{
	"id": "0f61a474-03c5-46a8-a5a0-b9bb733515e3",
	"created_at": "2026-04-06T00:07:04.180754Z",
	"updated_at": "2026-04-10T03:23:52.313857Z",
	"deleted_at": null,
	"sha1_hash": "9aefa585906aff1e892415e3077f0ed9676b3265",
	"title": "Oil and Gas Industries in Middle East Targeted | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2909250,
	"plain_text": "Oil and Gas Industries in Middle East Targeted | blog\r\nBy Sudeep Singh, Sahil Antil\r\nPublished: 2020-09-29 · Archived: 2026-04-05 16:25:18 UTC\r\nCybercriminals are known to look to current events to make their schemes and campaigns more engaging and relevant to unsuspecting victims. These events don't need to be global in nature, and are often only of local or regional interest. This helps the bad actors narrow their targeting in the hope of a greater chance of success.\r\nSo when the Abu Dhabi National Oil Company (ADNOC) terminates engineering, procurement and construction (EPC) contracts it had previously awarded, attentive cybercriminals have new fodder for another scheme.\r\nSince July 2020, the Zscaler ThreatLabZ team has observed an increase in targeted attacks against multiple supply chain-related organizations in the oil and gas sector in the Middle East. We discovered multiple instances of malicious PDF files sent as email attachments that were used to distribute an information-stealing Trojan, AZORult, to these organizations.\r\nIn this blog, we describe the details of this campaign, explaining the attack vectors, the malware distribution strategy, and the threat attribution.\r\n
Distribution strategy\r\nThe attack chain begins with an email that appears to be from an official working at ADNOC and is targeted at officials working in the supply chain and government sectors in the Middle East.\r\nEach email in this campaign has an attached PDF file. This PDF contains download links on the first page that lead to legitimate file sharing sites, such as WeTransfer and mega.nz, where a ZIP archive is hosted. The ZIP archive contains a malicious, packed .NET executable that decrypts, loads, and executes the embedded AZORult binary. Figure 1 shows a graphical representation of the attack flow.\r\nFigure 1: The flow of attack\r\n
Email analysis\r\nFigure 2 shows an email message that pretends to come from a senior chemist of lab operations at ADNOC Sour Gas.\r\nhttps://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east\r\nPage 1 of 20\r\nFigure 2: A fake email sent to officials in the supply chain industry in the Middle East.\r\nIn all the cases, the emails were sent from Gmail addresses. The two Gmail addresses observed in the attacks were:\r\nsalessigma87@gmail.com\r\nprocurment.chefsfirst.com@gmail.com\r\nThe threat actor also leveraged the anonymous email service Tutanota to create accounts on the keemail.me and tuta.io domains, which were also used in this email campaign.\r\nThe PDF files attached to the emails are multipage documents (14 pages) that appear to be Requests for Quotation (RFQ) for supply contracts and legal tenders for various projects related to ADNOC and Hamad International Airport in Doha. The decoy documents are carefully crafted to appear legitimate for social engineering purposes. The first page of each document contains instructions to access the specifications and drawings using embedded download links that lead to the malicious ZIP archives described in the attack flow above.