For almost five years now, a modular malware known as ProjectSauron (Remsec) has been lurking, slowly making its rounds in high-profile networks. The platform reportedly has infected at least 36 sites and raises significant concerns for virtually anyone working in the IT environment.

At a Glance


  • Likely is state-sponsored
  • Is designed to spy on large organizations, including corporate entities, military groups, research centers, etc.
  • Steals personal information such as keystrokes, passwords and files
  • Can run on basic Microsoft Windows platforms familiar to general consumers
  • Is so named due to in-code references to Sauron from The Lord of the Rings
  • Has operated since at least October 2011
  • Has been detected in multiple countries (e.g., China, Belgium, Russia, Sweden, Iran, Rwanda)

Why ProjectSauron Is Different Than Other Platforms

ProjectSauron has information technology security specialists concerned largely because of the stealth features it employs. Individuals behind the program don't use the same code for different targets, so it's harder to notice than other forms of malware, steering clear of patterns that would let IT experts detect it. It also can use specially prepared USB storage drives to infect devices that aren't connected to the Internet, as well, deploying much of its functionality over the network.

What Platforms Like ProjectSauron Can Do to Businesses

State-sponsored malware programs are capable of giving attackers access to information that could, for example, shut down entire power grids or halt a business' financial transactions. They also can have a direct influence on the fair market, with hackers accessing information that governments and competitors can use to cripple specific businesses. The effects of a state-sponsored attack often trickle down because of the way industries today are so interconnected and inter-reliant, meaning that even companies not directly targeted can see financial, reputation or other losses.

The Experts Weigh In

Mike Raggo, Chief Security Researcher at social media security company, ZeroFOX, had this to say:

"ProjectSauron represents a level of stealthiness similar to Operation Shady RAT found by McAfee back in 2011. These commonalities include RAT (Remote Access Tool) features, C&C, encoded communications and stealthiness by embedding calls and commands. Attackers further obfuscate their activities by using digital channels outside the jurisdiction of security teams, such as websites, social networks and forums, to engage their victims and distribute their attacks. Additionally, like Operation Shady RAT, ProjectSauron remained undetected for 5 years and is likely a single actor or group.

It would benefit organizations to check their network logs against the list of C2 servers provided by Kaspersky for any evidence of these IPs or domains being accessed over the network. However, it's important to note that in order to avoid detection, different C2 servers were used for each organization to avoid any detectable patterns."

Clear Need, No Solution Yet

ProjectSauron is proof that IT specialists need to up their game in terms of protecting their infrastructures. With a host of hurdles to overcome, however, the route to true security is, unfortunately, still unclear.