{ "id": "b540a483-a4b0-4bca-8c7c-48f2f4f10a2f", "created_at": "2026-04-06T00:11:26.651078Z", "updated_at": "2026-04-10T03:31:49.134Z", "deleted_at": null, "sha1_hash": "9fe27fefac95ea4f1c6381b378eb71fdd3a59024", "title": "Operation Ghoul: targeted attacks on industrial and engineering organizations", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 507551, "plain_text": "Operation Ghoul: targeted attacks on industrial and engineering\r\norganizations\r\nBy Mohamad Amin Hasbini\r\nPublished: 2016-08-17 · Archived: 2026-04-05 17:56:41 UTC\r\nIntroduction\r\nKaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly\r\nactive in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets\r\nthrough spear phishing emails that include compressed executables. The malware collects all data such as passwords,\r\nkeystrokes and screenshots, then sends it to the attackers.\r\n#OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countries\r\nTweet\r\nWe found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in\r\nmore than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the\r\nKaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back\r\nto March 2015. Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial,\r\nwhether through the victims’ banking accounts or through selling their intellectual property to interested parties, most\r\ninfiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization\r\nof commercial off-the-shelf malware makes the attribution of the attacks more difficult.\r\nIn total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoul\r\nTweet\r\nIn ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a\r\nMesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.\r\nMain infection vector: malicious emails\r\nThe following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment\r\ndocument. The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z\r\nfile with malware. In other cases, victims received phishing links. A quick analysis of the email headers reveals fake sources\r\nbeing utilised to deliver the emails to victims.\r\nMalicious attachments\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 1 of 7\n\nIn the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware\r\nexecutable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:\r\nMalware MD5 hashes\r\nfc8da575077ae3db4f9b5991ae67dab1\r\nb8f6e6a0cb1bcf1f100b8d8ee5cccc4c\r\n08c18d38809910667bbed747b2746201\r\n55358155f96b67879938fe1a14a00dd6\r\nEmail file MD5 hashes\r\n5f684750129e83b9b47dc53c96770e09\r\n460e18f5ae3e3eb38f8cae911d447590\r\nThe spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because\r\nthe attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who\r\nhave the following positions or similar:\r\nChief Executive Officer\r\nChief Operations Officer\r\nGeneral Manager\r\nGeneral Manager, Sales and Marketing\r\nDeputy General Manager\r\nFinance and Admin Manager\r\nBusiness Development Manager\r\nManager\r\nExport manager\r\nFinance Manager\r\nPurchase manager\r\nHead of Logistics\r\nSales Executive\r\nSupervisor\r\nEngineer\r\nTechnical details\r\nMalware functionality\r\nThe malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition\r\nto malware anonymity from attribution. It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:\r\nKeystrokes\r\nClipboard data\r\nFileZilla ftp server credentials\r\nAccount data from local browsers\r\nAccount data from local messaging clients (Paltalk, Google talk, AIM…)\r\nAccount data from local email clients (Outlook, Windows Live mail…)\r\nLicense information of some installed applications\r\n#OpGhoul malware collects all data such as #passwords, keystrokes and screenshots\r\nTweet\r\nData exfiltration\r\nData is collected by the attackers using primarily:\r\nHttp GET posts\r\nSent to hxxp://192.169.82.86\r\nEmail messages\r\nmail.ozlercelikkapi[.]com (37.230.110.53), mail to info@ozlercelikkapi[.]com\r\nmail.eminenture[.]com (192.185.140.232), mail to eminfo@eminenture[.]com\r\nBoth ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing\r\nand technology services.