{
	"id": "c48d9d44-c97a-4b74-b854-a3a1006fd31d",
	"created_at": "2026-04-06T00:12:38.612225Z",
	"updated_at": "2026-04-10T03:33:49.488598Z",
	"deleted_at": null,
	"sha1_hash": "4b2aab5dade4e3de59291bdafc82f6ec9153216b",
	"title": "The Madi Campaign - Part II",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145661,
	"plain_text": "The Madi Campaign - Part II\r\nBy GReAT\r\nPublished: 2012-07-26 · Archived: 2026-04-05 14:04:50 UTC\r\nIn our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert (http://blog.seculert.com/2012/07/mahdi-cyberwar-savior.html).\r\nIn this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.\r\nThe Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data for each of the compromised systems that they are managing over time.\r\nThe services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:\r\nHere is a global map representing the approximate location of Madi victims, dependent on GeoIP data. While the overwhelming percentage of Madi victims in the Middle East is not best visualized in this graphic, it helps to understand the Madi reach:\r\nhttps://securelist.com/the-madi-campaign-part-ii-53/33701/\r\nPage 1 of 4\r\nSome related domains not under our sinkhole were quickly sinkholed by other security groups the day after our post. But the problem with the timing and approach by these newcomers is that the spyware and downloaders currently active do not “speak” with those domains, for the most part. Instead, they speak directly with the web servers running according to their hard-coded IP addresses, avoiding any DNS name resolution. To help with this process, the malware authors built update functionality into the downloaders. If they were switching their pool of infected systems to another domain or IP address, a Madi downloader or infostealer would communicate with its assigned C2 server and then retrieve the IP or domain of its new C2, store the new locator in a plain text file on the drive, and then switch over and begin communicating with the new C2. This approach also seems crude in comparison to other resilient cybercrime infrastructure.\r\nWhen source IP addresses are examined from systems checking in to the C2 by hand and matched up with their ASN, the most activity is clearly coming from within Iran:\r\nIran 84%\r\nPakistan 6%\r\nUS 3%\r\nIL 1%\r\nUAE \u003c1%\r\nSaudi Arabia \u003c1%\r\nWe distributed the largest collection of related samples so far to multiple vendors and incident response handlers. Only a couple of vendors have responded in kind with only a few binaries that are new to our collection. Accordingly, these numbers are the most accurate that research has to offer at this point, even as new Madi samples are uploaded to our backend services:\r\nC2 locators hard-coded into Madi downloaders\r\nA timeline of new activity can be scoped out for the group, with the greatest number of related downloaders created by the developers in December 2011, Feb and March of 2012, followed by June of 2012. Also, the oldest Madi trojan currently in the collection was created in Sept. 2011, most likely during the testing phase of the project. The domain that it reports to was created on August 10, 2011.\r\nThis information tends to make sense, as other researchers discussed privately that spear-phishing campaign volumes appeared to be heaviest in February 2012, but this information was collected from the targets outside of Iran. We don't know about any sort of activity intensity timeline within Iran, although the trends above may help inform those questions.\r\nWe also know that the infostealers are a much smaller pool of code, and were released on a separate timeline. We have discovered five months in which the Madi infostealers were created, and the matching URL that they communicated with for instructions and to upload victim screenshots, keylogged data, stolen documents and contracts:\r\nIn addition to the information we presented here, our partner Seculert posted their own analysis of the Madi C2 infrastructure here: http://blog.seculert.com/2012/07/mahdi-numbers-and-flame-connection.html.\r\nNote: On July 25, we received a new variant of Madi which connects to a new C2 server in Canada. We are still investigating it and the data from this post does not include this new C2 server.\r\nSource: https://securelist.com/the-madi-campaign-part-ii-53/33701/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/the-madi-campaign-part-ii-53/33701/"
	],
	"report_names": [
		"33701"
	],
	"threat_actors": [
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b2aab5dade4e3de59291bdafc82f6ec9153216b.pdf",
		"text": "https://archive.orkl.eu/4b2aab5dade4e3de59291bdafc82f6ec9153216b.txt",
		"img": "https://archive.orkl.eu/4b2aab5dade4e3de59291bdafc82f6ec9153216b.jpg"
	}
}