{
	"id": "f5edbf6a-248d-43d4-a4b1-196951fe7a7a",
	"created_at": "2026-04-06T00:15:45.846375Z",
	"updated_at": "2026-04-10T03:30:32.803195Z",
	"deleted_at": null,
	"sha1_hash": "40a93f8ac56267479f24134510d6adc69062b7d3",
	"title": "ESET Wiper: Iranian APT Group Toufan’s Politically Motivated Attack on Israeli Firms | Idan Malihi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55233,
	"plain_text": "ESET Wiper: Iranian APT Group Toufan’s Politically Motivated\r\nAttack on Israeli Firms | Idan Malihi\r\nArchived: 2026-04-05 13:22:03 UTC\r\nWiper Diagram Execution\r\nThe hacktivist group expressed a political opinion through the ESET wiper that the hacktivist group is attacking\r\nESET customers due to the war between Israel and Hamas that started on October 07th, and Hamas started their\r\nattack at 06:29 AM.\r\nThe hacktivist group delivers a threat through the wiper to the ESET company: “Hey ESET, wait for the\r\nleak.. Doing business with the occupiers puts you in scope!”\r\nDuring its operation, the ESET wiper executes a file with administrator privileges using the runas command. It\r\nappears that the wiper uses the ShellExecute API function to execute the file specified in the open string.\r\nAdditionally, the wiper will execute a file located in the Users\\Public path.\r\nAdditionally, the wiper generates a conf.conf file in the Users\\Public directory and drops three files:\r\nMicrosoftEdge.exe, csrs.exe, and SecurityHealthSystray.exe.\r\nRegarding the following string, it appears the wiper will play an MP4 video during its execution.\r\nThe wiper is connected to the URL www.oref.org.il/alerts/RemainderConfig_eng.json, which is Israel’s\r\ncivil defense alert system. This indicates that the wiper might be trying to access or misuse information from this\r\nURL.\r\nThe ESET wiper loaded the winhttp.dll file to import several API functions related to HTTP/S connections to the\r\nwww.oref.org.il/alerts/RemainderConfig_eng.json, Israel’s civil defense alert system. This\r\ncommunication purpose is to check the returned status code to determine whether the system’s IP address\r\nis related to Israel. 
If the IP address is not related to Israel, the response will be 403, forbidden, and the wiper will\r\nnot continue with the infection process.\r\nOtherwise, it continues with the infection process.\r\nThen, the ESET wiper creates a new file named conf.conf using the CreateFileW function, located in the\r\nC:\\Users\\Public directory.\r\nThe wiper employs the fwrite() C function to write the buffer in the EDI register to the conf.conf file.\r\nThe content of conf.conf appears to consist of the first 7 bytes from\r\nwww.oref.org.il/alerts/RemainderConfig_eng.json. If the wiper successfully extracts these bytes, it\r\nindicates that the system is related to Israel.\r\nhttps://idanmalihi.com/eset-wiper-iranian-apt-group-toufans-politically-motivated-attack-on-israeli-firms/\r\nPage 1 of 3\n\nThen, the wiper replicates itself using the CopyFileA function to the C:\\Users\\Public directory, naming it\r\nSecurityHealthsSystray.exe.\r\nAfter the wiper replicates itself, it loads the Shell32.dll file into the process’s address space using the\r\nLoadLibraryA function. This allows the use of the ShellExecuteExA function to execute the\r\nSecurityHealthSystray.exe file with administrator privileges via the runas system command.\r\nThe wiper initially executes the SecurityHealthSystray.exe file, but it checks the specific path from which the\r\nfile is run. If it runs from the Desktop path, it will execute one part of the code. However, if it runs from the\r\nC:\\Users\\Public path, it will execute a different part of the code, which contains the next malicious code.\r\nWhen the wiper is executed from the C:\\Users\\Public path, it suspends the execution of the process’s thread for\r\na specified number of milliseconds.\r\nThe wiper utilizes several API functions to capture a snapshot of the endpoint’s running processes. It also checks\r\nfor the presence of known monitoring, debugging, or disassembling tools on the operating system. 
