Top Malware: Flame, the modular "spy" malware targeting the Middle East.
Red Hot Cyber

Massimiliano Brolli : 12 November 2025 22:27

Flame (also known as Flamer, sKyWIper or Skywiper) is a modular computer malware discovered in 2012 that attacked Middle Eastern target computers running the Microsoft Windows operating system.

The program’s primary purpose was cyber espionage, aimed at gathering intelligence in Middle Eastern countries. Russian cybersecurity firm Kaspersky Labs told the BBC that it believes the malware, known as Flame, has been operational since August 2010, so it’s likely that its development occurred very close to the time the Stuxnet malware was written.

The malware is highly sophisticated and, although this has never been confirmed, appears to have been written by US-sponsored experts in conjunction with the Israeli government. Flame has been described by many cybersecurity researchers as “one of the most complex threats ever discovered.”

What is Flame

Flame was an unusually large program, weighing in at a staggering 20 megabytes (40 times larger than the Stuxnet code). It was written partly in the Lua scripting language with compiled and linked C++ code, which allowed additional attack modules to be loaded after the initial infection.

The malware uses five different encryption methods and an SQLite database to store the information it retrieves from the environment in a structured way.

This malware was not created to cause physical harm, but only to collect huge amounts of sensitive information and send it to its command and control server.

“Once a system is infected, Flame begins a complex series of operations, including sniffing network traffic, capturing screenshots, recording audio conversations, intercepting keyboard input, and so on,” said Kaspersky chief malware expert Vitaly Kamluk.

Stuxnet, unlike Flame, was intended to damage equipment, specifically those used in the uranium enrichment process. Stuxnet succeeded in damaging hundreds of centrifuges at the Natanz uranium enrichment facility in Iran, delaying the Iranian nuclear program by one to two years, according to experts.

The first instance of Flame recorded by Kaspersky dates back to August 2010, although it has been said that it was very likely operational earlier. Professor Alan Woodward of the Department of Computer Science at the University of Surrey said the attack was significant because, as a toolkit, Flame could target virtually anything it could replicate to.

Once the malware had infected a machine, it was possible, if necessary, to add additional modules and perform specific tasks, much the same way you add an app to a smartphone today.

The Target

Flame was created to gather intelligence on Iran’s nuclear program, enabling cyber operations that would slow Iran’s alleged strategic plans to develop nuclear weapons.

Image: Spread of Flame malware

The virus is most likely the result of a classified collaborative project between the United States and Israel, launched more than five years earlier, according to the Washington Post. Flame’s creators hoped their efforts would buy more time for multilateral talks and UN-backed sanctions, negating the option of military intervention.

Flame hit more than 600 specific targets, infecting around 1,000 computers, Kaspersky’s Kamluk said, ranging from individuals and businesses to academic institutions and government systems.

Iran’s National Computer Emergency Response Team issued a security advisory stating that it believed Flame was responsible for “recent mass data loss incidents” in the country.

The capabilities

It’s considered a modular cyberespionage toolkit. Flame installs a backdoor on computers and has at least 20 known modules that can be mixed and matched to steal documents, sniff network traffic, record audio communications, and take screenshots, among other things. The 20 MB of code can be instructed to propagate across a network.

The program also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent to one of several command and control servers located around the world, while the malware awaits further instructions from these servers.

Some Flame components spoofed a Microsoft security certificate for Terminal Server to trick computers into accepting the software as legitimate. Microsoft released a security update to fix the vulnerability in Terminal Server, which is used for remote desktop connections.

Kaspersky’s analysis of Flame’s code suggests a strong relationship between Flame and Stuxnet; the first version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.

To better analyze the malware, GoDaddy set up servers controlled by researchers to receive communications from infected computers. Approximately 50 percent of the connections to the researchers’ sinkhole were from Windows 7 machines, 45 percent were Windows XP, and just under 5 percent were running Windows Vista.

The malware used the password “LifeStyle2” when communicating with C&C servers. According to Roel Schouwenberg, a senior security researcher at Kaspersky Lab, the data was uploaded in small blocks of 8 kilobytes, likely to accommodate the slow Internet speeds in the Middle East.
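The fixed 8 KB upload pattern is also a detection opportunity: a tool that slices stolen files into equal blocks produces long runs of near-identical upload sizes to one destination. The Python below is an added example, not part of the original article or of any Kaspersky tooling; it runs a size-uniformity heuristic over constructed proxy log records (the record layout, addresses and thresholds are assumptions) and flags client/destination pairs whose uploads repeat in near-identical blocks, whatever the block size.

```python
"""Heuristic for fixed-size chunked uploads (example code added for this
article). The log records below are constructed, not a real Flame capture."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed proxy-style records: (timestamp, client, destination, bytes sent).
# 10.0.0.5 uploads six blocks of ~8192 bytes to one host; 10.0.0.8 is normal
# browsing with widely varying request sizes.
SAMPLE_LOG = [
    ("2012-05-28T10:00:01", "10.0.0.5", "198.51.100.7", 8192),
    ("2012-05-28T10:00:04", "10.0.0.5", "198.51.100.7", 8192),
    ("2012-05-28T10:00:07", "10.0.0.5", "198.51.100.7", 8192),
    ("2012-05-28T10:00:10", "10.0.0.5", "198.51.100.7", 8190),
    ("2012-05-28T10:00:13", "10.0.0.5", "198.51.100.7", 8192),
    ("2012-05-28T10:00:15", "10.0.0.5", "198.51.100.7", 8192),
    ("2012-05-28T10:01:00", "10.0.0.8", "203.0.113.9", 512),
    ("2012-05-28T10:01:30", "10.0.0.8", "203.0.113.9", 70000),
    ("2012-05-28T10:02:00", "10.0.0.8", "203.0.113.9", 1300),
    ("2012-05-28T10:02:20", "10.0.0.8", "203.0.113.9", 2048),
    ("2012-05-28T10:02:50", "10.0.0.8", "203.0.113.9", 9000),
]


def find_fixed_size_uploads(records, min_count=5, max_cv=0.01, min_size=1024):
    """Flag (client, destination) pairs with at least `min_count` uploads whose
    sizes are nearly identical (population std-dev / mean <= `max_cv`) and
    large enough to carry data (`min_size`). Returns a sorted list of
    (client, dest, count, typical_size, total_bytes); typical_size is the most
    common size seen, so an analyst can spot the chunk size directly."""
    by_pair = defaultdict(list)
    for _ts, client, dest, sent in records:
        by_pair[(client, dest)].append(sent)
    hits = []
    for (client, dest), sizes in sorted(by_pair.items()):
        if len(sizes) < min_count:
            continue
        avg = mean(sizes)
        if avg < min_size or pstdev(sizes) / avg > max_cv:
            continue  # too small or too variable to look like chunking
        typical = Counter(sizes).most_common(1)[0][0]
        hits.append((client, dest, len(sizes), typical, sum(sizes)))
    return hits


if __name__ == "__main__":
    for client, dest, count, size, total in find_fixed_size_uploads(SAMPLE_LOG):
        print(f"{client} -> {dest}: {count} uploads of ~{size} bytes ({total} total)")
```

The thresholds are starting points: on real proxy logs, tune `min_count` and `max_cv` against a baseline of legitimate fixed-size traffic (software updates, sync clients) before alerting on hits.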

The creators of Flame were interested in receiving PDF files, Microsoft Office documents, and AutoCAD files, which are typically used to design things, “anything from industrial turbines to building designs,” according to Schouwenberg.

The interesting thing about Flame was that it could transport data from air-gapped networks to networks with Internet access. Flame creates a covert channel between computers in the protected environment and computers outside the perimeter that have an Internet connection.

The main idea behind this is something we’ve never seen before in malware: an “information mule,” a person used to transport information between two systems. The information is stored on a memory stick that a user can insert into an infected computer. The memory stick actually stores the malware’s database containing the exfiltrated information.

Who made Flame

Iran’s CERT described the Flame malware’s encryption as “a special pattern seen only in Israel.” The Daily Telegraph reported that because of Flame’s apparent targets, which included Iran, Syria, and the West Bank, Israel had become “many commentators’ prime suspect.”

Others have pointed to China and the United States as possible perpetrators. Richard Silverstein, a critic of Israeli policies, said he had confirmed with a “high-level Israeli source” that the malware was created by Israeli cybersecurity experts.

The Jerusalem Post reported that Israeli Deputy Prime Minister Moshe Ya’alon appeared to imply that his government was responsible, but an Israeli spokesman later denied this implication.

Israeli security officials have suggested that the infected machines found in Israel may have originated in the United States or other Western nations. The United States has officially denied responsibility.

As is always the case in these situations, there are presumed attributions to date, but almost never a certain one.

Massimiliano Brolli
Responsible for the RED Team and Cyber Threat Intelligence of a large Telecommunications company and 4G/5G cyber security labs. He has held managerial positions ranging from ICT Risk Management to software engineering to teaching in university master's programs.
