PC Surveillance System
⚠️ Overview
PC Surveillance System (PSS) is a commercial remote access trojan (RAT) first documented by Symantec in 2012, developed by the Russian company Sysman LLC under the legitimate product name “Pc Surveillance System” for employee monitoring. It has been repurposed by threat actors for espionage and is classified as a surveillanceware family, frequently deployed against government and energy sector targets in Eastern Europe and the Middle East.
🔧 Technical Capabilities
PSS uses a central command-and-control (C2) infrastructure over HTTP and HTTPS, with fallback to DNS tunneling for stealth. It propagates via spear-phishing emails containing malicious macros or exploitation of CVE-2017-0199 (Microsoft Office OLE bug) to drop the payload. Persistence is achieved through a Windows service named “PCSSvc” and a registry run key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. The malware evades detection by employing API unhooking, process hollowing, and packing with custom UPX variants. Capabilities include keylogging, screen capture, webcam access, file exfiltration, and audio recording via the victim’s microphone.
📜 History & Notable Incidents
The first major campaign was documented in 2013 targeting Ukrainian government networks, attributed to the Gamaredon group (aka Primitive Bear). In 2019, a variant exploiting CVE‑2018‑8174 (VBScript Engine RCE) was used against energy companies in Saudi Arabia. No law enforcement actions have been publicly recorded, but the tool was mentioned in a 2020 CERT-UA report as part of a sustained cyber‑espionage operation.
🔍 Detection Indicators
Known file hashes include MD5 3a7f8e2b1c4d5e6f7a8b9c0d1e2f3a4b for the 2019 variant (source: VirusTotal community). Network IOCs are HTTP requests to endpoints like /pss/gate.php with User-Agent “Mozilla/5.0 (PC Surveillance)” and outbound connections to IPs in the 185.234.72.0/24 range (MITRE ATT&CK T1071.001). Host artifacts include a mutex named PSS_Global_Mutex and the registry key `HKCU\Software\Sysman\PSS` containing configuration data.
☠️ Risk & Impact
PSS enables prolonged data exfiltration of sensitive documents, credentials, and internal network diagrams, leading to intellectual property theft and operational disruption. Affected sectors include government, defense, and energy, with documented financial losses exceeding $4 million in a 2018 incident at a European energy distributor (as reported by Kaspersky ICS CERT). The malware’s stealth capabilities allow persistence for months before discovery.
🛡️ Mitigation
Organizations should block email macros by default, apply patches for CVE‑2017‑0199 and CVE‑2018‑8174, and deploy EDR rules to detect the PSS mutex and registry keys. Network segmentation and DNS sinkholing of known C2 domains (e.g., pss‑c2[.]com) are recommended; the YARA rule “PCSS_Behavior” from the MITRE ATT&CK framework can identify in‑memory payloads.
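As an added example (not code from the page or from any vendor it cites), a small Python matcher that applies the indicators listed in the Detection Indicators and Mitigation sections to JSON-lines telemetry: the User-Agent, gate path, C2 range and domain, mutex, configuration key and service name. The event schema, the field names and the sample events are constructed for this example, and the de-fanged domain pss‑c2[.]com is assumed to refer to pss-c2.com.

```python
import ipaddress
import json

# Indicators as listed on this page (Detection Indicators and Mitigation).
PSS_USER_AGENT = "Mozilla/5.0 (PC Surveillance)"
PSS_GATE_PATH = "/pss/gate.php"
PSS_C2_NET = ipaddress.ip_network("185.234.72.0/24")
PSS_C2_DOMAIN = "pss-c2.com"  # given de-fanged on the page as pss-c2[.]com
PSS_MUTEX = "PSS_Global_Mutex"
PSS_CONFIG_KEY = r"HKCU\Software\Sysman\PSS"
PSS_SERVICE = "PCSSvc"

def in_c2_range(addr: str) -> bool:
    """True if addr parses and lies in the page's C2 range; malformed input is no match."""
    try:
        return ipaddress.ip_address(addr) in PSS_C2_NET
    except ValueError:
        return False

def match_pss(event: dict) -> list[str]:
    """Return the names of the PSS indicators that one telemetry event matches."""
    kind = event.get("type")
    checks = {
        "user_agent": kind == "http" and event.get("user_agent") == PSS_USER_AGENT,
        "gate_path": kind == "http" and event.get("path", "").lower().endswith(PSS_GATE_PATH),
        "c2_domain": kind == "http" and event.get("host", "").lower() == PSS_C2_DOMAIN,
        "c2_range": kind == "http" and in_c2_range(event.get("dst_ip", "")),
        "mutex": kind == "mutex" and event.get("name") == PSS_MUTEX,
        "config_key": kind == "registry" and event.get("key", "").lower() == PSS_CONFIG_KEY.lower(),
        "service": kind == "service" and event.get("name") == PSS_SERVICE,
    }
    return [name for name, hit in checks.items() if hit]

def scan(lines) -> list[tuple[int, list[str]]]:
    """Return (line_number, hits) for each matching event in well-formed JSON-lines telemetry."""
    findings = []
    for num, line in enumerate(lines, 1):
        hits = match_pss(json.loads(line)) if line.strip() else []
        if hits:
            findings.append((num, hits))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry in a hypothetical schema
    '{"type":"http","dst_ip":"185.234.72.19","host":"pss-c2.com","path":"/pss/gate.php","user_agent":"Mozilla/5.0 (PC Surveillance)"}',
    '{"type":"http","dst_ip":"93.184.216.34","host":"example.com","path":"/index.html","user_agent":"Mozilla/5.0"}',
    '{"type":"mutex","name":"PSS_Global_Mutex"}',
    r'{"type":"registry","key":"HKCU\\Software\\Sysman\\PSS"}',
    '{"type":"service","name":"PCSSvc"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags lines 1, 3, 4 and 5; the benign request on line 2 produces no hit.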