\r\nSome examples of the content in the PDFs include:\r\nPDF Filename: PI-18031 Dalma Gas Development Project (Package B) -TENDER BULLETIN-01.pdf\r\nMD5 hash: e368837a6cc3f6ec5dfae9a71203f2e2\r\nFigure 3 shows a PDF that pretends to be a legitimate Request for Quotation (RFQ) related to the Dalma gas development project. It bears the ADNOC logo at the top right, and the first page contains the malicious download links.\r\nFigure 3: The fake letter contained in the PDF associated with this attack.\r\nPDF Filename: AJC-QA HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf\r\nMD5 hash: abab000b3162ed6001ed8a11024dd21c\r\nFigure 4 shows a PDF that pretends to be a Request for Quotation for the Hamad International Airport expansion in Doha and supposedly comes from a supply chain trading contractor in Qatar.\r\nFigure 4: The fake RFQ for a local airport expansion project.\r\n
Threat attribution\r\nThe threat actor is specifically interested in Middle East targets, such as organizations in the supply chain and government sectors, especially in the United Arab Emirates (UAE) and Qatar.\r\nBased on the target recipients of the emails, the contents of the emails, and the attached PDF files, along with the metadata and infrastructure analysis, we conclude that this is a targeted attack on organizations in the Middle East.\r\n
Metadata analysis\r\nAfter investigating the metadata of the PDF files, we were able to discover several PDFs that we associate with the same threat actor. The distribution method had been used in the wild from January 2020 through May 2020 in low volume. Starting in July 2020, we observed an increase in the activity of this threat actor, returning with a new campaign.\r\nThe metadata of the PDF files indicates that they were generated using Microsoft Office Word 2013. The only two author names used across all the PDF samples were:\r\nDonor1\r\nMr. Adeel\r\nFigure 5 shows an example of the metadata for the PDF file with the MD5 hash e368837a6cc3f6ec5dfae9a71203f2e2.\r\nFigure 5: The metadata of one of the PDFs used in this campaign.\r\nThe complete list of all the PDF samples identified in this campaign is provided in the Appendix.\r\n
Infrastructure analysis\r\nIn addition to the contents of the emails and the documents that were used for threat attribution, we can also infer from the command and control (C&C) infrastructure that the threat actor specifically chose a C&C server that blends with the theme.\r\nThe C&C server in the samples we discovered was crevisoft.net.\r\nAt the time of analysis, this domain resolved to the IP address 167.114.57.136. We observed that this domain, when accessed directly, would redirect to a service consulting company from Egypt hosted at crevisoft.com, as shown in Figure 6.\r\nFigure 6: A legitimate Middle East-based site hosted at crevisoft.com.\r\nAll of the following four domains redirect to the above site:\r\ncrevisoft.net\r\ncis.sh\r\ncrevisoft.org\r\ncrevisoft.co\r\nWith a high level of confidence, we can conclude that this threat actor is interested in stealing information from, and gaining access to the infrastructure of, supply chain-related organizations located in the Middle East.\r\n
