# Iranian hackers behind the Magic Hound campaign linked to Shamoon **[securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html](https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html)** February 16, 2017 February 16, 2017 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) ## Security researchers discovered cyber espionage operation dubbed Magic Hound campaign that is linked to Iran and the recent Shamoon 2 attacks. Security experts at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East. [The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia. The attackers leverage a wide range of custom tools and an open-source cross-platform remote access tool (RAT) dubbed Pupyfor the Magic Hound campaign. “According to the developer, PupyRAT is a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python.” CTU™ analysis confirms that PupyRAT can give the threat actor full access to the victim’s system.” reads the [analysis published by SecureWorks.](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) ----- The arsenal of the threat actor includes different types of custom tools such as droppers, downloaders, executable loaders, document loaders and IRC bots. _“Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East_ _dating back to at least mid-2016 which we have named Magic Hound. This appears to be an_ _attack campaign focused on espionage. Based upon our visibility it has primarily targeted_ _organizations in the energy, government, and technology sectors that are either in in or_ _[business interests in Saudi Arabia.” reads the analysis published by PaloAlto Networks.](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/)_ _“Link analysis of infrastructure and tools also revealed a potential relationship between Magic_ _[Hound and the adversary group called “Rocket Kitten” (AKA](http://securityaffairs.co/wordpress/41865/cyber-crime/rocket-kitten-report.html)_ _[Operation Saffron Rose,](http://securityaffairs.co/wordpress/25355/hacking/iranian-hackers-social-media.html)_ _Ajax_ _Security Team,_ _[Operation Woolen-Goldfish) as well as an older attack campaign called](http://securityaffairs.co/wordpress/35128/cyber-crime/operation-woolen-goldfish.html)_ _Newscasters.”_ The same campaign was also monitored by experts at SecureWorks that [attributed it to a](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) threat actor tracked as COBALT GYPSY that is associated with the Iranian government. The attackers behind the Magic Hound used Word and Excel documents embedding malicious macros that were able to download and execute additional tools using PowerShell. The bait files appear to be holiday greeting cards, job offers, and official government documents from the Ministry of Health and the Ministry of Commerce in Saudi Arabia. ----- An interesting discovery made by the experts is that some of the domains used in the Magic Hound campaign were also uncovered by IBM X-Force researchers in the analysis of the [Shamoon 2 attack chain.](http://securityaffairs.co/wordpress/56327/cyber-crime/shamoon-attack-chain.html) According to the experts at Palo Alto Networks an IRC bot used in the Magic Hound [campaign is very similar to a piece of malware used by Newscaster, aka](http://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation) Charming Kitten and NewsBeef, an Iranian actor that targeted individuals in the U.S., Israel and other countries using fake social media profiles. Iranian hackers appear very active in this period, both Charming Kitten and Rocket Kitten [actors were mentioned in an analysis of MacDownloader used by to exfiltrate data from Mac](http://securityaffairs.co/wordpress/56095/hacking/macdownloader-iranian-hackers.html) computers. **[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)** **[(Security Affairs – Magic Hound camapign, Iranian hackers)](http://securityaffairs.co/wordpress/)** ----- [Ajax Security Teamcyber espionageIranian hackersMagic HoundOperation Saffron](https://securityaffairs.co/wordpress/tag/ajax-security-team) [RoseOperation Woolen-GoldfisRocket KittenSaudi Arabia](https://securityaffairs.co/wordpress/tag/operation-woolen-goldfis) Share On You might also like **[Ex Twitter employee found guilty of spying for Saudi Arabian government](https://securityaffairs.co/wordpress/134266/intelligence/ex-twitter-employee-guilty.html)** ----- August 11, 2022 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) **[China-linked threat actors have breached telcos and network service providers](https://securityaffairs.co/wordpress/132042/apt/us-warns-china-linked-threat-actors.html)** June 8, 2022 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved. Back to top [Home](http://securityaffairs.co/wordpress/) [Cyber Crime](https://securityaffairs.co/wordpress/category/cyber-crime) [Cyber warfare](https://securityaffairs.co/wordpress/category/cyber-warfare-2) [APT](https://securityaffairs.co/wordpress/category/apt) [Data Breach](https://securityaffairs.co/wordpress/category/data-breach) [Deep Web](https://securityaffairs.co/wordpress/category/deep-web) [Digital ID](https://securityaffairs.co/wordpress/category/digital-id) [Hacking](https://securityaffairs.co/wordpress/category/hacking) [Hacktivism](https://securityaffairs.co/wordpress/category/hacktivism) [Intelligence](https://securityaffairs.co/wordpress/category/intelligence) [Internet of Things](https://securityaffairs.co/wordpress/category/iot) [Laws and regulations](https://securityaffairs.co/wordpress/category/laws-and-regulations) ----- [Malware](https://securityaffairs.co/wordpress/category/malware) [Mobile](https://securityaffairs.co/wordpress/category/mobile-2) [Reports](https://securityaffairs.co/wordpress/category/reports) [Security](https://securityaffairs.co/wordpress/category/security) [Social Networks](https://securityaffairs.co/wordpress/category/social-networks) [Terrorism](https://securityaffairs.co/wordpress/category/terrorism) [ICS-SCADA](https://securityaffairs.co/wordpress/category/ics-scada) [EXTENDED COOKIE POLICY](https://securityaffairs.co/wordpress/extended-cookie-policy) [Contact me](https://securityaffairs.co/wordpress/contact) -----