Flame
A twenty-megabyte espionage platform aimed at Iran turned out to be a cousin of Stuxnet — and forged Microsoft's own update signature to spread.
In May 2012, Iran's national CERT, Kaspersky, and CrySyS Lab simultaneously disclosed the discovery of a piece of malware unlike anything previously catalogued: a sprawling, modular espionage platform that researchers named Flame. The codebase weighed in at around twenty megabytes — orders of magnitude larger than typical targeted implants — and bundled functionality to record audio from microphones, sniff Bluetooth devices, capture screenshots, log keystrokes, and exfiltrate documents.
A forged Microsoft signature
Flame's most striking technical detail was how it spread inside a target network. It could intercept Windows Update traffic from neighbouring machines on the local network and hand them a binary carrying a certificate that chained up to a Microsoft root, so Windows accepted the file as Microsoft-signed code. That certificate was not stolen; it was minted with a chosen-prefix collision attack on MD5, a hash function Microsoft's Terminal Server Licensing Service certificate authority was still using to sign certificates in 2012. Cryptographers who examined the forged certificate concluded that the collision relied on a previously unpublished variant of the attack, the kind of result associated with a state-level research budget. The same exposure applied to any other CA that still signed with MD5 at the time.
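The mechanism behind the forgery is easy to see with public test vectors. The script below is an added illustration for this article, not code from Flame, Microsoft or any of the labs that analysed it. It uses the published Wang et al. (2004) MD5 colliding pair (an identical-prefix collision, whereas Flame needed a chosen-prefix collision so that the two colliding documents could carry different, meaningful content), shows that the collision survives any identical suffix because MD5 is a Merkle-Damgard construction, and then runs a constructed toy CA whose signature depends on the document only through its digest: a signature issued for one document verifies the other under MD5 and fails under SHA-256. The CA secret, the certificate "tail" and the HMAC-over-digest signer are all assumptions standing in for RSA-over-MD5 so the script runs offline.

```python
"""MD5 collision: one signature over two different documents.

Added illustration for this article; not code from Flame, Microsoft, or
any of the labs that analysed the malware. MSG_A and MSG_B are the public
Wang et al. (2004) colliding pair, verifiable with hashlib. The "CA" is a
constructed toy: HMAC over the digest stands in for RSA-over-MD5.
"""
import hashlib
import hmac

# Wang et al. (2004) colliding blocks: two 128-byte messages, six bytes apart,
# one MD5 digest. Public test vectors, not bytes from Flame's certificate.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> tuple:
    """Append one identical suffix to both colliding messages.

    MD5 is a Merkle-Damgard construction: once the internal state agrees
    after the colliding blocks, any identical continuation hashes the same.
    That is what turns a collision into a forgery tool: the colliding
    blocks go early in the to-be-signed data and the real certificate
    fields follow them.
    """
    return MSG_A + suffix, MSG_B + suffix


def toy_ca_sign(tbs: bytes, ca_secret: bytes, algo: str = "md5") -> str:
    """Toy signer: keyed MAC over hash(tbs), standing in for RSA over a digest.

    The signature depends on tbs only through its digest, exactly as a real
    X.509 signature does; that is the property a collision abuses.
    """
    return hmac.new(ca_secret, hashlib.new(algo, tbs).digest(), "sha256").hexdigest()


def toy_ca_verify(tbs: bytes, sig: str, ca_secret: bytes, algo: str = "md5") -> bool:
    """Recompute the toy signature over tbs and compare in constant time."""
    return hmac.compare_digest(toy_ca_sign(tbs, ca_secret, algo), sig)


def signature_transfer(algo: str) -> bool:
    """Does a signature issued for the harmless document verify the rogue one?

    Constructed scenario: the CA signs tbs_honest; the attacker reuses that
    signature on tbs_rogue, which shares the suffix but differs inside the
    colliding prefix. True under MD5, False under SHA-256.
    """
    ca_secret = b"constructed-toy-ca-secret"  # constructed, not a real key
    tail = b"issuer=ToyCA,subject=ToySubject,eku=codeSigning"  # constructed
    tbs_honest, tbs_rogue = extend_collision(tail)
    sig = toy_ca_sign(tbs_honest, ca_secret, algo)  # CA only ever sees tbs_honest
    return toy_ca_verify(tbs_rogue, sig, ca_secret, algo)


if __name__ == "__main__":
    print("MD5(A) == MD5(B):", digest_hex(MSG_A) == digest_hex(MSG_B))
    print("differing byte offsets:", differing_offsets(MSG_A, MSG_B))
    a, b = extend_collision(b"tbsCertificate continues here")
    print("collision survives identical suffix:", digest_hex(a) == digest_hex(b))
    print("rogue doc verifies under MD5 signer:", signature_transfer("md5"))
    print("rogue doc verifies under SHA-256 signer:", signature_transfer("sha256"))
```

The lesson for a defender is the last two lines: the signer's key was never compromised, and the fix is not a new key but a digest the attacker cannot collide. Auditing every CA in a trust chain for an MD5 (or SHA-1) signature algorithm is the corresponding check.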
Microsoft revoked the intermediate certificates involved within days (Security Advisory 2718704, 3 June 2012), moved Windows Update to a dedicated signing certificate, and tightened its code-signing certificate policy across Windows in subsequent updates.
A confirmed relative
Researchers at Kaspersky later showed that an early 2009 build of Stuxnet carried a module built on the Flame platform, a code-sharing relationship that points to overlapping authorship rather than merely similar tooling. US and Israeli officials, speaking on background to American reporters, confirmed Flame as a jointly developed US-Israeli intelligence collection tool aimed at Iran, the espionage counterpart to Stuxnet's sabotage.
What the chronicle remembers
Flame is the case that proved a state could afford to develop a novel cryptanalytic attack just to make malware look like a routine system update. It also made clear that Stuxnet had been part of a family, and that the rest of the family was already running.