{
	"id": "b5923b78-393c-4262-904f-195a44cba46b",
	"created_at": "2026-04-06T00:07:42.378469Z",
	"updated_at": "2026-04-10T03:37:37.076955Z",
	"deleted_at": null,
	"sha1_hash": "6541d25d4696d47bf832d3655d7f24352cb03341",
	"title": "APT34 targets Jordan Government using new Saitama backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2813863,
	"plain_text": "APT34 targets Jordan Government using new Saitama backdoor\r\nPublished: 2022-05-10 · Archived: 2026-04-05 15:04:06 UTC\r\nThreat Intelligence Team\r\nMay 10, 2022\r\nOn April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian actor APT34.\r\nAlso known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat group that has targeted Middle Eastern countries and victims worldwide since at least 2014. The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors.\r\nIn this blog post, we describe the attack flow and share details about the Saitama backdoor.\r\nMalicious email file\r\nThe malicious email was sent to the victim from a Microsoft Outlook account with the subject “Confirmation Receive Document” and an attached Excel file called “Confirmation Receive Document.xls”. The sender pretends to be a person from the Government of Jordan by using its coat of arms as a signature.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/\r\nPage 1 of 12\r\nExcel document\r\nThe Excel attachment contains a macro that performs malicious activities. The document shows an image that tries to convince the victim to enable the macro.\r\nAfter enabling the macro, the image is replaced with the Jordan government’s coat of arms:\r\nThe macro is executed on WorkBook_Open(). Here are the main functionalities of this macro:\r\nHides the current sheet and shows the new sheet that contains the coat of arms image.\r\nCalls the “eNotif” function, which is used to send a notification of each step of the macro execution to its server using the DNS protocol. To send a notification, it builds the server domain for that step from the following parts: “qw” + identification of the step (in this step “zbabz”) + random number + domain name (joexpediagroup.com), e.g. qwzbabz7055.joexpediagroup.com. Then it uses the following WMI query to get the IP address for that name: Select * From Win32_PingStatus Where Address=’” \u0026 p_sHostName \u0026 “‘”, which performs the DNS resolution of the created subdomain.\r\nCreates a TaskService object and gets the task folder that contains the list of the current tasks.\r\nCalls the eNotif function.\r\nChecks if there is a mouse connected to the PC and, if that is the case, performs the following steps:\r\nCreates the %APPDATA%/MicrosoftUpdate directory.\r\nCreates “Update.exe”, “Update.exe.config” and “Microsoft.Exchange.WenServices.dll”.\r\nReads the contents of UserForm1.label1, UserForm2.label1 and UserForm3.label1, which are in Base64 format, decodes them and finally writes them into the files created in the previous step.\r\nCalls the eNotif function after each write.\r\nChecks the existence of the Update.exe file and, if for some reason it has not been written to disk, writes it using a technique that loads a .NET assembly directly using mscorlib and Assembly.Load by manually accessing the VTable of IUnknown. This technique was taken from GitHub (link). Even though this technique was not used in this macro, since the file was already written, the function name (“Test”) suggests that the threat actor is trying to implement it in future attacks.\r\nFinally, it calls the eNotif function.\r\nDefines an XML schema for a scheduled task and registers it using the RegisterTask function. The name of the scheduled task is MicrosoftUpdate and it is used to make update.exe persistent.\r\nSaitama Backdoor – A finite state machine\r\nThe dropped payload is a small backdoor written in .NET. It has the following interesting pdb path: E:\\Saitama\\Saitama.Agent\\obj\\Release\\Saitama.Agent.pdb.\r\nThe Saitama backdoor abuses the DNS protocol for its command and control communications. This is stealthier than other communication methods, such as HTTP. Also, the actor cleverly uses techniques such as compression and long random sleep times. They employed these tricks to disguise malicious traffic in between legitimate traffic.\r\nAnother element that we found interesting about this backdoor is the way that it is implemented. The whole flow of the program is defined explicitly as a finite-state machine, as shown in Figure 7. In short, the machine changes its state depending on the command sent to every state. Graphically, the program flow can be seen as this:\r\nBEGIN\r\nThis is the initial state of the machine. It just accepts the start command, which puts the machine into the ALIVE state.\r\nALIVE\r\nThis state fetches the C\u0026C server, expecting to receive a command from the attackers. These server names are generated by a PRNG algorithm that involves transformations like the Mersenne Twister. These transformations generate subdomains of the hard-coded domains in the Config class (Figure 8).\r\nFigure 9 shows an example of a generated subdomain:\r\nThis state has two possible next stages. If the performed DNS request fails, the next stage is SLEEP. Otherwise, the next stage is RECEIVE.\r\nSLEEP and SECOND SLEEP\r\nThese states put the backdoor in sleep mode. The amount of time that the program will sleep is determined by the previous stage. It is clear that one of the main motivations of the actor is to be as stealthy as possible. For example, an unsuccessful DNS request puts the backdoor in sleep mode for a time between 6 and 8 hours! There are different sleep times depending on the situation (values are expressed in milliseconds):\r\nThere is also a “Second Sleep” state that puts the program in sleep mode for a different amount of time.\r\nRECEIVE\r\nThis state is used to receive commands from the C\u0026C servers. Commands are sent using the IP address field that is returned by the DNS requests. Further details about the communication protocol are provided later in this report. In a nutshell, every DNS request is capable of receiving 4 bytes. The backdoor concatenates responses, building buffers in that way. These buffers contain the commands that the backdoor will execute.