{
	"id": "8667fe89-0258-4b84-b07a-b811df589ee1",
	"created_at": "2026-04-06T00:20:13.092111Z",
	"updated_at": "2026-04-10T03:28:35.419448Z",
	"deleted_at": null,
	"sha1_hash": "d8a7f3e9b28c9e0247e4f86d87e50dc8d57589a0",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 608980,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 20:29:05 UTC\r\nContributor: Yi Li\r\nA group of attackers, which we call Scarab, has been performing highly targeted attacks against particular\r\nRussian-speaking individuals both inside and outside of Russia since at least January 2012. In each campaign, the\r\nattackers typically target a small number of individuals—rather than enterprises or governments—using economic,\r\nmilitary, topical, or generic lures. On average, fewer than ten unique computers are infected per month and there is\r\nno indication that the attackers are trying to spread through the victim’s local network, suggesting that Scarab’s\r\ncampaigns are extremely targeted in nature.\r\nMany of Scarab’s campaigns focus on distributing the group’s custom malware (Trojan.Scieron and\r\nTrojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of\r\nolder vulnerabilities that have already been patched by vendors. If the attackers successfully compromise the victims’\r\ncomputers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the\r\ncomputer. Trojan.Scieron.B has a rootkit-like component that hides some of its network activity and features\r\nenhanced back door functionality.\r\nWho are the Scarab attackers?\r\nBased on our research, the Scarab attackers are a technically capable group, judging by how they have custom-developed several malicious tools for these campaigns. 
However, they are not highly skilled or well resourced, as\r\nthey rely on older exploits and executables stored in compressed archives to distribute their threats.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363\r\nPage 1 of 6\n\nThere are some indications (based on language resources) that the attackers are familiar with Chinese-language\r\ncharacters, and they seem to mostly target Russian speakers located in Russia and other regions around the world.\r\nFigure 1. Scarab victims based on Symantec telemetry\r\nThe group conducts command-and-control (C\u0026C) operations almost exclusively through the use of dynamic\r\ndomain name system (DNS) domains. The C\u0026C servers are usually hosted in South Korea; however, there have\r\nbeen instances where servers were located in other countries.\r\nFor the majority of 2012, there was not much information about Scarab’s victims. However, from October 2012, a\r\nnumber of emails used by Scarab were blocked by Symantec .Cloud. All of the emails were sent from @yandex.ru\r\nemail addresses.\r\nEarly attacks\r\nOn October 29, 2012, an email with the Russian-language subject “Экспериментальное определение\r\nэффективно” was sent to two individuals working for a large retail organization. Translated to English, the\r\nemail’s subject is “Experimental definition is effective.”\r\nThese emails contained Microsoft Word attachments that triggered an exploit taking advantage of the Microsoft\r\nWindows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). Once\r\ntriggered, the exploit dropped a copy of Trojan.Scieron onto the victim’s computer. 
The attackers continued to\r\nintermittently send emails with .doc malware droppers until August 2013.\r\nOn January 22, 2013, the Scarab attackers sent an email with the English-language subject “Joint Call For Papers -\r\nConferences / Journal Special Issues, January 2013” to two individuals. The attackers sent the message to email\r\naccounts associated with an Australian-funded academic research project that had concluded in 2010. It is possible\r\nthat the researchers were continuing to use the email accounts for unrelated topics and this was why the attackers\r\nchose to target them. Seven days later, another email was sent to the same two individuals, this time with a\r\nRussian-language subject of “Информация по обслуживанию высвобожденны,” which translates to “Service-related information are released” (sic).\r\nG20 summit focus\r\nFrom this point on, at least until January 2014, the attackers moved to finance-related lures and targets. In\r\nApril, the attackers sent an email with the subject “G20 receives clean bill of health at Boao” to a European\r\ngovernment target.\r\nIn August, they sent another email to six people working for an international economic organization. This email\r\nhad the Russian-language subject “G20 на 2013 г,” which translates to “G20 for 2013.”\r\nIn August, a final G20-related email was sent to two individuals working in the Economic Ministry of a European\r\ngovernment. That email had the English-language subject “About G20 details.”\r\nRussian news lures\r\nThere were no further emails discovered and no active infections detected until January 2014, when Scarab’s\r\nactivity resumed; it has continued to the present. From that month on, the attackers have been using “.scr” files to drop\r\nTrojan.Scieron. 
