{
	"id": "8a807c6d-679e-42f4-8d64-e4cf434fa0ec",
	"created_at": "2026-04-06T00:07:38.963776Z",
	"updated_at": "2026-04-10T03:33:49.427745Z",
	"deleted_at": null,
	"sha1_hash": "9a8c7d73e61dfcf0015fd439b6b025cd6c47f130",
	"title": "The Madi Campaign - Part I",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 742346,
	"plain_text": "The Madi Campaign - Part I\r\nBy GReAT\r\nPublished: 2012-07-17 · Archived: 2026-04-05 17:06:02 UTC\r\nFor almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted\r\nindividuals across Iran, Israel, Afghanistan and others scattered across the globe.\r\nTogether with our partner, Seculert, weve thoroughly investigated this operation and named it the Madi, based on\r\ncertain strings and handles used by the attackers. You can read the Seculert analysis post here:\r\nhttp://blog.seculert.com/2012/07/mahdi-cyberwar-savior.html”.\r\nThe campaign relied on a couple of well known, simpler attack techniques to deliver the payloads, which reveals a\r\nbit about the victims online awareness. Large amounts of data collection reveal the focus of the campaign on\r\nMiddle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia.\r\nAnd individuals within this victim pool and their communications were selected for increased monitoring over\r\nextended periods of time.\r\nThis post is an examination of the techniques used to spread the Madi malware to victim systems, the spyware\r\ntools used, and quirks about both. In some cases, targeted organizations themselves don’t want to provide further\r\nbreach information about the attack, so some perspective into the parts of the campaign can be limited.\r\nThe Arrival\r\nSocial engineering schemes to drop and run spyware\r\nThe Madi attackers rely mostly on social engineering techniques to distribute their spyware:\r\nThe first of the two social engineering schemes that define spreading activity for this surveillance campaign is the\r\nuse of attractive images and confusing themes embodied in PowerPoint Slide Shows containing the embedded\r\nMadi trojan downloaders. An “Activated Content” PowerPoint effect enables executable content within these\r\nspearphish attachments to be run automatically. These embedded trojan downloaders in turn fetch and install the\r\nbackdoor services and related “housekeeping” data files on the victim system. One example,\r\n“Magic_Machine1123.pps”, delivers the embedded executable within a confusing math puzzle PowerPoint Slide\r\nShow where the amount of math instructions may overwhelm a viewer. Note that while PowerPoint presents users\r\na dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these\r\nwarnings or takes them seriously, and just clicks through the dialog, running the malicious dropper.\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 1 of 11\n\nAnother PowerPoint Slide Show named Moses_pic1.pps walks the viewer through a series of calm, religious\r\nthemed, serene wilderness, and tropical images, confusing the user into running the payload on their system as\r\nseen below:\r\nAnd:\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 2 of 11\n\nAnd:\r\nSome of the downloaders also drop and open documents with Middle Eastern news content and religious themes\r\nas well, as seen here.\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 3 of 11\n\nSocial engineering – Right to left override (RTLO) techniques\r\nLike many pieces of this puzzle, most of the components are simple in concept, but effective in practice. No\r\nextended 0-day research efforts, no security researcher commitments or big salaries were required. In other words,\r\nattacking this set of victims without 0-day in this region works well enough.\r\nIn addition to the attractive PowerPoint Slide Shows frequently delivered within password protected zip archives,\r\nthe attackers sent out executables maintaining misleading file names using the publicly known “Right to Left\r\nOverride” technique. These file names appear to the user as image files with harmless .jpg extensions, .pdf\r\nextensions, or whatever a determined attacker might craft along with the matching file type icons, leading users to\r\nbelieve they can just click on what is not a data file, but an executable file.