| SYMBOL | COMMON_NAME | aka. SYNONYMS |
This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.
| 2020-05-05
⋅
Checkpoint
⋅
Nazar: Spirits of the Past EYService |
| 2020-04-27
⋅
MalwareLab.pl
⋅
Quick look at Nazar's backdoor - Network Communication EYService |
| 2020-04-23
⋅
MalwareLab.pl
⋅
Quick look at Nazar backdoor - Capabilities EYService |
| 2020-04-22
⋅
EpicTurla
⋅
Nazar: A Lost Amulet EYService Nazar |
| 2018-03-01
⋅
CrySyS Lab
⋅
Territorial Dispute – NSA’s perspective on APT landscape 9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos |