{
	"id": "b538e859-fe01-46a2-ad5b-b97256b8b072",
	"created_at": "2026-04-06T00:09:31.023778Z",
	"updated_at": "2026-04-10T03:20:05.533851Z",
	"deleted_at": null,
	"sha1_hash": "4e356e93378b13f4d1e66de12f41978166af1c5b",
	"title": "Saudi Arabia CNA report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30139,
	"plain_text": "Saudi Arabia CNA report\r\nArchived: 2026-04-05 21:28:56 UTC\r\n \r\nDestructive Attack “DUSTMAN”\r\nTechnical Report\r\n1. Overview\r\nDestructive attacks are quite extraordinary as threat actors employ their malware to disrupt or disable availability\r\nof the victim’s resources by wiping contents on storage devices of the targeted systems. In these attacks, threat\r\nactors have already compromised the victim’s network and gained privileged access to the internal infrastructure\r\nprior to the destruction activities. In 2019, multiple destructive attacks were observed targeting entities within the\r\nMiddle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA),\r\ndetected a new malware named “DUSTMAN” that was detonated on December 29, 2019. Based on analyzed\r\nevidence and artifacts found on machines in a victim’s network that were not wiped by the malware, NCSC assesses\r\nthat the threat actor behind the attack had some kind of urgency in executing the files on the date of the attack, due\r\nto multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack\r\n“DUSTMAN” after the filename and string embedded in the malware. “DUSTMAN” has different characteristics\r\nwhen compared to the multiple wiper malware that have been observed through the years, especially the\r\n“Shamoon” variants, although they all use the same third-party driver “Eldos RawDisk”. Furthermore,\r\n“DUSTMAN” varies in terms of techniques and capability when compared to “Shamoon”, and from the observed\r\nbehavior and capabilities, “DUSTMAN” can be considered as a new variant of “ZeroCleare” malware, published\r\nin December 2019 (1).\r\nThis report will shed light on the attack life cycle, technical analysis of the malware, and the preventive\r\nrecommendation with the Yara rules. 
It is worth mentioning that NCSC is still coordinating all efforts in\r\nunderstanding the extent of the attack, malware and attribution.\r\n(1): New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East, December 2019, IBM X-Force.\r\nSource: https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report"
	],
	"report_names": [
		"Saudi-Arabia-CNA-report"
	],
	"threat_actors": [],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e356e93378b13f4d1e66de12f41978166af1c5b.pdf",
		"text": "https://archive.orkl.eu/4e356e93378b13f4d1e66de12f41978166af1c5b.txt",
		"img": "https://archive.orkl.eu/4e356e93378b13f4d1e66de12f41978166af1c5b.jpg"
	}
}