\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 2 of 7\n\nMalware command center\r\nThe malware connects to 192.169.82.86 to deliver collected information from the victim’s PC. This information includes\r\npasswords, clipboard data, screenshots…\r\nhxxp://192.169.82.86/~loftyco/skool/login.php\r\nhxxp://192.169.82.86/~loftyco/okilo/login.php\r\nThe IP address 192.169.82.86 seems to belong to a compromised device running multiple malware campaigns.\r\nVictim information\r\nVictim organizations are distributed in different countries worldwide with attackers focused on certain countries more than\r\nothers:\r\nNumber of Victim Organisations by Country\r\nCountries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden,\r\nChina, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy.\r\nVictim industry information\r\nVictim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong\r\nto the product life cycle of multiple goods, especially industrial equipment.\r\n#Manufacturing #transportation #travel targets of #OpGhoul\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 3 of 7\n\nTweet\r\nNumber of Victim Organizations by Industry Type\r\nVictim industry description\r\nIndustrial Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics\r\nEngineering Construction, architecture, automation, chemical, transport, water\r\nShipping International freight shipping\r\nPharmaceutical Production/research of pharmaceutical and beauty products\r\nManufacturing Furniture, decor, textiles\r\nTrading Industrial, electronics and food trading\r\nEducation Training centers, universities, academic publishing\r\nTourism Travel agencies\r\nTechnology/IT Providers of IT technologies and consulting services\r\nUnknown Unidentified victims\r\nThe last attack waves\r\nKaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries\r\nmore than others.\r\n#opghoul highly active in #MiddleEast\r\nTweet\r\nHundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United\r\nArab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany,\r\nIran, Egypt, Japan, Switzerland, Bahrain and Tunisia.\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 4 of 7\n\nOther attack information\r\nPhishing pages have also been spotted through 192.169.82.86, and although they are taken down quickly, more than 150\r\nuser accounts were identified as victims of the phishing links sent by the attackers. Victims were connecting from the\r\nfollowing devices and inserting their credentials, a reminder that phishing attacks do work on all platforms:\r\nWindows\r\nMac OS X\r\nUbuntu\r\niPhone\r\nAndroid\r\nThe malware files are detected using the following heuristic signatures:\r\nTrojan.MSIL.ShopBot.ww\r\nTrojan.Win32.Fsysna.dfah\r\nTrojan.Win32.Generic\r\nConclusion\r\nOperation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations,\r\nKaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments. In addition,\r\nprivileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause\r\nbehind private or corporate data leakage, reputation and financial loss.\r\nIndicators of Compromise\r\nThe following are common among the different malware infections; the presence of these is an indication of a possible\r\ninfection.\r\nFilenames and paths related to malware\r\nC:\\Users\\%UserName%\\AppData\\Local\\Microsoft\\Windows\\bthserv.exe\r\nC:\\Users\\%UserName%\\AppData\\Local\\Microsoft\\Windows\\BsBhvScan.exe\r\nC:\\Users\\%UserName%\\AppData\\Local\\Client\\WinHttpAutoProxySync.exe\r\nC:\\Users\\%UserName%\\AppData\\Local\\Client\\WdiServiceHost.exe\r\nC:\\Users\\%UserName%\\AppData\\Local\\Temp\\AF7B1841C6A70C858E3201422E2D0BEA.dat\r\nC:\\Users\\%UserName%\\AppData\\Roaming\\Helper\\Browser.txt\r\nC:\\Users\\%UserName%\\AppData\\Roaming\\Helper\\Mail.txt\r\nC:\\Users\\%UserName%\\AppData\\Roaming\\Helper\\Mess.txt\r\nC:\\Users\\%UserName%\\AppData\\Roaming\\Helper\\OS.txt\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 