S0168: Gazer
Analyst context for executives and security teams
Gazer matters because ATT&CK describes it as a Windows backdoor associated with Turla and links it to persistence, stealth, and encrypted command-and-control behaviors. For leaders, the decision value is not a single malware name; it is whether the organization can prove it would notice a quiet Windows backdoor that persists through logon/startup mechanisms, hides artifacts, injects into processes, and communicates over web protocols with additional encryption.
Executive priority
Prioritize this as a resilience and evidence question: can the SOC and IR teams demonstrate visibility into Windows persistence changes, suspicious process behavior, file hiding/deletion, and encrypted outbound web traffic? Because ATT&CK provides no official detection guidance for Gazer, leadership should ask for coverage evidence mapped to the related techniques rather than assuming malware-signature detection is sufficient.
Technical view
Validate controls against the ATT&CK relationships for S0168: Windows scheduled tasks, Registry Run keys/startup folders, Winlogon helper DLL changes, screensaver-based persistence, shortcut modification, process injection/thread execution hijacking, timestomping, file deletion, NTFS file attribute abuse, encoded/encrypted files, user discovery, ingress tool transfer, mutex-based execution constraints, and encrypted C2 over web protocols. Treat this as a Windows endpoint plus network-detection use case, with special attention to behaviors that can blend into normal administration or ordinary HTTPS traffic.
Likely telemetry
- Windows endpoint process creation and parent/child process telemetry
- Windows registry auditing for Run keys, Winlogon paths, startup persistence, and screensaver configuration
- Scheduled task creation/modification events
- File creation, deletion, timestamp, shortcut, .scr, DLL, and NTFS attribute/alternate data stream evidence
- Process injection or memory-behavior telemetry from EDR where available
Detection direction
- Do not rely on an official Gazer detection analytic; ATT&CK does not provide one for this object.
- Map detections to the related techniques and test whether Windows persistence changes are visible and triaged with useful context.
- Tune for administrative false positives: scheduled tasks, Run keys, shortcuts, and signed binaries are common, so detections should consider rarity, path, signer, user context, timing, and correlated process/network activity.
- Correlate stealth signals such as timestomping, file deletion, NTFS attribute abuse, encoded files, and process injection rather than alerting on each weak signal in isolation.
- Review outbound web traffic for unusual destinations, beacon-like patterns, or encrypted payload behavior, while recognizing that encrypted C2 may limit content inspection.
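One way to turn the correlation guidance above into runnable logic, as an added example that is not part of the mirrored ATT&CK object or of Glexia's analysis: rules mapped to the listed techniques score constructed Sysmon-style events (registry value set, file create, file creation-time change) per process, and a process is flagged only when a high-weight persistence signal or several stealth signals stack up, so a lone Run key from a signed installer stays quiet. The event shape, example paths, host names and weights are assumptions for illustration.

```python
import re
from collections import defaultdict
# Constructed sample events in a Sysmon-like shape (event 13 = registry value set,
# 11 = file create, 2 = file creation time changed). Not real telemetry.
EVENTS = [
    {"host": "ws01", "pid": 4120, "event": 13, "details": r"explorer.exe, C:\Users\alice\AppData\Roaming\svc\upd.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"host": "ws01", "pid": 4120, "event": 11, "details": "",
     "target": r"C:\Users\alice\AppData\Roaming\svc\cfg.dat:settings"},
    {"host": "ws01", "pid": 4120, "event": 2, "details": "",
     "target": r"C:\Users\alice\AppData\Roaming\svc\upd.exe"},
    {"host": "ws02", "pid": 880, "event": 13, "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
def _run_key_weight(e):
    # Run keys are routine administration: weight 1, or 3 when the launched
    # binary sits in a user-writable location (the rarity/path context from the text).
    if e["event"] != 13 or "\\currentversion\\run\\" not in e["target"].lower():
        return 0
    return 3 if USER_WRITABLE.match(e["details"]) else 1
# Each rule: ATT&CK ID plus a function returning a weight (0 = no match).
RULES = [
    ("T1547.004", lambda e: 5 if e["event"] == 13 and e["target"].lower().endswith("\\winlogon\\shell")
        and e["details"].strip().lower() != "explorer.exe" else 0),   # Shell value no longer just explorer.exe
    ("T1547.001", _run_key_weight),
    ("T1547.009", lambda e: 3 if e["event"] == 11 and "\\start menu\\" in e["target"].lower()
        and e["target"].lower().endswith(".lnk") else 0),              # new .lnk under the Start menu
    ("T1564.004", lambda e: 3 if e["event"] == 11 and ":" in e["target"][2:] else 0),  # alternate data stream
    ("T1070.006", lambda e: 3 if e["event"] == 2 else 0),              # creation time rewritten
]
def match_techniques(event):
    # (technique, weight) pairs one event triggers; zero-weight rules drop out
    return [(tid, w) for tid, rule in RULES if (w := rule(event))]
def correlate(events):
    """Aggregate per (host, pid): summed score and the distinct techniques seen."""
    agg = defaultdict(lambda: {"score": 0, "techniques": set()})
    for e in events:
        for tid, w in match_techniques(e):
            agg[(e["host"], e["pid"])]["score"] += w
            agg[(e["host"], e["pid"])]["techniques"].add(tid)
    return dict(agg)
def flagged(events, min_score=5, min_techniques=2):
    """Alert only when a strong signal or several weak stealth signals stack up."""
    return sorted(k for k, v in correlate(events).items()
                  if v["score"] >= min_score or len(v["techniques"]) >= min_techniques)
```

With the constructed events, only the ws01 process is flagged (Winlogon Shell change plus an ADS write and a creation-time rewrite); the ws02 Run key scores 1 and stays below both thresholds.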
Mitigation priorities
- Harden and monitor Windows persistence surfaces: scheduled tasks, startup folders, Run keys, Winlogon helper paths, screensaver execution, and shortcut locations.
- Apply least privilege and change control around registry locations and startup mechanisms that enable persistence or privilege escalation.
- Maintain endpoint protection/EDR coverage capable of recording process, file, registry, and memory-behavior signals relevant to injection and stealth.
- Restrict and monitor unauthorized tool transfer and suspicious outbound web communications through egress controls, proxy logging, and DNS visibility.
- Strengthen code-signing validation processes, but do not treat a valid signature alone as proof of trust because ATT&CK links this object to code-signing abuse.
Analyst notes and limits
ATT&CK identifies Gazer as a backdoor used by Turla since at least 2016 and notes WhiteBear is assessed in the references as the same as S0168. The strongest defensive value comes from the technique relationships, especially Windows persistence, stealth, process injection, and encrypted web-based C2. Local baselining is essential because several behaviors overlap with normal administration.
The supplied ATT&CK object has no official detection text and no object-level tactics. This take is limited to the supplied Windows platform, official description, external references, and listed relationships; it does not assert current activity, victim exposure, guaranteed detection, or attribution for any specific incident.
Gazer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.004 | Winlogon Helper DLL Sub-technique | Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key |
| Enterprise | T1070.006 | Timestomp Sub-technique | For early Gazer versions, the compilation timestamp was faked. (Citation: ESET Gazer Aug 2017) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Gazer uses custom encryption for C2 that uses RSA. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Gazer can establish persistence by creating a .lnk file in the Start menu. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Gazer communicates with its C2 servers over HTTP. (Citation: ESET Gazer Aug 2017) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Gazer has commands to delete files and persistence mechanisms from the victim. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1055.003 | Thread Execution Hijacking Sub-technique | Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1055 | Process Injection | Gazer injects its communication module into an Internet accessible process through which it performs C2. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | Gazer can execute a task to download a file. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Gazer uses custom encryption for C2 that uses 3DES. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1546.002 | Screensaver Sub-technique | Gazer can establish persistence through the system screensaver by configuring it to execute the malware. (Citation: ESET Gazer Aug 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd." (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1033 | System Owner/User Discovery | Gazer obtains the current user's security identifier. (Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible. (Citation: ESET Gazer Aug 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources. (Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Gazer can establish persistence by creating a scheduled task. (Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | Gazer creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that only one instance of itself is running. (Citation: ESET Gazer Aug 2017) |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | d7580c6bba94… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Gazer Aug 2017: ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- [2] ESET Crutch December 2020: Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- [3] Gazer: (Citation: ESET Gazer Aug 2017)
- [4] Securelist WhiteBear Aug 2017: Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- [5] WhiteBear: The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. (Citation: Securelist WhiteBear Aug 2017)(Citation: ESET Crutch December 2020)
- [6] mitre-attack S0168
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.