{
	"id": "17f1137a-9f73-4109-b463-1cd12ecb1174",
	"created_at": "2026-04-06T00:08:17.795054Z",
	"updated_at": "2026-04-10T03:21:14.477747Z",
	"deleted_at": null,
	"sha1_hash": "65c8cfc1167bea5bb3ff2c10bb5ac2df1e3bc9e2",
	"title": "Targeted Attacks In The Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038236,
	"plain_text": "Targeted Attacks In The Middle East\r\nBy Paul Rascagneres\r\nPublished: 2018-02-07 · Archived: 2026-04-02 11:54:26 UTC\r\nWednesday, February 7, 2018 00:48\r\nThis blog post is authored by Paul Rascagneres with the assistance of Martin Lee.\r\nExecutive Summary\r\nTalos has identified a targeted attack affecting the Middle East. This campaign\r\ncontains the following elements, which are described in detail in this article.\r\nThe use of allegedly confidential decoy documents purported to be written by the Jordanian publishing and\r\nresearch house, Dar El-Jaleel. This institute is known for its research on the Palestinian-Israeli conflict\r\nand the Sunni-Shia conflict within Iran.\r\nThe attacker extensively used scripting languages (VBScript, PowerShell, VBA) as part of their attack.\r\nThese scripts are used to dynamically load and execute VBScript functions retrieved from a Command \u0026\r\nControl server.\r\nThe attacker demonstrates excellent operational security (OPSEC). The attacker was particularly careful to\r\ncamouflage their infrastructure. During our investigation, the attacker deployed several reconnaissance\r\nscripts in order to check the validity of the victim machine, blocking systems that don't meet their criteria. The\r\nattacker uses the reputable CloudFlare service to hide the nature and location of their infrastructure.\r\nAdditionally, the attacker filters connections based on their User-Agent strings, and only enables their\r\ninfrastructure for short periods of time before blocking all connections.\r\nThis is not the first targeted campaign against the region using Dar El-Jaleel decoy documents that we\r\nhave investigated. However, we have no indication that the previous campaigns are related.\r\nVBS Campaign\r\nStage 1: VBScript\r\nThe campaign starts with a VBScript named سوريا في السرية ايران حرب داخل من.vbs (\"From inside\r\nIran's secret war in Syria.vbs\"). 
Here are the script contents:\r\nhttps://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html\r\nPage 1 of 15\n\nThe purpose of this script is to create the second-stage PowerShell script described in the next section.\r\nStage 2: PowerShell Script\r\nThe goal of the generated PowerShell script is to create a Microsoft Office document named\r\nReport.doc and to open it.\r\nStage 3: Office Document With Macros\r\nHere is a screenshot of the Office document:\r\nThis document purports to be written by Dar El-Jaleel. Dar El-Jaleel is a publishing and studies house based in\r\nAmman, Jordan. This institute is well known for its research concerning the Palestinian-Israeli conflict and the\r\nSunni-Shia conflict in Iran. Tagged as confidential, the document is an analysis report on Iranian activities within\r\nthe Syrian civil war.\r\nThis document contains a macro:\r\nThe purpose of this macro is to create a WSF (Windows Script File) file and to execute it.\r\nStage 4: WSF Script\r\nThe created WSF script is the main part of the infection:\r\nThe top of the script contains configuration information:\r\nthe hostname of the Command \u0026 Control - office-update[.]services,\r\nthe port - 2095,\r\nthe User-Agent - iq.46-|-377312201708161011591678891211899134718141815539111937189811\r\nThe User-Agent is used to identify the targets. The CC filters network connections based on this string,\r\nonly allowing through connections made with authorised User-Agent strings.\r\nThe first task of the script is to register the infected system by performing an HTTP request to http://office-update[.]services:2095/store. 
