{
	"id": "8763a44e-8d6f-4611-af17-41bea779abeb",
	"created_at": "2026-04-06T00:11:05.389574Z",
	"updated_at": "2026-04-10T03:33:46.24385Z",
	"deleted_at": null,
	"sha1_hash": "bd913baa7dd3307073d76fba67d2b9a62b63fac8",
	"title": "New espionage malware found targeting Russian-speaking users in Eastern Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43011,
	"plain_text": "New espionage malware found targeting Russian-speaking users in Eastern Europe\r\nBy Catalin Cimpanu, Contributor, Oct. 10, 2019 at 6:33 a.m. PT\r\nArchived: 2026-04-05 17:25:26 UTC\r\nSecurity researchers have discovered an advanced malware strain that's been deployed to spy on diplomats and Russian-speaking users in Eastern Europe.\r\nThe malware, named Attor, has been used in attacks since 2013 but was only discovered last year, according to an ESET report published today.\r\nESET said the malware bears the signs of a targeted espionage campaign perpetrated by a skilled actor, with a very narrow focus on a small selection of targets.\r\nTargeting diplomats and Russian-speaking users\r\nAn analysis of the malware and its features shows that Attor's creators specifically designed it to target Russian-speaking users.\r\n\"Our conclusion is that Attor is specifically targeting Russian-speakers, which is further supported by the fact that most of the targets are located in Russia,\" said ESET malware analyst Zuzana Hromcová.\r\n\"Other targets are located in Eastern Europe, and they include diplomatic missions and governmental institutions,\" she added.\r\n[Figure: attor-countries.png. Image: ESET]\r\nFurthermore, the theory that this malware was designed to target Russian users first and foremost is supported by some of Attor's features, which include the targeting of popular Russian apps and services -- such as the social networks Odnoklassniki and VKontakte, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, email clients Yandex and Mail.ru, and payment system WebMoney.\r\nAttor was designed by skilled malware coders\r\nIn addition, the ESET report paints a pretty clear picture that Attor is not your run-of-the-mill malware. The malware uses a highly modularized architecture and is designed around a central component, called a dispatcher.\r\nhttps://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/\r\nPage 1 of 3\r\nThis is not strange, as most malware uses a modularized structure. However, Attor shows its sophistication by the use of encryption to hide the modules, something seen only on very rare occasions, and in malware strains usually developed by nation-state hacker groups.\r\n\"Attor's plugins are delivered to the compromised computer as DLLs, asymmetrically encrypted with RSA,\" Hromcová said. \"The plugins are only fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain Attor's plugins, and to decrypt them without access to the dispatcher.\"\r\nOver the course of the past year, Hromcová and other ESET researchers have spent months toiling over Attor to decipher its secrets. Eventually, they had a breakthrough.\r\n\"We were able to recover eight of Attor's plugins,\" she said.\r\nThe Slovak researcher said they found a module for taking screenshots, one for recording audio, one to upload files to a remote server, one for setting up a SOCKS proxy to disguise its traffic, a keyboard and clipboard logger, an installer watchdog, a device monitor, and a module to support communications via the Tor network.\r\n[Figure: attor-structure.png. Image: ESET]\r\nThe GSM fingerprinting module\r\nOf all the plugins, by a very wide margin, the most interesting one was the module that performed device monitoring.\r\nThis module, found in many other malware strains, usually works by creating a fingerprint of devices a user connects to a computer or laptop. For example, POS malware uses similar modules to detect when certain types of devices are connected, so they can watch for incoming data streams that may contain payment card data.\r\nOther malware strains use similar modules to detect when users plug in a USB thumb drive, to plant malware-laced files on its storage.\r\nHowever, Attor's device monitor module was specifically designed to detect when users connected modems and older phones to their devices. When this happened, Attor would collect info about the files present on each device.\r\n\"[This module] is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft,\" Hromcová said.\r\nBut there was more. Attor's device monitoring module also included a very strange function that used ancient AT commands to fingerprint GSM-capable devices.\r\n\"Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with the device, via the associated serial port,\" Hromcová said.\r\nAT commands were developed in the 80s as a way to control early versions of internet modems. They are still supported today, even on modern high-end smartphones -- all of which come with modems to be able to connect to a telco provider's LTE network.\r\nThe Attor device monitor module used these ancient commands to determine when targets were connecting GSM equipment to their computers.\r\nBut here's the catch. The Attor gang was completely ignoring modern smartphones connected via USB. Stealing or planting malware on smartphones via the USB port would have been much easier than using AT commands via old serial ports.\r\nMalware targeting spies?\r\nESET speculates that Attor's creators specifically created this module to target users who employed older mobile handsets -- or even a custom GSM-capable platform used by one of their targets.\r\n\"In this scenario, it is possible the attackers have learned about the victim's use of these devices using some other reconnaissance techniques,\" Hromcová said.\r\nMany diplomatic and intelligence operations use custom GSM-capable platforms for secure communications -- showing just how targeted this malware really was.\r\nWhile ESET didn't provide any thoughts on who might have developed and deployed Attor, it is clear that this malware was used by some of the world's most sophisticated espionage players.\r\nMore in ESET's 32-page Attor report [PDF].\r\nSource: https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/"
	],
	"report_names": [
		"new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775792026,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd913baa7dd3307073d76fba67d2b9a62b63fac8.pdf",
		"text": "https://archive.orkl.eu/bd913baa7dd3307073d76fba67d2b9a62b63fac8.txt",
		"img": "https://archive.orkl.eu/bd913baa7dd3307073d76fba67d2b9a62b63fac8.jpg"
	}
}