{ "id": "bee88f36-7a5b-4168-a247-ed854719811d", "created_at": "2026-04-06T00:21:52.64018Z", "updated_at": "2026-04-10T13:11:45.495441Z", "deleted_at": null, "sha1_hash": "0e4d3da369851568c6b102753c66d7524b110797", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60690, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:45:41 UTC\n APT group: Madi\nNames\nMadi (Kaspersky)\nMahdi (Kaspersky)\nCountry Iran\nMotivation Information theft and espionage\nFirst seen 2011\nDescription\n(Kaspersky) Kaspersky Lab and Seculert worked together to sinkhole the Madi\nCommand \u0026 Control (C\u0026C) servers to monitor the campaign. Kaspersky Lab and\nSeculert identified more than 800 victims located in Iran, Israel and select countries\nacross the globe connecting to the C\u0026Cs over the past eight months. Statistics from\nthe sinkhole revealed that the victims were primarily business people working on\nIranian and Israeli critical infrastructure projects, Israeli financial institutions,\nMiddle Eastern engineering students, and various government agencies\ncommunicating in the Middle East.\nCommon applications and websites that were spied on include accounts on Gmail,\nHotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also\nperformed over integrated ERP/CRM systems, business contracts, and financial\nmanagement systems.\nObserved\nSectors: Education, Engineering, Financial, Government, Oil and gas, Think Tanks.\nCountries: Australia, Ecuador, Greece, Iran, Iraq, Israel, Mozambique, New Zealand,\nPakistan, Saudi Arabia, Switzerland, USA, Vietnam.\nTools used Madi.\nOperations performed Jul 2012\nNew and Improved Madi Spyware Campaign Continues\nMadi, the religiously-titled spyware that was discovered last week\nand thought to be dead, appears to be making a comeback, complete\nwith updates.\nCounter operations The C\u0026C servers have been sinkholed by Kaspersky and Seculert.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2afc9634-8895-4535-bb80-8843d4830e04\nPage 1 of 2\n\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2afc9634-8895-4535-bb80-8843d4830e04\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2afc9634-8895-4535-bb80-8843d4830e04\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2afc9634-8895-4535-bb80-8843d4830e04" ], "report_names": [ "showcard.cgi?u=2afc9634-8895-4535-bb80-8843d4830e04" ], "threat_actors": [ { "id": "322a0ef1-136b-400e-89d0-0d62ee2bd319", "created_at": "2023-01-06T13:46:38.662109Z", "updated_at": "2026-04-10T02:00:03.05924Z", "deleted_at": null, "main_name": "Madi", "aliases": [], "source_name": "MISPGALAXY:Madi", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2", "created_at": "2022-10-25T16:07:23.826594Z", "updated_at": "2026-04-10T02:00:04.760416Z", "deleted_at": null, "main_name": "Madi", "aliases": [ "Mahdi" ], "source_name": "ETDA:Madi", "tools": [ "Madi" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434912, "ts_updated_at": 1775826705, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0e4d3da369851568c6b102753c66d7524b110797.pdf", "text": "https://archive.orkl.eu/0e4d3da369851568c6b102753c66d7524b110797.txt", "img": "https://archive.orkl.eu/0e4d3da369851568c6b102753c66d7524b110797.jpg" } }