Technical analysis of the .NET payload\r\nFor the purpose of technical analysis, we will consider the .NET binary with MD5 hash 84e7b5a60cd771173b75a775e0399bc7.\r\nThis payload, which is present inside the downloaded ZIP archive, is a packed and obfuscated .NET binary.\r\nBased on static analysis, we can see that the payload pretends to be a Skype application, with spoofed metadata as shown in Figure 7.\r\nFigure 7: Metadata of the main .NET executable.\r\nUpon execution, it unpacks another payload that is embedded in the resource section. Figure 8 shows the custom algorithm that decrypts the payload using the hardcoded key “GXR20”.\r\nFigure 8: The subroutine used to decrypt the second stage .NET DLL.\r\n
Second stage\r\nFigure 9 shows the decrypted payload, which is a .NET DLL with the MD5 hash 0988195ab961071b4aa2d7a8c8e6372d and the name Aphrodite.dll.\r\nFigure 9: The unpacked and loaded second stage DLL called Aphrodite.\r\nCode execution is transferred to the DLL by creating an object of the class named “Mortiz.Anton” with the following three parameters, as shown in Figure 10:\r\nugz1: “ddLPjs” (name of the bitmap image resource)\r\nugz3: “KKBxPQsGk” (the decryption key)\r\nprojName: “Skype” (name of the project of the main executable)\r\nFigure 10: Code control passed to the Aphrodite DLL.\r\nThis DLL further unpacks another binary, which is embedded as a bitmap image in the resource section of the main executable, as shown in Figure 11.\r\nFigure 11: The bitmap image inside the resource section that contains the next stage payload.\r\nLike the second stage (Aphrodite), it is encrypted with a custom algorithm. The custom algorithm is based on XOR using the key indicated by the parameter ugz3.\r\n
Third stage\r\nThe resulting unpacked binary is a .NET DLL with MD5 hash ae5f14478d5e06c1b2dc2685cbe992c1 and the name Jupiter.\r\nCode control is transferred to the third stage DLL via a call to one of its routines, as shown in Figure 12.\r\nFigure 12: The unpacked and loaded third stage DLL called Jupiter.\r\nThis third stage DLL uses various methods to detect the presence of a virtualization or analysis environment.\r\n
Evasion techniques\r\nBelow is a summary of the methods used by this DLL to detect an analysis environment.\r\nRegistry checks:\r\nRegistry key: \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\"\r\nValue: \"Identifier\"\r\nData contains: \"VBOX\" OR \"VMWARE\" OR \"QEMU\"\r\nRegistry key: \"HARDWARE\\\\Description\\\\System\"\r\nValue: \"SystemBiosVersion\"\r\nData contains: \"VBOX\" OR \"QEMU\"\r\nRegistry key: \"HARDWARE\\\\Description\\\\System\"\r\nValue: \"VideoBiosVersion\"\r\nData contains: \"VIRTUALBOX\"\r\nChecks if key present: \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\" OR \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\"\r\nRegistry key: \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\"\r\nValue: \"Identifier\"\r\nData contains: \"VMWARE\"\r\nRegistry key: \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\"\r\nValue: \"Identifier\"\r\nData contains: \"VMWARE\"\r\nRegistry key: \"SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum\"\r\nValue: \"0\"\r\nData contains: \"VMWARE\"\r\nRegistry key: \"SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\"\r\nValue: \"DriverDesc\"\r\nData contains: \"VMWARE\"\r\nRegistry key: \"SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\Settings\"\r\nValue: \"Device Description\"\r\nData contains: \"VMWARE\"\r\nRegistry key: \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\"\r\nValue: \"InstallPath\"\r\nData contains: \"C:\\\\PROGRAM FILES\\\\VMWARE\\\\VMWARE