The Inception Framework - Cloud-Hosted Targeted Malware Framework.

The Inception Framework - Cloud-Hosted Targeted Malware Framework.

Back to CIRCL Newsroom - Press Release

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Blue Coat researchers, with the participation of CIRCL (Computer Incident Response Center Luxembourg) and various partners, have uncovered highly sophisticated and automated attacks targeting embassies, major corporations, politics, military and the financial sector, all over the globe.

The framework set for performing these targeted attacks is named Inception. It uses a cloud-based infrastructure located in Sweden, CloudMe, and the WebDAV protocol. It also includes randomized file names to prevent detection (in Hindi, Russian, Swedish and English), and malware components embedded in Rich Text Format (RTF) files. These malware payloads have been recovered in home routers and mobile devices. The malware indicators can be found on the MISP (Malware Information Sharing Platform), operated by CIRCL.

The Blue Coat Labs’ whitepaper describes Inception as being a “very slick operation” that can “in theory be the creation of nation states or resourceful private entities”.

“The success rate of this method has been remarkably high. Inception relies on a network of compromised wireless routers and mobile devices and users should therefore pay close attention to their infrastructure and OS set-up. The origin of Inception not known yet and attackers usually use an intricate network of router proxies and rented hosts”, explains a security researcher from CIRCL.

CIRCL has contributed to the whitepaper in addition to Crowdstrike, F-Secure Corporation, iSight Partners, Kaspersky Labs, Symantec Corporation

Find the full report here: