is a screengrabber, which takes screenshots of social networks, email services, office software, archiving utilities, cloud storage and file sharing services, and VoIP applications and messaging services. Also targeted are applications that suggest that the attackers are specifically interested in privacy-conscious users, including TrueCrypt and other encryption/digital signature utilities, a VPN application (HMA VPN), secure mail clients (The Bat! and HushMail) and a secure web browser (Dragon).\r\nUse of Tor and Malware Timeline\r\nAttor also incorporates Tor to avoid tracking, and distributes network communications across several components to help thwart analysis.\r\n“Plugins themselves are heavily synchronized, with network communication alone being spread across four different components, each implementing a different layer,” explained researchers. “This allows the malware to communicate with its FTP C\u0026C server, which resides on an onion domain. Tor is used for communication, aiming for anonymity and untraceability, and the overall setup makes it impossible to analyze the communication unless all pieces of the puzzle have been collected.”\r\nThat’s one of the reasons that ESET wasn’t able to uncover the full operation timeline, nor how the malware initially entered the victim organizations. The analysis did show that Attor has been active in two waves: one in 2013 (only detected this year); and another that began in 2018 and continued through July.\r\nNonetheless, the campaign – and the actors behind it – bear watching, the firm warned: “We were not able to recover the full operation timeline, nor the initial access vector. The versioning information in the plugins suggests there are other plugins that we have not yet seen. However, our research provides a deep insight into the malware, and suggests that it is well worth further tracking of the operations of the group behind this malware.”\r\nSource: https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/"
	],
	"report_names": [
		"149095"
	],
	"threat_actors": [
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2d7fb04f9d6005787765307ef99710cef752430.pdf",
		"text": "https://archive.orkl.eu/b2d7fb04f9d6005787765307ef99710cef752430.txt",
		"img": "https://archive.orkl.eu/b2d7fb04f9d6005787765307ef99710cef752430.jpg"
	}
}