Mallory
Malware · Used by 1 actor

Gauss

Gauss is malware that public reporting links to the same development ecosystem or group as Flame, MiniFlame, Duqu, and Stuxnet. The cited reporting describes Gauss as one of two malicious programs identified through code similarity as belonging to the same group as Flame, and as either a more widespread successor to MiniFlame or a side operation. The same reporting states that researchers examined possible links between the destructive Wiper malware and Flame, Duqu, and Gauss, and that Flame, Duqu, and Gauss were found to have been produced by the same software developers as Stuxnet. An excerpt from Kaspersky's Gauss whitepaper indicates that Gauss used environmental keying: the target-specific values used to derive decryption keys or execution conditions could include network shares, physical devices, installed software and versions, files, joined Active Directory domains, system time, and local or external IP addresses. Keying the payload to such values tightly scopes execution to the intended victim environment, which complicates sandboxing, antivirus detection, reverse engineering, and incident response, because the payload neither decrypts nor runs where those values are absent. Beyond these environmental keying inputs and Gauss's relationship to the broader Flame/Stuxnet malware ecosystem, the cited material provides no additional high-confidence infection vector, victim sector, or IOC details.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
GOSSIPGIRL

First from Flame to Mini-Flame, its likely predecessor, and then to Gauss, considered a more widespread successor or perhaps a side operation.

via web archive (web.archive.org)