5 of 7\n\nC:\\ProgramData\\Mails.txt\r\nC:\\ProgramData\\Browsers.txt\r\n55358155f96b67879938fe1a14a00dd6\r\nf9ef50c53a10db09fc78c123a95e8eec\r\nb8f6e6a0cb1bcf1f100b8d8ee5cccc4c\r\n07b105f15010b8c99d7d727ff3a9e70f\r\nae2a78473d4544ed2acd46af2e09633d\r\n21ea64157c84ef6b0451513d0d11d02e\r\n08c18d38809910667bbed747b2746201\r\nfc8da575077ae3db4f9b5991ae67dab1\r\n8d46ee2d141176e9543dea9bf1c079c8\r\n36a9ae8c6d32599f21c9d1725485f1a3\r\ncc6926cde42c6e29e96474f740d12a78\r\n6e959ccb692668e70780ff92757d2335\r\n3664d7150ac98571e7b5652fd7e44085\r\nd87d26309ef01b162882ee5069dc0bde\r\n5a97d62dc84ede64846ea4f3ad4d2f93\r\n5a68f149c193715d13a361732f5adaa1\r\ndabc47df7ae7d921f18faf685c367889\r\naaee8ba81bee3deb1c95bd3aaa6b13d7\r\n460e18f5ae3e3eb38f8cae911d447590\r\nc3cf7b29426b9749ece1465a4ab4259e\r\nList of malware related domains\r\nIndyproject[.]org\r\nStudiousb[.]com\r\ncopylines[.]biz\r\nGlazeautocaree[.]com\r\nBrokelimiteds[.]in\r\nmeedlifespeed[.]com\r\n468213579[.]com\r\n468213579[.]com\r\n357912468[.]com\r\naboranian[.]com\r\napple-recovery[.]us\r\nsecurity-block[.]com\r\ncom-wn[.]in\r\nf444c4f547116bfd052461b0b3ab1bc2b445a[.]com\r\ndeluxepharmacy[.]net\r\nkatynew[.]pw\r\nMercadojs[.]com\r\nObserved phishing URLs\r\nhxxp://free.meedlifespeed[.]com/ComCast/\r\nhxxp://emailreferentie.appleid.apple.nl.468213579[.]com/\r\nhxxp://468213579[.]com/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.php\r\nhxxp://verificatie.appleid.apple.nl.referentie.357912468[.]com/emailverificatie-40985443/home/lo…\r\nhxxp://192.169.82.86/~gurgenle/verify/webmail/\r\nhxxp://customer.comcast.com.aboranian[.]com/login\r\nhxxp://apple-recovery[.]us/\r\nhxxp://apple.security-block[.]com/Apple%20-%20My%20Apple%20ID.html\r\nhxxp://cgi.ebay.com-wn[.]in/itm/2000-Jeep-Wrangler-Sport-4×4-/?ViewItem\u0026item=17475607809\r\nhxxp://https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp://2b68.f444c4f547116bfd052461b0b3ab1b\r\nhxxp://www.deluxepharmacy[.]net\r\nOther malware links\r\nMalware links observed on 192.169.82.86 dating back to March and April 2016:\r\nhxxp://glazeautocaree[.]com/proforma-invoice.exe\r\nhxxp://brokelimiteds[.]in/cdn/images/bro.exe\r\nhxxp://brokelimiteds[.]in/cdn/images/onowu.exe\r\nhxxp://brokelimiteds[.]in/cdn/images/obe.exe\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 6 of 7\n\nhxxp://brokelimiteds[.]in/wp-admin/css/upload/order.exe\r\nhxxp://brokelimiteds[.]in/wp-admin/css/upload/orders.exe\r\nhxxp://papercuts[.]info/SocialMedia/java.exe\r\nhxxp://studiousb[.]com/mercadolivrestudio/f.zip\r\nhxxp://copylines[.]biz/lasagna/gate.php?request=true\r\nFor more information on how you can protect your business from similar attacks, please visit this post from Kaspersky\r\nBusiness.\r\nSource: https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nhttps://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY", "ETDA" ], "references": [ "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/" ], "report_names": [ "75718" ], "threat_actors": [ { "id": "373f10d9-9fdb-4451-b158-da634c6bfb22", "created_at": "2024-02-06T02:00:04.148051Z", "updated_at": "2026-04-10T02:00:03.579412Z", "deleted_at": null, "main_name": "Operation Ghoul", "aliases": [], "source_name": "MISPGALAXY:Operation Ghoul", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d5919968-4173-411e-801d-9a1a3bd6a10c", "created_at": "2022-10-25T16:07:23.959228Z", "updated_at": "2026-04-10T02:00:04.808278Z", "deleted_at": null, "main_name": "Operation Ghoul", "aliases": [], "source_name": "ETDA:Operation Ghoul", "tools": [ "OpGhoul" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434286, "ts_updated_at": 1775791909, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9fe27fefac95ea4f1c6381b378eb71fdd3a59024.pdf", "text": "https://archive.orkl.eu/9fe27fefac95ea4f1c6381b378eb71fdd3a59024.txt", "img": "https://archive.orkl.eu/9fe27fefac95ea4f1c6381b378eb71fdd3a59024.jpg" } }