{
	"id": "345e0ff4-4031-4942-9b63-8c82bb65358e",
	"created_at": "2026-04-06T02:11:58.932205Z",
	"updated_at": "2026-04-10T03:33:51.926481Z",
	"deleted_at": null,
	"sha1_hash": "cd2e0e46a08d0baed590be8986783effd73ec046",
	"title": "ProjectSauron APT On Par With Equation, Flame, Duqu",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64618,
	"plain_text": "ProjectSauron APT On Par With Equation, Flame, Duqu\r\nBy Michael Mimoso\r\nPublished: 2016-08-08 · Archived: 2026-04-06 01:54:32 UTC\r\nProjectSauron, an APT attack platform, has been used since 2011 to target critical government, financial and\r\ncommunications organizations in a number of countries.\r\nA state-sponsored APT platform on par with Equation, Flame and Duqu has been used since 2011 to spy on\r\ngovernment agencies and other critical industries.\r\nKnown as ProjectSauron, or Strider, the platform has all the earmarks of advanced attackers who covet stealth,\r\nand rely on a mix of zero-day exploits and refined coding to exfiltrate sensitive data, even from air-gapped\r\nmachines.\r\nResearchers at Kaspersky Lab and Symantec today published separate reports on ProjectSauron, and said large-scale attacks have targeted government agencies, telecommunications firms, financial organizations, military and\r\nresearch centers in Russia, Iran, Rwanda, China, Sweden, Belgium and Italy. Campaigns were still active this year,\r\nsaid researchers at Kaspersky Lab.\r\nWhile researchers still do not know how the attackers are infiltrating these critical networks, much of their activity\r\non compromised networks has been uncovered.\r\nThe attack platform, for example, is a modular framework called Remsec that, once deployed, allows for lateral\r\nmovement, data theft and the injection of more attack code. To complicate detection and attribution, the attackers\r\ncustomize artifacts used in campaigns to each target, making them less useful as indicators of compromise,\r\nKaspersky Lab said.\r\nThe platform, meanwhile, uses a Lua scripting engine to deploy the core platform and its 50 different plugins; a\r\nreference to Sauron, the evil villain in Lord of the Rings, was found in a Lua module.\r\nAnother hallmark of\r\nProjectSauron is its use of strong encryption algorithms, specifically RC6, RC5, Salsa20 and others.\r\nhttps://threatpost.com/projectsauron-apt-on-par-with-equation-flame-duqu/119725/\r\nPage 1 of 3\n\n“The actor behind ProjectSauron has a high interest in communication encryption software widely used by\r\ntargeted governmental organizations,” Kaspersky Lab said in its report. “It steals encryption keys, configuration\r\nfiles, and IP addresses of the key infrastructure servers related to the encryption software.”\r\nFor persistence, a backdoor module is registered on domain controllers as a Windows Local Security Authority\r\npassword filter, which is normally used to enforce password policies.\r\n“This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an\r\nadministrator) logs in or changes a password, and promptly harvests the password in plaintext,” Kaspersky Lab\r\nsaid in its report.\r\nMost of the implants used in the attacks work as backdoors that either install new modules or run commands.\r\nEach implant is unique, the Kaspersky Lab report said, with unique file names and sizes and missions such as\r\nstealing documents, logging keystrokes or stealing encryption keys from local and attached disks.\r\nKaspersky Lab said it found 28 command and control domains linked to 11 IP addresses in the United States and a\r\nnumber of European countries. Local CERTs and law enforcement have been notified of the attacks, Kaspersky\r\nLab said.\r\n“The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive\r\ncyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to\r\neach victim organization and never reused again. This makes traditional network-based indicators of compromise\r\nalmost useless because they won’t be reused in any other organization,” Kaspersky Lab said in its report.\r\n“Even the\r\ndiversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to\r\navoid creating patterns.”\r\nThe researchers also discovered a module that moves data from air-gapped machines via a removable USB that\r\nreserves space on an encrypted partition with its own virtual file system and two directories called “In” and “Out.”\r\n“Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected\r\nmachine,” Kaspersky Lab said in its report.\r\nTo move data off compromised networks, the attackers use common protocols such as HTTP, TCP, SMTP and\r\nothers. A plugin was also found that uses DNS to exfiltrate stolen data.\r\n“To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is\r\nwhy it is used solely to exfiltrate target system metadata,” Kaspersky Lab said in its report. “Another interesting\r\nfeature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation\r\nprogress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS-request to a\r\nspecial subdomain unique to each target.”\r\nAs for zero-day exploits, none have been discovered, Kaspersky Lab said in its report, but the means by which the\r\nattackers are moving data from air-gapped machines indicates there has to be one.\r\n“When penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable\r\nattackers to get control of the air-gapped machines. There has to be another component such as a 0day exploit\r\nplaced on the main partition of the USB drive,” Kaspersky Lab said in its report.\r\n“So far we have not found any 0-day\r\nexploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare,\r\nhard-to-catch instances.”\r\nSource: https://threatpost.com/projectsauron-apt-on-par-with-equation-flame-duqu/119725/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatpost.com/projectsauron-apt-on-par-with-equation-flame-duqu/119725/"
	],
	"report_names": [
		"119725"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441518,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd2e0e46a08d0baed590be8986783effd73ec046.pdf",
		"text": "https://archive.orkl.eu/cd2e0e46a08d0baed590be8986783effd73ec046.txt",
		"img": "https://archive.orkl.eu/cd2e0e46a08d0baed590be8986783effd73ec046.jpg"
	}
}