{
	"id": "5a52c090-4a5c-46ad-900e-b5545aaf63ad",
	"created_at": "2026-04-06T00:22:20.734671Z",
	"updated_at": "2026-04-10T03:21:59.965384Z",
	"deleted_at": null,
	"sha1_hash": "3dfd4f9a2743a2dbe360dd90ae14b5a1914c4041",
	"title": "MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4688751,
	"plain_text": "MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with\r\nEpic Troll - SentinelLabs\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2021-07-29 · Archived: 2026-04-05 13:15:42 UTC\r\nExecutive Summary\r\nOn July 9th, 2021 a wiper attack paralyzed the Iranian train system.\r\nThe attackers taunted the Iranian government as hacked displays instructed passengers to direct their\r\ncomplaints to the phone number of the Iranian Supreme Leader Khamenei’s office.\r\nSentinelLABS researchers were able to reconstruct the majority of the attack chain, which includes an\r\ninteresting never-before-seen wiper.\r\nOPSEC mistakes let us know that the attackers refer to this wiper as ‘Meteor’, prompting us to name the\r\ncampaign MeteorExpress.\r\nAt this time, we have not been able to tie this activity to a previously identified threat group nor to\r\nadditional attacks. However, the artifacts suggest that this wiper was developed in the past three years and\r\nwas designed for reuse.\r\nTo encourage further discovery of this new threat actor, we are providing indicators as well as hunting\r\nYARA rules for fellow security researchers.\r\nIntroduction\r\nOn July 9th, 2021 reports began to surface of a wiper attack disrupting service for the Iranian railway system. The\r\nattack included epic level trolling as reports suggest that train schedule displays cited “long delay[s] because of\r\ncyberattack” along with instructions to contact ‘64411’ –the number for the office of Supreme Leader Ali\r\nKhamenei.\r\nhttps://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/\r\nPage 1 of 15\n\nIran International (Twitter)\r\nEarly reporting did not pick up much steam as it’s not uncommon for Iranian authorities to vaguely point the\r\nfinger towards cyber attacks only to retract the claims later. 
But it doesn’t hurt to check.\r\nWe would like to acknowledge security researcher Anton Cherepanov, who pointed out an early analysis (in Farsi) by\r\nan Iranian antivirus company. Despite a lack of specific indicators of compromise, we were able to recover most\r\nof the attack components described in the post along with additional components they had missed. Behind this\r\noutlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker.\r\nThe Attack Chain\r\nMeteorExpress Attack Chain\r\nThough early reports did not include technical specifics, we were able to reconstruct most of the attack\r\ncomponents relying on a combination of factors – early analysis by Padvish security researchers as well as a\r\nrecovered attacker artifact that included a longer list of component names. The attackers abused Group Policy to\r\ndistribute a CAB file to conduct their attack.\r\nThe overall toolkit consists of a combination of batch files orchestrating different components dropped from RAR\r\narchives. The archives were decompressed with an attacker-supplied copy of Rar.exe coupled with the password\r\n‘hackemall’. The wiper components are split by functionality: Meteor wipes the filesystem according to an\r\nencrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.\r\nWhile we were able to recover a surprising number of files for a wiper attack, some have eluded us. The MBR\r\ncorrupter, nti.exe, is most notable among those missing components, as Padvish researchers noted that the\r\nsectors overwritten by this component are the same as those overwritten by NotPetya.
Until we are able to find\r\nthis file, we can’t corroborate their finding.\r\nThe following is a breakdown of the central components of this attack.\r\nThe Batch Files\r\nThe majority of the attack is orchestrated via a set of batch files nested alongside their respective components and\r\nchained together in successive execution.\r\nThe following is a short description of the main functionality of these batch files.\r\nsetup.bat\r\nsetup.bat is the first component executed via Group Policy. Interestingly, it deletes a scheduled task called\r\n‘AnalyzeAll’ under the Windows Power Efficiency Diagnostics directory. At this time, we haven’t been able to\r\nidentify this task. This batch file is responsible for copying the initial components via a CAB file on a network\r\nshare within the Iranian railways network. The CAB file is expanded and update.bat is executed with the\r\nparameters ‘hackemall’, the relevant paths, and the Meteor wiper executable (env.exe).\r\nenvxp.bat\r\nenvxp.bat appears to be a simpler alternative version of setup.bat. As the name suggests, it is perhaps intended\r\nfor Windows XP.\r\nupdate.bat\r\nupdate.bat is a well-written batch script that takes care of placing the remaining files and directing the\r\nremainder of the execution flow by calling the successive batch scripts. It takes three arguments: the password for\r\nthe RAR archives, the working directory, and the location of the payload. If the first two parameters are empty, it\r\nexits cleanly. In the absence of a payload, the script attempts to run msapp.exe. That component is listed in the\r\nPadvish security writeup, but the execution flow via setup.bat points to env.exe as the intended payload.
We’ll\r\ndelve into this component below.\r\nupdate.bat’s makeshift mutex\r\nThe script checks for a hardcoded ‘lock_file’ at C:\\Windows\\Temp\\__lock6423900.dat. The file serves as a\r\nmakeshift mutex to avoid double execution, and it could double as a vaccine during development: a machine on which\r\nthe file already exists is skipped.\r\nupdate.bat directing the execution flow to subsequent batch files\r\nThe batch file uses its own copy of WinRAR to decompress additional components from three additional archives\r\n(programs.rar, bcd.rar, ms.rar) using the same Pokemon-themed password, “hackemall” (Hack ’Em All).\r\nWith each RAR archive, update.bat calls a subsequent batch script before deleting the respective archive. The\r\ndevelopers are very careful about cleaning up their components as soon as they’re used.\r\nAt this point the execution begins to bifurcate into other scripts. The first one is cache.bat, which focuses on\r\nclearing obstacles and preparing the ground for subsequent elements with the use of PowerShell.\r\ncache.bat disabling network adapters and checking for Kaspersky antivirus\r\ncache.bat performs three main functions. First, it disconnects the infected device from the network. Then it\r\nchecks whether Kaspersky antivirus is installed on the machine, in which case it exits.\r\ncache.bat creating Windows Defender exclusions for attack components\r\nFinally, cache.bat creates Windows Defender exclusions for all of its components, effectively clearing the\r\nway for a successful infection without impediments. This script proved particularly valuable for us in rebuilding\r\nthe entire attack chain, as it lists most of the attack components, giving us a threat-hunting shopping list of sorts.
It’s\r\nworth noting that this is the only batch script we’ve recovered that embeds PowerShell.\r\nSubsequently, update.bat calls bcd.bat, which serves two functions: rendering the machine unbootable and\r\ncleaning up event logs.\r\nbcd.bat script overwrites boot.ini\r\nIn order to disable the machine’s ability to boot, bcd.bat creates an alternative boot.ini file that points the\r\nbootloader to impossibly high disk and partition numbers (10000000) and overwrites the system’s copy of\r\nboot.ini. The script then uses the native bcdedit command to list boot option identifiers and deletes each one. The\r\ntwo steps cover both boot paths: boot.ini is read by the legacy NTLDR loader (Windows XP and Server 2003), while the\r\nBCD store edited by bcdedit is what Windows Vista and later boot from.\r\nbcd.bat clears event logs\r\nThe attackers then use the native wevtutil command to clear the Security, System, and Application event logs. A\r\nnote for defenders: clearing the logs this way is itself logged, as Event ID 1102 in the Security log and Event ID 104\r\nin the System log, so those two events are a reliable signal if logs are forwarded off the host before it is wiped.\r\nFinally, the script abuses a legitimate Sysinternals tool called Sync (the equivalent of the native UNIX sync()) to\r\nmanually flush cached filesystem data to disk.\r\nupdate.bat then calls msrun.bat, passing the Meteor wiper executable as a parameter. That script in\r\nturn sets the stage for its execution.\r\nmsrun.bat preparing to execute the Meteor wiper\r\nmsrun.bat moves several components into place, including a screen locker (mssetup.exe) and the encrypted\r\nconfiguration for the Meteor wiper (msconf.conf). The script also moves four additional files: mscap.bmp,\r\nmscap.jpg, mssetup.reg, and msuser.reg. At the time of writing, we were unable to recover the .reg files and\r\nhave no indication of what role they play.
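Each stage of the batch chain described above (RAR extraction with the ‘hackemall’ password, network isolation, Defender exclusions via PowerShell, bcdedit and boot.ini tampering, wevtutil log clearing, the Sysinternals Sync flush, and the mstask scheduled task) leaves a process-creation record. The following Python is an added example written for this page, not code from the report or from SentinelLabs: it scores constructed Sysmon-style command lines against one rule per stage and reports a host only when several distinct stages appear on it, so that an administrator running bcdedit or a backup job calling sync.exe does not fire on its own. The exact command-line flags, hostnames, user names and sample events are assumptions; the report describes the behaviours, not the literal commands.

```python
import re
from collections import defaultdict

# One pattern per stage of the batch chain. The concrete flags are assumptions about
# how each described action would appear in process-creation telemetry (the report
# shows the behaviours, not the literal command lines).
RULES = [
    ('rar_hackemall',      re.compile(r'\brar\.exe\b.*-p\s*hackemall\b', re.I)),
    ('nic_disable',        re.compile(r'\bDisable-NetAdapter\b|\bnetsh\b.*\binterface\b.*\bdisabled?\b', re.I)),
    ('defender_exclusion', re.compile(r'\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b', re.I)),
    # bcd.bat deletes every boot entry; recoveryenabled/bootstatuspolicy is an assumed
    # spelling of Meteor's own 'disable recovery' and 'boot policy' features.
    ('bcd_tamper',         re.compile(r'\bbcdedit(\.exe)?\b.*(/delete\b|/set\b.*\b(recoveryenabled|bootstatuspolicy)\b)', re.I)),
    ('log_clear',          re.compile(r'\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b', re.I)),
    # Sync flushes dirty pages so the corrupted boot.ini/BCD reach disk. Alone it is
    # weak evidence, which is why verdicts are scored per host below.
    ('sysinternals_sync',  re.compile(r'\bsync(64)?\.exe\b', re.I)),
    ('mstask_schedule',    re.compile(r'\bschtasks(\.exe)?\b.*/tn\s+\W?mstask\b', re.I)),
]

# Constructed Sysmon-style process-creation records; hostnames, users and command
# lines are invented for this example and are not indicators from the report.
SAMPLE_EVENTS = [
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy',
     'cmdline': 'cmd.exe /c C:\\temp\\Rar.exe x -phackemall programs.rar C:\\temp\\'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy',
     'cmdline': 'powershell.exe -Command Get-NetAdapter | Disable-NetAdapter -Confirm:$false'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy',
     'cmdline': 'powershell.exe -Command Add-MpPreference -ExclusionPath C:\\temp\\env.exe'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy',
     'cmdline': 'bcdedit.exe /delete {a1b2c3d4-1111-2222-3333-444444444444} /f'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy', 'cmdline': 'wevtutil.exe cl Security'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy', 'cmdline': 'C:\\temp\\sync.exe'},
    {'host': 'WS-17', 'user': 'CORP\\svc_deploy',
     'cmdline': 'schtasks.exe /create /tn mstask /tr C:\\temp\\env.exe /sc once /st 23:55'},
    # Routine administration on another host that touches the same binaries.
    {'host': 'ADMIN-01', 'user': 'CORP\\helpdesk', 'cmdline': 'bcdedit.exe /enum'},
    {'host': 'ADMIN-01', 'user': 'CORP\\helpdesk', 'cmdline': 'wevtutil.exe qe Application /c:20 /f:text'},
    {'host': 'ADMIN-01', 'user': 'CORP\\helpdesk', 'cmdline': 'powershell.exe -Command Get-MpPreference'},
]


def match_event(event):
    # Names of every rule whose pattern matches the event's command line.
    return [name for name, pattern in RULES if pattern.search(event['cmdline'])]


def score_hosts(events, threshold=3):
    # Distinct stages seen per host; a host is reported only when at least
    # threshold different stages appear, which is what separates the chain from
    # an administrator who legitimately runs one of these tools.
    stages = defaultdict(set)
    for event in events:
        for name in match_event(event):
            stages[event['host']].add(name)
    return {host: sorted(names) for host, names in stages.items() if len(names) >= threshold}


if __name__ == '__main__':
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(host, '->', ', '.join(names))
```

The sample ignores timestamps for brevity; in production the per-host set should be built over a short window (the chain runs within minutes of the Group Policy push), and the events need to leave the host before bcd.bat clears the logs, which is why forwarded telemetry rather than local event logs is the right source.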
The two image files, mscap.bmp and mscap.jpg, are the background images that replace the\r\nwallpaper on locked machines.\r\nmscap.jpg lockscreen image\r\nThe same script then creates a scheduled task called mstask, set to execute the Meteor wiper at five minutes to\r\nmidnight.\r\nupdate.bat calls the wiper and screen locker\r\nThe final portion of update.bat checks whether mssetup.exe and the Meteor wiper are running, taking\r\nappropriate actions such as exiting the script or restarting the machine as necessary.\r\nA Wiper Triad\r\nThere’s a strange level of fragmentation to the overall toolkit. Batch files spawn other batch files, different RAR\r\narchives contain intermingled executables, and even the intended action is separated into three payloads: Meteor\r\nwipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR. We have\r\nbeen able to identify two of the three components and detail their inner workings below.\r\nThe Meteor Wiper\r\nInternal naming convention visible within the wiper binary\r\nThe main payload of this convoluted attack chain is an executable dropped as env.exe or msapp.exe.\r\nInternally, the coders refer to it as ‘Meteor’.
While this particular instance of Meteor suffers from a crippling\r\nOPSEC failure (the inclusion of verbose debug strings presumably intended for internal testing), it’s an externally\r\nconfigurable wiper with an extensive set of features.\r\nSHA256: 2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b\r\nSHA1: 86e4f73c384d84b6ecd5ad9d7658c1cc575b54df\r\nMD5: 04633656756847a79c7a2a02d62e5522\r\nCompilation Timestamp: 2021-01-17 18:59:25\r\nFirst Submission: 2021-07-12 06:01:11\r\nSize: 587KB\r\nITW names: env.exe / msapp.exe\r\nThe Meteor wiper is executed as a scheduled task called mstask, set to run at five minutes to midnight. It’s\r\nsupplied with a single argument, an encrypted JSON configuration file, msconf.conf\r\n(SHA256 68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7), that holds values for the\r\ncorresponding keys, which are contained in cleartext within the binary:\r\nstate_path\r\nlog_encryption_key\r\nprocesses_to_kill\r\nprocess_termination_timeout\r\nlog_server_port\r\nlocker_background_image_jpg_path\r\nauto_logon_path\r\nlocker_background_image_bmp_path\r\nstate_encryption_key\r\nlog_server_ip\r\nlog_file_path\r\npaths_to_wipe\r\nwiping_stage_logger_interval\r\nlocker_installer_path\r\nlocker_exe_path\r\nlocker_registry_settings_files\r\nlocker_password_hash\r\nusers_password\r\ncleanup_scheduled_task_name\r\nself_scheduled_task_name\r\ncleanup_script_path\r\nis_alive_loop_interval\r\nAt its most basic, the Meteor wiper takes a set of paths from the encrypted config and walks these\r\npaths, wiping files. It also makes sure to delete shadow copies and removes the machine from the domain to deny\r\nthe victim any quick means of remediation.
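Because the 22 configuration keys listed above sit in cleartext inside the binary, they are the cheapest hunting handle for other Meteor builds. The following Python is an added example, not the SentinelLabs YARA rule or any code from the report: it checks a binary for the keys in both ASCII and UTF-16LE (what YARA calls ascii and wide) and treats a file as a candidate only when enough keys are present and at least two of them are not generic names that ordinary software also uses. The sample blobs, the generic-key set and the threshold of six are assumptions made for the example.

```python
# Hunting for Meteor builds by their cleartext configuration keys (added example).
METEOR_CONFIG_KEYS = [
    'state_path', 'log_encryption_key', 'processes_to_kill',
    'process_termination_timeout', 'log_server_port',
    'locker_background_image_jpg_path', 'auto_logon_path',
    'locker_background_image_bmp_path', 'state_encryption_key',
    'log_server_ip', 'log_file_path', 'paths_to_wipe',
    'wiping_stage_logger_interval', 'locker_installer_path',
    'locker_exe_path', 'locker_registry_settings_files',
    'locker_password_hash', 'users_password',
    'cleanup_scheduled_task_name', 'self_scheduled_task_name',
    'cleanup_script_path', 'is_alive_loop_interval',
]

# Names ordinary software might also contain (assumption for the example):
# they count towards the total but never carry a verdict on their own.
GENERIC_KEYS = {'state_path', 'log_file_path', 'log_server_ip', 'log_server_port'}


def find_config_keys(data):
    # Keys present in data either as plain ASCII or as UTF-16LE (YARA: ascii wide).
    found = set()
    for key in METEOR_CONFIG_KEYS:
        if key.encode('ascii') in data or key.encode('utf-16-le') in data:
            found.add(key)
    return found


def is_meteor_candidate(data, min_hits=6):
    # Mirrors a YARA condition of the form 'N of them', plus the requirement that
    # at least two distinctive keys (paths_to_wipe, locker_password_hash, ...) match.
    found = find_config_keys(data)
    distinctive = found - GENERIC_KEYS
    return (len(found) >= min_hits and len(distinctive) >= 2), found


def scan_file(path, min_hits=6):
    # Convenience wrapper for running the check over files on disk.
    with open(path, 'rb') as handle:
        return is_meteor_candidate(handle.read(), min_hits)


def _fake_string_table(strings, wide=False):
    # Constructed blob that only imitates a PE string table: an MZ signature, padding,
    # then NUL-separated strings. It is not an executable and not a Meteor sample.
    encoding = 'utf-16-le' if wide else 'ascii'
    body = b''.join(s.encode(encoding) + b'\x00\x00' for s in strings)
    return b'MZ' + b'\x00' * 62 + body


SAMPLE_METEOR_LIKE = _fake_string_table(METEOR_CONFIG_KEYS)                  # all keys, ASCII
SAMPLE_METEOR_WIDE = _fake_string_table(METEOR_CONFIG_KEYS[:10], wide=True)  # subset, UTF-16LE
SAMPLE_BENIGN = _fake_string_table(['log_file_path', 'log_server_ip', 'state_path', 'ConfigLoader'])

if __name__ == '__main__':
    for label, blob in [('meteor-like', SAMPLE_METEOR_LIKE),
                        ('wide subset', SAMPLE_METEOR_WIDE),
                        ('benign', SAMPLE_BENIGN)]:
        verdict, keys = is_meteor_candidate(blob)
        print(label, verdict, len(keys))
```

The wide check matters because a rebuilt Meteor could carry the same key table as UTF-16 strings; the distinctive-key requirement is what keeps a logging library that happens to use log_file_path and log_server_ip from matching.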
Beyond this core behaviour, the wiper includes a wealth of additional functionality, most of which isn’t used in\r\nthis particular attack, including:\r\nChanging passwords for all users\r\nDisabling screensavers\r\nProcess termination based on a list of target processes\r\nInstalling a screen locker\r\nDisabling recovery mode\r\nChanging boot policy error handling\r\nCreating scheduled tasks\r\nLogging off local sessions\r\nChanging lock screen images for different Windows versions (XP, 7, 10)\r\nCreating processes and executing commands\r\nMeteor wiper attempts two different methods to remove the victim machine from the domain\r\nThe developers resort to multiple redundant methods to accomplish each of their objectives. For example, Meteor\r\nwill attempt to remove the machine from the domain via Win32 API functions. If that fails, it will then attempt to do\r\nthe same via an equivalent WMI command.\r\nTaking a step back to evaluate the development of Meteor and what it might tell us about the threat group\r\ninvolved, we must note that the composition of this binary is beset by contradictory practices.\r\nFirst, the code is rife with sanity checks, error checking, and redundancy in accomplishing its goals. However, the\r\noperators clearly made a major mistake in compiling a binary with a wealth of debug strings meant for internal\r\ntesting. The latter is an indication that, despite whatever advanced practices the developers have in their arsenal,\r\nthey lack a robust deployment pipeline that ensures such mistakes do not happen. Moreover, note that this sample\r\nwas compiled six months before its deployment and the mistake was not caught.\r\nLock My PC 4 embedded within Meteor\r\nSecondly, the code is a bizarre amalgam of custom code that wraps open-source components (cpp-httplib v0.2)\r\nand practically ancient abused software (FSProLabs’ Lock My PC 4).
While that might suggest that the Meteor\r\nwiper was built to be disposable, or meant for a single operation, that’s juxtaposed with an externally configurable\r\ndesign that allows efficient reuse across different operations. Many of the available keys are not instantiated in this\r\noperation, like the ability to kill specific processes. Additionally, that external configuration is encrypted,\r\npresumably to limit analysis, but all of the configurable keys are hardcoded in plaintext within the main binary.\r\nMeteor overwrites boot.ini with the same template as bcd.bat\r\nTaking a step back to look at the entire toolkit deployed in this operation, there are also some overlaps between the\r\nfunctionality contained within Meteor and that of other components executed beforehand, which suggest some\r\noperational segmentation between the developers of different components and the operators themselves. Functionality\r\ncarried out with batch scripts is also embedded within Meteor, such as disabling network adapters and corrupting\r\nboot.ini. The wiper also includes a commercial screen locker, and yet this functionality is redundantly instantiated\r\nthrough a separate binary, mssetup.exe.\r\nThe externally configurable nature of the wiper implies that it wasn’t created for this particular operation.\r\nHowever, at the time of writing, we’ve been unable to find other attacks or variants of the Meteor wiper. For that\r\nreason, we are supplying a very broad (but well-tested) hunting YARA rule (see Indicators of Compromise).\r\n‘mssetup.exe’ Screenlocker\r\nmssetup.exe’s WinMain() function\r\nThe MeteorExpress operators drop a standalone screenlocker. Despite a wealth of C++ template and exception\r\nhandling code, mssetup.exe is simple. Most of its functionality is pictured above. It blocks user input before\r\ncreating a window that fills the entire screen.
If an image is available at the hardcoded path C:\\temp\\mscap.bmp\r\n(dropped by the msrun.bat script), then it uses this image to fill the screen. Otherwise, it draws a black\r\nrectangle. It then disables the cursor and effectively locks the user out entirely. It’s worth noting that though this\r\nbinary was clearly developed by the same production pipeline, it doesn’t include any of the verbose debug strings\r\nnor overt logging functionality.\r\nSHA256: 074bcc51b77d8e35b96ed444dc479b2878bf61bf7b07e4d7bd4cf136cc3c0dce\r\nSHA1: e55cee8b49f80e957b52976b2da6379e329466a3\r\nMD5: 9a49102f53291a644bd14c8202d8fbe3\r\nCompilation Timestamp: 2021-01-17 18:59:28\r\nFirst Submission: 2021-07-12 06:04:15\r\nSize: 85KB\r\nITW names: mssetup.exe\r\nA Missing MBR Corruptor\r\nFinally, the Padvish security blog makes reference to an additional executable, nti.exe, that serves as an MBR\r\ncorruptor. We’ve been unable to recover it at this time and suspect that the incident responders were unable to\r\nrecover it themselves, as their analysis centers on the corrupted MBRs rather than the binary.\r\nDescription of nti.exe Google translated from Farsi\r\nOne interesting claim in the Padvish blog is that nti.exe corrupts the MBR by\r\noverwriting the same sectors as the infamous NotPetya. While one’s first instinct might be to assume that the\r\nNotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember\r\nthat NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations.\r\nAn additional inconsistency from the Padvish blog is their claim that update.bat runs nti.exe.
While they’re\r\nlikely referring to a different version in their possession, our copy of update.bat makes no overt reference to\r\nnti.exe.\r\nConclusion\r\nConflict in cyberspace is overpopulated with increasingly brazen threat actors. Behind the artistry of this epic troll\r\nlies an uncomfortable reality where a previously unknown threat actor is willing to leverage wiper malware\r\nagainst public railway systems. The attacker is an intermediate-level player whose different operational\r\ncomponents sharply oscillate from clunky and rudimentary to slick and well-developed.\r\nOn the one hand, we have a new externally configurable wiper packed full of interesting capabilities, involving a\r\nmature development process and redundant means to accomplish its goals. Even their batch scripts include\r\nextensive error checking, a feature seldom encountered in deployment scripts. Their attack is designed to\r\ncripple the victim’s systems, leaving no recourse to simple remediation via domain administration or recovery of\r\nshadow copies.\r\nOn the other hand, we see an adversary that doesn’t yet have a handle on their deployment pipeline, using a\r\nsample of their malware that contains extensive debug features and burning functionality irrelevant to this\r\nparticular operation. There’s feature redundancy between different attack components that suggests an\r\nuncoordinated division of responsibilities across teams. And files are dispensed in a clunky, verbose, and\r\ndisorganized manner unbecoming of advanced attackers.\r\nWe cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group.\r\nOr the latent effects of external training coming to bear on a region’s nascent operators.
At this time, any form of\r\nattribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with\r\nvested interests, means, and motive.\r\nBehind this epic troll/stunning provocation there’s a lot more to uncover in getting to know the actor behind\r\nMeteorExpress. We should keep in mind that the attackers were already familiar with the general setup of their\r\ntarget, features of the domain controller, and the target’s choice of backup system (Veeam). That implies a\r\nreconnaissance phase that flew entirely under the radar and a wealth of espionage tooling that we’ve yet to\r\nuncover.\r\nHappy Hunting.\r\nIndicators of Compromise\r\nIoCs and YARA hunting rules are available on the SentinelLABS GitHub.\r\nReferences\r\nhttps://www.timesofisrael.com/hack-causes-chaos-on-iran-trains-posts-supreme-leaders-number-for-complaints/\r\nhttps://www.voanews.com/middle-east/voa-news-iran/hackers-disrupt-irans-rail-service-fake-delay-messages\r\nhttps://www.reuters.com/world/middle-east/hackers-breach-iran-rail-network-disrupt-service-2021-07-09/\r\nhttps://twitter.com/cherepanov74/status/1416643609131114497?s=20\r\nhttps://threats.amnpardaz.com/malware/trojan-win32-breakwin/\r\nhttps://www.malwaretech.com/2017/06/petya-ransomware-attack-whats-known.html\r\nhttps://www.reuters.com/article/us-emirates-tech-israel/uae-target-of-cyber-attacks-after-israel-deal-official-says-idUSKBN28G0BW\r\nSource: https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"
	],
	"report_names": [
		"meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll"
	],
	"threat_actors": [],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dfd4f9a2743a2dbe360dd90ae14b5a1914c4041.pdf",
		"text": "https://archive.orkl.eu/3dfd4f9a2743a2dbe360dd90ae14b5a1914c4041.txt",
		"img": "https://archive.orkl.eu/3dfd4f9a2743a2dbe360dd90ae14b5a1914c4041.jpg"
	}
}