S0143: Flame
Analyst context for executives and security teams
Flame matters because ATT&CK describes it as a sophisticated Windows toolkit used for information collection, with related behaviors spanning local data collection, screen and audio capture, removable media movement, Bluetooth exfiltration, persistence, discovery, and remote-service exploitation. For leaders, the practical issue is not only malware blocking; it is whether the organization can prove it would see sensitive information being collected and moved through channels that may sit outside normal network monitoring.
Executive priority
Prioritize this as a resilience and evidence question: do Windows endpoints, high-value file stores, engineering or operational environments, removable media use, Bluetooth-capable devices, and identity changes have enough logging and control to support rapid incident decisions? The ICS-related relationships make this especially relevant where operational documents, schedules, schematics, or production information are business-critical. Budget and control discussions should focus on endpoint visibility, removable media/Bluetooth governance, Windows persistence monitoring, vulnerability management for remote services, and audit-ready evidence of account creation and security-tool discovery monitoring.
Technical view
SOC and IR teams should validate coverage against the ATT&CK relationships rather than relying on a malware name alone. On Windows, confirm visibility for rundll32.exe abuse, LSA Authentication Package registry changes, removable media execution or file-copy activity, local data access and staging, screen and audio capture indicators, Bluetooth pairing or transfer activity, security software discovery, local account creation or suspiciously similar account names where applicable, and exploitation attempts against remote services. Because the object has no official detection text and no tactics listed at the malware level, detections should be mapped to the related techniques and tuned against local administrative baselines.
Likely telemetry
- Windows endpoint process execution and command-line telemetry, especially rundll32.exe activity
- Windows registry monitoring for LSA Authentication Package persistence locations
- Account creation, rename, and local account administration logs where applicable
- Removable media insertion, Autorun-related behavior, and file write/read events on removable drives
- File system access to sensitive local documents, configuration files, databases, schematics, or operational data
Detection direction
- Map detections to the related techniques because the Flame object itself provides no official detection guidance.
- Tune rundll32.exe analytics for unusual DLL paths, uncommon parent/child process relationships, and execution from removable or user-writable locations, while accounting for legitimate administrative use.
- Monitor LSA Authentication Package changes as high-signal Windows persistence activity and validate alert routing to IR teams.
- Correlate removable media events with new executable content, Autorun-like behavior, and subsequent execution on other Windows systems.
- Validate whether Bluetooth activity is logged at all; many environments monitor network exfiltration but not local radio-based transfer paths.
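As an added example (not code from Glexia or MITRE), the following script turns the detection directions above into runnable logic over a handful of constructed Windows events: rundll32.exe loading a DLL from a removable or user-writable path or from an unusual parent (T1218.011), execution from a removable drive that earlier received executable content (T1091), a write to the LSA Authentication Packages value that introduces a package outside the baseline (T1547.002), and creation of a local account whose name matches or nearly matches a built-in account name (T1136.001 / T1036.010). Every field name, path, drive letter, baseline value and account name is an assumption made for this example; the Bluetooth gap noted above is deliberately not covered because it depends on whether the host logs radio activity at all.

```python
"""Added example, not Glexia's or MITRE's code: minimal detection logic for
the Windows behaviours this page maps Flame to. Events are constructed
Sysmon/Security-log style dicts; every field name, path, drive letter and
account name below is an assumption made for this example."""
import re
from dataclasses import dataclass

# Parents from which rundll32 is commonly spawned during legitimate administration (assumed baseline).
EXPECTED_RUNDLL32_PARENTS = {"services.exe", "svchost.exe", "explorer.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
# Built-in Windows account names an attacker-created account might imitate (T1036.010).
BUILTIN_ACCOUNT_NAMES = {"administrator", "guest", "helpassistant", "defaultaccount"}
EXPECTED_AUTH_PACKAGES = {"msv1_0"}      # assumed LSA baseline; tune per environment
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ocx", ".scr", "autorun.inf")
REMOVABLE_DRIVES = {"E:", "F:"}          # assumed removable drive letters


@dataclass
class Alert:
    technique: str
    host: str
    reason: str


def on_removable(path: str) -> bool:
    return path[:2].upper() in REMOVABLE_DRIVES


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b are equal or differ by one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def rundll32_target(command_line: str) -> str:
    """Return the DLL path from 'rundll32.exe <dll>,<entry> ...' (empty if absent)."""
    parts = command_line.split(maxsplit=1)
    return parts[1].split(",", 1)[0].strip('"') if len(parts) > 1 else ""


def detect(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    staged_drives: dict[str, set[str]] = {}  # host -> removable drives that received executables
    for ev in events:
        host, kind = ev["host"], ev["event"]
        if kind == "file_create":
            path = ev["path"]
            if on_removable(path) and path.lower().endswith(EXECUTABLE_SUFFIXES):
                staged_drives.setdefault(host, set()).add(path[:2].upper())
        elif kind == "process_create":
            image = ev["image"]
            exec_path = image
            if image.lower().endswith("\\rundll32.exe"):
                dll = rundll32_target(ev["command_line"])
                exec_path = dll or image
                parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
                if on_removable(dll) or USER_WRITABLE.search(dll):
                    alerts.append(Alert("T1218.011", host, f"rundll32 loading DLL from untrusted path: {dll}"))
                elif parent not in EXPECTED_RUNDLL32_PARENTS:
                    alerts.append(Alert("T1218.011", host, f"rundll32 spawned by unusual parent: {parent}"))
            # Correlation: execution from a removable drive that earlier received executable content.
            if on_removable(exec_path) and exec_path[:2].upper() in staged_drives.get(host, set()):
                alerts.append(Alert("T1091", host, f"execution from staged removable drive: {exec_path}"))
        elif kind == "registry_set":
            if ev["key"].lower().endswith("\\control\\lsa") and ev["value_name"].lower() == "authentication packages":
                unexpected = {p.lower() for p in ev["data"]} - EXPECTED_AUTH_PACKAGES  # data: REG_MULTI_SZ as a list
                if unexpected:
                    alerts.append(Alert("T1547.002", host, f"new LSA authentication package(s): {sorted(unexpected)}"))
        elif kind == "user_create":
            normalized = re.sub(r"[^a-z0-9]", "", ev["account"].lower())
            for builtin in BUILTIN_ACCOUNT_NAMES:
                if within_one_edit(normalized, builtin):
                    alerts.append(Alert("T1136.001", host, f"local account resembling built-in name: {ev['account']}"))
                    break
    return alerts


# Constructed sample telemetry (not real events): the first rundll32 line is benign,
# the second one, the registry write and the HelpAssistant creation should be flagged.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "file_create", "host": "WS01", "path": r"E:\stage\example_module.ocx"},
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe E:\stage\example_module.ocx,Start",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "registry_set", "host": "WS01", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value_name": "Authentication Packages", "data": ["msv1_0", "example_pkg"]},
    {"event": "user_create", "host": "WS02", "account": "HelpAssistant"},
    {"event": "user_create", "host": "WS02", "account": "jsmith"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} {a.technique}: {a.reason}")
```

The parent-process and authentication-package allowlists are where local tuning belongs: a first pass over real telemetry will show which rundll32 parents and which LSA packages are normal for the estate, and the removable-drive letters should come from the host's own volume enumeration rather than a fixed set.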
Mitigation priorities
- Establish or enforce policy for removable media and disable unnecessary Autorun-style behavior on Windows systems.
- Govern Bluetooth use on enterprise and operational systems; disable it where not needed and require logging or compensating controls where it is allowed.
- Harden Windows persistence surfaces by restricting unauthorized registry changes to authentication package configuration and monitoring privileged change paths.
- Maintain vulnerability management and patch prioritization for exposed remote services that could enable lateral movement.
- Limit local administrative rights and review local account creation processes, especially on high-value systems.
Analyst notes and limits
ATT&CK identifies Flame as a historical, sophisticated information-collection toolkit largely targeting Middle East countries since at least 2010. The strongest defensive value comes from the related techniques: collection from local systems, screen and audio capture, removable media propagation, Bluetooth exfiltration, remote-service exploitation, Windows rundll32 proxy execution, authentication package persistence, and security software discovery. The ICS relationships raise the importance of monitoring access to operational information, but local architecture determines whether that risk is relevant.
The supplied ATT&CK malware object has no official detection text, no malware-level tactics, no aliases listed in the object fields, and only Windows as the malware platform. Some related techniques include platforms beyond Windows or do not list Windows in the provided relationship context; those should not be treated as confirmed Flame platform scope without additional evidence. This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection.
Flame
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1091 | Replication Through Removable Media | Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality. (Citation: Kaspersky Flame) |
| Enterprise | T1210 | Exploitation of Remote Services | Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally. (Citation: Kaspersky Flame) (Citation: Kaspersky Flame Functionality) |
| Enterprise | T1123 | Audio Capture | Flame can record audio using any existing hardware recording devices. (Citation: Kaspersky Flame) (Citation: Kaspersky Flame Functionality) |
| Enterprise | T1011.001 | Exfiltration Over Bluetooth (sub-technique) | Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity. (Citation: Symantec Beetlejuice) |
| Enterprise | T1036.010 | Masquerade Account Name (sub-technique) | Flame can create backdoor accounts with login `HelpAssistant` on domain-connected systems if appropriate rights are available. (Citation: Kaspersky Flame) (Citation: Kaspersky Flame Functionality) |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Flame identifies security software such as antivirus through the Security module. (Citation: Kaspersky Flame) (Citation: Kaspersky Flame Functionality) |
| Enterprise | T1136.001 | Local Account (sub-technique) | Flame can create backdoor accounts with login `HelpAssistant` on domain-connected systems if appropriate rights are available. (Citation: Kaspersky Flame) (Citation: Kaspersky Flame Functionality) |
| Enterprise | T1113 | Screen Capture | Flame can take regular screenshots when certain applications are open that are sent to the command and control server. (Citation: Kaspersky Flame) |
| Enterprise | T1547.002 | Authentication Package (sub-technique) | Flame can use Windows Authentication Packages for persistence. (Citation: Crysys Skywiper) |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | Rundll32.exe is used as a way of executing Flame at the command line. (Citation: Crysys Skywiper) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 129dd26081db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Flame: Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- [2] Crysys Skywiper: sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
- [3] Flame: (Citation: Kaspersky Flame)
- [4] Flamer: (Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)
- [5] Symantec Beetlejuice: Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.
- [6] mitre-attack S0143
- [7] sKyWIper: (Citation: Kaspersky Flame) (Citation: Crysys Skywiper)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.