Connect with us

Hi, what are you looking for?


Malware & Threats

Advanced ‘StripedFly’ Malware With 1 Million Infections Shows Similarities to NSA-Linked Tools

The StripedFly malware has APT-like capabilities, but remained unnoticed for five years, posing as a cryptocurrency miner.

Qlik Sense exploited by ransomware

A highly sophisticated piece of malware posing as a cryptocurrency miner has stayed under the radar for five years, infecting more than one million devices, cybersecurity firm Kaspersky warns.

Dubbed StripedFly, the threat contains code sequences previously observed in the malware used by the threat actor known as the Equation Group, which has been linked to the US National Security Agency.

Designed as a modular framework, StripedFly can target both Windows and Linux and comes with a built-in Tor network tunnel it uses for communication with the command-and-control (C&C) server. It also has update and delivery mechanisms that rely on trusted services, including Bitbucket, GitLab, and GitHub.

“Such an approach is by no means common among APT and crimeware developers, and this notable example underscores the sophistication of this malware against the background of many others. Its functional complexity and elegance remind us of the elegant code implementing delay tolerant Equation communications networking and other libraries, reinforcing its classification as a highly advanced threat,” Kaspersky notes.

StripedFly, the cybersecurity firm says, was initially detected in 2017, when it was misclassified as a cryptocurrency miner, despite its custom EternalBlue SMBv1 exploit that allowed it to spread quietly, avoiding detection by most security solutions.

Based on the presence of PowerShell and its privileges on the system, the malware achieves persistence by modifying Windows registry or by creating scheduler tasks. Various persistence methods are used on Linux as well.

Malware components that can be offloaded are hosted as encrypted binaries on online services. While the download counts on those repositories only reflect the downloads for the latest version, Kaspersky has determined that over one million updates have been downloaded since 2017.

StripedFly’s modules provide either service or extended functionality and are responsible for storing the malware’s configuration, upgrade and uninstall operations, creating a reverse proxy, harvesting credentials and files, taking screenshots, executing processes, recording microphone input, performing reconnaissance, spreading the malware, and mining for Monero.

Advertisement. Scroll to continue reading.

Kaspersky’s analysis of the malware also revealed multiple similarities with the ThunderCrypt ransomware, such as the presence of a Tor client and multiple modules with the same functionality as StripedFly’s.

Furthermore, the security firm found similarities between StripedFly and the Equation malware, although it has identified “no direct evidence that they are related”.

According to Kaspersky, the purpose of StripedFly remains unclear. What is clear, however, is that it has all the capabilities of an advanced persistent threat, combined with those of ransomware, and that it can be used both for financial gain and espionage.

Related: Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer

Related: Mysterious Malware Uses Wi-Fi Scanning to Get Location of Infected Device

Related: Takedown of GitHub Repositories Disrupts RedLine Malware Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.