Microsoft Windows NT, 2000, XP, Vista, and 7
On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.
Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.
Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. 
Users and administrators are recommended to take the following preventive measures to protect their computer networks:
- Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). 
- Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.
Stage 1 files, 32 bit:
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:
Stage 1, 64-bit system infection:
Stage 2, 32 bit:
Stage 2, 64 bit:
Stage 3, 32 bit:
Stage 4, 32 bit:
Stage 4, 64 bit:
Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.
Registry branches used to store malware stages 2 and 3:
IP IOCs :
November 25, 2014: Initial Release
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.