\r\nThe issue exists with the way Windows handles Unicode character sets. The technique has been written up here\r\nand here. Madis related incident files included filenames that appeared on victim systems as “picturcs..jpg”, along\r\nwith a common .jpg icon. But when that Unicode, or UTF-8 based filename is copied to an ANSI file, the name is\r\ndisplayed as “pictu?gpj..scr”. So some Madi victims were tricked into clicking on what they thought was a\r\nharmless .jpg, and instead ran the executable “.scr” file. A screenshot presents an example filename here, with the\r\nflawed Widows explorer display above, and the command line display below:\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 4 of 11\n\nWhen executed, these PE droppers will attempt to show misleading images or videos, once again, tricking the\r\nvictim into believing nothing is wrong. Heres a video about a missile test:\r\nAnd a nuclear explosion photo:\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 5 of 11\n\nFinding Presence\r\nThe backdoors that were delivered to approximately 800 victim systems were all coded in Delphi. This would be\r\nexpected from more amateur programmers, or developers in a rushed project. Here is a screenshot of the interface\r\nfor the admins:\r\nThe executables are packed with a recent version of the legitimate UPX packer such as UPX 3.07. Unfortunately,\r\nthat technique and quickly shifting code will get the code past some gateway security products.\r\nWhen run, most versions of the dropper create a large volume of files in c:documents and settingsPrinthood.\r\nAlong with UpdateOffice.exe or OfficeDesktop.exe (and other variations on the Office name), hundreds of mostly\r\nempty, housekeeping files are created. Heres a short list of files keeping configuration data:\r\nFIE.dll Filename extension\r\nxdat.dll Last check-in date\r\nBIE.dll Distraction filename extension\r\nSHK.dll,\r\nnam.dll\r\nVictim directory path prefix (i.e. abamo9 \u003c- this is the operator/handler name for this\r\nvictim)\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 6 of 11\n\nSIK.dll Domain check-in (i.e. www.maja.in)\r\nAlso dropped and opened are any one of several distraction images and documents. One of the documents is the\r\nJesus image posted above (dropped as encoded content within Motahare.txt), and one of the documents is a copy\r\nand paste job of an article at The Daily Beast on electronic warfare in the region, which was dropped as encoded\r\ncontent within Mahdi.txt.\r\nInfostealers are downloaded and run as iexplore.exe from within the templates directory mentioned above.\r\nFunctionality list:\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 7 of 11\n\nThe functionality in the backdoor software mirrors the options present in the configuration tool. Notice the nine\r\ndifferent options:\r\n1. 1 Keylogging\r\n2. 2 Screenshot capture at specified intervals. (see timers below)\r\n3. 3 Screenshot capture at specified intervals, initiated exclusively by a communications-related event. The\r\nevent may be that the victim is interacting with webmail, an IM client or social networking site. These\r\ntriggering sites include Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, google+, Facebook and more.\r\n4. 4 Update this backdoor\r\n5. 5 Record audio as .WAV file and save for upload\r\n6. 6 Retrieve any combination of 27 different types of data files\r\n7. 7 Retrieve disk structures\r\n8. 8 Delete and bind these are not fully implemented yet\r\nThe various operations of the backdoor are controlled by Delphi Timers, as seen below:\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 8 of 11\n\nUsing a disinfected version of Resource Hacker\r\nIt’s common behavior for malware to maintain malicious code in their resource section, decompress it on the fly\r\nand drop it to disk. Or, for attackers to modify the icons of their RTLO spearphish.