{
	"id": "1a4d27b4-fa94-47a0-bc1d-9e5a82f80190",
	"created_at": "2026-04-06T00:12:51.780351Z",
	"updated_at": "2026-04-10T03:30:33.80322Z",
	"deleted_at": null,
	"sha1_hash": "d79e77f5d6af25bc91060edf2d35a3f52dc2f375",
	"title": "Remsec: Top Level Espionage Platform Covertly Extracts Encrypted Government Comms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57647,
	"plain_text": "Remsec: Top Level Espionage Platform Covertly Extracts\r\nEncrypted Government Comms\r\nBy Kaspersky\r\nPublished: 2016-08-01 · Archived: 2026-04-05 20:47:28 UTC\r\nIn September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform flagged an unusual feature in the\r\nnetwork of a client organization. The anomaly led researchers to ‘Remsec’, a nation-state threat actor\r\nattacking state organizations with a unique set of tools for each victim, making traditional indicators of\r\ncompromise almost useless. The aim of the attacks appears to be mainly cyber-espionage.\r\nRemsec is particularly interested in gaining access to encrypted communications, hunting them down using an\r\nadvanced modular cyber-espionage platform that incorporates a set of unique tools and techniques. The most\r\nnoteworthy feature of Remsec’s tactics is the deliberate avoidance of patterns: Remsec customizes its implants and\r\ninfrastructure for each individual target, and never reuses them. 
This approach, coupled with multiple routes for\r\nthe exfiltration of stolen data, such as legitimate email channels and DNS, enables Remsec to conduct secretive,\r\nlong-term spying campaigns in target networks.\r\nRemsec gives the impression of being an experienced and traditional actor that has put considerable effort into\r\nlearning from other extremely advanced actors, including Duqu, Flame, Equation and Regin; adopting some of\r\ntheir most innovative techniques and improving on their tactics in order to remain undiscovered.\r\nKey Features\r\nRemsec tools and techniques of particular interest include:\r\nUnique footprint: Core implants that have different file names and sizes and are individually built for\r\neach target – making it very difficult to detect since the same basic indicators of compromise would have\r\nlittle value for any other target.\r\nRunning in memory: The core implants make use of legitimate software update scripts and work as\r\nbackdoors, downloading new modules or running commands from the attacker purely in memory.\r\nA bias towards crypto-communications: Remsec actively searches for information related to fairly rare,\r\ncustom network encryption software. This client-server software is widely adopted by many of the target\r\norganizations to secure communications, voice, email, and document exchange. The attackers are\r\nparticularly interested in encryption software components, keys, configuration files, and the location of\r\nservers that relay encrypted messages between the nodes.\r\nScript-based flexibility: The Remsec actor has implemented a set of low-level tools which are\r\norchestrated by high-level Lua scripts. 
The use of Lua components in malware is very rare; it has\r\npreviously only been spotted in the Flame and Animal Farm attacks.\r\nhttps://www.kaspersky.com/about/press-releases/2016_remsec-top-level-espionage-platform-covertly-extracts-encrypted-government-comms\r\nPage 1 of 3\n\nBypassing air-gaps: Remsec makes use of specially-prepared USB drives to jump across air-gapped\r\nnetworks. These USB drives carry hidden compartments in which stolen data is concealed.\r\nMultiple exfiltration mechanisms: Remsec implements a number of routes for data exfiltration, including\r\nlegitimate channels such as email and DNS, with stolen information copied from the victim disguised in\r\nday-to-day traffic.\r\nGeography/victim profile\r\nTo date over 30 victim organizations have been identified, the majority of which are located in the Russian\r\nFederation. Many more organizations and geographies are likely to be affected. However, due to the nature of\r\nRemsec’s operations it's extremely hard to discover every new target.\r\nBased on our analysis, targeted organizations generally play a key role in providing state services and include:\r\nGovernment\r\nMilitary\r\nScientific research centers\r\nTelecom operators\r\nFinancial organizations\r\nForensic analysis indicates that Remsec has been operational since June 2011 and remains active in 2016. The\r\ninitial infection vector used by Remsec to penetrate victim networks remains unknown.\r\n“A number of targeted attacks now rely on low-cost, readily-available tools. Remsec, in contrast, is one of those\r\nthat relies on homemade, trusted tools and customizable scripted code. The single use of unique indicators, such\r\nas control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other\r\nmajor threat actors, is rather new. 
The only way to withstand such threats is to have many layers of security in\r\nplace, based on a chain of sensors monitoring even the slightest anomaly in organizational workflow, multiplied\r\nwith threat intelligence and forensic analysis to hunt for patterns even when there appear to be none,” said Vitaly\r\nKamluk, Principal Security Researcher at Kaspersky Lab.\r\nThe cost, complexity, persistence and ultimate goal of the operation (stealing confidential and secret information\r\nfrom state-sensitive organizations) suggest the involvement or support of a nation state.\r\nKaspersky Lab security experts advise organizations to undertake a thorough audit of their IT networks and\r\nendpoints and to implement the following measures:\r\nIntroduce an anti-targeted attack solution alongside new or existing endpoint protection. Endpoint\r\nprotection on its own is not enough to withstand the next generation of threat actors.\r\nCall in the experts if the technology flags an anomaly. The most advanced security solutions will be able to\r\nspot an attack even as it’s happening, and security professionals are sometimes the only ones who can\r\neffectively block, mitigate and analyze major attacks.\r\nSupplement the above with threat intelligence services: this will inform security teams about the latest\r\nevolution in the threat landscape, attack trends and the signs to watch out for.\r\nAnd last, but not least, since many major attacks start with a spear-phishing or other approach to\r\nemployees, make sure that staff understand and practice responsible cyber-behavior.\n\nThe full report on Remsec has been made available to customers of Kaspersky Lab APT Intelligence reporting\r\nservice in advance. 
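Of the exfiltration routes listed above, stolen data pushed out over DNS and hidden in day-to-day traffic is the one a defender can most readily hunt for in existing logs. What follows is an added example, not code from the Kaspersky report and not Remsec tooling: a detection pass over DNS query logs that groups queries by registered domain and scores each domain for the shape an exfil channel tends to take (many distinct, long, high-entropy subdomain labels and a bias toward TXT or NULL records). The log format, the sample lines, the thresholds and the allowlist are all constructed for this illustration, and the registered-domain split (last two labels) is a simplification that a real deployment would replace with the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client IP, query name, record type.
# Made-up records for this illustration, not data from the Kaspersky report.
SAMPLE_DNS_LOG = '''
2016-03-01T09:00:01Z 10.1.4.22 www.example.com A
2016-03-01T09:00:02Z 10.1.4.22 mail.example.com MX
2016-03-01T09:00:05Z 10.1.4.22 cdn.example.net A
2016-03-01T09:01:10Z 10.1.4.31 4f3a9c1e7b2d8e0f6a5c3b1d9e7f2a4c.sync-update.example.org TXT
2016-03-01T09:01:11Z 10.1.4.31 8b2e6d0a4c7f1e3b5d9a2c6e0f4b8d1a.sync-update.example.org TXT
2016-03-01T09:01:12Z 10.1.4.31 c1d5e9a3f7b2d6c0e4a8b2f6d0c4e8a2.sync-update.example.org TXT
2016-03-01T09:01:13Z 10.1.4.31 e7a1c5d9b3f7a2c6e0d4b8f2a6c0e4d8.sync-update.example.org TXT
2016-03-01T09:01:14Z 10.1.4.31 2c6e0a4d8b2f6c0e4a8d2b6f0c4e8a2d.sync-update.example.org TXT
2016-03-01T09:02:00Z 10.1.4.22 www.example.com A
'''

# Hypothetical allowlist: domains known to emit long machine-generated labels legitimately.
ALLOWLIST = {'example.net'}


def shannon_entropy(text):
    # Bits per character: random hex tops out near 4.0, hostnames and words sit well below 3.0.
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    # Simplification (assumption): registered domain = last two labels.
    # A real deployment should use the public suffix list instead.
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:]), labels[:-2]


def summarize(log_text):
    # Aggregate, per registered domain, the features a DNS exfil channel tends to show.
    acc = defaultdict(lambda: {'queries': 0, 'subdomains': set(),
                               'label_len': 0, 'entropy': 0.0, 'txt': 0})
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname, qtype = parts
        domain, sub_labels = split_qname(qname)
        d = acc[domain]
        d['queries'] += 1
        if sub_labels:
            d['subdomains'].add('.'.join(sub_labels))
            d['label_len'] += len(sub_labels[0])           # leftmost label carries the payload
            d['entropy'] += shannon_entropy(sub_labels[0])
        if qtype in ('TXT', 'NULL'):
            d['txt'] += 1
    stats = {}
    for domain, d in acc.items():
        n = d['queries']
        stats[domain] = {
            'queries': n,
            'unique_subdomains': len(d['subdomains']),
            'mean_label_len': d['label_len'] / n,
            'mean_entropy': d['entropy'] / n,
            'txt_fraction': d['txt'] / n,
        }
    return stats


def flag_exfil(stats, min_unique=5, min_len=20, min_entropy=3.0, allowlist=ALLOWLIST):
    # Flag domains where all three signals agree; the thresholds are starting points, not tuned values.
    flagged = []
    for domain, s in stats.items():
        if domain in allowlist:
            continue
        if (s['unique_subdomains'] >= min_unique
                and s['mean_label_len'] >= min_len
                and s['mean_entropy'] >= min_entropy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == '__main__':
    summary = summarize(SAMPLE_DNS_LOG)
    for domain in flag_exfil(summary):
        s = summary[domain]
        print(domain, s['unique_subdomains'], round(s['mean_label_len'], 1),
              round(s['mean_entropy'], 2), s['txt_fraction'])
```

Baseline the thresholds against the monitored network before alerting on them: CDNs, antivirus cloud lookups and some telemetry agents legitimately produce long machine-generated labels, which is what the allowlist is for, and an actor that customises everything per target will also pick its own label lengths and record types, so treat a hit as a hunting lead to pivot on (which client, which hours, what volume) rather than as a signature.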
Learn more at: http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting\r\nIndicators of compromise and YARA rules are available here.\r\nAll Kaspersky Lab products detect Remsec samples as HEUR:Trojan.Multi.Remsec.gen\r\nTo learn more about Remsec, read the blogpost on Securelist.com\r\nLearn more about how Kaspersky Lab products can protect users from this threat.\r\nSource: https://www.kaspersky.com/about/press-releases/2016_remsec-top-level-espionage-platform-covertly-extracts-encrypted-government-comms",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2016_remsec-top-level-espionage-platform-covertly-extracts-encrypted-government-comms"
	],
	"report_names": [
		"2016_remsec-top-level-espionage-platform-covertly-extracts-encrypted-government-comms"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d79e77f5d6af25bc91060edf2d35a3f52dc2f375.pdf",
		"text": "https://archive.orkl.eu/d79e77f5d6af25bc91060edf2d35a3f52dc2f375.txt",
		"img": "https://archive.orkl.eu/d79e77f5d6af25bc91060edf2d35a3f52dc2f375.jpg"
	}
}