TOOLS\\\\\"\r\nWine environment detection:\r\nChecks whether the export table of kernel32.dll contains wine_get_unix_file_name\r\nWindows Management Instrumentation (WMI) query-based checks:\r\nWMI Query: \"SELECT * FROM Win32_VideoController\"\r\nProperty: \"Description\"\r\nChecks for the presence of the following keywords in the description field:\r\n\"VM Additions S3 Trio32/64\"\r\n\"S3 Trio32/64\"\r\n\"VirtualBox Graphics Adapter\"\r\n\"VMware SVGA II\"\r\n\"VMWARE\"\r\nDLL name-based checks:\r\nChecks for the presence of a DLL named \"SbieDll.dll\" (Sandboxie) in the process address space.\r\nUsername-based checks:\r\nChecks if the system username contains any of the following strings:\r\n\"USER\"\r\n\"SANDBOX\"\r\n\"VIRUS\"\r\n\"MALWARE\"\r\n\"SCHMIDTI\"\r\n\"CURRENTUSER\"\r\nFilename or filepath-based checks:\r\nFilePath contains: \"//VIRUS\" OR \"SANDBOX\" OR \"SAMPLE\" OR \"C:\\\\file.exe\"\r\nWindow class check:\r\n\"Afx:400000:0\"\r\nAfter all the above environment checks are performed, the AZORult payload (MD5 hash: 38360115294c49538ab15b5ec3037a77) is injected, using the process hollowing technique, into a new instance of the main process.\r\nWe will not describe the functionality of the AZORult information stealer in detail, since it is already well documented in the public domain.\r\nIt is important to note that, based on the flow of code execution and the anti-analysis techniques used, the packed .NET payload appears to have been created using the CyaX packer. More details about this packer can be found here.\r\n
Network communication\r\nThe final unpacked payload, AZORult, performs information stealing on the machine and exfiltrates the information by sending an HTTP POST request to the URL hxxp://crevisoft[.]net/images/backgrounds/ob/index.php.\r\nUpon inspection, we discovered that directory listing (opendir) was enabled on the C&C server, as shown in Figure 13.\r\nFigure 13: Opendir enabled on the C&C server.\r\nThe AZORult panel on the C&C server can be accessed at the URL hxxp://crevisoft[.]net/images/backgrounds/ob/panel/admin.php.\r\nFigure 14: The AZORult panel.\r\n
PHP mailer script\r\nAmong other artifacts we discovered on the C&C server, we found a PHP mailing script deployed at hxxp://crevisoft[.]net/images/-/leaf.php.\r\nThis enables the threat actor to send emails using the C&C server’s SMTP.\r\nFigure 15: The PHP mailing script on the C&C server.\r\n
Zscaler Cloud Sandbox detection\r\nFigure 16 shows the Zscaler Cloud Sandbox successfully detecting this .NET-based threat.\r\nFigure 16: Zscaler Cloud Sandbox detection.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:\r\nWin32.PWS.Azorult\r\nWin64.PWS.Azorult\r\nPDF.Downloader.Azorult\r\n
Conclusion\r\nThis threat actor is targeting employees of supply chain companies in the oil and gas sector in the Middle East region. As always, users should be cautious when receiving unsolicited emails, even if those emails appear to be related to something they are interested in, such as a legal tender for a project that might appear relevant. And always be wary of links embedded inside file formats such as PDF, since these links could lead to the download of malicious files onto your system.\r\nThe Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.\r\n
