Regin is a highly sophisticated, modular, multi-stage cyber-espionage platform that gives attackers deep remote control across victim networks. The sources summarized here describe it as a nation-state-grade framework active since at least 2003, with infections observed in at least 14 countries and victims including telecom operators, government institutions, multinational political bodies, financial institutions, research organizations, and individuals involved in advanced mathematical or cryptographical research. Kaspersky characterized Regin as the first known cyber-attack platform able to penetrate and monitor GSM networks, including modules that monitored GSM base station controllers, collected GSM cell and infrastructure data, and obtained engineering or administrative credentials that could enable manipulation of GSM network operations. The platform is extremely modular and staged: later components are stored in NTFS extended attributes or the registry on some systems, code lives in encrypted virtual file systems, and a dispatcher core is supported by numerous plugins. Documented capabilities include credential sniffing over HTTP, SMTP, and SMB; keylogging; modification of remote Registry information; lateral movement via Windows administrative shares; and command-and-control over multiple transports including HTTP, HTTPS, SMB named pipes, Winsock, and ICMP. Its command-and-control architecture is described as especially stealthy, using communication drones and peer-to-peer, VPN-like routing through compromised victim organizations; some compromised universities were reportedly used as proxies to obscure origin, and some victim networks were linked so that only one node communicated externally. The sources note known external C2 servers at 61.67.114.73, 202.71.144.113, 203.199.89.80, and 194.183.237.145, and state that Kaspersky detections included Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
The operation has been associated in the content with Western or Five Eyes intelligence services, though the provided material stops short of definitive attribution. Additional references note a 2018 intrusion at Yandex using Regin that targeted technical information related to user account authentication and was reportedly detected and neutralized before causing damage.
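The summary above lists four external C2 addresses and describes a relay topology in which internal victims talk to one border node that alone communicates with the internet. The following script is an added illustration, not code from the page or from any vendor report: it runs the two corresponding checks over constructed firewall-style log lines (the log format, the sample addresses in 10.0.0.0/8, and the `min_internal_peers` threshold are assumptions for the example), flagging any flow to a listed C2 address and any internal host that both reaches a C2 address and receives connections from several internal peers, which is the relay pattern the text describes.

```python
import ipaddress
from collections import defaultdict

# External C2 addresses named in the summary above (values from the page).
REGIN_C2_IPS = frozenset({
    "61.67.114.73",
    "202.71.144.113",
    "203.199.89.80",
    "194.183.237.145",
})

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <proto>" per line.
# 10.0.0.5 is the assumed border/relay node; 93.184.216.34 is benign traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 203.199.89.80 tcp/443
2024-01-01T10:00:02Z 10.0.0.7 10.0.0.5 tcp/445
2024-01-01T10:00:03Z 10.0.0.9 93.184.216.34 tcp/80
2024-01-01T10:00:04Z 10.0.0.5 194.183.237.145 icmp
2024-01-01T10:00:05Z 10.0.0.11 10.0.0.5 tcp/445
2024-01-01T10:00:06Z 10.0.0.7 10.0.0.9 tcp/445
"""


def parse_line(line):
    """Parse one log line into (ts, src, dst, proto); return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return ts, src, dst, proto


def parse_log(text):
    """Parse every well-formed line, silently skipping malformed ones."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def is_internal(ip):
    """RFC 1918 and other private ranges count as 'inside the network'."""
    return ipaddress.ip_address(ip).is_private


def find_c2_hits(text):
    """Flows whose destination is one of the listed Regin C2 addresses."""
    return [e for e in parse_log(text) if e[2] in REGIN_C2_IPS]


def find_relay_candidates(text, min_internal_peers=2):
    """Internal hosts that egress to a C2 address AND are contacted by
    at least min_internal_peers other internal hosts: the single
    externally-communicating node the summary describes."""
    egress_hosts = set()
    internal_peers = defaultdict(set)
    for ts, src, dst, proto in parse_log(text):
        if dst in REGIN_C2_IPS and is_internal(src):
            egress_hosts.add(src)
        elif is_internal(src) and is_internal(dst):
            internal_peers[dst].add(src)
    return {h for h in egress_hosts
            if len(internal_peers[h]) >= min_internal_peers}


if __name__ == "__main__":
    for ts, src, dst, proto in find_c2_hits(SAMPLE_LOG):
        print(f"C2 hit: {ts} {src} -> {dst} ({proto})")
    for host in sorted(find_relay_candidates(SAMPLE_LOG)):
        print(f"relay candidate: {host}")
```

The relay heuristic is deliberately loose: any internal host with C2 egress already deserves a look, and the peer-fan-in condition only ranks which one is most likely the border node. Against real telemetry the threshold and the definition of "internal" should follow the environment's addressing.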
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
25 distinct techniques documented for this family, organized by ATT&CK tactic.
The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts.
"Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface." / "Regin appears to have functionality to modify remote Registry information."
a platform – a software package, consisting of multiple modules, capable of infecting the entire networks of targeted organizations to seize full remote control at all possible levels.
The Regin platform uses an incredibly complex communication method between infected networks and command and control servers, allowing remote control and data transmission by stealth.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes.
The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks.
The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as another advanced malware platform.
A stealthy espionage malware platform used to compromise Yandex systems in an operation targeting technical information related to user account authentication.
A likely multi-country malware platform cited as an example of complex collaborative threat activity.
Referenced as a likely multi-country malware platform in a discussion about collaborative or supra threat actor models.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.