Flame is a highly sophisticated malware platform and threat actor activity cluster, also known as Flamer and sKyWIper. It was extensively analyzed by CrySyS Lab, Kaspersky Lab, and Symantec around 2011.
The source reporting describes Flame as linked to other major cyberespionage operations, particularly Stuxnet, Duqu, MiniFlame, and Gauss, and as interacting with the Equation Group. Kaspersky researchers found that an older version of Stuxnet contained a Flame plugin known as Resource 207, connecting Flame to Stuxnet development. The reporting also states that Equation Group activity had solid links with the Stuxnet and Flame operators, including exploit sharing and access to zero-days before they were later used by Stuxnet and Flame.
A notable technique attributed to Flame is a novel cryptographic attack that allowed it to impersonate a Windows Update server and spread malware as if it were legitimately signed by Microsoft. The reporting also references TeDi signatures identified for Flame and MiniFlame.
Flame appeared to shut down after its operators deployed the SUICIDE module in May 2012, but the reporting claims the platform continued as "Flame 2.0," with samples reportedly compiled as early as February 2014, including 64-bit Windows variants and AES-256-encrypted second-stage embedded resources, and with samples appearing in VirusTotal as early as October 2016.
The reporting further places Flame within a broader collaborative, state-linked cyberespionage ecosystem that the authors describe as a "Supra Threat Actor" umbrella associated with the cryptonym GOSSIPGIRL. This framing is presented as encompassing collaborative relationships among the operators behind Flame, Stuxnet, Duqu, and Equation-related activity.
High-confidence aliases directly mentioned in the reporting are Flamer and sKyWIper.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular cyberespionage platform tied into the broader GOSSIPGIRL cluster and Stuxnet development; later research in the article claims Flame survived via a retooled Flame 2.0.
A modular cyberespionage platform tied to the GOSSIPGIRL umbrella and Stuxnet collaboration; known for impersonating Windows Update via a cryptographic attack, deploying a SUICIDE cleanup module in 2012, and later resurfacing as Flame 2.0.
Referenced as a separate operator group/platform linked via shared exploit code/modules with Equation Group and Stuxnet (per Kaspersky’s linkage discussion).