Threat Actor

Gauss

gauss · us_israel_joint_offensive_cyber_speculation · active since 2011-08

Gauss (Kaspersky's canonical name, after the mathematician Carl Friedrich Gauss, derived from the winshell.ocx banking module, per Kaspersky's August 9, 2012 Securelist disclosure by Roel Schouwenberg and the GReAT team) is a modular cyber-espionage platform with banking-trojan capability, operationally significant as the first publicly known nation-state-sponsored banking Trojan per Kaspersky's 2012 attribution.

Speculatively attributed to a US-Israel joint offensive cyber operation, coherent with the Stuxnet / Olympic Games cluster cell, per Kaspersky's "same factory" attribution (Flame-platform-derived codebase, similar modular structure, similar C&C communication system and numerous other similarities to Flame).

NPR and industry analysts speculated a US-interest mission profile of tracking Iran-Hezbollah-Syria financial transactions via the Lebanese banking system (Iran is banned from US banks, and Lebanon has a banking secrecy law, per Bilal Saab of the Monterey Institute).

Active from August-September 2011 to July 2012 (~10+ months of covert operational deployment before discovery), with the most recent variant debuting in January 2012 and the C&C infrastructure shut down in July 2012 (5 C&C servers went dark). Operational target footprint per Kaspersky cloud data of July 31, 2012: Lebanon, 1,600+ computers (primary target); Israel and the Palestinian Territory, 750 incidents combined; smaller documented incidents in the US, UAE, Qatar, Jordan, Germany and Egypt.

~2,500 infections documented by Kaspersky's cloud, with an estimated tens of thousands in total.

Signature Lebanese banking targeting: Bank of Beirut, Byblos Bank, Fransabank, EBLF, BlomBank, Credit Libanais, Citibank and PayPal (a fine-tuned, select target list distinct from criminal banking trojans). Signature mathematician-named modules: Gauss, Lagrange, Godel, Kurt (a Gödel reference) and Tailor.

Signature encrypted, USB-triggered unknown payload that Kaspersky was unable to decrypt through 2012-2026; it surgically targets a specific system configuration with a specific program installed (Kaspersky invited cryptographers, via theflame@kaspersky.com, to help crack it). Per Roel Schouwenberg: "We think this payload is a destructive one... It could be Stuxnet all over again".

Signature forensic marker: the custom Windows font Palida Narrow (Kaspersky and CrySyS Lab posted detection tools online). "White" file designation operationally referencing Lebanon (a Semitic root word meaning "white").

USB stick infection vector similar to Stuxnet.

Mozilla Firefox-compatible browser plug-in for banking credential theft; encrypted registry setting for plug-in loading (architecture similar to Duqu).

200KB mother-ship module plus 2MB full platform, compared with Flame's ~20MB modular platform (about one-third the size of Flame's main mssecmgr.ocx module).

Round-robin DNS C2 distribution, first observed in the Olympic Games cluster cell.

Cluster-cell coherence per Kaspersky's canonical attribution chain: "Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu".

Fills the 4th and final cluster completing the canonical Olympic Games / US-Israel joint cyber-operations cell in this curated corpus, cycling industry reference points across cyber-sabotage (Stuxnet), modular cyber-espionage (Flame), reconnaissance and diplomatic-venue targeting (Duqu/Duqu 2.0) and banking-trojan signals intelligence (Gauss). Industry skepticism per Robert Graham (Errata Security): "'State sponsored' is thrown around too easily without actual evidence... it could just as easily be sponsored by a Russian crime syndicate as a 'state'", though Graham acknowledged that "There is reason to believe it was more than just your normal malware in that only specific targets can decrypt a payload".

Continued industry reference status as the canonical "first publicly known nation-state sponsored banking Trojan" through the 2012-2026 period.

us_israel_joint_offensive_cyber_speculation · confidence: high · 14 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Gauss (Kaspersky's canonical name, after the mathematician Carl Friedrich Gauss, derived from the winshell.ocx banking module, per Kaspersky's canonical August 9, 2012 disclosure) is a modular cyber-espionage platform with banking-trojan capability, operationally significant as the first publicly known nation-state-sponsored banking Trojan per Kaspersky's 2012 attribution and as the 4th cluster completing the canonical Olympic Games / US-Israel joint cyber-operations cluster cell alongside its Stuxnet, Flame and Duqu siblings. Speculatively attributed to a US-Israel joint offensive cyber operation per Kaspersky's "same factory" attribution (Flame-platform-derived codebase, similar modular structure, similar C&C communication system and numerous other similarities to Flame). NPR-reported speculation: a US-interest mission profile of tracking Iran-Hezbollah-Syria financial transactions via the Lebanese banking system (Iran is banned from US banks; Lebanon has a banking secrecy law). Active from August-September 2011 to July 2012 (~10+ months of covert operational deployment before discovery), with the most recent variant debuting in January 2012 and the C&C infrastructure shut down in July 2012 (5 servers went dark). Operational target footprint per Kaspersky cloud data (July 31, 2012): Lebanon, 1,600+ computers (primary target); Israel and the Palestinian Territory, 750 incidents combined; smaller documented incidents in the US, UAE, Qatar, Jordan, Germany and Egypt. Total ~2,500 infections documented by Kaspersky's cloud, with an estimated tens of thousands in total per Kaspersky.