MITRE ATT&CK TTP Mapping\r\nID | Technique | Description\r\nT1566.001 | Phishing: Spearphishing Attachment | Uses PDF attachments containing malicious URLs\r\nT1204.002 | User Execution: Malicious File | User opens the PDF file, clicks the URL link, downloads the ZIP file, extracts it and executes the binary\r\nT1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payload\r\nT1036.005 | Masquerading: Match Legitimate Name or Location | File names used relate to projects directly linked to the Middle East\r\nT1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed with a multilayer packer\r\nT1497 | Virtualization/Sandbox Evasion | Uses Registry, WMI and username-based anti-VM techniques\r\nT1134.002 | Access Token Manipulation: Create Process with Token | One of AZORult’s capabilities\r\nT1555.003 | Credentials from Password Stores: Credentials from Web Browsers | One of AZORult’s capabilities\r\nT1140 | Deobfuscate/Decode Files or Information | One of AZORult’s capabilities\r\nT1573.001 | Encrypted Channel: Symmetric Cryptography | One of AZORult’s capabilities\r\nT1083 | File and Directory Discovery | One of AZORult’s capabilities\r\nT1070.004 | Indicator Removal on Host: File Deletion | One of AZORult’s capabilities\r\nT1105 | Ingress Tool Transfer | One of AZORult’s capabilities\r\nT1057 | Process Discovery | One of AZORult’s capabilities\r\nT1055.012 | Process Injection: Process Hollowing | One of AZORult’s capabilities\r\nT1012 | Query Registry | One of AZORult’s capabilities\r\nT1113 | Screen Capture | One of AZORult’s capabilities\r\nT1082 | System Information Discovery | One of AZORult’s capabilities\r\nT1016 | System Network Configuration Discovery | One of AZORult’s capabilities\r\nT1033 | System Owner/User Discovery | One of AZORult’s capabilities\r\nT1124 | System Time Discovery | One of AZORult’s capabilities\r\nT1552.001 | Unsecured Credentials: Credentials In Files | One of AZORult’s capabilities\r\n
Indicators of compromise\r\nScheduled task names\r\nNaming convention: “Updates\\”\r\nUpdates\\YJSlNpkH\r\nUpdates\\WWOsRUUn\r\nUpdates\\NcojkRtJmDPru\r\nXML file names\r\nScheduled tasks are created using dropped XML files in the %temp% directory with random names.\r\nC:\\Users\\user\\AppData\\Local\\Temp\\tmp9AA2.tmp\r\nC:\\Users\\user\\AppData\\Local\\Temp\\tmp23B7.tmp\r\nC:\\Users\\user\\AppData\\Local\\Temp\\tmp24CC.tmp\r\nDropped filenames\r\nFiles are dropped in the “AppData\\Roaming” directory with the same name as the scheduled task.\r\nC:\\Users\\User\\AppData\\Roaming\\YJSlNpkH.Exe\r\nC:\\Users\\User\\AppData\\Roaming\\WWOsRUUn.Exe\r\nC:\\Users\\user\\AppData\\Roaming\\NcojkRtJmDPru.exe\r\n
File hashes\r\nPDF hashes\r\nAuthor: Donor1\r\ne368837a6cc3f6ec5dfae9a71203f2e2\r\n741f66311653f41f226cbc4591325ca4\r\nfe928252d87b18cb0d0820eca3bf047a\r\n8fe5f4c646fd1caa71cb772ed11ce2e5\r\nd8e3637efba977b09faf30ca49d75005\r\nc4380b4cd776bbe06528e70d5554ff63\r\n34cae3ae03a2ef9bc4056ca72adb73fc\r\n363030120a612974b1eb53cc438bafcb\r\n2710cc01302c480cd7cd28251743faf0\r\n1693f1186a3f1f683893b41b91990773\r\n7a016c37fa50989e082b7f1ca2826f04\r\n709895dd53d55eec5a556cf1544fc5b9\r\n5d9ed128316cfa8ee62b91c75c28acd1\r\nc2ac9c87780e20e609ba8c99d736bec1\r\n269cfd5b77ddf5cb8c852c78c47c7c4c\r\n653f85816361c108adc54a2a1fadadcf\r\n6944f771f95a94e8c1839578523f5415\r\n8e5c562186c39d7ec4b38976f9752297\r\n3d019ede3100c29abea7a7d3f05c642b\r\n67f178fd202aee0a0b70d153b867cb5e\r\n39598369bfca26da8fc4d71be4165ab4\r\n70a92fdba79eaca554ad6740230e7b9a\r\n9db3d79403f09b3d216ee84e4ee28ed3\r\nbafdeef536c4a4f4acef6bdea0986c0b\