Highly sophisticated group using air-gap-defeating modular malware platform active since 2011, discovered by Kaspersky in 2016. This profile is mapped to MITRE ATT&CK G0041 and covers attribution, tooling, targeting, and defensive recommendations based on observed campaigns.
Overview & Attribution
Strider (also tracked as ProjectSauron) is a threat group attributed to Unknown (state-sponsored). The group primarily targets Government, military, telecoms, scientific for intelligence collection and operational objectives aligned with state interests.
This group is tracked as G0041 in the MITRE ATT&CK framework. All techniques referenced in this report are mapped to ATT&CK for consistent threat modeling and detection engineering.
Arsenal & Tools
Known tools and malware associated with Strider include:
- Remsec/ProjectSauron platform
Targeting & Operations
Strider operations focus on Government, military, telecoms, scientific. The group typically gains initial access through spear-phishing, exploitation of public-facing applications, or strategic web compromises before deploying custom implants for persistent access and data exfiltration.
Organizations in the Government sector should treat Strider as a relevant threat and validate their detection coverage against the MITRE ATT&CK techniques listed below.
MITRE ATT&CK Mapping
Key techniques observed in Strider operations:
| Technique ID | Technique Name | Tactical Context |
|---|---|---|
| T1091 | T1091 | Observed in Strider campaigns |
| T1059.001 | T1059.001 | Observed in Strider campaigns |
| T1027 | T1027 | Observed in Strider campaigns |
| T1056.001 | T1056.001 | Observed in Strider campaigns |
Full ATT&CK mapping: https://attack.mitre.org/groups/G0041/
Notable Campaigns
This threat group has been active in operations targeting Government, military, telecoms, scientific. Security researchers have documented campaigns involving Remsec/ProjectSauron platform and other tools deployed against organizations in multiple countries. Attribution confidence varies by campaign, but consistent infrastructure and TTP overlap links activity to Unknown (state-sponsored)-nexus operations.
Detection & Defense
Recommended defensive measures against Strider:
- Network monitoring: Detect C2 beaconing patterns associated with Remsec/ProjectSauron platform and related implants
- Endpoint detection: Deploy behavioral rules for the ATT&CK techniques above, particularly T1091 and T1059.001
- Email security: Implement robust phishing defenses including URL sandboxing and attachment detonation
- Patch management: Prioritize patching of internet-facing applications exploited by this group
- Threat hunting: Proactively hunt for IOCs and behavioral indicators mapped to G0041 in MITRE ATT&CK
How Mjolnir Security Can Help
Defend Against Strider
Mjolnir Security provides tailored threat intelligence, detection engineering, and incident response services to help organizations defend against Unknown (state-sponsored)-nexus threat actors.
Contact us: mjolnirsecurity.com
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts