{
	"id": "4b525a12-a2a8-41ea-bdd1-c3371d1b276c",
	"created_at": "2026-04-06T01:32:34.882658Z",
	"updated_at": "2026-04-10T03:33:01.53345Z",
	"deleted_at": null,
	"sha1_hash": "bdc54b0b77bff81ab4e9d45574c3f98777fb9701",
	"title": "Uroburos - highly complex espionage software with Russian roots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35425,
	"plain_text": "Uroburos - highly complex espionage software with Russian roots\r\nBy MN\r\nPublished: 2016-11-25 · Archived: 2026-04-06 00:40:40 UTC\r\nUroburos is a rootkit composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably files) and it is also able to capture network traffic. Its modular structure allows it to be extended with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos' driver part is extremely complex and is designed to be very discreet and very difficult to identify.\r\nTechnical complexity suggests connections to intelligence agencies\r\nThe development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as can be inferred from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.\r\nUroburos is designed to work in peer-to-peer mode, meaning that infected machines communicate among each other, commanded by the remote attackers. By commanding one infected machine that has an Internet connection, the malware is able to infect further machines within the network, even those without an Internet connection. It can spy on each and every infected machine and manages to send the exfiltrated information back to the attackers by relaying this exfiltrated data through infected machines to one machine with an Internet connection. This malware behavior is typical for propagation in networks of huge companies or public authorities. 
The attackers expect that their target does have computers cut off from the Internet and use this technique as a kind of workaround to achieve their goal.\r\nUroburos supports 32-bit and 64-bit Microsoft Windows systems. Due to the complexity of this malware and the supposed spying techniques used by it, we assume that this rootkit targets governments, research institutes and/or big companies.\r\nRelation to Russian attack against U.S. suspected\r\nDue to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ. Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied to the authors of Agent.BTZ.\r\nAccording to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.\r\nhttps://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots\r\nPage 1 of 2\n\nProbably undiscovered for at least three years\r\nThe Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this environment. The oldest driver we identified was compiled in 2011, which means that the campaign remained undiscovered for at least three years. 
\r\nInfection vector still unknown\r\nAt the current stage of the investigations it is unknown how Uroburos initially infiltrates high profile networks. Many infection vectors are conceivable, e.g. spear phishing, drive-by infections, USB sticks, or social engineering attacks.\r\nSource: https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots"
	],
	"report_names": [
		"23968-uroburos-highly-complex-espionage-software-with-russian-roots"
	],
	"threat_actors": [
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439154,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdc54b0b77bff81ab4e9d45574c3f98777fb9701.pdf",
		"text": "https://archive.orkl.eu/bdc54b0b77bff81ab4e9d45574c3f98777fb9701.txt",
		"img": "https://archive.orkl.eu/bdc54b0b77bff81ab4e9d45574c3f98777fb9701.jpg"
	}
}