{
	"id": "ae0d7fb4-c75e-49ab-bd16-d3437b6cf28a",
	"created_at": "2026-04-06T00:16:35.310493Z",
	"updated_at": "2026-04-10T13:13:02.945948Z",
	"deleted_at": null,
	"sha1_hash": "0a2571ced4ece4672ad6ac9d644c220b53a77eeb",
	"title": "Greenbug cyberespionage group targeting Middle East, possible links to Shamoon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49044,
	"plain_text": "Greenbug cyberespionage group targeting Middle East, possible\r\nlinks to Shamoon\r\nPublished: 2017-01-23 · Archived: 2026-04-05 14:27:59 UTC\r\nSymantec is currently investigating reports of yet another new attack in the Middle East involving the destructive\r\ndisk-wiping malware used by the Shamoon group (W32.Disttrack, W32.Disttrack.B). Similar to previous attacks,\r\nthe Disttrack malware used by Shamoon is just the destructive payload. It required other means to be deployed on\r\ntargeted organizations’ networks and is configured with previously stolen credentials. \r\nSymantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving\r\nW32.Disttrack.B (aka Shamoon). Shamoon (W32.Disttrack) first made headlines in 2012 when it was used in\r\nattacks against energy companies in Saudi Arabia. It recently resurfaced in November 2016 (W32.Disttrack.B),\r\nagain attacking targets in Saudi Arabia. While these attacks were covered extensively in the media, how the\r\nattackers stole these credentials and introduced W32.Disttrack on targeted organizations’ networks remains a\r\nmystery.\r\nCould Greenbug be responsible for getting Shamoon those stolen credentials?\r\nGreenbug was discovered targeting a range of organizations in the Middle East including companies in the\r\naviation, energy, government, investment, and education sectors. The group uses a custom information-stealing\r\nremote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive\r\ncredentials from compromised organizations.\r\nAlthough there is no definitive link between Greenbug and Shamoon, the group compromised at least one\r\nadministrator computer within a Shamoon-targeted organization’s network prior to W32.Disttrack.B being\r\ndeployed on November 17, 2016.  
\r\nIs there a link between Greenbug and the disk-wiping Shamoon attacks?\r\nAttack analysis\r\nActive since at least June 2016, Greenbug most likely uses email to compromise targeted organizations. Symantec\r\nbelieves the group has exclusive access to the malware Trojan.Ismdoor. The group uses additional tools to\r\ncompromise other computers on the network and steal user names and passwords from operating systems, email\r\naccounts, and web browsers.\r\nBetween June and November 2016, Trojan.Ismdoor was used against a number of targets in a wide range of\r\nsectors across the Middle East. As part of the operation, legitimate infrastructure belonging to an organization in\r\nthe energy sector was used to host the Ismdoor payload. Attacks impacted organizations involved in aviation,\r\ngovernment, investment, and education. Additional regions affected include Saudi Arabia, Iran, Bahrain, Iraq,\r\nQatar, Kuwait, and Turkey. A Saudi organization in Australia was also targeted.\r\nhttps://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon\r\nPage 1 of 3\n\nIt is believed that the attacks start with an email that asks the recipient to download a RAR archive containing\r\nwhat is purported to be information about a business proposal. These lure documents were hosted on a legitimate\r\nwebsite, which may have been previously compromised by Greenbug. The Ismdoor malware is hidden inside the\r\nRAR archive using an alternate data stream.\r\nWindows Alternate Data Streams (ADS) is a feature of NTFS which is used to store details about a file. The\r\ninformation stored in ADS is hidden to the user, which makes it an attractive feature for attackers. 
ADS is\r\nsometimes abused by attackers to hide malware or other hacking tools on a compromised computer.\r\nTrojan.Ismdoor\r\nThe downloaded RAR archive contains three components including a .pdf file and a .chm (Compiled HTML\r\nHelp) file, which includes an ADS hiding the payload (Trojan.Ismdoor). The clean .pdf file contains instructions\r\non how to open the .chm file. Opening the .chm file, which includes the malicious ADS, will execute the Ismdoor\r\nTrojan.\r\nOnce executed, Trojan.Ismdoor opens a back door on the compromised computer, leveraging Windows\r\nPowerShell for command and control. The Trojan then has the ability to install other malware as well as collect\r\nsystem data from infected computers that it can use to determine which additional tools to deploy for further data\r\ncollection.\r\nGreenbug has been observed downloading a number of tools used to log keystrokes and collect browser, email,\r\nand other sensitive data such as user credentials.\r\nIs Greenbug responsible for delivering Shamoon?\r\nThe presence of Greenbug within an organization prior to the destructive attack involving W32.Disttrack.B\r\nprovides only a tentative connection to Shamoon. Greenbug’s choice of targets and the fact that Ismdoor and\r\nassociated tools downloaded by the threat appear to have gone quiet a day prior to the November 17, 2016\r\nShamoon attack is, however, suspicious. At this time, Symantec tracks these groups separately unless additional\r\ncorroborating evidence emerges.\r\nSymantec is currently investigating reports of new Shamoon activity in the Middle East. Whether or not evidence\r\nof Greenbug activity will be discovered during the investigation remains to be seen. 
However, one thing is clear,\r\ndestructive attacks carried out by Shamoon are still a dangerous reality facing organizations in the Middle East.\r\nProtection\r\nSymantec and Norton products protect against the threats discussed in this blog with the following detections:\r\nGreenbug\r\nAntivirus\r\nTrojan.Ismdoor\r\nTrojan.Ismdoor!gen1\r\nIntrusion prevention system\r\nSystem Infected: Trojan.Ismdoor Activity\r\nShamoon\r\nAntivirus\r\nW32.Disttrack\r\nW32.Disttrack!gen1\r\nW32.Disttrack!gen4\r\nW32.Disttrack!gen6\r\nW32.Disttrack!gen7\r\nW32.Disttrack!gen8\r\nW32.Disttrack.B\r\nPUA.Disttrack!sys\r\nIntrusion prevention system\r\nSystem Infected: Disttrack Trojan Activity 2\r\nSystem Infected: Disttrack Trojan Activity 3\r\nSource: https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
	],
	"report_names": [
		"greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a2571ced4ece4672ad6ac9d644c220b53a77eeb.pdf",
		"text": "https://archive.orkl.eu/0a2571ced4ece4672ad6ac9d644c220b53a77eeb.txt",
		"img": "https://archive.orkl.eu/0a2571ced4ece4672ad6ac9d644c220b53a77eeb.jpg"
	}
}