
Project Sauron / Strider

project_sauron_strider · suspected_state_aligned_unattributed · active since 2011-06

Project Sauron / Strider (canonical Kaspersky GReAT naming "ProjectSauron" / "Project Sauron", taken from an internal Lua script reference to the LotR antagonist; canonical Symantec naming "Strider"; malware family naming Remsec) is an unattributed cyber-espionage cluster universally assessed as state-sponsored. It operated approximately five years undetected, from June 2011 until its September 2015 detection by Kaspersky's KATA anti-targeted-attack platform, with simultaneous canonical disclosures published by Kaspersky GReAT and Symantec on August 8, 2016.

Eugene Kaspersky has publicly implied U.S. attribution, grouping the cluster alongside Equation Group and the CIA-linked Lamberts, though no formal attribution has been established, and target selection (Russia, China, Iran, Sweden, Belgium, Rwanda, possibly Italian-speaking countries) complicates straightforward single-state attribution.

Kaspersky GReAT and Symantec categorize the cluster alongside Duqu, Flame, Equation Group, and Regin as a "top-of-the-top modular cyber-espionage platform", operationally one of the most sophisticated state-aligned offensive cyber operations clusters in publicly-tracked industry analysis.

Signature operational tradecraft: unique implants per individual target, never reused (rendering standard IOC-based detection ineffective), with 28 documented domains linked to 11 IPs in the US and Europe, all unique per victim; memory-only Binary Large Object (BLOB) execution; a modular Lua-scripted platform (Lua use shared only with Flame and Animal Farm at the time of disclosure); Windows LSA password-filter persistence on domain controllers; multi-algorithm encryption (RC6, RC5, RC4, AES, Salsa20); multi-channel C2 (ICMP, PCAP, raw sockets, named pipes, HTTP, DNS, legitimate email); signature USB-based air-gap data exfiltration via an encrypted partition with "In"/"Out" virtual directories; and comprehensive intelligence-collection plugins (screen capture, audio recording, keylogging, encryption-key collection, certificate theft).

~30-40 documented victims across Kaspersky (30+ in Russia/Iran/Rwanda) and Symantec (36 computers across 7 organizations); operationally distinctive pre-emptive disinfection in response to research-community attention before public disclosure, per Symantec's Vikram Thakur.

Lua-module tradecraft gives the cluster an operational lineage to Flame, and one Strider victim had previously been infected by Regin. Post-disclosure operational cessation since late 2016, with no observed continuation. The cluster fills the historical Tier-4 unattributed-state-aligned, ~5-year-undetected APT cell in the curated corpus.

Attribution: suspected_state_aligned_unattributed (confidence: high) · 11 aliases · MITRE ATT&CK G0041
Sigma rules: 200 · YARA rules: 25 · Live IOCs: 0 · CVEs exploited: 0

Profile

Project Sauron / Strider (canonical Kaspersky GReAT naming "ProjectSauron" / "Project Sauron", taken from an internal Lua script reference to the LotR antagonist; canonical Symantec naming "Strider"; malware family naming Remsec / Backdoor.Remsec / HEUR:Trojan.Multi.Remsec.gen) is an unattributed cyber-espionage cluster universally assessed as state-sponsored. It operated approximately five years undetected, from June 2011 until its September 2015 detection by Kaspersky's KATA anti-targeted-attack platform, with canonical disclosures published simultaneously by Kaspersky GReAT and Symantec on August 8, 2016. Kaspersky GReAT and Symantec categorize the cluster alongside Duqu, Flame, The Equation Group, and Regin as a "top-of-the-top modular cyber-espionage platform", operationally one of the most sophisticated state-aligned offensive cyber operations clusters in publicly-tracked cybersecurity industry analysis. Eugene Kaspersky has publicly implied U.S. attribution alongside Equation Group and Lamberts, though no formal attribution has been established. Target selection (Russia, China, Iran, Sweden, Belgium, Rwanda, possibly Italian-speaking countries) complicates straightforward single-state attribution.

Operational phases:

(1) OPERATIONAL EMERGENCE (June/October 2011). Forensic analysis indicates the earliest documented operations in June 2011 (Kaspersky) / October 2011 (Symantec). The operational tradecraft pattern was established here: unique implants per individual target, never reused; a modular Lua-scripted platform; extensive multi-algorithm encryption (RC6, RC5, RC4, AES, Salsa20); and Binary Large Objects (BLOBs) residing only in memory.

(2) FIVE-YEAR-UNDETECTED OPERATIONS (2011-2016). The cluster's most distinctive pattern: undetected operations for approximately five years, enabled by deliberate avoidance of IOC reuse and memory-only payload residence.

(3) KATA DETECTION (September 2015). Kaspersky's KATA caught a suspicious password-filter module on a Windows domain controller in a client organization. The "SAURON" string in a Lua script led to the canonical Kaspersky naming.

(4) PRE-EMPTIVE DISINFECTION RESPONSE (2016). Per Symantec's Vikram Thakur, the attackers began uninstalling their malware from all known victims before public disclosure, suggesting either pre-disclosure operational signals or extreme operational-security discipline.

(5) CANONICAL PUBLIC DISCLOSURES (August 8, 2016). Simultaneous Kaspersky GReAT and Symantec disclosures established canonical cluster naming and documented the operational tradecraft.

(6) POST-DISCLOSURE OPERATIONAL CESSATION (Late 2016+). The cluster has not been observed in publicly-disclosed operations since the August 2016 disclosures. Per Symantec's Thakur: "Since then we haven't seen them. They might still be active, but we haven't yet associated any new malware families with Strider."

Signature operational tradecraft
  • Unique implants per individual target, never reused: the cluster's most distinctive tradecraft. Custom infrastructure, domains, IP addresses, and malware compilation per individual victim, rendering standard IOC-based detection ineffective. Per Kaspersky: "all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim." 28 documented domains linked to 11 IPs in the US and Europe, all unique per victim.
  • Memory-only Binary Large Object (BLOB) execution: much of the malware functionality is deployed over the network and resides only in memory, never stored on disk.
  • Modular Lua-scripted platform: a signature operational lineage marker; at the time of disclosure, Lua use was shared only with the Flame and Animal Farm attacks.
  • Windows LSA password filter persistence on domain controllers: signature persistence tradecraft. The Remsec backdoor module is registered as a Windows Local Security Authority password filter, so it is invoked automatically whenever a user or administrator enters or changes a password, and collects the passwords.
  • Multi-algorithm encryption tradecraft: RC6, RC5, RC4, AES, and Salsa20 are used throughout the payload and communications. Operationally Equation-adjacent tradecraft.
  • Multi-channel C2 architecture: ICMP-based covert channel, PCAP-based covert channel, raw network sockets, named pipes (basic and advanced backdoor variants), HTTP backdoor with multiple C&C URLs, DNS exfiltration, and legitimate email channels for exfiltration.
  • USB-based air-gap data exfiltration: signature tradecraft module. The USB drive reserves space in an encrypted partition holding a virtual file system with two directories called "In" and "Out." "Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine."
  • Comprehensive intelligence collection plugins: screen capture, audio recording, keystroke logging, encryption-key collection, certificate collection, software certificate theft, domain/keystroke/file recording, configuration file collection, IP address collection, and real-time user status updates.
  • Search keywords for "Secret" and "Segreto" (Italian): one Kaspersky-identified Remsec module searched specifically for files labeled "Secret" or the Italian "Segreto", suggesting operational interest in classified Italian-language documents.
  • Pre-emptive operational disinfection response: operational-security tradecraft of withdrawing implants before public disclosure, distinct from typical cluster responses to research-community attention.

The cluster fills the unattributed-state-aligned, ~5-year-undetected historical APT cell in this curated corpus, and is by industry consensus one of the most sophisticated clusters tracked. It is operationally adjacent to but distinct from Equation Group (curated separately as equation_group.yaml), Flame (curated as adjacent operational lineage), Regin (curated as adjacent NSA-attributed historical), and Animal Farm / Babar (curated as adjacent Lua-modules tradecraft cluster).
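As an added, defender-side example (not code from this page or from the Kaspersky/Symantec reports): a PowerShell audit of the LSA "Notification Packages" registration that the Remsec password-filter module abused for persistence on domain controllers. It assumes a baseline allowlist of `scecli` and `rassfm` (the names a stock Windows install registers; verify against your own gold image) and flags any entry that is unlisted, unsigned, non-Microsoft-signed, or registered but absent from System32.

```powershell
# Added example: audit LSA password-filter registrations (the persistence
# mechanism described above). Run elevated on a domain controller.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('scecli', 'rassfm')   # assumed stock entries; confirm on your build

function Get-LsaNotificationPackageReport {
    param([string[]]$Allowlist = $baseline)

    # REG_MULTI_SZ: each entry is a DLL base name that lsass.exe loads from System32
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
        $dllName = if ($pkg -match '\.dll$') { $pkg } else { "$pkg.dll" }
        $dllPath = Join-Path $env:SystemRoot ("System32\" + $dllName)
        $exists  = Test-Path -LiteralPath $dllPath
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
        $hash    = if ($exists) { (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash } else { $null }
        $signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        $msSigned = ($sig -and $sig.Status -eq 'Valid' -and $signer -match 'Microsoft')

        [pscustomobject]@{
            Package    = $pkg
            Path       = $dllPath
            OnDisk     = $exists
            Signature  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = $signer
            Sha256     = $hash
            # Worth review if unlisted, missing on disk (possible memory-only
            # staging or attacker clean-up), or not carrying a valid Microsoft signature
            Suspicious = (-not ($Allowlist -contains $pkg)) -or (-not $exists) -or (-not $msSigned)
        }
    }
}

Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

Pair the point-in-time audit with continuous monitoring of writes to that registry value (for example Sysmon event 13 on the key path), since a filter added between audits loads silently at the next password change.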

Aliases (11)
  • project sauron
  • projectsauron
  • project_sauron
  • projectsauron_apt
  • strider
  • strider_apt
  • remsec
  • backdoor.remsec
  • heur:trojan.multi.remsec.gen
  • project sauron remsec
  • project_sauron_strider

Notable Campaigns (9)
  • 2016-Present: Post-Disclosure Operational Cessation (Late 2016+)
  • 2016: Pre-Emptive Disinfection Operational Response (2016)
  • 2016: Canonical Public Disclosures (August 8, 2016)
  • 2015: Kaspersky Anti-Targeted Attack Platform (KATA) Initial Detection (September 2015)
  • 2011-2016: Five-Year-Undetected Operations Era (2011-2016)
  • 2011-2016: Target Concentration Pattern (Documented per Kaspersky + Symantec)
  • 2011-2016: Lua Module Tradecraft Flame Operational Lineage
  • 2011-2016: Regin Shared Victim Operational Overlap
  • 2011: Project Sauron Operational Emergence (June 2011)

Attribution & Reporting

Attributed by
Kaspersky GReAT; Symantec / Broadcom Threat Hunter Team; ESET; Mandiant; Microsoft Threat Intelligence Center; CrowdStrike; SOPHOS X-Ops; SentinelOne / SentinelLabs; Trend Micro; Eugene Kaspersky (CEO public statements); Costin Raiu (Kaspersky GReAT Director); Vikram Thakur (Symantec); Cameron Camp (ESET)
Key reporting
  • Kaspersky GReAT: ProjectSauron, top level cyber-espionage platform covertly extracts encrypted government comms (Securelist, August 8, 2016), canonical Kaspersky-side Project Sauron disclosure
  • Kaspersky GReAT: The ProjectSauron APT Research (full technical PDF, August 2016), canonical comprehensive technical disclosure
  • Symantec / Broadcom Threat Hunter Team: Strider, Cyberespionage Group Turns Eye of Sauron on Targets (Symantec Connect blog, August 8, 2016), canonical Symantec-side disclosure
  • Symantec: Backdoor.Remsec Detailed Technical Analysis (August 2016)
  • ESET (Cameron Camp): Strider Cyberespionage Group Analysis (WeLiveSecurity, August 8, 2016)
  • CyberScoop: Eugene Kaspersky Project Sauron / NSA Equation Group Context (December 2017), Eugene Kaspersky public implication of U.S. attribution
  • Mandiant: Project Sauron / Strider Continued Tracking Analysis
  • Microsoft Threat Intelligence: Project Sauron / Strider Operational Context
  • CrowdStrike Global Threat Report: Project Sauron / Strider Adjacent Activity
  • SOPHOS X-Ops: Sophisticated State-Aligned Cluster Tracking
  • SentinelLabs: Sophisticated State-Aligned Cluster Operational Analysis
  • Trend Micro: Project Sauron / Strider Adjacent Cluster Tracking
  • MITRE ATT&CK Group G0041, Strider
  • Malpedia Actor Profile: Strider / Project Sauron

Operational

State sponsor

Unattributed state-sponsored cluster, universally assessed as "nation-state-sponsored" by Kaspersky GReAT and Symantec on the basis of operational sophistication, target-selection patterns, and tradecraft complexity, but never definitively attributed to any specific government. The cluster is one of the most sophisticated state-aligned offensive cyber operations clusters in publicly-tracked cybersecurity industry analysis, categorized by Kaspersky alongside Duqu, Flame, The Equation Group, and Regin as a "top-of-the-top modular cyber-espionage platform." Per Kaspersky: "The threat actor behind [Project Sauron] commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication."

Attribution context:

(a) Eugene Kaspersky public implication: the Kaspersky CEO has publicly mentioned ProjectSauron / Strider as one of the U.S. intelligence-related hacking operations the company unveiled, alongside NSA-linked Equation Group and CIA-linked Lamberts, "implying U.S. involvement with the discovered activity." However, neither Kaspersky GReAT nor Symantec has issued formal attribution to a specific government in their canonical disclosures.

(b) Target selection inconsistent with a single attribution narrative: cluster targets include Russia, China, Iran, Sweden, Belgium, and Rwanda. Most targets were based in Russia per Symantec, with Kaspersky additionally detecting infections in Iran, Rwanda, and possibly Italian-speaking countries. The mix of targeted countries complicates straightforward attribution: Russia/China/Iran targeting is consistent with Western/NATO state-aligned intelligence priorities, but the smaller European targeting (Sweden, Belgium) is less consistent with that hypothesis. Per Symantec: "That Strider and ProjectSauron is attacking Russia and China-and perhaps spread to Sweden, Belgium, and other European countries-suggest the group and the virus is not theirs."

(c) Forensic infrastructure analysis: Kaspersky discovered 28 domains linked to 11 IP addresses based in the United States and several European countries, though Kaspersky noted "there is still no definitive evidence to conclude that those countries were behind the attack." The cluster took extensive measures to avoid creating patterns: "Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns."

(d) Operational similarity to Flame and Regin: per Symantec: "Strider's attacks have tentative links with a previously uncovered group, Flamer. The use of Lua modules... is a technique that has previously been used by Flamer." One of Strider's targets had also previously been infected by Regin (curated separately as an adjacent NSA-attributed historical cluster). The Lua-modules similarity to Flame is significant because "the use of Lua in malware is highly uncommon, with only two known cases prior to this: the Flame and Animal Farm attacks", placing Project Sauron within a narrow ecosystem of advanced state-aligned malware platforms using Lua scripting.

(e) Reaction to public disclosure: per Symantec researcher Vikram Thakur: "Even before we came out with research about Strider, not that long after a customer came to us with the original file, they started uninstalling their malware from all the victims we knew about. By the time we published anything they were totally gone." This pre-emptive disinfection demonstrates the cluster's high operational-security discipline and either access to signals from within the research community or pre-emptive caution.

Operational classification: nation-state-level cluster with a sophistication tier equivalent to Equation Group, the Flame creators, and the Regin operators, one of the most advanced clusters in publicly-tracked industry analysis. The cluster ceased observable activity after Kaspersky's September 2015 detection and the August 2016 public disclosure. Per Vikram Thakur, via CyberScoop: "they might still be active, but we haven't yet associated any new malware families with Strider. It's likely because Strider either totally abandoned the project or changed their codebase so much that they look very different today."

Motivations
  • state_aligned_intelligence_collection
  • long_term_persistent_strategic_intelligence_collection
  • encrypted_communications_intelligence_collection
  • air_gapped_network_intelligence_collection
  • cryptographic_key_collection
  • government_diplomatic_intelligence_collection
  • critical_infrastructure_intelligence_collection

Detection Blind Spots (60 techniques)

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 53/60 · 88%
  • Analytics (MITRE CAR): 28/60 · 46%
  • Runtime / container (Falco): 5/60 · 8%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 14/60 · 23%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques, so you can validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used (0 ATT&CK-mapped)

Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Salsa20 encryption
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin