{ "id": "bc8740b4-1b2c-4496-8625-3c964a862f2f", "created_at": "2026-04-06T00:19:35.547225Z", "updated_at": "2026-04-10T03:33:49.424406Z", "deleted_at": null, "sha1_hash": "99f459338f37f1c848cbc3343d59f16eb658b7ae", "title": "New and Improved Madi Spyware Campaign Continues", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 33326, "plain_text": "New and Improved Madi Spyware Campaign Continues\r\nBy Chris Brook\r\nPublished: 2012-07-25 · Archived: 2026-04-02 10:38:13 UTC\r\nMadi, the religiously-titled spyware that was discovered last week and thought to be dead, appears to be making a\r\ncomeback, complete with updates.\r\nMadi, the religiously-titled spyware that was discovered last week and thought to be dead, appears to be making a\r\ncomeback, complete with updates.\r\nKaspersky Lab researcher Nicolas Brulez reverse-engineered the new iteration of the malware, which surfaced on\r\nWednesday. Unlike last week’s original variant of Madi however, this version doesn’t wait for instructions from\r\nthe Command and Control (C\u0026C) server and instead uploads all of the data it hijacks from users directly to the\r\nserver, Brulez wrote in a blog post on Kaspersky Lab’s Securelist.\r\nThis appears to be the largest difference between the new version and the version discovered last week as most of\r\nMadi’s code has been copied from one variant to another.\r\nNew research has deduced the spyware, first unearthed by Kaspersky and Israeli security firm Seculert, “stays\r\nsilent for two days before it starts its activities,” according to Brulez.\r\nThe latest version of Madi also has the ability to monitor the Russian social network Vkontakte (VK) along with\r\nthe Jabber messaging platform to look for users who visit websites that contain words like “USA,” “Skype,” and\r\n“gov.” With each occurrence, Madi will capture screenshots of the incident and send them to the C\u0026C server.\r\nWhile Madi’s C\u0026C server was initially linked to Iran, recent variants of the spyware, including this one, can be\r\ntraced to a C\u0026C server in Montreal.\r\nMadi was found capturing computer screens, recording audio and stealing screenshots, keystrokes, documents and\r\ne-mail correspondence from “Middle Eastern critical infrastructure engineering firms, government agencies,\r\nfinancial houses and academia.” The spyware, which sometimes is referred to as Mahdi, takes its name from\r\n“Mahdi.txt,” a malicious word document spread by the malware. The name also refers to a Shiite central religious\r\nidea that a foretold redeemer, the Mahdi, will appear before the Day of Judgment.\r\nSource: https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/\r\nhttps://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/" ], "report_names": [ "76849" ], "threat_actors": [ { "id": "322a0ef1-136b-400e-89d0-0d62ee2bd319", "created_at": "2023-01-06T13:46:38.662109Z", "updated_at": "2026-04-10T02:00:03.05924Z", "deleted_at": null, "main_name": "Madi", "aliases": [], "source_name": "MISPGALAXY:Madi", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2", "created_at": "2022-10-25T16:07:23.826594Z", "updated_at": "2026-04-10T02:00:04.760416Z", "deleted_at": null, "main_name": "Madi", "aliases": [ "Mahdi" ], "source_name": "ETDA:Madi", "tools": [ "Madi" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434775, "ts_updated_at": 1775792029, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/99f459338f37f1c848cbc3343d59f16eb658b7ae.pdf", "text": "https://archive.orkl.eu/99f459338f37f1c848cbc3343d59f16eb658b7ae.txt", "img": "https://archive.orkl.eu/99f459338f37f1c848cbc3343d59f16eb658b7ae.jpg" } }