Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0168: Gazer

Gazer is a backdoor used by Turla since at least 2016. [1]

EnterpriseS0168MalwareObject v1.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Gazer matters because ATT&CK describes it as a Windows backdoor associated with Turla and links it to persistence, stealth, and encrypted command-and-control behaviors. For leaders, the decision value is not a single malware name; it is whether the organization can prove it would notice a quiet Windows backdoor that persists through logon/startup mechanisms, hides artifacts, injects into processes, and communicates over web protocols with additional encryption.

Executive priority

Prioritize this as a resilience and evidence question: can the SOC and IR teams demonstrate visibility into Windows persistence changes, suspicious process behavior, file hiding/deletion, and encrypted outbound web traffic? Because ATT&CK provides no official detection guidance for Gazer, leadership should ask for coverage evidence mapped to the related techniques rather than assuming malware-signature detection is sufficient.

Technical view

Validate controls against the ATT&CK relationships for S0168: Windows scheduled tasks, Registry Run keys/startup folders, Winlogon helper DLL changes, screensaver-based persistence, shortcut modification, process injection/thread execution hijacking, timestomping, file deletion, NTFS file attribute abuse, encoded/encrypted files, user discovery, ingress tool transfer, mutex-based execution constraints, and encrypted C2 over web protocols. Treat this as a Windows endpoint plus network-detection use case, with special attention to behaviors that can blend into normal administration or ordinary HTTPS traffic.

Likely telemetry

  • Windows endpoint process creation and parent/child process telemetry
  • Windows registry auditing for Run keys, Winlogon paths, startup persistence, and screensaver configuration
  • Scheduled task creation/modification events
  • File creation, deletion, timestamp, shortcut, .scr, DLL, and NTFS attribute/alternate data stream evidence
  • Process injection or memory-behavior telemetry from EDR where available

Detection direction

  • Do not rely on an official Gazer detection analytic; ATT&CK does not provide one for this object.
  • Map detections to the related techniques and test whether Windows persistence changes are visible and triaged with useful context.
  • Tune for administrative false positives: scheduled tasks, Run keys, shortcuts, and signed binaries are common, so detections should consider rarity, path, signer, user context, timing, and correlated process/network activity.
  • Correlate stealth signals such as timestomping, file deletion, NTFS attribute abuse, encoded files, and process injection rather than alerting on each weak signal in isolation.
  • Review outbound web traffic for unusual destinations, beacon-like patterns, or encrypted payload behavior, while recognizing that encrypted C2 may limit content inspection.

Mitigation priorities

  • Harden and monitor Windows persistence surfaces: scheduled tasks, startup folders, Run keys, Winlogon helper paths, screensaver execution, and shortcut locations.
  • Apply least privilege and change control around registry locations and startup mechanisms that enable persistence or privilege escalation.
  • Maintain endpoint protection/EDR coverage capable of recording process, file, registry, and memory-behavior signals relevant to injection and stealth.
  • Restrict and monitor unauthorized tool transfer and suspicious outbound web communications through egress controls, proxy logging, and DNS visibility.
  • Strengthen code-signing validation processes, but do not treat a valid signature alone as proof of trust because ATT&CK links this object to code-signing abuse.
Analyst notes and limits

ATT&CK identifies Gazer as a backdoor used by Turla since at least 2016 and notes WhiteBear is assessed in the references as the same as S0168. The strongest defensive value comes from the technique relationships, especially Windows persistence, stealth, process injection, and encrypted web-based C2. Local baselining is essential because several behaviors overlap with normal administration.

The supplied ATT&CK object has no official detection text and no object-level tactics. This take is limited to the supplied Windows platform, official description, external references, and listed relationships; it does not assert current activity, victim exposure, guaranteed detection, or attribution for any specific incident.

Official MITRE ATT&CK definition

Gazer

Gazer is a backdoor used by Turla since at least 2016. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows
Domain ID Name Relationship / procedure
Enterprise T1547.004 Winlogon Helper DLL Sub-technique

Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[1]
Enterprise T1070.006 Timestomp Sub-technique

For early Gazer versions, the compilation timestamp was faked.[1]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

Gazer uses custom encryption for C2 that uses RSA.[1][2]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Gazer can establish persistence by creating a .lnk file in the Start menu.[1][2]
Enterprise T1071.001 Web Protocols Sub-technique

Gazer communicates with its C2 servers over HTTP.[1]
Enterprise T1547.009 Shortcut Modification Sub-technique

Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[1][2]
Enterprise T1070.004 File Deletion Sub-technique

Gazer has commands to delete files and persistence mechanisms from the victim.[1][2]
Enterprise T1055.003 Thread Execution Hijacking Sub-technique

Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.[1][2]
Enterprise T1055 Process Injection

Gazer injects its communication module into an Internet accessible process through which it performs C2.[1][2]
Enterprise T1105 Ingress Tool Transfer

Gazer can execute a task to download a file.[1][2]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Gazer uses custom encryption for C2 that uses 3DES.[1][2]
Enterprise T1546.002 Screensaver Sub-technique

Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[1]
Enterprise T1553.002 Code Signing Sub-technique

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[1][2]
Enterprise T1033 System Owner/User Discovery

Gazer obtains the current user's security identifier.[2]
Enterprise T1564.004 NTFS File Attributes Sub-technique

Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[2]
Enterprise T1053.005 Scheduled Task Sub-technique

Gazer can establish persistence by creating a scheduled task.[1][2]
Enterprise T1480.002 Mutual Exclusion Sub-technique

Gazer creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that only one instance of itself is running.[1]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

uses · Technique T1547.004: Winlogon Helper DLL Enterprise uses · Technique T1070.006: Timestomp Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Group G0010: Turla Enterprise uses · Technique T1547.009: Shortcut Modification Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1055.003: Thread Execution Hijacking Enterprise uses · Technique T1055: Process Injection Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1546.002: Screensaver Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1564.004: NTFS File Attributes Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1480.002: Mutual Exclusion Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
d7580c6bba94db5d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle d7580c6bba94…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET Gazer Aug 2017

    ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.

    Open source URL
  2. [2]
    Securelist WhiteBear Aug 2017

    Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

    Open source URL
  3. [3]
    ESET Crutch December 2020

    Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.

    Open source URL
  4. [4]
    Gazer

    (Citation: ESET Gazer Aug 2017)

  5. [5]
    WhiteBear

    The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. (Citation: Securelist WhiteBear Aug 2017)(Citation: ESET Crutch December 2020)

  6. [6]
    mitre-attack S0168
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use