
Animal Farm

animal_farm · france · active since 2009

Animal Farm (the industry's canonical name, derived from the cluster's signature French-children's-cartoon malware naming convention; Communications Security Establishment Canada [CSEC] operation name "SNOWGLOBE"; malware-family-derived names Babar / Bunny / EvilBunny / Casper / Dino / NBOT / Tafacalou / TFC / Transporter) is a French state-aligned cyber-espionage cluster publicly documented as active since at least 2009. It is attributed to the General Directorate for External Security (Direction Générale de la Sécurité Extérieure / DGSE), France's external intelligence agency controlled by the French Ministry of Defense, per CSEC's "Operation SNOWGLOBE" slides, leaked through the Edward Snowden documents and published by the French newspaper Le Monde in March 2014 (CSEC assessment: French-intelligence-agency attribution with "moderate certainty").

The cluster is one of the only publicly tracked Western-government-attributed APT clusters in cybersecurity industry analysis, alongside Equation Group (NSA-attributed, curated separately) and Project Sauron / Strider (unattributed, suspected Western, curated separately). Its multi-vendor collaborative disclosure era ran from December 2014 to June 2015 across Cyphort (Marion Marschalek), ESET (Joan Calvet), G DATA (Paul Rascagnères) and Kaspersky GReAT.

Signature operational tradecraft: Babar, a Skype / MSN / Yahoo Messenger VoIP eavesdropping spyware named after the French children's TV cartoon elephant; Casper, a stealthy first-stage reconnaissance implant hosted on the compromised Syrian Ministry of Justice website in April 2014 with the Flash Player 0days CVE-2014-0515 and CVE-2014-0497; Dino, a backdoor with the ramFS custom file system, deployed against Iran in 2013; EvilBunny, a Lua-based execution-platform backdoor; and the NBOT and Tafacalou / TFC / Transporter loaders. Shared technical markers across all Animal Farm malware include hash-based API obfuscation (rotate-left 7 + XOR), antivirus detection by SHA-256 hash of the AV product's first word, the ramFS custom file system, and sandbox evasion via process name checks.

French-language signatures include the "Titi" username, the French word "arithmetique" in code, and language code 1036 (French, France) in Dino binary resources. Target categories include Iranian nuclear program intelligence (Iranian foreign ministry, Atomic Energy Organization of Iran, Iranian nuclear research institutes and universities), francophone Africa (Ivory Coast and Algeria, former French colonial geographies), the Syrian Ministry of Justice (staging compromise, April 2014), European financial institutions, government organizations, military contractors, humanitarian aid organizations, activists, journalists and media organizations.

Fills the historical Tier-4 French-DGSE-attributed Western-state-aligned APT cell in the curated corpus.

Country: France · Confidence: high · 24 aliases

Profile

Animal Farm (the industry's canonical name, derived from the cluster's signature French-children's-cartoon malware naming convention; Communications Security Establishment Canada [CSEC] operation name "SNOWGLOBE"; malware-family-derived names Babar / Bunny / EvilBunny / Casper / Dino / NBOT / Tafacalou / TFC / Transporter) is a French state-aligned cyber-espionage cluster publicly documented as active since at least 2009, attributed to the General Directorate for External Security (Direction Générale de la Sécurité Extérieure / DGSE), France's external intelligence agency controlled by the French Ministry of Defense, per the CSEC "Operation SNOWGLOBE" slides leaked through the Edward Snowden documents and published by the French newspaper Le Monde in March 2014. CSEC assessment per the leaked slides: "CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency." The cluster is one of the only publicly tracked Western-government-attributed APT clusters in cybersecurity industry analysis, alongside Equation Group (NSA-attributed, curated separately as equation_group.yaml) and Project Sauron / Strider (unattributed but suspected Western-state-aligned, curated separately).

Operational phases:
  • (1) OPERATIONAL EMERGENCE (2009-2010). Earliest documented Babar samples date to 2009-2010.
  • (2) CSEC SNOWGLOBE INTERNAL DOCUMENTATION (2011). The Canadian signals intelligence agency internally documented Animal Farm as a French-intelligence-agency-sponsored CNO operation with a "moderate certainty" attribution assessment.
  • (3) CASPER SYRIAN STAGING + SNOWDEN LE MONDE LEAK (March-April 2014). March 2014: CSEC SNOWGLOBE slides leaked by Snowden via Le Monde. April 2014: Casper distributed from the compromised Syrian Ministry of Justice website with Flash 0days.
  • (4) MULTI-VENDOR COLLABORATIVE DISCLOSURE ERA (December 2014 - June 2015). Cyphort EvilBunny (December 2014) and Babar64 (February 2015), G DATA Babar, ESET Casper (March 2015), Kaspersky GReAT canonical Animal Farm naming (March 2015) and ESET Dino (June 2015) disclosures. Convergent multi-vendor shared-developer-team attribution established.
  • (5) CONTINUED OPERATIONS POST-2015 (Limited Public Visibility). Operations continue at reduced public visibility.
Signature operational tradecraft
  • French children's cartoon malware naming convention: Babar (popular French children's TV cartoon elephant), Casper (friendly ghost cartoon), Bunny / EvilBunny; an operationally distinctive cultural signature of a French-speaking developer team.
  • Babar Skype + MSN + Yahoo Messenger VoIP eavesdropping spyware: signature audio-capture tradecraft against online conversations conducted via popular messaging platforms. Keylogging + monitoring victim internet activity.
  • Casper stealthy first-stage reconnaissance implant: profiles victims and sends detailed reports to attackers, then determines whether victim is interesting and worthy of further hacking via built-in plugin platform for additional malware deployment (Babar). Hosted on compromised Syrian Ministry of Justice website April 2014 with Flash Player 0day exploits CVE-2014-0515 + CVE-2014-0497.
  • Dino backdoor with ramFS custom file system: sophisticated backdoor with custom file system for payload persistence and droppers. Deployed against Iran in 2013.
  • EvilBunny Lua-based backdoor: execution platform for Lua scripts injected by the attacker. Operationally distinct Lua-modules tradecraft (Lua use shared only with Flame and Project Sauron / Strider in publicly-tracked malware at time of disclosure).
  • NBOT + Tafacalou loader: NBOT droppers use ramFS custom file system for persistence. Tafacalou (TFC / Transporter) is loader serving Babar and Dino.
  • Hash-based API function call obfuscation: signature shared technical tradecraft across all Animal Farm malware families, hash calculated from function name (combination of rotate-left 7 bits + XOR operations) used to look up API function address instead of using function names directly.
  • SHA-256-hash-of-AV-first-word detection tradecraft: signature antivirus detection technique shared across Casper + Bunny + Babar + NBOT.
  • ramFS custom file system: signature Animal Farm custom file system used across multiple droppers (NBOT, Dino).
  • Sandbox / virtualization evasion: Dino checks current process names against process names used by some sandboxes to avoid execution in testing environments.
  • Government-owned-website staging compromise: signature Casper Syrian Ministry of Justice deployment vector.
  • Iranian nuclear program intelligence focus: signature target category, Iranian foreign ministry, Atomic Energy Organization of Iran, Iranian nuclear research institutes and universities.
  • Francophone Africa secondary targeting: Ivory Coast + Algeria, France's former colonial-era African geographies.
  • French language signatures: "Titi" username (French diminutive of "Thierry") in code, the French word "arithmetique" ("arithmetic") in code, and language code 1036 = French (France) in binary resources.

The cluster fills the historical Tier-4 French-DGSE-attributed Western-state-aligned APT cell in this curated corpus, operationally one of the only publicly tracked Western-government-attributed APT clusters alongside Equation Group (NSA-attributed) and Project Sauron / Strider (unattributed, Western-suspected). Operationally significant for (a) rare Western-government attribution; (b) the signature French-children's-cartoon malware naming convention; (c) the Iranian nuclear program intelligence focus; (d) francophone Africa secondary targeting; (e) the Skype / MSN / Yahoo Messenger VoIP eavesdropping signature tradecraft.
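As an added illustration of the two hash-based markers listed above (rotate-left-7/XOR API hashing and SHA-256 of the AV product's first word), the following analyst helper resolves hashes recovered from a sample back to candidate names. It is example code written for this profile, not tooling from any of the cited vendors; the exact ROL7/XOR routine (zero seed, one byte folded per round) and the sample inputs are assumptions, since the page names only the operation pair.

```python
"""Resolve hashed identifiers described in Animal Farm reporting.

Added example for this profile; not from the vendors' own tooling.
Assumed: the ROL7/XOR API hash starts at 0 and folds one byte per round.
"""
import hashlib
from typing import Dict, Iterable, Optional


def rol32(value: int, bits: int) -> int:
    """Rotate a 32-bit value left by `bits` positions."""
    value &= 0xFFFFFFFF
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def rol7_xor_hash(api_name: str) -> int:
    """Assumed reconstruction of the shared 'rotate-left 7 + XOR' API hash."""
    h = 0
    for byte in api_name.encode("ascii"):
        h = rol32(h, 7) ^ byte
    return h


def av_first_word_hash(product_name: str) -> str:
    """SHA-256 of the first word of an AV product name, as the profile describes."""
    return hashlib.sha256(product_name.split()[0].encode("utf-8")).hexdigest()


def resolve_api_hashes(unknown: Iterable[int], candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Map each recovered API hash to a candidate export name, or None if nothing matches."""
    table = {rol7_xor_hash(name): name for name in candidates}
    return {h: table.get(h) for h in unknown}


def resolve_av_hashes(unknown: Iterable[str], products: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each recovered SHA-256 digest to the AV product whose first word hashes to it."""
    table = {av_first_word_hash(name): name for name in products}
    return {h: table.get(h.lower()) for h in unknown}


# Constructed sample data standing in for values recovered from a sample's hash tables.
API_CANDIDATES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"]
AV_PRODUCTS = ["Kaspersky Anti-Virus", "ESET NOD32 Antivirus", "Sophos Endpoint"]

if __name__ == "__main__":
    recovered = [rol7_xor_hash("VirtualAlloc"), 0xDEADBEEF]  # second value has no match
    print(resolve_api_hashes(recovered, API_CANDIDATES))
    # First-word hashing collapses product variants: "ESET Smart Security" resolves to the ESET entry.
    print(resolve_av_hashes([av_first_word_hash("ESET Smart Security")], AV_PRODUCTS))
```

Because only the first word is hashed, every product from one vendor collapses to a single digest, which is why a short embedded digest list suffices to recognise a vendor family.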

Aliases (24)

animal farm, animal_farm, animalfarm, animalfarm_apt, snowglobe, operation snowglobe, snowball, babar, babar64, babar spyware, evilbunny, evil bunny, bunny, casper, dino, nbot, tafacalou, tfc, dgse, general directorate for external security, french intelligence agency, animal farm france, french dgse apt, babar_evilbunny_casper_dino

Notable Campaigns (10)

  • 2015-Present: Continued Operations Post-2015 (Limited Public Visibility)
  • 2015: Cyphort Babar64 Disclosure (February 2015)
  • 2015: ESET Casper Disclosure (March 2015)
  • 2015: Kaspersky Animal Farm Canonical Naming + Dino/NBot/Tafacalou Disclosure (March 2015)
  • 2015: ESET Dino Disclosure (June 30, 2015)
  • 2014: Snowden Le Monde CSEC SNOWGLOBE Slides Leak (March 2014)
  • 2014: Casper Syrian Ministry of Justice Website Compromise Staging (April 2014)
  • 2014: Cyphort EvilBunny First Documentation (December 2014)
  • 2011: CSEC Operation SNOWGLOBE Internal Documentation (2011)
  • 2009: Animal Farm Operational Emergence (Active Since at Least 2009)

Attribution & Reporting

Attributed by
  • ESET (Joan Calvet, Paul Rascagnères)
  • Cyphort (Marion Marschalek)
  • G DATA (Paul Rascagnères)
  • Kaspersky GReAT
  • Communications Security Establishment Canada (CSEC)
  • Edward Snowden documents
  • Le Monde (French newspaper)
  • Der Spiegel (German news magazine)
  • Mandiant
  • Microsoft Threat Intelligence Center
  • CrowdStrike
  • Symantec / Broadcom Threat Hunter Team
  • SOPHOS X-Ops
  • SentinelOne / SentinelLabs
  • Trend Micro
  • Costin Raiu (Kaspersky GReAT Director)
  • Morgan Marquis-Boire (Citizen Lab)
Key reporting
  • ESET (Joan Calvet): Casper Malware, Babar and Bunny Have a Third Cousin, Another Espionage Cartoon (March 5, 2015), canonical ESET Casper disclosure
  • ESET (Joan Calvet): Dino, the latest spying malware from an allegedly French espionage group analyzed (June 30, 2015), canonical ESET Dino disclosure
  • Cyphort (Marion Marschalek): Babar64 + EvilBunny Disclosures (December 2014 + February 2015), canonical Cyphort Animal Farm cluster identification
  • G DATA (Paul Rascagnères): Babar, Espionage Software Finally Found and Put Under the Microscope (February 2015), canonical G DATA-side Babar disclosure
  • Kaspersky GReAT: Animal Farm, The Heritage of Babar (March 2015), canonical Kaspersky-side Animal Farm cluster comprehensive disclosure
  • Communications Security Establishment Canada (CSEC): Operation SNOWGLOBE Internal Slides (2011, leaked March 2014 via Le Monde), canonical Western-intelligence-community attribution of Animal Farm to a French intelligence agency
  • Edward Snowden NSA + Five Eyes Documents Leak (2013-2014): operational context for the SNOWGLOBE attribution
  • Le Monde (French newspaper): March 21, 2014 article 'Quand les Canadiens partent en chasse de Babar' (When the Canadians go hunting for Babar), canonical French-newspaper publication of the CSEC SNOWGLOBE slides
  • Der Spiegel (German news magazine): January 2015 publication of Snowden NSA + Five Eyes documents (including the SNOWGLOBE CSEC presentation)
  • Vice / Motherboard: Casper coverage with Animal Farm cluster attribution context
  • InfoSec Institute: Animal Farm APT and the Shadow of French Intelligence (cluster overview synthesis)
  • Mandiant: France-aligned cluster tracking
  • Microsoft Threat Intelligence: Western-aligned cluster tracking
  • CrowdStrike Global Threat Report: France-aligned cluster tracking
  • Symantec / Broadcom Threat Hunter Team: Animal Farm continued analysis
  • SOPHOS X-Ops: France-aligned cluster tracking
  • SentinelLabs: Western-government-attributed cluster operational analysis
  • Trend Micro: Animal Farm adjacent cluster tracking
  • MITRE ATT&CK Group G0021, Animal Farm
  • Malpedia Actor Profile: Animal Farm

Operational

State sponsor

French state-aligned cluster, attributed to the General Directorate for External Security (Direction Générale de la Sécurité Extérieure / DGSE), France's external intelligence agency controlled by the French Ministry of Defense, per the Communications Security Establishment Canada (CSEC) "Operation SNOWGLOBE" slides leaked through the Edward Snowden documents and published by the French newspaper Le Monde in March 2014. CSEC assessment per the leaked slides: "CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency." The French DGSE attribution is supported by multiple convergent evidence streams documented across the ESET, Cyphort, G DATA and Kaspersky GReAT collaborative analysis of 2014-2015:

(a) CSEC Snowden 2014 leak attribution: per Snowden's leaked CSEC slides dated 2011, CSEC assessed with moderate certainty that Operation SNOWGLOBE was a French-intelligence-agency-sponsored CNO operation. The CSEC slide leak via Le Monde in March 2014 established the canonical Western-intelligence-community attribution of the cluster to France.

(b) French children's cartoon malware naming convention: cluster malware is named after French children's TV cartoons and characters, Babar (popular French children's TV cartoon elephant character), Casper (friendly ghost cartoon), Bunny / EvilBunny, an operationally distinctive cultural signature consistent with a French-speaking developer team. Per Motherboard: "They refer to the hacking group as the 'Animal Farm' because of each malware's animal-like and cartoon-inspired names."

(c) French language code 1036 in binary resources: per ESET's Joan Calvet in the Dino analysis: "Dino's binary contains a resource whose language code value is 1036. The original purpose of this language code is to allow developers to provide resources... in the corresponding language. So, which language corresponds to the value 1036, or 0x40c in hexadecimal? French (France)." The language-code value signals a French (France) development environment.

(d) French language strings in code: the "Titi" username ("Titi" is a French diminutive of "Thierry") found in the code, and the French word "arithmetique" ("arithmetic") found in the code. Consistent with a French-speaking developer team.

(e) Multi-vendor convergent technical analysis 2014-2015: Cyphort (Marion Marschalek), ESET (Joan Calvet, Paul Rascagnères), G DATA (Paul Rascagnères) and Kaspersky GReAT published convergent analyses in 2014-2015 establishing a shared-developer-team operational identity across the Babar, Bunny / EvilBunny, Casper, Dino, NBot and Tafacalou malware families. Shared technical characteristics include hash-based API function call obfuscation (rotate-left 7 bits + XOR), the custom file system ramFS in multiple droppers, similar antivirus detection via SHA-256 hashing, and command-and-control server overlap.

(f) Target selection consistent with French strategic intelligence priorities: Iranian nuclear research institutes and universities, French foreign ministry, Atomic Energy Organization of Iran, European financial institutions, government organizations, military contractors, humanitarian aid organizations, private companies, activists, journalists and media organizations. The targets also include Ivory Coast and Algeria, France's former colonial-era African geographies, consistent with continued French strategic intelligence interests in francophone Africa. The French DGSE attribution is held at the "linked to French intelligence" / "likely French government" assessment level by major cybersecurity industry analysts.

The French Ministry of Defense has consistently declined to comment on attribution questions when contacted by journalists. The cluster is one of the few publicly tracked Western-government-attributed APT clusters in cybersecurity industry analysis, alongside Equation Group (NSA-attributed, curated separately as equation_group.yaml) and Project Sauron / Strider (unattributed but suspected Western-state-aligned, curated separately).

Motivations
france_state_aligned_intelligence_collection, french_strategic_intelligence_collection, iranian_nuclear_program_intelligence, francophone_africa_strategic_intelligence, syrian_government_intelligence_collection, european_financial_institution_intelligence, middle_east_strategic_intelligence, signals_intelligence_via_skype_msn_yahoo_messenger_eavesdropping

Detection Blind Spots (60 techniques)

Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 57/60 · 95%
  • Analytics (MITRE CAR): 26/60 · 43%
  • Runtime / container (Falco): 8/60 · 13%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan (30 techniques)

Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used (0 ATT&CK-mapped)

Other tooling / TTPs (curation, not ATT&CK-mapped):
  • SHA256 HASH AV FIRST WORD DETECTION
  • SNOWBALL
  • SYRIAN MINISTRY OF JUSTICE COMPROMISED WEBSITE STAGING

CVEs Exploited: 3
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin