active threat profile
type: nation-state
threat_level: high
status: active
origin: Uzbekistan — State Security Service (SSS/NSS)
last_updated: 2025-03-27
tags: apt / nation-state / espionage / central-asia

SandCat

attributed to: Uzbekistan SSS / NSS Military Unit 02616

An Uzbek state intelligence operation attributed to Uzbekistan's State Security Service (SSS, also known as the NSS or SNB) — notable less for its capabilities than for its catastrophic operational security failures, which led Kaspersky researchers to discover four separate Windows zero-day exploits in under four months simply by monitoring the group. SandCat's developers installed Kaspersky antivirus on their own malware development machines with telemetry enabled, handed every exploit to the security vendor the moment they received it on a USB drive, and embedded screenshots of their own file systems in test documents. The resulting intelligence disaster burned zero-days purchased from Israeli brokers, exposed parallel operations run by Saudi Arabia and the UAE, and gave Kaspersky researchers enough attribution data to identify the group down to military unit numbers and individual names.

attributed origin: Uzbekistan — Tashkent (Military Unit 02616, SSS)
suspected sponsor: Uzbekistan State Security Service (SSS / NSS / SNB)
first observed: 2008 (est.); formally tracked from Oct 2018
primary motivation: Espionage — journalists, human rights activists, dissidents, regional targets
primary targets: Journalists, dissidents, activists — Middle East, Central Asia
notable distinction: 4 Windows zero-days burned via self-inflicted OPSEC failures
exploit vendors: NSO Group (suspected), Candiru (suspected), Hacking Team (confirmed client)
target regions: Middle East, Central Asia, Africa (early campaigns)
threat level: High (state resources; goals remain active)

Overview

SandCat is a state-sponsored espionage operation linked to Uzbekistan's State Security Service (SSS), also referred to as the NSS or SNB. The group's existence was largely unknown to the security research community before October 2018, when Kaspersky researcher Brian Bartholomew encountered an unusual instance of a known malware family — Chainshot — on a victim's machine in the Middle East. Chainshot had been associated with Saudi Arabian and Emirati nation-state operations, but the infrastructure in this case belonged to a group no one had seen before. That discovery led Bartholomew on a months-long investigation into what he would present at the Virus Bulletin 2019 conference in London as one of the most operationally incompetent state intelligence actors ever documented.

Kaspersky has since attributed the group to Military Unit 02616, an entity in Tashkent, Uzbekistan that has registered infrastructure used in SandCat campaigns since at least 2008. The Uzbek SSS's interest in offensive cyber tools was first publicly documented in 2015 when a hacker known as Phineas Fisher breached the Italian surveillance vendor Hacking Team and published internal correspondence revealing that the SSS had spent nearly $1 million on Hacking Team tools between 2011 and 2015. Privacy International has also documented the SSS's use of tools from surveillance vendors Verint and Nice Systems.

By 2018, the SSS had apparently graduated to purchasing more powerful zero-day exploits from third-party brokers, which Kaspersky assesses with medium confidence to include the Israeli firms NSO Group and Candiru. The exploits, delivered to SandCat via USB drive, were scanned and uploaded to Kaspersky's servers by the antivirus software the group had installed on its own development machines — in one case, Bartholomew believes Kaspersky obtained a fresh exploit before SandCat had even deployed it operationally.

The group began developing in-house malware in 2018, producing a platform called Sharpa alongside a trojanized Telegram desktop application and a password stealer. This pivot likely followed the repeated burning of purchased exploits, which may have prompted commercial vendors to end their relationship with the SSS. Even during in-house development, the same OPSEC failures continued: SandCat tested Sharpa components against Kaspersky antivirus with telemetry enabled, and a developer embedded a screenshot of their own file system in a Word test document, exposing the development environment's structure.

Bartholomew described SandCat as "trash actors" due to their operational carelessness, while also noting this may reflect regional bravado and institutional inexperience rather than malice. "A lot of the nation-state threat actors in that region have the same bravado," he said. "They just don't care. They adamantly deny everything. And if they get caught they get caught." Despite this, the SSS's targets — journalists, human rights activists, and dissidents — are consistent with the priorities of a domestic and regional intelligence service with a long history of transnational repression.

collateral damage to other actors

SandCat's OPSEC failures did not only expose its own operations. Saudi Arabian and Emirati nation-state groups were using some of the same purchased zero-day exploits. When SandCat's OPSEC failures caused those exploits to be discovered and patched, all other purchasers simultaneously lost access to those tools. As Bartholomew noted: "All it takes is one sloppy customer. One customer who is bad at OPSEC ruins it for all the others."

OPSEC Failures — The Case Study

SandCat's operational security record is unique in the nation-state threat actor landscape. The following failures were documented by Kaspersky during a single investigation period and collectively constitute one of the most comprehensive self-exposures in the history of state-sponsored cyber operations.

failure 1 — antivirus telemetry on malware development machines

SandCat installed Kaspersky antivirus on the machines used to write and test malware, with the telemetry reporting feature enabled. This caused Kaspersky's software to detect suspicious files on those machines and automatically transmit copies back to Kaspersky servers for analysis — including malware still in development that had never been deployed against a victim. Bartholomew: "Every time they would test it, our software would pull the binaries back."

failure 2 — USB delivery of exploits scanned automatically

Each time a new exploit was delivered to SandCat from a commercial vendor via USB drive, a team member would insert the drive into a machine running Kaspersky antivirus. The software would automatically scan the drive, identify the exploit files as malicious, and upload them to Kaspersky. Bartholomew believes Kaspersky received at least one exploit before SandCat had used it operationally, effectively voiding the purchase.

failure 3 — developer screenshot embedded in test document

SandCat developers uploaded a Word document used in testing that contained a screenshot of one developer's machine, exposing the file directory structure, application data, and details about the group's development environment and attack platform under construction. This gave Kaspersky direct visibility into SandCat's internal infrastructure as it was being built.

failure 4 — military unit name used for domain registration

SandCat used the name of a military group associated with the SSS to register a domain used in its attack infrastructure. IP addresses in the campaign resolved to the domain itt.uz, which had been registered to Military Unit 02616 in Tashkent, Uzbekistan since 2008. This single error provided enough attribution data for Kaspersky to identify not only the responsible organization but also the specific military unit and the names of individuals involved.

failure 5 — same domain used for enterprise email and malware testing

SandCat used the same domain for internal enterprise email communications and for testing its malware infrastructure — meaning the domain appeared in both internal operational communications and in external attack infrastructure analysis, creating a clear linkage between the group's internal identity and its offensive operations.

Target Profile

SandCat's targeting reflects the SSS's broad mandate for domestic surveillance and transnational repression of dissidents, journalists, and civil society actors. The group has also conducted operations against regional targets in the Middle East.

  • Journalists: Uzbek and regional journalists are a confirmed primary target. Kaspersky noted that historically SandCat pursued journalists who have been subjected to email hacking and dumping in Uzbekistan. This targeting aligns with the SSS's documented history of surveilling domestic and diaspora media.
  • Human Rights Activists and Dissidents: Candiru, a suspected exploit supplier to SandCat, powered attacks against dissidents and free speech defenders in Uzbekistan. The SSS has operated government blacklists of dissidents, and SandCat's tools provide the surveillance capability to monitor individuals on those lists regardless of their physical location.
  • Middle East targets: SandCat's initial discovery came from a Chainshot infection on a victim in the Middle East. Kaspersky's Costin Raiu noted that targets of SandCat were "mostly observed in Middle East, including but not limited to Saudi Arabia." The precise nature of SSS's interest in Middle Eastern targets — whether counterterrorism intelligence, regional intelligence sharing, or operational overlap with commercial exploit vendors — is not publicly documented.
  • African targets: CVE-2018-8611 exploitation by SandCat was observed in attacks aimed at entities in both the Middle East and Africa, suggesting a wider operational scope than Uzbekistan's immediate regional interests alone would suggest.

Tactics, Techniques & Procedures

SandCat's TTPs span two distinct phases: a vendor-dependent phase using commercial exploits and off-the-shelf spyware frameworks, and an in-house development phase beginning in 2018 with the Sharpa platform. Both phases reflect significant financial backing despite poor operational discipline.

MITRE ATT&CK mapping (id, technique: description)
T1203, Exploitation for Client Execution: SandCat deployed multiple Windows kernel zero-day exploits for privilege escalation and initial execution. Chainshot was installed via a zero-day Flash Player exploit (CVE-2018-5002) before SandCat pivoted to Windows LPE vulnerabilities.
T1068, Exploitation for Privilege Escalation: Four Windows Local Privilege Escalation zero-days were exploited: CVE-2018-8589 ("Alice"), CVE-2018-8611 ("Jasmine"), CVE-2019-0797, and a fourth vulnerability. CVE-2018-8611 could escape the Chrome and Edge browser sandboxes when combined with a compromised renderer.
T1195, Supply Chain Compromise: SandCat operated as a consumer of commercial offensive tools from Hacking Team, NSO Group (suspected), and Candiru (suspected), placing the threat actor at the endpoint of the surveillance-vendor supply chain rather than making it an independent developer.
T1059, Command and Scripting Interpreter: The FinFisher/FinSpy framework was used alongside Chainshot for post-exploitation and surveillance. FinSpy provides keylogging, screen capture, microphone/webcam activation, and encrypted C2 communications.
T1566, Phishing: SandCat used spear phishing to deliver malicious documents to journalists and activists. A trojanized Telegram desktop application was developed during the Sharpa in-house phase as an alternative delivery mechanism.
T1555, Credentials from Password Stores: A custom password stealer was developed as part of SandCat's in-house tool suite alongside the Sharpa platform, harvesting credentials from victim systems.
T1036, Masquerading: The trojanized Telegram desktop application masquerades as a legitimate messaging client to establish persistence and conduct surveillance while appearing as a trusted application to the victim.
T1496, Resource Development: Infrastructure: SandCat registered domains using organizationally identifying names (Military Unit 02616, SSS-affiliated military groups) and maintained the same small set of infrastructure across a long operational period, a consistency that simplified tracking once the initial linkage was established.

Known Campaigns

Hacking Team Client — SSS Pre-SandCat Operations (2011–2015)

Before SandCat was formally identified, the Uzbek SSS was a documented paying customer of Italian surveillance vendor Hacking Team. Internal emails published by Phineas Fisher after the 2015 Hacking Team breach show the SSS spent approximately $1 million on Hacking Team surveillance tools between 2011 and 2015. This predates the group's use of higher-capability exploits from NSO Group and Candiru, indicating a decade-plus investment in commercial offensive tools by Uzbek intelligence.

Chainshot / FinFisher Middle East Operations (2018)

SandCat was first formally tracked in October 2018 when Kaspersky discovered Chainshot malware on a victim in the Middle East using infrastructure not associated with any known actor. SandCat was deploying Chainshot alongside FinFisher/FinSpy, using a zero-day Flash Player exploit (CVE-2018-5002) for initial delivery. Targets were primarily observed in the Middle East. The use of Chainshot — previously seen in Saudi Arabian and Emirati campaigns — suggested SandCat had access to the same commercial exploit supply chain as those actors.

Windows Zero-Day Exploitation Campaign Series (Oct 2018–Mar 2019)

In an approximately four-month window, Kaspersky discovered four Windows zero-day Local Privilege Escalation exploits in use by or associated with SandCat: CVE-2018-8589 (patched October 2018), CVE-2018-8611 (patched December 2018), CVE-2019-0797 (patched March 2019), and a fourth vulnerability. All were discovered directly as a result of SandCat's OPSEC failures — specifically the group's practice of testing exploits on machines running Kaspersky antivirus with telemetry enabled. CVE-2018-8611 was of particular concern as a race condition in the Windows Kernel Transaction Manager capable of escaping the Chrome and Edge browser sandboxes.

Sharpa In-House Platform Development (Late 2018–2019+)

Following the repeated burning of commercially purchased exploits, SandCat began developing an in-house attack platform called Sharpa in late 2018. The suite included a trojanized Telegram desktop application, a password stealer, and additional components under active development. Kaspersky observed this development in real time due to SandCat continuing to test components against Kaspersky antivirus with telemetry enabled — the same practice that had exposed all prior exploits. A developer also embedded a screenshot of their machine in a Word test document, giving Kaspersky a view into the Sharpa development environment as it was being built.

Tools & Infrastructure

  • Chainshot: A multi-stage malware framework used to establish initial access and execute next-stage payloads. Originally attributed to Middle Eastern nation-state actors; SandCat was identified as a separate purchaser. Delivered via CVE-2018-5002 (Flash Player zero-day) in early SandCat campaigns.
  • FinFisher / FinSpy: Commercial government spyware providing keylogging, screen and audio capture, webcam activation, file system access, and encrypted C2. Used in conjunction with Chainshot in SandCat's initial documented campaign phase. The SSS was a known client of FinFisher vendor Gamma International.
  • Sharpa: SandCat's in-house attack platform, under rapid development from late 2018. Specific capabilities beyond password stealing are not fully public, but Kaspersky observed the development environment via telemetry and developer-exposed screenshots.
  • Trojanized Telegram Client: A modified version of the Telegram desktop messaging application designed to conduct surveillance while appearing legitimate to victims. Developed as part of the in-house tool suite alongside Sharpa.
  • Password Stealer: Custom credential harvesting tool developed as part of the in-house tool suite, targeting stored passwords on victim systems.
  • Windows LPE Zero-Days (×4): Four separate Windows Local Privilege Escalation vulnerabilities — CVE-2018-8589, CVE-2018-8611, CVE-2019-0797, and a fourth — purchased from commercial vendors and used in SandCat campaigns before being discovered and patched as a direct result of SandCat's OPSEC failures.
  • Infrastructure: A small, consistent set of domains registered to Military Unit 02616 via the itt.uz registrar since 2008. The same domain was used for both enterprise email and malware infrastructure testing, and a domain registered using an SSS-linked military group name served as attack infrastructure.

Indicators of Compromise

Attribution infrastructure and behavioral indicators from Kaspersky's investigation, presented for historical and analytical reference.

opsec note

Following public exposure of SandCat's failures at Virus Bulletin 2019, the group was expected to significantly shift its infrastructure and practices. The IOCs listed below reflect observed infrastructure from 2018–2019 campaign activity. Current SandCat infrastructure is likely substantially changed. Operational IOC intelligence should be sourced from current Kaspersky threat intelligence reporting.

indicators of compromise — historical attribution infrastructure
registrar: itt.uz — domain registrar associated with Military Unit 02616, Tashkent, Uzbekistan; linked to SandCat infrastructure since 2008
attribution: Military Unit 02616 — Tashkent, Uzbekistan — registered infrastructure entity identified via domain registration records
malware: Chainshot — multi-stage malware framework; deployed via CVE-2018-5002 (Flash zero-day) in Middle East operations
malware: FinFisher/FinSpy — commercial government spyware framework used alongside Chainshot in the 2018 campaign phase
cve: CVE-2018-8589 ("Alice") — Windows Win32k LPE zero-day; patched October 2018; exploited by SandCat and other Middle East actors
cve: CVE-2018-8611 ("Jasmine") — Windows Kernel Transaction Manager race condition; patched December 2018; capable of Chrome and Edge sandbox escape
cve: CVE-2019-0797 — Windows Win32k race condition LPE; patched March 2019; targets 64-bit Windows 8 through Windows 10 build 15063
behavioral: Small, stable domain infrastructure maintained across multi-year operational periods; same domain used for enterprise email and malware testing, enabling cross-correlation between internal and external activity
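Failures 4 and 5 and the behavioral indicator above describe a single attribution pivot: a C2 address resolves to a hostname, the domain's registration record names an organisation, and every other domain that organisation registered, including the one it uses for ordinary e-mail, joins the same cluster. The Python below is an added illustration of that pivot for analysts, not Kaspersky's tooling; every record in it is constructed (only itt.uz and Military Unit 02616 come from this profile), and the two-label domain shortcut is an assumption a real implementation would replace with the Public Suffix List.

```python
"""Infrastructure pivot keyed on domain registration (added illustration).
Constructed data only: itt.uz and Military Unit 02616 are the names given in
this profile; every IP, hostname, extra domain and count below is made up."""
from collections import defaultdict

# Constructed passive-DNS style observations: (ip, hostname).
PDNS = [
    ("192.0.2.10", "update.itt.uz"),   # hostname carried in a malware sample config
    ("192.0.2.10", "itt.uz"),
    ("192.0.2.11", "mail.itt.uz"),     # MX host of the same domain
    ("198.51.100.5", "cdn-static.example"),
]

# Constructed registration records: registrable domain -> registrant organisation.
WHOIS = {
    "itt.uz": "Military Unit 02616",
    "hypothetical-second.example": "Military Unit 02616",  # same registrant, no C2 sighting
    "cdn-static.example": "REDACTED FOR PRIVACY",
}

# Constructed count of enterprise e-mails seen per sender domain (failure 5).
MAIL_DOMAINS = {"itt.uz": 37}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Real tooling should consult the
    Public Suffix List; the shortcut is adequate for the constructed data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pivot(seed_ips, pdns=PDNS, whois=WHOIS, mail_domains=MAIL_DOMAINS):
    """Expand seed C2 addresses into clusters keyed by registrant organisation.

    ip -> hostname -> registrable domain -> registrant -> every domain that
    registrant holds -> every IP those domains resolved to. Domains that also
    carry ordinary e-mail are reported separately as mail_overlap.
    """
    hosts_by_ip = defaultdict(set)
    ips_by_domain = defaultdict(set)
    for ip, host in pdns:
        hosts_by_ip[ip].add(host)
        ips_by_domain[registrable_domain(host)].add(ip)
    domains_by_registrant = defaultdict(set)
    for domain, org in whois.items():
        domains_by_registrant[org].add(domain)

    clusters = {}
    for ip in seed_ips:
        for host in hosts_by_ip.get(ip, ()):
            org = whois.get(registrable_domain(host))
            if org is None or org.upper().startswith("REDACTED"):
                continue  # privacy-proxied or unknown registrations do not pivot
            cluster = clusters.setdefault(
                org, {"domains": set(), "ips": set(), "mail_overlap": set()})
            for domain in domains_by_registrant[org]:
                cluster["domains"].add(domain)
                cluster["ips"] |= ips_by_domain.get(domain, set())
                if domain in mail_domains:
                    cluster["mail_overlap"].add(domain)
    return clusters
```

Seeding with the constructed C2 address 192.0.2.10 yields one cluster for Military Unit 02616 holding both domains and both addresses, with itt.uz flagged under mail_overlap; the privacy-proxied seed yields nothing, which is the normal outcome against an actor with competent OPSEC.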

Mitigation & Defense

SandCat's targeting profile — journalists, human rights activists, and dissidents — points to a specific at-risk population rather than a broad corporate or government sector. Defense recommendations reflect both the group's technical TTPs and the nature of its intended victims.

  • Zero-Day Patch Velocity: Three of SandCat's four burned zero-days were Windows Local Privilege Escalation vulnerabilities. Organizations and high-risk individuals should prioritize patching Windows kernel and Win32k vulnerabilities on an accelerated timeline. CISA KEV should be monitored for rapid prioritization signal.
  • Journalist and Activist Device Security: SandCat's confirmed primary targets are journalists and human rights defenders. High-risk individuals in this category should use hardened devices, consider Chromebooks or iOS devices for lower attack surface, and avoid installing unsolicited or unverified desktop messaging applications — the trojanized Telegram client is a specific delivery mechanism of concern.
  • Messaging Application Verification: The trojanized Telegram desktop application is an active tool in SandCat's arsenal. Only install Telegram and similar applications from official distribution sources (telegram.org, OS app stores). Verify installer hashes where possible. Be suspicious of Telegram installation offers received via email or messaging.
  • Browser Sandbox Awareness: CVE-2018-8611 was capable of escaping the Chrome and Edge browser sandboxes when combined with a compromised renderer. Keeping browsers updated is the primary control. Disabling JavaScript execution on untrusted sites via extension (uBlock Origin in strict mode) reduces renderer compromise exposure.
  • Antivirus Telemetry Configuration: SandCat's self-exposure was enabled by telemetry-reporting antivirus software installed on malware development machines. For blue team purposes, this case is a reminder that security vendors' telemetry features are a significant source of threat intelligence — and that organizations should carefully review what telemetry their endpoints send and to whom.
  • Threat Intelligence for At-Risk Individuals: Journalists, activists, and NGO workers operating in or covering Central Asian and Middle Eastern regions should treat SandCat as a persistent risk given the SSS's long-standing history of targeting these communities regardless of geographic location. Digital Defenders Partnership and Access Now's Digital Security Helpline provide targeted support for high-risk individuals.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — sandcat — last updated 2025-03-27