Guys behind Gauss and Flame are the same


Botnet: Gauss, Flame
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
C&C protocol: HTTP
Date: 2012-08-23
Editor/Conference: FireEye
Link: (archive copy)
Author: Ali Islam


The Gauss malware, which was in the media recently for its stealth and notorious payload, is now back from its dormant state with a surprise. We recently discovered a very interesting shift in the Gauss malware CnC communication. Gauss bot masters have directed their zombies to connect to the Flame/SkyWiper CnC to take commands.

UPDATE: In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sink-holed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates.

We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.
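The retraction above turns on one point: two malware families whose C&C domains resolve to the same IP are not necessarily run by the same actor, because a sinkhole operated by a researcher collapses many unrelated domains onto one address. The following is an added example (not FireEye's code, and not from the original post) of the infrastructure-pivot check as it should be done: domains are clustered by shared IP, but any IP inside a known sinkhole range is excluded before a "link" is reported. All resolutions, domain names and the sinkhole range are constructed for illustration; a real check would read passive-DNS data and a maintained sinkhole list.

```python
"""
Infrastructure pivoting with a sinkhole exclusion.

Added example, not FireEye's code. The passive-DNS style records and
the sinkhole range below are constructed (RFC 5737 documentation
addresses), not real observations.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: (domain, resolved_ip, first_seen).
# cnc-a and cnc-b were re-pointed to a research sinkhole and now share
# an IP with each other even though nothing else links them.
RESOLUTIONS = [
    ("cnc-a.example", "203.0.113.10", "2012-08-20"),
    ("cnc-b.example", "203.0.113.10", "2012-08-22"),
    ("cnc-c.example", "198.51.100.7", "2012-08-21"),
    ("cnc-d.example", "198.51.100.7", "2012-08-21"),
    ("cnc-e.example", "192.0.2.33",   "2012-08-23"),
]

# Constructed (hypothetical) list of ranges known to be research sinkholes.
SINKHOLE_RANGES = [ip_network("203.0.113.0/24")]


def is_sinkhole(ip):
    """True if the address falls inside a known sinkhole range."""
    addr = ip_address(ip)
    return any(addr in net for net in SINKHOLE_RANGES)


def cluster_by_ip(resolutions, exclude_sinkholes=True):
    """Group domains by the IP they resolve to.

    Returns {ip: sorted domains} for IPs shared by at least two domains.
    A single domain on an IP is not evidence of anything, and a sinkholed
    IP is dropped entirely when exclude_sinkholes is set, because the
    sinkhole operator, not the malware actor, chose that address.
    """
    by_ip = defaultdict(set)
    for domain, ip, _first_seen in resolutions:
        if exclude_sinkholes and is_sinkhole(ip):
            continue
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= 2}


def linked_domains(resolutions, exclude_sinkholes=True):
    """Domain pairs linked by shared, non-sinkhole infrastructure."""
    pairs = set()
    for domains in cluster_by_ip(resolutions, exclude_sinkholes).values():
        for i, a in enumerate(domains):
            for b in domains[i + 1:]:
                pairs.add((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    # Without the sinkhole check, a and b look related; with it, only c and d do.
    print("naive pivot:   ", linked_domains(RESOLUTIONS, exclude_sinkholes=False))
    print("sinkhole-aware:", linked_domains(RESOLUTIONS))
```

Run it and the naive pivot reports cnc-a/cnc-b as linked purely because both now point at the sinkhole, which is exactly the mistake the post's update describes; the sinkhole-aware pass keeps only the cnc-c/cnc-d link. Shared hosting can still produce false links, so even the surviving pair is a lead to corroborate with samples or protocol evidence, not an attribution on its own.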


 @misc{2012BFR1119,
   editor = {FireEye},
   author = {Ali Islam},
   title = {Guys behind Gauss and Flame are the same},
   date = {23},
   month = Aug,
   year = {2012},
   howpublished = {\url{}},