Skip to main content
  1. Home
  2. Computing
  3. News

Powerful malware infected governments in Russia, Iran, and Rwanada, stayed hidden for five years

Add as a preferred source on Google

An incredibly sophisticated piece of malware infected government computers in Russia, Iran, and Rwanda, and evaded detection for five years. The malware, called “ProjectSauron” by Kaspersky and “Remsec” by Symantec, has been active since 2011, or longer, infecting computers on the computers of government entities, military operations, research institutions, banks, and telecommunication companies.

The malware used all kinds of tricks to stay hidden, including living mostly in system memory. But a huge part of ProjectSauron’s success, Ars Technica is reporting, is the virus’ ability to avoid leaving patterns.

Recommended Videos

“The attackers clearly understand that we as researchers are always looking for patterns,” a Kaspersky report said. “Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.”

This pattern avoidance is crucial to the malware’s success, and also downright impressive. For example: executables had different names on different machines, all of them designed to look innocuous. Here are a few example filenames from Kaspersky’s report:

Vendor that uses similar filenames Disguised malware filename
Kaspersky Lab kavupdate.exe, kavupd.exe
Symantec SsaWrapper.exe, symnet32.dll
Microsoft KB2931368.exe
Hewlett-Packard hptcpprnt.dll
VmWare VMwareToolsUpgr32.exe

As you can see, the malware took on seemingly mundane filenames that users would not find out-of-place.

But things get even crazier. This malware had a plugin system, meaning custom Lua code could be configured to grab data from specific machines. There are 50 different kinds of plugin possible.

The malware can infect computers in a number of different ways. Even if a target is air-gapped, the malware can hop over on USB drives.

Information can be gleaned from targets in all sorts of different ways too, some of them quite novel. For example: the malware has been shown to send metadata over DNS.

What’s the point of all this? According to Kaspersky, the malware is “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks.”

What isn’t known is who made this malware. The sophistication suggests a state sponsor, but nothing can be said for sure at this point. We’ll be watching closely as security researchers try to learn more.

Justin Pot
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
macOS clipboard app Maccy has a fake out there stealing passwords
PamStealer malware is disguising itself as Maccy to target Mac users
Depicting of the Maccy clipboard app for macOS on a laptop with letters inb the background.

A fake version of Maccy, a popular clipboard manager for macOS, is being used to deliver a newly discovered Mac malware strain called PamStealer. Researchers at Jamf say the malware impersonates the real open-source app, but its actual purpose is to steal data and capture a victim’s login password.

PamStealer arrives as a disk image containing an AppleScript file that impersonates Maccy. Once the user opens that file, macOS launches it in Script Editor, where the on-screen instructions tell them to press Command-R. To someone expecting a normal app installer, that may look like an odd setup step. In reality, that action runs hidden malware code and starts the attack.

Read more
A new technology teaching drones to feel pain could stop your self-driving car from harming itself
Drones first, autonomous cars next. A pain-sensing system that detects failure before it happens has real stakes for self-driving vehicles.
Transportation, Vehicle, Car

When you sprain your ankle in the middle of a run, your body sends a pain signal to your brain, forcing you to stop. Essentially, the ability to sense pain stops you from pushing through the injury and causing further self-harm.

Researchers at Delft University of Technology and Wageningen University have applied this exact concept to drones, giving them a digital equivalent of a nervous system that recognizes a faulty part and triggers a pain-like warning signal. What's even more interesting is that the technology could find use in self-driving cars.

Read more
Claude Fable 5 is leaving subscriptions, but maybe not for good
High demand is pushing Claude Fable 5 out of subscriptions for now
Claude Fable 5 and Claude Mythos 5 Official Render

Anthropic’s most advanced publicly available Claude model is still leaving standard subscription access after July 7, but the company is now trying to calm fears that the move is permanent.

Fable 5 recently returned to Claude after drawing scrutiny from the U.S. government. Anthropic said it would be included on Pro, Max, Team, and select Enterprise plans for up to 50% of weekly usage limits through July 7. After that date, the model is set to move to usage-credit billing, meaning users will pay for access outside their regular plan limits.

Read more