Next, the script executes an infinite loop, attempting to contact the /search URI every\r\n5 seconds in order to download and execute additional payloads.\r\nAdditional Payloads\r\nThe WSF script receives payloads of three types, named s0, s1, s2. The payloads are VBScript\r\nfunctions loaded and executed on the fly with the ExecuteGlobal() and GetRef() APIs. The only\r\ndifference between s0, s1 and s2 type payloads is the number of arguments supplied to the\r\nexecuting function. s0 does not require any arguments, s1 accepts one argument, and s2 two\r\narguments.\r\nThe downloaded payload functions are obfuscated; here is an example of the raw data:\r\nThe first element is the function type (s0), followed by a separator '-|-'. The second element is the obfuscated\r\nfunction; this consists of ASCII values, separated by '*'. For example, the above data decodes as:\r\n45: -\r\n54: 6\r\n53: 5\r\n43: +\r\n49: 1\r\n52: 4\r\n56: 8\r\n42: *\r\n53: 5\r\n51: 3\r\n53: 5\r\n45: -\r\n52: 4\r\n49: 1\r\n56: 8\r\n42: *\r\nHence, the decoded data is \"-65+148*535-418*\". Then follows a second step, again using '*' as a\r\nseparator. 
Each mathematical operation is resolved to obtain a new ASCII value:\r\n-65+148 = 83 -\u003e \"S\"\r\n535-418 = 117 -\u003e \"u\"\r\nThis technique is used to construct a new VBScript function.\r\nDuring our investigation we received 5 different functions.\r\nReconnaissance Functions\r\nDuring our investigation we received a reconnaissance function a few minutes after the initial compromise.\r\nThe purpose of the function was to retrieve several pieces of information from the infected system,\r\npresumably in order to check whether the target is valuable or not (or a sandbox system).\r\nFirst, the attacker retrieves the disk volume serial number:\r\nSecondly, the payload retrieves any installed anti-virus software:\r\nThirdly, it obtains the Internet IP address of the infected system by querying ipify.org (the code includes a hint that\r\nthe attacker previously used wtfismyip.com):\r\nFourthly, it retrieves the computer name, the username, the operating system and the architecture:\r\nAll these data are sent to the previously mentioned CC using the /is-return URI. The data are stored in the User-Agent, separated by \"-|-\".\r\nSubsequently, we received a second reconnaissance function:\r\nThe function lists the drives of the infected system and their type (internal drive, USB drive, etc.).\r\nPersistence Functions\r\nIn addition to the reconnaissance functions, we received 2 functions linked to the persistence of the WSF\r\nscript. The first function is used to persist the script; the second is used to clean the infected system. 
Our machine was\r\nserved this after taking too much time to send a request to the C2. Presumably the attacker determined we\r\nwere examining their systems and decided to remove the malware to prevent further analysis:\r\nPivot Function\r\nFinally, we received a pivot function. The function is the only non-s0 function we obtained during our\r\nresearch. This is an s1 function that takes one argument:\r\nHere is the argument:\r\nThe purpose is to execute a PowerShell script:\r\nThe PowerShell script executes a second base64-encoded script. The attacker forces the system to use the 32-bit\r\nversion of PowerShell even if the operating system architecture is 64-bit.\r\nFinally we obtain the last PowerShell script:\r\nThe purpose of this script is to download shellcode from the IP address 176[.]107[.]185[.]246, to map it in memory and to\r\nexecute it. The attacker takes many precautions before delivering the shellcode; these will be explained in the next\r\nchapter. Unfortunately, during our investigation we weren't served the anticipated shellcode.\r\nAttacker's OPSEC\r\nThe attacker behind this campaign put a lot of effort into protecting its infrastructure and into\r\navoiding leaking code to analysts. The first Command \u0026 Control server is protected by CloudFlare.\r\nThis choice complicates the analysis and tracking of the campaign. Additionally, the attacker\r\nfilters on the User-Agent; if your web requests do not fit a specific pattern, your request will be\r\nignored. During our analysis the attacker was only active during the morning (Central European\r\nTimezone); similarly, the various different payloads were only sent during mornings (Central\r\nEuropean Time). 