Signature operational tradecraft
  • First publicly known nation-state-sponsored banking Trojan (cluster-defining): a Lebanese banking system targeting profile distinct from the sibling Olympic Games cluster missions.
  • Lebanese banking targeting: Bank of Beirut, Byblos Bank, Fransabank, EBLF, BlomBank, Credit Libanais, Citibank and PayPal; a fine-tuned, select target list distinct from criminal banking trojans.
  • Flame-platform-derived codebase: per Kaspersky, the same "factory" as Flame.
  • Mathematician-named modules: Gauss, Lagrange, Godel, Kurt (a Gödel reference) and Tailor; a distinctive naming convention.
  • Encrypted, USB-triggered unknown payload (signature unresolved capability): Kaspersky was unable to decrypt it through 2012-2026; it surgically targets a specific system configuration with a specific program installed.
  • Palida Narrow custom Windows font (signature forensic marker): a distinctive Windows font installed by Gauss that serves as a detection-enabling signature.
  • "White" file designation referencing Lebanon (a Semitic root word meaning "white"): signature operational naming found in debugging information.
  • USB stick infection vector (similar to Stuxnet): "It may have been built with an air-gapped network in mind" per Roel Schouwenberg.
  • Mozilla Firefox-compatible browser plug-in: banking credential theft via the Firefox browser plug-in architecture.
  • Round-robin DNS C2 distribution: first observed in the Olympic Games cluster cell; a DNS balancing technique for distributing high workloads.
  • 200KB mother-ship plus 2MB full platform: a smaller footprint than Flame's ~20MB modular platform, about one-third the size of Flame's main mssecmgr.ocx module.
  • Cluster-cell coherence per Kaspersky's chain: "Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu." The cluster completes the 4-cluster Olympic Games / US-Israel joint cyber-operations cell in this curated corpus, operationally cycling canonical industry reference points across cyber-sabotage (Stuxnet), modular cyber-espionage (Flame), reconnaissance and diplomatic-venue targeting (Duqu/Duqu 2.0) and banking-trojan signals intelligence (Gauss).

Aliases

14 aliases:
gauss, gauss_malware, gauss_trojan, gauss_banking_trojan, winshell_ocx, lagrange_module, godel_module, kurt_module, tailor_module, palida_narrow, gauss flame platform, gauss lebanese banking trojan, first nation state banking trojan, white file designation lebanon

Notable Campaigns

9 campaigns:
  • 2012-2026 · Encrypted Unknown Payload Kaspersky Unable to Decrypt
  • 2012-2026 · Continued Industry Reference Status (2012-2026)
  • 2012 · Most Recent Gauss Variant Deployment (January 2012)
  • 2012 · Kaspersky Gauss Discovery During Flame Follow-Up (June 2012)
  • 2012 · Gauss Kaspersky Canonical Disclosure (August 9, 2012)
  • 2012 · Gauss C2 Infrastructure Shutdown (July 2012)
  • 2012 · Palida Narrow Custom Windows Font Forensic Signature
  • 2011-2012 · Lebanese Banking Targeting Signature
  • 2011 · Gauss Operation Start (August-September 2011)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical August 9, 2012 disclosure, Roel Schouwenberg and GReAT team)
  • F-Secure (Mikko Hyppönen, Flame/Gauss attribution support)
  • CrowdStrike (Dmitri Alperovitch, Kaspersky analysis support)
  • Symantec (Gauss adjacent analysis)
  • CrySyS Lab Budapest (cluster-cell coherence analysis)
  • Errata Security (Robert Graham, industry skepticism perspective)
Key reporting
  • Kaspersky GReAT: Gauss canonical disclosure (Securelist, August 9, 2012) and "Gauss: Abnormal Distribution" (PDF technical paper), the canonical Gauss disclosure
  • Kaspersky FAQ: Gauss: Nation-state cyber-surveillance meets banking Trojan (Securelist)
  • F-Secure (Mikko Hyppönen): Gauss attribution support analysis
  • CrowdStrike (Dmitri Alperovitch): Kaspersky Gauss analysis support
  • SC Media (Roel Schouwenberg quoted): Gauss trojan targets Lebanese banks, likely U.S. creation
  • Slate: Gauss malware, banking Trojan similar to Flame, Stuxnet
  • NPR: Encoding Geopolitics, Virus Infects Banks In Lebanon (August 10, 2012), canonical US-Hezbollah-Iran financial monitoring speculation
  • Dark Reading: Flame 2.0, Gauss Malware Targets Banking Credentials
  • Errata Security (Robert Graham): industry skepticism perspective
  • MITRE ATT&CK Software S0274: Gauss
  • Malpedia Software Profile: Gauss

