{
	"id": "20ba9ff5-30fe-44f9-b8bf-664fdb780519",
	"created_at": "2026-04-06T00:14:08.660262Z",
	"updated_at": "2026-04-10T03:33:51.947287Z",
	"deleted_at": null,
	"sha1_hash": "dd439141a590daf110ddaa38ec8a4851c12d6a72",
	"title": "Strider cyber attack group deploying malware for espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 356670,
	"plain_text": "Strider cyber attack group deploying malware for espionage\r\nBy Warwick Ashford\r\nPublished: 2016-08-08 · Archived: 2026-04-05 17:53:14 UTC\r\nSymantec security researchers have uncovered a spying campaign by a previously\r\nunknown group using modular malware as stealthware\r\nStrider, a previously unknown group of cyber attackers, is using stealthware for cyber espionage campaigns,\r\nsecurity firm Symantec has revealed.\r\nStrider is using an advanced piece of malware called Backdoor.Remsec to spy on targets in Russia, China, Sweden\r\nand Belgium.\r\nAccording to Symantec researchers, Remsec appears to be designed for spying, with references in the code to\r\nSauron, the all-seeing antagonist in Lord of the Rings.\r\nStrider is capable of creating custom malware tools and has operated below the radar for at least five years,\r\nSymantec said.\r\nBased on the espionage capabilities of the malware and the nature of its known targets, it is possible that the group\r\nis a nation-state attacker.\r\nOther Symantec findings reveal possible links to a previously uncovered group known as Flamer because of\r\nsimilar techniques used.\r\nInvestigation revealed that one of Strider’s targets had also previously been infected by the Regin spyware, known\r\nfor its use for systematic spying campaigns.\r\nLow profile\r\nAlthough Strider is believed to have been active since at least October 2011, the group has maintained a low\r\nprofile until now. 
Its targets have been mainly organisations and individuals that would be of interest to a nation\r\nstate’s intelligence services.\r\nSymantec obtained a sample of the group’s Remsec malware from a customer who submitted it following its\r\ndetection by the company’s behavioural engine.\r\nAccording to the researchers, Remsec typically establishes a means of enabling an attacker to bypass security\r\nmechanisms, creating a back door into computer systems so login credentials and data can be stolen.\r\nhttps://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage\r\nPage 1 of 5\n\nStrider has been highly selective in its choice of targets. To date, Symantec has found evidence of infection in 36\r\ncomputers across seven separate organisations. The group’s targets include a number of organisations and\r\nindividuals in Russia, an airline in China, an organisation in Sweden, and an embassy in Belgium.\r\nModular malware\r\nThe researchers said the Remsec malware consists of modules working together as a framework that provides\r\ncomplete control over an infected computer, allowing the attacker to move across a network, exfiltrate data and\r\ndeploy custom modules.\r\nSeveral examples of Remsec use modules written in the Lua programming language. Remsec uses a Lua\r\ninterpreter to run Lua modules which perform various functions, the researchers said.\r\nModules include a loader (to open files from disk and execute them) that masquerades as a security support\r\nprovider, a host loader that decrypts and loads other Lua modules, a keylogger to record keystrokes and exfiltrate\r\nthis data, a network listener for opening a network connection based on monitoring for specific types of traffic,\r\nand an HTTP back door that includes several addresses for a command and control server.\r\nRemsec contains a number of features to help it avoid detection. 
Several components are in the form of executable\r\nbinary large objects (blobs), which are more difficult for traditional antivirus software to detect.\r\nIn addition, much of the malware’s functionality is deployed over the network, so it resides only in the computer’s\r\nmemory and is never stored on disk, which makes it harder to detect.\r\nSymantec said its researchers will continue to search for more Remsec modules and targets to build their\r\nunderstanding of Strider. In the meantime, they have compiled an indicators-of-compromise document containing\r\nfurther details to help organisations identify the threats associated with Strider in their own IT environments.\r\nSource: https://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage"
	],
	"report_names": [
		"Strider-cyber-attack-group-deploying-malware-for-espionage"
	],
	"threat_actors": [
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd439141a590daf110ddaa38ec8a4851c12d6a72.pdf",
		"text": "https://archive.orkl.eu/dd439141a590daf110ddaa38ec8a4851c12d6a72.txt",
		"img": "https://archive.orkl.eu/dd439141a590daf110ddaa38ec8a4851c12d6a72.jpg"
	}
}