Wild Neutron

  • First known sample

  • Discovery

  • Number of targets

  • Current status

  • Type

    Backdoor, Cyberespionage toolkit, Trojan
  • Targeted platforms

    OS X, Windows

  • The way of propagation

    Exploits, Watering hole attacks
  • Purpose/Functions

    Data theft
  • Special features

    The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mindset and set of interests.

  • Targets

    Financial institutions, Information technology, Investments, Manufacturing, Pharmaceutical, Private companies, Software companies, Specific individuals, Trade and commerce
  • Artefacts/Attribution

    The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication. In addition, Kaspersky Lab researchers have found another non-English string: the Latin transcription of the Russian word “Успешно” (“uspeshno”, meaning “successfully”).

  • Description

    A powerful threat actor, active since 2011, that targets high-profile companies. It became well known after successfully infecting companies such as Facebook, Apple, Twitter and Microsoft by taking advantage of a Java zero-day exploit. This actor has also shown an interest in investment-related targets, suggesting they are conducting espionage for financial gain.