Operational

State sponsor

Speculatively attributed to a US-Israel joint offensive cyber operation, coherent with the Stuxnet / Olympic Games cluster cell, per Kaspersky's "same factory" attribution. Per Kaspersky's August 2012 canonical disclosure: "Code references and encryption subroutines, together with the Command and Control infrastructure make us believe Gauss was created by the same 'factory' which produced Flame. This indicates it is most likely a nation-state sponsored operation." Cluster-cell-coherence attribution chain per Kaspersky: "Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu." Per Kaspersky's comparative analysis: "After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories'. All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of sophisticated malware." Per NPR's August 2012 reporting: "Kaspersky did not say which nation-state it suspected of developing the Gauss virus, but some officials have privately hinted that the United States and Israel developed the Flame and Stuxnet viruses. If the Gauss virus was developed to gather inside information on Lebanese banks, it would be consistent with a U.S. desire to monitor financial transactions carried out by the Lebanon-based Hezbollah organization." Per Bilal Saab (Monterey Institute of International Studies): "They want to see if there's money-laundering in these banks, whether Hezbollah is using them, or perhaps even the Syrian government or the Iranian government to sustain their operations." Per F-Secure's Mikko Hyppönen: "I do believe Kaspersky is correct in their estimate." Per CrowdStrike's Dmitri Alperovitch: "Kaspersky's done solid analysis and proven pretty comprehensively that the malware [Gauss] was connected to Flame." Some industry-analyst skepticism, per Robert Graham (Errata Security): "'State sponsored' is thrown around too easily without actual evidence... it could just as easily be sponsored by a Russian crime syndicate as a 'state'." However, Graham acknowledged: "There is reason to believe it was more than just your normal malware in that only specific targets can decrypt a payload." Operational mission objective: Lebanese banking system signals intelligence / financial monitoring, with a hypothesized US-interest mission profile of tracking Iran-Hezbollah-Syria money flows (Iran banned from US banks; Lebanon banking secrecy law).

Per Roel Schouwenberg (Kaspersky), quoted by SC Media: "Critical infrastructure does indeed come to mind. It's very clear the attackers put in a lot of work to obscure this payload. We think this payload is a destructive one... It could be Stuxnet all over again."

Operational discovery context, per Kaspersky: "While analyzing the Flame malware that we detected in May 2012, Kaspersky Lab experts identified some distinguishing features of Flame's modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This indicates that there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms. Based on the results of a detailed analysis of Flame, we continued to actively search for new, unknown components. A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame."

Operational target footprint (per Kaspersky Security Network data, July 31, 2012):
  • Lebanon: 1,600+ computers (highest infection rate, primary target)
  • Israel + Palestinian Territory: 750 incidents combined
  • United States, United Arab Emirates, Qatar, Jordan, Germany and Egypt: smaller documented incidents
  • Kaspersky estimated total infections likely in the tens of thousands (vs. ~2,500 documented by Kaspersky's cloud)

The cluster fills the 4th Olympic Games / US-Israel joint cyber-operations cell, completing the canonical Stuxnet + Flame + Duqu + Gauss capability cell.
Motivations
lebanese_banking_system_signals_intelligence_financial_monitoring, first_publicly_known_nation_state_sponsored_banking_trojan_capability, hezbollah_iran_syria_money_flow_tracking_speculation, flame_platform_derived_cyber_espionage_capability_extension, encrypted_usb_payload_unknown_specific_target_warhead_capability, middle_east_banking_credential_harvesting, online_banking_credential_theft_for_intelligence_collection
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
Behavioral / log (Sigma): 53/60 · 88%
Analytics (MITRE CAR): 23/60 · 38%
Runtime / container (Falco): 7/60 · 11%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Mozilla Firefox-compatible browser plug-in
  • Specific system configuration payload trigger
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin