Red October, also referred to as Operation Red October and tracked by Kaspersky under the malware name Rocra (a contraction of "Red October"), was a cyberespionage campaign discovered by Kaspersky Lab in October 2012 and publicly disclosed in January 2013. The operation had reportedly been active for up to five years, with activity assessed as dating back to at least May 2007. It targeted diplomatic, governmental, military, and scientific research organizations worldwide; reporting specifically noted victims in Eastern Europe, former Soviet republics, and Central Asia, and compromises of diplomatic, military, and nuclear research networks. The malware exfiltrated a wide range of information, including diplomatic secrets and personal data, and also collected data from mobile devices connected to infected hosts.
The primary infection vector was spearphishing: malicious Microsoft Word and Excel documents delivered by email that exploited known vulnerabilities in those applications to drop the first stage. A secondary infection path was also identified on Red October command-and-control infrastructure: a PHP page hosted in a special folder on the servers that exploited the Java browser plugin vulnerability CVE-2011-3544 to download and execute Rocra automatically when a victim's browser loaded it. Oracle had patched CVE-2011-3544 in its October 2011 Critical Patch Update (Java SE 7 Update 1 and 6 Update 29), more than a year before disclosure, so the drive-by only worked against browsers running an unpatched plugin. Seculert assessed that this Java-based path was probably not the main infection vector, since a server misconfiguration had disabled the exploit-delivery PHP code.
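Both delivery paths above end the same way: a document viewer or a browser plugin spawns a payload it has no business launching. The following process-lineage check is an added example, not code from Kaspersky, Seculert or Mallory. It runs over constructed Sysmon-style process-creation records; the process names, staging directories and LOLBin list are assumptions chosen for illustration, not observed Red October indicators.

```python
"""Process-lineage detection for the two Red October delivery paths:
an Office document (Word or Excel) that drops and runs a payload, and the
Java browser-plugin drive-by that does the same.

Added example, not code from Kaspersky, Seculert or Mallory. The events are
constructed Sysmon-style process-creation records, and the process names,
paths and staging directories are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parents that should not normally launch executables from user-writable
# staging paths. Office binaries cover the spear-phishing vector; the Java
# launchers cover the browser-plugin (CVE-2011-3544) drive-by path.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
JAVA_PARENTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}

# Living-off-the-land binaries that exploit shellcode commonly chains through.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Directories a first stage is typically written to (assumption).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")


@dataclass
class Alert:
    vector: str       # which delivery path the lineage matches
    parent: str       # parent process basename
    image: str        # child process basename
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_staging_dir(path: str) -> bool:
    lowered = path.replace("/", "\\").lower()
    return any(d in lowered for d in STAGING_DIRS)


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert when a process-creation event matches either lineage."""
    parent = _basename(event.get("ParentImage", ""))
    image = event.get("Image", "")
    child = _basename(image)
    # A child dropped into a staging directory, or a LOLBin, is the signal;
    # ordinary helpers launched from program directories are ignored.
    suspicious_child = _in_staging_dir(image) or child in LOLBINS

    if parent in OFFICE_PARENTS and suspicious_child:
        return Alert("office-document", parent, child, event.get("CommandLine", ""))
    if parent in JAVA_PARENTS and suspicious_child:
        return Alert("java-plugin-driveby", parent, child, event.get("CommandLine", ""))
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run classify() over a stream of events and keep the hits."""
    return [hit for hit in map(classify, events) if hit is not None]


# Constructed sample telemetry (not real logs). Events 1, 3 and 5 should fire;
# event 2 is Word launching a benign print helper, event 4 is a user opening Word.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\jre_update.exe",
     "CommandLine": "jre_update.exe /quiet"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE report.doc"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start rundll32.exe"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.vector}] {hit.parent} -> {hit.image}: {hit.command_line}")
```

The staging-directory and LOLBin conditions are what keep this from firing on every Office child process; tune both lists to your environment before deploying, and note that the Java branch only catches the plugin path when the browser hands off to a separate Java launcher process, as it did in the era of this campaign.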
After public disclosure, domain registrars and hosting providers reportedly shut down as many as 60 attacker-controlled domains used for command-and-control and data collection, and the operators took down their side of the infrastructure. Attribution was not conclusive. Kaspersky reported Russian slang in the malware code, while also assessing that parts of the malware appeared to be built on existing exploits previously developed by Chinese hackers and used against Tibetan activists. Separate reporting cited artifacts linking Red October to Agent.BTZ and Turla. Kaspersky also reported that a small number of NetTraveler victims were co-infected with Red October malware, among them a military contractor in Russia, embassies in Iran, Belgium, Kazakhstan, and Belarus, and a government entity in Tajikistan.
Seculert researchers explained that a special folder on the Red October command-and-control servers contained a PHP page that could exploit the Java flaw, causing the hapless victim's browser to download and execute Red October's "Rocra" malware automatically.
A malware platform cited as a possible dual-country collaboration example.
Referenced as a possible dual-country collaborative malware operation in the article's methodological discussion of supra threat actors.
Named global cyber-espionage operation targeting diplomatic, military, and nuclear research networks; reported publicly in January 2013 and then shut down shortly after reporting.