r\n8d7785c8142c86eb2668a3e8f36c5520\r\n653e737fd4433a7cfe16df3768f1c07e\r\nebdcb07d3de1c8d426f1e73ef4eb10f4\r\nd258ba34b48bd0013bfce3308576d644\r\na74c619fd61381a51734235c0539e827\r\n6f1bd3cb6e104ed6607e148086b1e171\r\ncf04d33371a72d37e6b0e1606c7cd9a2\r\nede5fa9b9af1aeb13a2f54da992e0c37\r\n5321cd5b520d0d7c9100c7d66e8274e1\r\nde521f9e4bc6e934bb911f4db4a92d36\r\n36e5726399319691b6d38150eb778ea7\r\n1c5cb47fd95373ade75d61c1ae366f8b\r\nb7b41d93709777780712f52a9acf7a26\r\n62a05b00c7e7605f7b856c05c89ee748\r\nb520f4f9d87940a55363161491e69306\r\n40c1156d98c39ac08fd925d86775586d\r\n
Author: Mr. Adeel\r\nf2319ddb303c2a5b31b05d8d77e08b4e\r\n24e67f40ccb69edb88cc990099ef2ffe\r\n54fc7650a8b5c1c8dc85e84732a6d2c7\r\n9cf615982d69d25b1d0057617bd72a95\r\ne9dfa14e4f6048b6f3d0201b2f3c62fe\r\nabab000b3162ed6001ed8a11024dd21c\r\n5c857bf3cf52609ad072d6d74a4ed443\r\n73ddf9f8fc3dc81671ea6c7600e68947\r\n3510cbf8b097e42745cfb6782783af2b\r\n694a6568b7572125305bdb4b24cebe98\r\n7fa5028f2394dcea02d4fdf186b3761f\r\n2260d015eacdc14e26be93fbc33c92aa\r\nd51d5e4c193617fa676154d1fe1d4802\r\n912dbb9e0400987c122f73e0b11876c0\r\n0f4cd9e8111d4eeda89dbe2ce08f6573\r\nd03fb3e473bd95c314987a1b166a92ed\r\n549a06cb43563dad994b86e8f105323a\r\n80149a26ee10786d6f7deaf9fb840314\r\nc7ced41f38b2d481d1910663a14fbec4\r\n3ce6cc6dee4563eb752e55103cdb84d4\r\n
ZIP hashes\r\n6d0241bc7d4a850f3067bc40124b3f52\r\ncdfde809746759074bcd8ba54eb19ccd\r\n40b5976eb7ddd1d372e34908f74ba0c4\r\n93c8ed2915d8a3ff7285e0aa3106073e\r\n2b719eeca275228fbead4c1d3016b8e4\r\nExe hashes\r\n42aec0b84a21fa36fc26b8210c197483\r\n02ae44011006e358a3b1ccbd85ba01f2\r\n131772a1bb511f2010da66c9c7dca32f\r\n7860c138e3b8f40bfb6efec08f4a4068\r\n3bcbe4d2951987363257a0612a107101\r\n328aa4addb7e475c3721e2ae93391446\r\n84e7b5a60cd771173b75a775e0399bc7\r\n3c83b0fe45e15a2fd65ed64a8e1f65e9\r\nf626e64f57d3b8c840a72bbfbe9fb6ca\r\nfcf7a9b93cffddf0a242a8fc83845ee3\r\nUnpacked file hashes\r\n0988195ab961071b4aa2d7a8c8e6372d - Aphrodite\r\nae5f14478d5e06c1b2dc2685cbe992c1 - Jupiter\r\n38360115294c49538ab15b5ec3037a77 - AZORult\r\n
Unique PDF file names\r\nAuthor: Donor1\r\nRFQ #88556524.pdf\r\nADNOC RFQ 97571784 - Purchase - core store Mussafah - Tehnical and Commercial.pdf\r\nALJABER-GROUP-RFQ-38982254237312018-848000071984-03-19-Rev-1.1.pdf\r\nDalma Gas Development Project (Package B) -TENDER BULLETIN-01.pdf\r\nRFQ-VENDOR 3 YEARS SUPPLY CONTRACT (RENEWAL OF LTPA 62431092).pdf\r\nAuthor: Mr. Adeel\r\nRFQ-ALJ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf\r\nRFQ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA QATAR.pdf\r\nRFQ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf\r\nRFQ#ENQ34640-ALJ24.pdf\r\nAJC-QA HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf\r\nC&C servers\r\nhxxp://crevisoft[.]net/images/backgrounds/ob/index.php\r\nhxxp://nsseinc[.]com/lingo/index.php\r\nEmail address\r\nsalessigma87@gmail.com\r\n
ZIP hosted URLs:\r\nAuthor of PDF: