S0143: Flame
Analyst context for executives and security teams
Flame matters because ATT&CK describes it as a sophisticated Windows toolkit used for information collection, with related behaviors spanning local data collection, screen and audio capture, removable media movement, Bluetooth exfiltration, persistence, discovery, and remote-service exploitation. For leaders, the practical issue is not only malware blocking; it is whether the organization can prove it would see sensitive information being collected and moved through channels that may sit outside normal network monitoring.
Executive priority
Prioritize this as a resilience and evidence question: do Windows endpoints, high-value file stores, engineering or operational environments, removable media use, Bluetooth-capable devices, and identity changes have enough logging and control to support rapid incident decisions? The ICS-related relationships make this especially relevant where operational documents, schedules, schematics, or production information are business-critical. Budget and control discussions should focus on endpoint visibility, removable media/Bluetooth governance, Windows persistence monitoring, vulnerability management for remote services, and audit-ready evidence of account creation and security-tool discovery monitoring.
Technical view
SOC and IR teams should validate coverage against the ATT&CK relationships rather than relying on a malware name alone. On Windows, confirm visibility for rundll32.exe abuse, LSA Authentication Package registry changes, removable media execution or file-copy activity, local data access and staging, screen and audio capture indicators, Bluetooth pairing or transfer activity, security software discovery, local account creation or suspiciously similar account names where applicable, and exploitation attempts against remote services. Because the object has no official detection text and no tactics listed at the malware level, detections should be mapped to the related techniques and tuned against local administrative baselines.
Likely telemetry
- Windows endpoint process execution and command-line telemetry, especially rundll32.exe activity
- Windows registry monitoring for LSA Authentication Package persistence locations
- Account creation, rename, and local account administration logs where applicable
- Removable media insertion, Autorun-related behavior, and file write/read events on removable drives
- File system access to sensitive local documents, configuration files, databases, schematics, or operational data
Detection direction
- Map detections to the related techniques because the Flame object itself provides no official detection guidance.
- Tune rundll32.exe analytics for unusual DLL paths, uncommon parent/child process relationships, and execution from removable or user-writable locations, while accounting for legitimate administrative use.
- Monitor LSA Authentication Package changes as high-signal Windows persistence activity and validate alert routing to IR teams.
- Correlate removable media events with new executable content, Autorun-like behavior, and subsequent execution on other Windows systems.
- Validate whether Bluetooth activity is logged at all; many environments monitor network exfiltration but not local radio-based transfer paths.
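As an added example (not from the page, MITRE, or any Flame analysis), the two highest-signal Windows items above, rundll32 DLL-path analysis (T1218.011) and LSA "Authentication Packages" changes (T1547.002), written as detection logic run over constructed Sysmon-style events; the removable drive letters, trusted parent list and known-package baseline are assumptions that must be tuned to the local environment.

```python
import re
# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe E:\autorun\sample.dll,Start"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Users\alice\Downloads\setup.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value": "Authentication Packages", "data": r"msv1_0 C:\Users\Public\auth.dll"},
]

# Tunables: an assumed local baseline for this example, not a universal list.
REMOVABLE_LETTERS = {"E", "F"}
TRUSTED_PARENTS = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}
LSA_KEY = r"hklm\system\currentcontrolset\control\lsa"
RUNDLL_RE = re.compile(r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?:"([^"]+)"|([^\s,]+))', re.I)

def rundll32_dll_path(cmdline):
    """Extract the DLL argument from a rundll32 command line (quoted or bare)."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def flag_rundll32(event):
    """Finding when rundll32 loads a DLL from a removable or user-writable path, or has an odd parent."""
    if event["type"] != "process" or not event["image"].lower().endswith("rundll32.exe"):
        return None
    dll = rundll32_dll_path(event["cmdline"])
    if dll is None:
        return "rundll32 without a parseable DLL argument"
    low = dll.lower()
    if low[1:2] == ":" and low[0].upper() in REMOVABLE_LETTERS:
        return f"rundll32 DLL from removable drive: {dll}"
    if low.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in low:
        return f"rundll32 DLL from user-writable path: {dll}"
    if event["parent"].lower() not in TRUSTED_PARENTS:
        return f"rundll32 with unusual parent: {event['parent']}"
    return None

def flag_lsa_auth_package(event):
    """Finding when entries outside the baseline are written to LSA 'Authentication Packages'."""
    if event["type"] != "registry" or event["key"].lower() != LSA_KEY or event["value"].lower() != "authentication packages":
        return None
    unknown = [p for p in event["data"].split() if p.lower() not in KNOWN_AUTH_PACKAGES]
    return f"LSA Authentication Packages changed, unknown entries: {unknown}" if unknown else None

def scan(events):
    # Run both analytics over every event and return the findings in order.
    return [f for e in events for f in (flag_rundll32(e), flag_lsa_auth_package(e)) if f]
```

The registry value is REG_MULTI_SZ on a real host; the sample flattens it to a space-separated string, so adapt the split to however your log source serialises multi-string values.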
Mitigation priorities
- Establish or enforce policy for removable media and disable unnecessary Autorun-style behavior on Windows systems.
- Govern Bluetooth use on enterprise and operational systems; disable it where not needed and require logging or compensating controls where it is allowed.
- Harden Windows persistence surfaces by restricting unauthorized registry changes to authentication package configuration and monitoring privileged change paths.
- Maintain vulnerability management and patch prioritization for exposed remote services that could enable lateral movement.
- Limit local administrative rights and review local account creation processes, especially on high-value systems.
Analyst notes and limits
ATT&CK identifies Flame as a historical, sophisticated information-collection toolkit largely targeting Middle East countries since at least 2010. The strongest defensive value comes from the related techniques: collection from local systems, screen and audio capture, removable media propagation, Bluetooth exfiltration, remote-service exploitation, Windows rundll32 proxy execution, authentication package persistence, and security software discovery. The ICS relationships raise the importance of monitoring access to operational information, but local architecture determines whether that risk is relevant.
The supplied ATT&CK malware object has no official detection text, no malware-level tactics, no aliases listed in the object fields, and only Windows as the malware platform. Some related techniques include platforms beyond Windows or do not list Windows in the provided relationship context; those should not be treated as confirmed Flame platform scope without additional evidence. This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection.
Flame
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1091 | Replication Through Removable Media | |
| Enterprise | T1210 | Exploitation of Remote Services | |
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1011.001 | Exfiltration Over Bluetooth Sub-technique | |
| Enterprise | T1036.010 | Masquerade Account Name Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1136.001 | Local Account Sub-technique | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1547.002 | Authentication Package Sub-technique | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 129dd26081db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Flame: Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- [2] Symantec Beetlejuice: Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.
- [3] Crysys Skywiper: sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
- [4] Flame (Citation: Kaspersky Flame)
- [5] Flamer (Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)
- [6] mitre-attack S0143
- [7] sKyWIper (Citation: Kaspersky Flame) (Citation: Crysys Skywiper)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.