APT / THREAT GROUP

Gazavat

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Gazavat (which is often tagged as Expiro by AV vendors) is a multi-functional backdoor that has code overlaps with the POS malware DMSniff. Functionality includes:

- Loading other executables

- Load hash cracking plugin

- Load DMSniff plugin

- Perform webinjection and webfakes

- Form grabbing

- Command execution

- Download file from infected system

- Convert infection into proxy

- DDoS

- Spreading and EXE infecting

Threat Analysis

Gazavat is a threat actor of known sophistication and undetermined national origin; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

- win.gazavat
- Gazavat

External Intelligence

Malpedia: win.gazavat

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.