\r\nThe Madi attackers maintain two copies of ResHacker (see http://www.angusj.com/resourcehacker/ ) for\r\ndistribution on their websites, embedded within files “SSSS.htm” and “RRRR.htm”. They not only created more\r\nnoise on the wire by instructing their malware to download ResHacker, a well known resource section editor, but\r\nit looks like they have had problems with virus infections on their own networks. These copies differed by one\r\nbyte. That difference is the value in the SizeofImage section, 0xdc800 in one file, and 0xde000 in the other. The\r\ndifference presents itself because both were infected with Virus.Win32.Parite.b\r\n(https://threats.kaspersky.com/en/threat/Virus.Win32.Parite.b) at some point, and then cleaned by Anti-Virus\r\nscanners. So it’s possible and likely that the attackers are bumbling through infections of their own.\r\nIndicators of compromise\r\nAll known compromised systems are known to communicate over HTTP with one of several web servers, such as:\r\n174.142.57.* (3 servers) and 67.205.106.* (one server).\r\nIn addition, ICMP PING packets are sent to these servers to check their status.\r\nThe infostealers are downloaded and executed from the c:Documents and Settings%USER%Templates folder. The\r\ndownloader itself runs from c:documents and settings%USER%Printhood, which may contain over 300 files with\r\n.PRI, .dll, and .TMP extensions. The infostealers are named “iexplore.exe”, while the downloaders maintained\r\nnames like UpdateOffice.exe or OfficeDesktop.exe.\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 9 of 11\n\nAt the time of writing, the campaign continues to be in operation and we are working with various organizations\r\nto clean up and prevent further infections. Kaspersky products detect the malware as Trojan.Win32.Madi.*; some\r\nof the older variants are detected as “Trojan.Win32.Upof.*”.\r\nRelated MD5s, not a complete list:\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n7b7abab9bc4c49743d001cf99737e383\r\na9774d6496e1b09ccb1aeaba3353db7b\r\n885fcebf0549bf0c59a697a7cfff39ad\r\n4be969b977f9793b040c57276a618322\r\nea90ed663c402d34962e7e455b57443d\r\naa6f0456a4c2303f15484bff1f1109a0\r\ncaf851d9f56e5ee7105350c96fcc04b5\r\n1fe27986d9d06c10e96cee1effc54c68\r\n07740e170fc9cac3dcd692cc9f713dc2\r\n755f19aa99a0ccba7d210e7f79182b09\r\n35b2dfd71f565cfc1b67983439c09f72\r\nd9a425eac54d6ca4a46b6a34650d3bf1\r\n67c6fabbb0534090a079ddd487d2ab4b\r\ne4eca131cde3fc18ee05c64bcdd90299\r\nc71121c007a65fac1c8157e5930d656c\r\na86ce04694a53a30544ca7bb7c3b86cd\r\n7b22fa2f81e9cd14f1912589e0a8d309\r\n061c8eeb7d0d6c3ee751b05484f830b1\r\n3ab9c5962ab673f62823d8b5670f0c07\r\n1c968a80fa2616a4a2822d7589d9a5b4\r\n1593fbb5e69bb516ae32bec6994f1e5d\r\n133f2735e5123d848830423bf77e8c20\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 10 of 11\n\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n01dc62abf112f53a97234f6a1d54bc6f\r\n18002ca6b19c3c841597e611cc9c02d9\r\n046bcf4ea8297cdf8007824a6e061b63\r\n89057fc8fedc7da1f300dd7b2cf53583\r\n461ba43daa62b96b313ff897aa983454\r\nd0dd88d60329c1b2d88555113e1ed66d\r\n9c072edfb9afa88aa7a379d73b65f82d\r\nb86409e2933cade5bb1d21e4e784a633\r\n3fc8788fd0652e4f930d530262c3d3f3\r\n15416f0033042c7e349246c01d6a43a3\r\nf782d10eab3a7ca3c4a73a2f86128aad\r\ncfd85a908554e0921b670ac9e3088631\r\nabb49a9d81ec2cf8a1fb4d82fb7f1915\r\nb2b4d7b5ce7c134df5cb40f4c4d5aa6a\r\n8b01fc1e64316717a6ac94b272a798d4\r\n81b2889bab87ab25a1e1663f10cf7e9e\r\n3702360d1192736020b2a38c5e69263a\r\n8139be1a7c6c643ae64dfe08fa8769ee\r\n331f75a64b80173dc1d4abf0d15458cc\r\n398168f0381ab36791f41fa1444633cc\r\nd6f343e2bd295b69c2ce31f6fe369af9\r\nf45963376918ed7dc2b96b16af976966\r\nPart II of this blogpost will examine the broader picture infrastructure, communications, data collection, and\r\nvictims.\r\nSource: https://securelist.com/the-madi-campaign-part-i-5/33693/\r\nhttps://securelist.com/the-madi-campaign-part-i-5/33693/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/the-madi-campaign-part-i-5/33693/"
	],
	"report_names": [
		"33693"
	],
	"threat_actors": [
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a8c7d73e61dfcf0015fd439b6b025cd6c47f130.pdf",
		"text": "https://archive.orkl.eu/9a8c7d73e61dfcf0015fd439b6b025cd6c47f130.txt",
		"img": "https://archive.orkl.eu/9a8c7d73e61dfcf0015fd439b6b025cd6c47f130.jpg"
	}
}