The titles of these .scr files are usually in Russian, and are a hint as to the nature of the targets. It’s\r\nvery likely that the .scr files are being delivered by email; however, this has not been confirmed. It is also likely,\r\nthough again unconfirmed, that the .scr files are embedded in .rar files.\r\nOne example of the group’s malicious .scr file names is “Россия к 2016 году проведет испытания газовых\r\nтурбин для военных кораблей.” This translates to “Russian Federation to 2016 will test gas turbines for\r\nwarships.” The title comes from an article, published in June 2014, on a Russian media website.\r\nFigure 2. The attackers used the titles of news articles from a Russian media site for their malicious files’ names\r\nAnother more recent file name was “план работы на июнь 2014 года.doc.scr” which translates to the quite\r\ngeneric “work plan for June 2014 year.doc.scr.”\r\nLooking at the total number of infections per country in Figure 1 based on Symantec telemetry, it’s clear that\r\nRussia, or at least Russian speakers, are the primary targets of the Scarab attackers, although non-Russian\r\nspeakers have been targeted as well.\r\nScarab’s malware\r\nIn all of these campaigns, the attackers have attempted to compromise victims’ computers with a variant of\r\nTrojan.Scieron. This is a basic back door threat that is used to download additional malware onto the target’s\r\ncomputer.\r\nThe main payload of Trojan.Scieron is within a DLL file. 
This file is dropped either from a Trojanized Microsoft\r\nWord document or from other PE files.\r\nOnce the Trojan compromises the victim’s computer, it is able to perform the following actions:\r\nGather system information, such as the computer name, host name, operating system version, and drive type\r\nDownload additional files\r\nExecute files\r\nRetrieve specific files from the victim’s computer\r\nList directories\r\nDelete files\r\nMove files to other folders\r\nIn most of the investigated incidents, Trojan.Scieron has been used to download an enhanced version of itself,\r\nwhich Symantec detects as Trojan.Scieron.B. This threat includes a basic ‘rootkit-like’ tool which hides some of\r\nits network activity.\r\nTrojan.Scieron.B’s file names seen to date are usually seclog32.dll (back door) and hidsvc.dat (rootkit). The back\r\ndoor’s functionality includes the following features:\r\nCreate, list, and terminate processes\r\nRead, set, and delete registry entries\r\nRead, write, list, and delete files and directories\r\nGather cached URLs\r\nLaunch remote shell\r\nGather recent active files\r\nRetrieve details from its configuration file\r\nTrojan.Scieron.B’s ‘rootkit’ functionality allows it to hide a Transmission Control Protocol (TCP) port in\r\ncommunications.\r\nSymantec and Norton protection\r\nThe Scarab attackers have been consistently targeting a select number of victims with custom malware over the\r\nlast few years. While the group uses older exploits, their campaigns seem to have had some success, judging by\r\nhow they have continued to operate similar campaigns over the years. 
The attackers’ focus on Russian speakers\r\nshows that they have specific targets in mind and they continue to adjust the subject of their email campaigns to\r\nsuccessfully compromise their victims.\r\nSymantec .Cloud blocks emails that come from the Scarab attackers. Symantec and Norton products also offer the\r\nfollowing detections against Scarab’s custom malware:\r\nTrojan.Scieron\r\nTrojan.Scieron.B\r\nIn general, you should adhere to the following best practices to prevent Scarab’s attacks from compromising your\r\ncomputer:\r\nExercise caution when receiving unsolicited, unexpected, or suspicious emails.\r\nAvoid clicking on links in unsolicited, unexpected, or suspicious emails.\r\nAvoid opening attachments in unsolicited, unexpected, or suspicious emails.\r\nUpdate the software, operating system, and browser plugins on your computer to prevent attackers from\r\nexploiting known vulnerabilities.\r\nUse comprehensive security software, such as Norton Security, to protect yourself from malware.\r\nIndicators of compromise (IoC)\r\nFor a full list of IoCs, please check out our indicators of compromise document.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363"
	],
	"report_names": [
		"viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8a7f3e9b28c9e0247e4f86d87e50dc8d57589a0.pdf",
		"text": "https://archive.orkl.eu/d8a7f3e9b28c9e0247e4f86d87e50dc8d57589a0.txt",
		"img": "https://archive.orkl.eu/d8a7f3e9b28c9e0247e4f86d87e50dc8d57589a0.jpg"
	}
}