“Strider” Espionage Group Targets China, Russia, Europe

A sophisticated cyber espionage group that has managed to keep a low profile has been found to target organizations in Russia, China and a couple of European countries, Symantec reported on Sunday.

The threat actor, dubbed Strider by Symantec, and also known as ProjectSauron, is believed to have been active since at least 2011. Symantec analyzed one of the group’s tools, named Remsec, after a customer submitted a sample detected by its security product due to suspicious behavior.

According to researchers, Remsec is a piece of malware primarily designed for spying. The threat can open a backdoor on the infected computer, log keystrokes, steal files from the infected machine, and allow the attackers to move laterally on the network.

“Remsec contains a number of stealth features that help it to avoid detection. Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect,” Symantec researchers explained. “In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk. This also makes the malware more difficult to detect and indicates that the Strider group are technically competent attackers.”

Symantec has discovered a total of 36 infections across seven organizations in four countries, including Russian entities, a Chinese airline, an embassy in Belgium and an organization in Sweden.

Kaspersky Lab, which calls the campaign ProjectSauron, discovered that more than 30 organizations in Russia, Iran and Rwanda had been infected, noting that other Italian-speaking countries may have been hit as well. Kaspersky said that it has found cases where the malware has successfully penetrated air-gapped networks.

The malicious functionality is provided by a series of modules, each responsible for a specific task. For example, Remsec relies on a loader module, implemented as a fake Security Support Provider, to load files from the disk and execute them. The malware also includes three different backdoor modules (basic, advanced and HTTP) and a network listener.
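One defensive check that follows from the loader technique described above, as an added example that is not code from the article, Symantec or Kaspersky: Security Support Providers are registered in the "Security Packages" REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so an unexpected entry there is worth reviewing. The script parses that value out of a `reg export` of the Lsa key and reports any package name missing from a known-good baseline. The .reg text, the baseline list and the `sample_ssp` entry are all constructed for the example; the baseline is an assumption and should be recorded from a trusted host of the same Windows build, since the default package list varies by version.

```python
r"""Flag Security Support Providers (SSPs) that are not in a known-good baseline.

Added example, not from the article or the vendors it cites.  Input is the
text produced by `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the
"Security Packages" value is REG_MULTI_SZ, exported as "hex(7):" bytes that
encode NUL-separated UTF-16LE strings with a trailing empty string.
"""

LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"

# Constructed baseline (assumption): SSPs expected on the reference host.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Constructed .reg export.  The bytes spell kerberos, msv1_0, schannel, wdigest,
# tspkg, pku2u and a made-up extra package "sample_ssp" standing in for an
# entry that was not present when the baseline was recorded.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00,\
  6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,6e,00,\
  65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,00,73,00,\
  70,00,6b,00,67,00,00,00,70,00,6b,00,75,00,32,00,75,00,00,00,73,00,61,00,6d,00,\
  70,00,6c,00,65,00,5f,00,73,00,73,00,70,00,00,00,00,00
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg export.

    Lines ending in a backslash are continuation lines and are joined to the
    following line before the value is recorded.
    """
    keys = {}
    current = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
            keys[current] = {}
            continue
        if current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def decode_multi_sz(value):
    """Decode a .reg REG_MULTI_SZ value ("hex(7):xx,xx,...") into a list of strings."""
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError("not a REG_MULTI_SZ value: %r" % value[:20])
    raw = bytes.fromhex(value[len(prefix):].replace(",", ""))
    # Strings are NUL-separated UTF-16LE; the list terminator shows up as an
    # empty string, which is dropped.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def unexpected_ssps(reg_text, baseline=BASELINE_SSPS):
    """Return registered SSP names that are absent from the baseline, sorted."""
    values = parse_reg_export(reg_text).get(LSA_KEY, {})
    registered = decode_multi_sz(values.get("Security Packages", "hex(7):00,00"))
    return sorted(set(registered) - set(baseline))


if __name__ == "__main__":
    for name in unexpected_ssps(SAMPLE_REG_EXPORT):
        print("unexpected Security Package registered:", name)
```

A name outside the baseline is a lead, not a verdict: the next step is to locate the DLL the package name resolves to under System32, check its signature and hash against the published IoCs, and confirm how and when the registry value changed.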

Interestingly, the network loader, host loader and keylogger modules are written in the Lua programming language. Researchers pointed out that this is similar to Flame (Flamer), a highly sophisticated cyber weapon that has been compared to Stuxnet and Duqu. An analysis of the keylogger module also revealed that its code contains references to Sauron, the main antagonist in Lord of the Rings.

Symantec also noticed that one of Strider’s targets had been previously infected by Regin, another highly sophisticated Trojan compared to Stuxnet and used in cyber espionage operations since at least 2008. It’s worth noting that both Regin and Flame have been attributed to various governments, including the United Kingdom, the United States and Israel.

Based on its capabilities, sophistication and the nature of targets, Symantec believes Strider could also be sponsored by a nation state.

The security firm has published indicators of compromise (IoC) to help organizations detect the presence of the threat on their systems.

Related: Symantec Finds 49 New Modules of “Regin” Cyberespionage Tool

*Updated with additional details from Kaspersky Lab

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
