{
	"id": "567c2330-3639-466a-812a-7c7d4cb61b71",
	"created_at": "2026-04-06T00:12:16.117225Z",
	"updated_at": "2026-04-10T03:29:45.2992Z",
	"deleted_at": null,
	"sha1_hash": "38fa23b9506b2f598d4d5564e61d0e51a5d58a38",
	"title": "Ali Baba, the APT group from the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432899,
	"plain_text": "Ali Baba, the APT group from the Middle East\r\nBy Pierluigi Paganini\r\nPublished: 2015-02-17 · Archived: 2026-04-05 17:03:08 UTC\r\n Pierluigi Paganini February 17, 2015\r\nAdrian Nish of BAE System presented the results of its investigation on the Ali\r\nBaba APT group operating from the Middle East that hit Western companies.\r\nYesterday the Kaspersky Lab team revealed the results of its investigation on the hacking crew dubbed the\r\nEquation group, a team of hackers that demonstrate extraordinary capabilities and sophisticated tactics,\r\ntechniques, and procedures. Unfortunately, the number of ATPs is growing over the years, the majority of them\r\ngoes under the radar for a long period.\r\nIn 2013, Adrian Nish of BAE Systems investigated on a cyber attack suffered by an engineering company in the\r\nUK that operates in the national power industry. The security experts discovered that hackers have compromised\r\nthe company network for some time, exfiltrating any kind of information.\r\n“The group has probably been working for about two years now,” Nish explained. “It’s an emerging\r\ntrend in the Middle East. That’s a complicated region and the offensive side of things is becoming\r\ncomplicated there too. There’s offensive cyber companies and local malware authoring now.”\r\nNish identified the C\u0026C servers used by the threat actors and discovered that Google was indexing some of the\r\nmachines used by the hackers to siphon data. According to the researcher, the bad actors could be members of\r\na pro-Iranian group and proved to have access to a wide set of hacking tools.\r\nhttps://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html\r\nPage 1 of 3\n\nBAE firm dubbed the APT group Ali Baba because a code name in one of the tools belonging to their arsenal.\r\n“They had taken network diagrams, usernames and credentials from an Israeli university and even an\r\nentire Web app that they stole from a group in the Middle East,” Nish said in a talk at the Kaspersky\r\nLab Security Analyst Summit here Monday. “They had even stolen some signatures, physical signatures\r\nfrom people who had scanned them for some reason. What could possibly go wrong with that?”\r\nNish confirmed to have discovered nearly 40 distinct hacking tools, including five modules of custom malware, a\r\nkey logger, a custom hash cracker and many others. The expert highlighted some interesting methods for defeating\r\nincident response on compromised networks and for data exfiltration.\r\nNish detailed one of the tools in the arsenal of the Ali Baba APT, Fakeddos.exe, that was used the hackers to\r\ngenerate large amounts of junk traffic on compromised networks, a tactic used by the threat actor to overwrite the\r\nlogs of legitimate traffic making difficult investigation from security firms.\r\n“That really makes incident response quite a pain, really,” Nish said.\r\nAli Baba hackers used a singular exfiltration technique based on email, they disguised the outbound emails as\r\nViagra spam messages to avoid detection of defense systems.\r\nAccording to a report published by the security company Cylance, the UK firm wasn’t the unique known victim of\r\nthe Ali Baba, the APT also had compromised transportation companies in South Korea and Pakistan. Cylance\r\nidentified the hacking team as OpCleaver.\r\nPierluigi Paganini\r\n(Security Affairs –  Ali Baba APT, cyber espionage)\r\nhttps://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html\r\nPage 2 of 3\n\nSource: https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html\r\nhttps://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html"
	],
	"report_names": [
		"ali-baba-apt-middle-east.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38fa23b9506b2f598d4d5564e61d0e51a5d58a38.pdf",
		"text": "https://archive.orkl.eu/38fa23b9506b2f598d4d5564e61d0e51a5d58a38.txt",
		"img": "https://archive.orkl.eu/38fa23b9506b2f598d4d5564e61d0e51a5d58a38.jpg"
	}
}