{
	"id": "4c123a16-f94c-4c5b-9106-46c8a7c9c174",
	"created_at": "2026-04-06T00:16:44.910142Z",
	"updated_at": "2026-04-10T03:34:02.99443Z",
	"deleted_at": null,
	"sha1_hash": "2305597122b156bbd6e6cf060cb2e16d36baf1ed",
	"title": "Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39686,
	"plain_text": "Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail\r\nArchived: 2026-04-05 13:26:12 UTC\r\nAfter a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10, 2018 in a\r\nnew wave of attacks against targets in the Middle East. These latest Shamoon attacks are doubly destructive, since\r\nthey involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware\r\nwipes the master boot record.\r\nNews of the attacks first emerged on December 10 when Italian oil services firm Saipem said that it had been hit\r\nby a cyber attack against its servers in the Middle East. Two days later, the company said that Shamoon had been\r\nused in the attack, which affected between 300 and 400 servers and up to 100 personal computers.\r\nSymantec has found evidence of attacks against two other organizations during the same week, in Saudi Arabia\r\nand the United Arab Emirates. Both organizations are involved in the oil and gas industry.\r\nNew wiper deployed\r\nUnlike previous Shamoon attacks, these latest attacks involve a new, second piece of wiping malware\r\n(Trojan.Filerase). This malware will delete and overwrite files on the infected computer. Shamoon itself will\r\nmeanwhile erase the master boot record of the computer, rendering it unusable.\r\nThe addition of the Filerase wiper makes these attacks more destructive than the use of the Shamoon malware alone.\r\nWhile a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable,\r\nsince wiping the master boot record does not by itself overwrite the file contents stored elsewhere on the disk.\r\nHowever, if the files are first overwritten by the Filerase malware, recovery becomes impossible.\r\nFilerase is spread across the victim’s network from one initial computer using a list of remote computers. 
This list\r\nis in the form of a text file and is unique to each victim, meaning the attackers likely gathered this information\r\nduring an earlier reconnaissance phase of the intrusion. This list is first copied by a component called OCLC.exe\r\nand passed on to another tool called Spreader.exe. The Spreader component will then copy Filerase to all the\r\ncomputers listed. It will then simultaneously trigger the Filerase malware on all infected machines.\r\nIt is possible that the Shamoon malware itself was spread via these same tools, but this is unknown. In at least one\r\ninstance, Shamoon was executed using PsExec, indicating that the attackers had access to valid administrative\r\ncredentials for the network.\r\nPossible link to Elfin\r\nOne of the new Shamoon victims Symantec observed, the organization in Saudi Arabia, had recently also been\r\nattacked by another group Symantec calls Elfin (aka APT33) and had been infected with the Stonedrill malware\r\n(Trojan.Stonedrill). There were additional attacks against this organization in 2018 that may have been related to\r\nElfin or could have been the work of yet another group.\r\nThe proximity of the Elfin and the Shamoon attacks against this organization means it is possible that the two\r\nincidents are linked.\r\nA history of destructive attacks\r\nShamoon (W32.Disttrack) first emerged in 2012 when it was used in a series of disruptive attacks against the\r\nSaudi energy sector.\r\nActivity then ceased until it made a surprise comeback in late 2016. A slightly modified version of the malware\r\n(W32.Disttrack.B) was used in attacks against a range of targets, again in Saudi Arabia. The attacks appeared\r\ntimed to cause maximum destruction. The malware was configured to trigger at 8:45pm local time on Thursday,\r\nNovember 17, 2016. 
The Saudi working week runs from Sunday to Thursday, meaning computers were wiped\r\nafter most staff had left for the weekend, minimizing the chance of discovery before the attack was complete.\r\nRecurring menace\r\nWhy Shamoon has suddenly been deployed again remains unknown. However, the fact that the malware seems to\r\nbe taken out of retirement every few years means that organizations need to remain vigilant and ensure that all\r\ndata is properly backed up, with copies kept offline or otherwise out of reach of a wiper that spreads across the\r\nnetwork, and that a robust security strategy is in place.\r\nThreat Intelligence\r\nCustomers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have\r\nreceived reports on Shamoon which detail methods of detecting and thwarting activities of this adversary.\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail"
	],
	"report_names": [
		"shamoon-destructive-threat-re-emerges-new-sting-its-tail"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792042,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2305597122b156bbd6e6cf060cb2e16d36baf1ed.pdf",
		"text": "https://archive.orkl.eu/2305597122b156bbd6e6cf060cb2e16d36baf1ed.txt",
		"img": "https://archive.orkl.eu/2305597122b156bbd6e6cf060cb2e16d36baf1ed.jpg"
	}
}