Gazer, written in C++, the backdoor delivers via spear phishing emails and hijacks targeted computers in two steps—first, the malware drops Skipper backdoor, which has previously been linked to Turla and then installs Gazer components. Gazer receives encrypted commands from a remote command-and-control server and evades detection by using compromised, legitimate websites (that mostly use the WordPress CMS) as a proxy. Instead of using Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server — a common tactic employed by the Turla APT group. Gazer uses code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information. Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network. Gazer Backdoor Detector matches all known IOC's and threat intelligence published by ESET company which discovered the threat.