The functions\r\nused for this purpose include CreateToolhelp32Snapshot, Process32First, and Process32Next.\r\nIf the wiper detects known tools like procexp.exe, procmon.exe, and xdbg32.exe, it displays error messages\r\nrelated to the MicrosoftEdge.exe and csrs.exe files.\r\nIf no such tools are detected, the wiper uses the CreateProcessA function to execute the\r\nMicrosoftEdge.exe file.\r\nAfter running several malicious processes in the background, the wiper utilizes the SystemParametersInfoA API\r\nto modify the desktop wallpaper. The operation push dword ptr ds:[D59398] corresponds to the pvParam\r\nparameter, which points to the wallpaper file path. During execution, this is a pointer to a memory location that\r\ncontains the string C:\\Users\\Public\\image.jpg. The operation push 14 pertains to the uiAction parameter.\r\nThe decimal value 14 represents the SPI_SETDESKWALLPAPER parameter, which is responsible for setting the\r\ndesktop wallpaper to the file specified in the pvParam parameter.\r\nThe wiper uses the SendInput function to simulate presses of the keyboard’s Volume Up key, setting the speaker volume to 100 percent\r\nfor the video displayed on the victim’s screen.\r\nThen, the wiper uses the ShellExecuteA function to execute the video.mp4 file, playing a video related to the\r\nHamas-ISIS Israel war, which began on October 7th, on the victim’s screen.\r\nOnce the wiper detects the connected system drives, it generates multiple threads to expedite the wiping process.\r\nContent of private.txt prior to wiping:\r\nContent of private.txt after wiping:\r\nUpon execution, the program first hides the console window using Program.FreeConsole(), effectively\r\nconcealing its presence from the user. It then attempts to access the Windows registry to check for the presence of\r\nMicrosoft Outlook by locating the OUTLOOK.EXE path. 
If this search is successful, the malware proceeds to\r\ndownload a malicious ZIP file from a remote URL https://share-center.com/files/Attachment.zip and\r\nsaves it to the public user directory. Next, the malware constructs an email with the subject line “The Files You\r\nRequested” including the infected ZIP file as an attachment. This action is intended to spread the ZIP file to other\r\nusers. Additionally, if the system is part of an Active Directory environment, the malware checks for domain\r\nmembership and attempts to execute a function called InfectAD to propagate throughout the network,\r\nhighlighting its intent to spread laterally within enterprise environments.\r\nThe InfectOutlook function is designed to automate Microsoft Outlook’s sending of phishing emails with\r\nattachments to a large number of recipients. It starts by creating an instance of the Outlook application using a\r\nCreateInstance call with a COM object. Once the Outlook instance is generated, it accesses the MAPI\r\nnamespace to retrieve the global address list. The function then iterates through all the entries in the address list,\r\nextracting email addresses. These addresses are stored in the uniqueEmails list, ensuring that no duplicates are\r\nadded by checking for the presence of each email address before including it. Additionally, the function appends a\r\npredefined email address, brunomartin@tutamail.com, to this list, likely to send copies of the email to the\r\nattacker’s email.\r\nMITRE ATT\u0026CK\r\nYara Rule\r\nSource: https://idanmalihi.com/eset-wiper-iranian-apt-group-toufans-politically-motivated-attack-on-israeli-firms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://idanmalihi.com/eset-wiper-iranian-apt-group-toufans-politically-motivated-attack-on-israeli-firms/"
	],
	"report_names": [
		"eset-wiper-iranian-apt-group-toufans-politically-motivated-attack-on-israeli-firms"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40a93f8ac56267479f24134510d6adc69062b7d3.pdf",
		"text": "https://archive.orkl.eu/40a93f8ac56267479f24134510d6adc69062b7d3.txt",
		"img": "https://archive.orkl.eu/40a93f8ac56267479f24134510d6adc69062b7d3.jpg"
	}
}