\r\nDO (DoTask)\r\nThis state executes commands received from the server. The backdoor has capabilities like executing remote pre-established commands, custom commands or dropping files. The communication also supports compression. The following figure shows the list of possible commands that can be executed by the backdoor.\r\nID Type Command\r\n1 PS Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress\r\n2 PS Get-NetNeighbor -AddressFamily IPv4 | Select-Object “IPADDress”\r\n3 CMD whoami\r\n4 PS [System.Environment]::OSVersion.VersionString\r\n5 CMD net user\r\n6 — ———[NOT USED]———\r\n7 PS Get-ChildItem -Path “C:\\Program Files” | Select-Object Name\r\n8 PS Get-ChildItem -Path ‘C:\\Program Files (x86)’ | Select-Object Name\r\n9 PS Get-ChildItem -Path ‘C:\\’ | Select-Object Name\r\n10 CMD hostname\r\n11 PS Get-NetTCPConnection | Where-Object{$_.State -eq “Established”} | Select-Object “LocalAddress”, “LocalPort”, “RemoteAddress”, “RemotePort”\r\n12 PS $(ping -n 1 10.65.4.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.51 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.65.65 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.53.53 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.21.200 | findstr /i ttl) -eq $null\r\n13 PS nslookup ise-posture.mofagov.gover.local | findstr /i Address;nslookup webmail.gov.jo | findstr /i Address\r\n14 PS $(ping -n 1 10.10.21.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.201 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.202 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.24.200 | findstr /i ttl) -eq $null\r\n15 PS $(ping -n 1 10.10.10.4 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.50.10 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.22.50 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null\r\n16 PS $(ping -n 1 10.65.51.11 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.1 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.52.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.6.3 | findstr /i ttl) -eq $null\r\n17 PS $(ping -n 1 10.65.45.18 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.28.41 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.36.13 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.51.10 | findstr /i ttl) -eq $null\r\n18 PS $(ping -n 1 10.10.22.42 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.23.200 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.45.19 | findstr /i ttl) -eq $null;$(ping -n 1 10.10.19.50 | findstr /i ttl) -eq $null\r\n19 PS $(ping -n 1 10.65.45.3 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.4.52 | findstr /i ttl) -eq $null;$(ping -n 1 10.65.31.155 | findstr /i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null\r\n20 PS Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop\r\n21 PS Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses\r\n22 CMD systeminfo | findstr /i “Domain”\r\nFigure 12: List of predefined commands\r\nIt is pretty shocking to see that, even when attackers have the possibility of sending any command, they chose to add that predefined list to the backdoor in Base64 format. As we can see, some of them are common reconnaissance snippets, but some of them are not that common. In fact, some of the commands contain internal IPs and also internal domain names (like ise-posture.mofagov.gover.local). That shows that this malware was clearly targeted and also indicates that the actor has some previous knowledge about the internal infrastructure of the victim.\r\nSEND – SEND AND RECEIVE\r\nThe Send state is used to send the results generated by commands to the actor’s server. In this case, the name of the subdomain contains the data. As domain names are used to exfiltrate unknown amounts of data, attackers had to split this data into different buffers. Every buffer is then sent through a different DNS request. As can be seen in Figure 12, all the information required to reconstruct the original data is sent to the attackers. The size of the buffer is only sent in the first packet.\r\nAttribution\r\nThere are several indicators that suggest that this campaign has been operated by APT34.\r\nMaldoc similarity: The maldoc used in this campaign shares some similarities with maldocs used in previous campaigns of this actor. More specifically, similar to what was mentioned in CheckPoint’s report, this maldoc registers a scheduled task that launches the executable every X minutes, and it uses the same anti-sandboxing technique (checking whether there is a mouse connected to the PC or not). Finally, we see a similar pattern of beaconing back to the attacker server to inform the attacker about the current stage of execution.\r\nVictim similarity: The group is known to target the government of Jordan, and this is the case in this campaign.\r\nPayload similarity: DNS is the most common method used by APT34 for its C\u0026C communications. The group is also known to use uncommon encodings such as Base32 and Base36 in its previous campaigns. The Saitama backdoor uses a Base32 encoding for sending data to the servers that is similar to the one used by DNSpionage. Also, to build subdomains it uses a Base32 encoding that is similar to what was reported by Mandiant.\r\nMalwarebytes customers are protected from this attack via our Anti-Exploit layer.\r\nIOCs\r\nMaldoc:\r\nConfirmation Receive Document.xls\r\n26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b\r\nSaitama backdoor:\r\nupdate.exe\r\ne0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d\r\nC2s:\r\nuber-asia.com\r\nasiaworldremit.com\r\njoexpediagroup.com\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/"
	],
	"report_names": [
		"apt34-targets-jordan-government-using-new-saitama-backdoor"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6541d25d4696d47bf832d3655d7f24352cb03341.pdf",
		"text": "https://archive.orkl.eu/6541d25d4696d47bf832d3655d7f24352cb03341.txt",
		"img": "https://archive.orkl.eu/6541d25d4696d47bf832d3655d7f24352cb03341.jpg"
	}
}