Nazar  (Back to overview)

aka: SIG37

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

Associated Families

2020-05-05CheckpointCheck Point Research
Nazar: Spirits of the Past
2020-04-27MalwareLab.plMaciej Kotowicz
Quick look at Nazar's backdoor - Network Communication
2020-04-23MalwareLab.plMaciej Kotowicz
Quick look at Nazar backdoor - Capabilities
2020-04-22EpicTurlaJuan Andrés Guerrero-Saade
Nazar: A Lost Amulet
EYService Nazar
2018-03-01CrySyS LabBoldizsar Bencsath
Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos

Credits: MISP Project