Donor1\r\nhxxps://we[.]tl/t-lBcWz3Rcbs\r\nhxxps://mega[.]nz/#!Ov41xapb!M-COPorpfcQ7j1G61afFVruLbDVwzNfujRIwERqlIQw\r\nhxxps://we[.]tl/t-P2Lt34YUcf\r\nhxxps://we[.]tl/t-7XwI9xNjQj\r\nhxxps://we[.]tl/t-AgAdhMTWIm\r\nhxxps://mega[.]nz/file/fkImWKab#zvyeMmsYgGiu-hK-FT0o4OBozg0r4gWPRUtAr6iRvwM\r\nhxxps://we[.]tl/t-utJr50o6uf\r\nhxxp://bit[.]ly/32qQFah\r\nhxxps://mega[.]nz/file/zsIB2aLK#pyTNpp8H4pZhpq0i7w0OB8itu3Rj_02n9BksARDrlzc\r\nhxxps://mega[.]nz/#!nrozSBoL!Pc5ApemPW46RC8b0kgiTIyuIa0MnQV9GDUPXGK8__LM\r\nhxxps://we[.]tl/t-TbbBN9VnEZ\r\nhxxps://mega[.]nz/#!KuRElKZT!5F_FfxkyPI7tvJ-mnL7LppAU5X5wA1XbpTM-z8DpVB8\r\nhxxps://mega[.]nz/file/q55WVIKB#zm3CTH6XEv63mwacATKpo2AMe7yjFmp-KpQXUBkhZJ4\r\nhxxp://bit[.]ly/3a3CwSX\r\nhxxps://we[.]tl/t-MFcMWYK7HL\r\nhxxps://mega[.]nz/#!Tmw0EK5Q!zSLa_Ell7Ti5sz-ca-plgqc4vZM7S813Hb9Yk5Jk81Y\r\nhxxps://we[.]tl/t-0NlciPHf5y\r\nhxxps://mega[.]nz/#!y6w1BAqS!DMfA221sRvIyqVqPNhsKMZEAtBNkjY_jLUWEmCpxMfo\r\nhxxps://mega[.]nz/#!j2JSwQYb!LaAP2L2WBKLU3DlR6BViQxZ4b8fsmt53Hl3RKHMfb4w\r\nhxxps://mega[.]nz/file/Ptp1CL6R#EvbG9Gh435cDmmXXyU1_l4dM3Bq9fP2B8VdjirGiK_c\r\nhxxps://we[.]tl/t-feLBFQVV1P\r\nhxxps://we[.]tl/t-ad5X6peqHj\r\nhxxps://www[.]dropbox[.]com/s/cym2723azwnb364/ADNOC%202020%20REQUEST%20FOR%20QUOTATION-REQUEST%20FOR%20TENDER%20CODE%2076384_pdf[.]zip?dl=0\r\nhxxps://we[.]tl/t-uwwupT1WNc\r\nhxxps://mega[.]nz/#!K6xgGCYJ!1cJY91IlILLrGGrDVVrkbb7vNRKL9CAFD4tB9_jP8ts\r\nhxxps://mega[.]nz/#!yrBGmQBA!EhgekpU4VUafMvfJKlNVFej1KsgxYWv1mfzCKXejjEc\r\nhxxps://we[.]tl/t-ZcyzrvcBkP\r\nhxxps://mega[.]nz/file/GpB3VIyS#3-tKCJ8d-y782IN0570wHMMKQ244ttzBRpUmFXh6LZQ\r\nhxxps://mega[.]nz/#!OvJFjQaY!UBgEDtTE_Gn4B4vYrn-d7rYeO5CBMTxt83NyXQGWh0E\r\nhxxps://mega[.]nz/file/G5YmjCYJ#jvqrZX2ZLXn3SAI9nzf8w6mWtxTM4_fwx7VzHdqzfqM\r\nhxxps://mega[.]nz/#!zygWnKAS!5kp8IWNec2HK-YPK2gk-hmLa416PZLtr6VpbNZediSk\r\nhxxps://mega[.]nz/#!uu40wQxJ!HXlLJw7KDJgqnpwCzgrnBt9vu_W1-FZlSIvn0JU5rDw\r\nhxxps://mega[.]nz/#!66hWzACL!_6klTwfD-JaSkwjWrKRIBqX1ghXr-SZGk1Utc2-VJPc\r\nhxxps://www[.]aljaber-llc[.]com/projects/files/ALJABER-RFQ-38982254237312018-848000071984-04-23-Rev-1[.]1[.]zip\r\nhxxps://we[.]tl/t-cJa4jY9Egz\r\nhxxps://we[.]tl/t-Out44emJ9t\r\nhxxps://we[.]tl/t-QuCLQY3cTh\r\nhxxps://we[.]tl/t-nMKuKWbMlE\r\nhxxps://mega[.]nz/file/f1RTVa4A#2uGmQV64RKkNYZEECYXFKjGPS-nalF2ZshufSgqsA_k\r\nhxxps://we[.]tl/t-oAkwGNORsR\r\nhxxps://we[.]tl/t-cFvm5QQlyV\r\nhxxps://www[.]dropbox[.]com/s/5b0bti9r6xhf3pq/ADNOC%202020%20REQUIREMENT%20TENDER%20RFQ%2056774387_PDF\r\ndl=0\r\nhxxps://we[.]tl/t-Didobux8kG\r\nhxxps://we[.]tl/t-FkBOHwy1ME\r\nhxxps://mega[.]nz/file/u7xRlS7T#I8L3NL_zi-JizZagSF-E1Gcj5I8ednV6YdqyWs5RnNo\r\nhxxps://we[.]tl/t-XsVO5hewBu\r\n
Author of PDF: Mr. Adeel\r\nhxxps://we[.]tl/t-NwSigkLd2E\r\nhxxps://we[.]tl/t-wQB6ioE8dL\r\nhxxps://we[.]tl/t-u3NL7Wnplr\r\nhxxps://we[.]tl/t-zC6Wz4CpfZ\r\nhxxps://we[.]tl/t-5wQSJsFUlC\r\nhxxps://we[.]tl/t-egfvdBvESW\r\nhxxps://we[.]tl/t-2a9aq4LJSn\r\nhxxps://we[.]tl/t-4BnTk2Hwiv\r\nhxxps://we[.]tl/t-hSqtTJDi1f\r\nhxxps://we[.]tl/t-1VyVEAtzAf\r\nhxxps://we[.]tl/t-E1iDs5Bghr\r\nhxxps://we[.]tl/t-YlbV0AIU5b\r\nhxxps://we[.]tl/t-1yLti4IfaN\r\nhxxps://we[.]tl/t-dGN9sRTnch\r\nhxxps://we[.]tl/t-spOqYklJIQ\r\nhxxps://we[.]tl/t-cunxjPBouY\r\nhxxps://we[.]tl/t-39SvbwCY2E\r\nhxxps://we[.]tl/t-9RVc3dflK6\r\nhxxps://we[.]tl/t-aBUVx3EMdx\r\nhxxps://we[.]tl/t-XdOjUbrcK8\r\nhxxps://we[.]tl/t-MkUZugwABd\r\nhxxps://we[.]tl/t-ikxwkPtSBi\r\nhxxps://we[.]tl/t-1hWeuMe1h7\r\nhxxps://we[.]tl/t-2L7ajlJSCG\r\nhxxps://we[.]tl/t-HZygDd5TUJ\r\nhxxps://we[.]tl/t-MtgNnMbTij\r\nSource: https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east"
	],
	"report_names": [
		"targeted-attacks-oil-and-gas-supply-chain-industries-middle-east"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9aefa585906aff1e892415e3077f0ed9676b3265.pdf",
		"text": "https://archive.orkl.eu/9aefa585906aff1e892415e3077f0ed9676b3265.txt",
		"img": "https://archive.orkl.eu/9aefa585906aff1e892415e3077f0ed9676b3265.jpg"
	}
}