When an infected system receives the pivot function, the attacker disables their\r\nfirewall for a few minutes to allow this single IP address to download the shellcode. Afterwards, the\r\nserver becomes unreachable. Here is a diagram of this workflow:\r\nAdditionally, we saw that the attackers blocklisted some of our specific User-Agent strings and IP addresses used\r\nduring our investigation.\r\nThis high level of OPSEC is exceptional even among presumed state-sponsored threat actors...\r\nLinks with Jenxcus (a.k.a. Houdini/H-Worm)?\r\nIf you are familiar with Jenxcus (a.k.a. Houdini/H-Worm) you should see some similarities\r\nbetween the VBScript used during this campaign and this well-known malware: usage of the User-Agent to exfiltrate data, reconnaissance techniques, etc.\r\nWe cannot tell if the attacker used a new version of Jenxcus or if this malware served as the inspiration for their\r\nown malicious code. The source code of Jenxcus can be easily found on the Internet. However, the adaptation\r\nused in this campaign is more advanced: the features/functions are loaded on demand and the initial script does\r\nnot include all the malicious code, unlike Jenxcus.\r\nAdditional Targets\r\nWe can identify different targets based on the User-Agent used by the attacker to identify victims.\r\nThese are a few examples:\r\nc = \"U.15.7\"\r\na = \"738142201756240710471556115716122461214187935862381799187598\"\r\nc = \"1X.134\"\r\na = \"130427201706151111209123451288122413771234715862388136654339\"\r\nc = \"Fb-20.9\"\r\na = \"585010201750201110021112344661899112271619123139116684543113\"\r\nOther Campaigns Using Dar El-Jaleel Decoy Documents\r\nThis is not the first time Talos has investigated targeted campaigns using Dar El-Jaleel decoy documents. 
During 2017, we identified several campaigns using the\r\nsame decoy documents:\r\nThis document is a weekly report about the major events occurring during the 1st week of November 2017, talking\r\nabout the most important events happening in Jordan, Iraq, Syria, Lebanon, Palestine, Israel, Russia, ISIS and the\r\nongoing Gulf countries' conflict with Qatar.\r\nWe encountered this document in campaigns using .NET malware (with the CC: foxlive[.]life) and C++ malware\r\n(with the CC: download[.]share2file[.]pro). The purpose of the malware was to retrieve information relating to\r\nthe targeted systems and to download an additional payload. Moreover, we identified another campaign using a\r\nshare2file[.]pro subdomain. Here is the decoy document in this campaign:\r\nThis document is a pension list of military personnel dated June 2017, containing names of individuals, which we\r\nhave redacted, alongside a military rank.\r\nWe don't know if these campaigns are performed by the same actor or by different groups interested in this region.\r\nThese campaigns are still under investigation.\r\nConclusion\r\nThese campaigns show us that at least one threat actor is interested in and\r\ntargeting the Middle East. Due to the nature of the decoy documents, we can\r\nconclude that the intended targets have an interest in the geopolitical context of the\r\nregion. The attackers used an analysis report alleged to be written by Dar El-Jaleel, a Jordanian institute specialising in studies of the region. Some of these\r\ndocuments are tagged as confidential.\r\nDuring the VBS Campaign, we were surprised by the level of OPSEC demonstrated by the attacker and their\r\ninfrastructure. 
Legitimate services such as CloudFlare were used to hide malicious activities. Additionally, the\r\nattacker used User-Agent filtering and firewall rules in order to grant access to specific infected systems for only a\r\nfew minutes in order to deliver shellcode. Following this, the server became unreachable. Another notable\r\nobservation is the fact that the attacker was active only during the morning (Central European timezone) during\r\nour investigation.\r\nThe usage of scripting languages is an interesting approach from the attackers' point of view. These languages are\r\nnatively available on Windows systems, provide a high degree of flexibility, and can easily stay under the radar.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with\r\nthis threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nSource: https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
	],
	"report_names": [
		"targeted-attacks-in-middle-east.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65c8cfc1167bea5bb3ff2c10bb5ac2df1e3bc9e2.pdf",
		"text": "https://archive.orkl.eu/65c8cfc1167bea5bb3ff2c10bb5ac2df1e3bc9e2.txt",
		"img": "https://archive.orkl.eu/65c8cfc1167bea5bb3ff2c10bb5ac2df1e3bc9e2.jpg"
	}
}