{
	"id": "98c13951-ddbe-4fcb-8b91-1589e798f841",
	"created_at": "2026-04-06T00:09:57.54223Z",
	"updated_at": "2026-04-10T03:22:13.525632Z",
	"deleted_at": null,
	"sha1_hash": "b3cbdaf74c71e3e2c91e68a8e1d6bda5db92acd0",
	"title": "Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2821453,
	"plain_text": "Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures\r\nBy Peter Girnus, Aliakbar Zahravi\r\nPublished: 2023-01-17 · Archived: 2026-04-05 20:49:24 UTC\r\nMalware\r\nWe discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.\r\nBy: Peter Girnus, Aliakbar Zahravi Jan 17, 2023 Read time: 5 min (1249 words)\r\nWhile threat hunting, we found an active campaign using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, which we have labeled Earth Bogle, the threat actor uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.\r\nNjRAT (also known as Bladabindi) is a remote access trojan (RAT) malware first discovered in 2013. It is primarily used to gain unauthorized access and control over infected computers and has been used in various cyberattacks to target individuals and organizations in the Middle East. Users and security teams are recommended to keep their systems’ security solutions updated and their respective cloud infrastructures properly secured to defend against this threat.\r\nRoutine\r\nhttps://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html\r\nPage 1 of 12\n\nFigure 1. Attack kill chain\r\nThe malicious file is hidden inside a Microsoft Cabinet (CAB) archive file masquerading as a “sensitive” audio file, named using a geopolitical theme as a lure to entice victims to open it. The distribution mechanism could be via social media (Facebook and Discord appear to be favored among these campaigns), file sharing (OneDrive), or a phishing email. 
The malicious CAB file contains an obfuscated VBS (Visual Basic Script) dropper responsible for delivering the next stage of the attack.\r\nOnce the malicious CAB file is downloaded, the obfuscated VBS script runs to fetch the malware from a compromised or spoofed host. It then retrieves a PowerShell script responsible for injecting NjRAT into the compromised victim’s machine.\r\nUse of Middle Eastern Geopolitical Themes as Lures\r\nThe initial CAB files have exceptionally low detection rates on VirusTotal (SHA256: a7e2b399b9f0be7e61977b51f6d285f8d53bd4b92d6e11f74660791960b813da and 4985b6e286020de70f0b74d457c7e387463ea711ec21634e35bc46707dfe4c9b), which allows the attackers to remain undetected and spread their attack across the region. The group behind the campaign uses public cloud hosting services to host malicious CAB files and uses themed lures to entice Arabic speakers into opening the infected file.\r\nFigure 2. Malicious CAB file hosted on cloud sharing services\r\nOne of the malicious CAB files’ filename translates to “A voice call between Omar, the reviewer of the command of Tariq bin Ziyad’s force, with an Emirati officer.cab”. The attacker uses the lure of a supposedly sensitive voice call between an Emirati military officer and a member of the Tariq bin Ziyad (TBZ) Militia, a powerful Libyan faction. The file lures victims in the region into opening it by insinuating a false link between the UAE and a group associated with war crimes, appealing to political interests and emotions. 
These lures are consistent with a campaign disclosed in December 2022 that used Facebook advertisements on spoofed Middle Eastern news outlets’ pages, which were shared and pushed to other users by unsuspecting mules.\r\nThis malicious CAB file contains an obfuscated VBS script that functions as the agent responsible for delivering the next payload. When a victim opens the malicious CAB file and runs the VBS file, the second stage payload is retrieved.\r\nDelivering the PowerShell Payload\r\nThe second stage payload is an obfuscated VBS script file masquerading as an image file (SHA256: 6560ef1253f239a398cc5ab237271bddd35b4aa18078ad253fd7964e154a2580). When this malicious file is run, a malicious PowerShell script is retrieved.\r\nFigure 3. Malicious VBS file fetches malicious PowerShell script\r\nFigure 4. Deobfuscated VBS script\r\nThe domain delivering the malicious PowerShell script is an infected or spoofed host with documented affiliations with the Libyan Army, and a quick check on the domain gpla[.]gov[.]ly shows it was registered in 2019.\r\nFigure 5. Whois information of gpla[.]gov[.]ly\r\nSimilar campaigns have suggested the creation, use, and abuse of fake social media accounts claiming to belong to reputable organizations to serve advertisements with links to public cloud sharing platforms which contain malicious payloads to unsuspecting victims. This allows the threat actors to:\r\n1. Infect users directly through clicks on these malicious links.\r\n2. 
Use geopolitical-themed lures and abuse social sharing features to deliver malicious payloads and spread to a wider audience.\r\nWe also noted that the domain gpla[.]gov[.]ly has a history of compromise going back to at least 2021.\r\nFigure 6. Previously defaced page of gpla[.]gov[.]ly (Screenshot taken from Zone-h)\r\nSecond Stage Dropper Overview\r\nThe second stage dropper (SHA256: 78ac9da347d13a9cf07d661cdcd10cb2ca1b11198e4618eb263aec84be32e9c8) is an obfuscated PowerShell script that drops five files in total: two binaries, a VBS script, a PowerShell script, and a Windows batch script.\r\nEach module has the following functionality:\r\nPayload_1: Process injector\r\nPayload_2: NjRAT\r\ngJhkEJvwBCHe.vbs: Executes rYFFCeKHlIT.bat\r\nrYFFCeKHlIT.bat: Executes KxFXQGVBtb.ps1\r\nKxFXQGVBtb.ps1: Loads Payload_1 and Payload_2 into memory and injects NjRAT into aspnet_compiler.exe via Payload_1\r\nUpon execution, the second stage dropper kills the .NET-related processes shown in Figure 7 on the infected system, after which “KxFXQGVBtB.ps1” executes “aspnet_compiler.exe” in conjunction with the process injector to inject NjRAT.\r\n[Reflection.Assembly]::Load($MyS).GetType('NewPE2.PE').'GetMethod'('Execute').Invoke($null, {[OBJECT[]]}, ($JKGHJKHGJKJK,$serv));\r\nFigure 7. Terminate various legit .NET-related processes\r\nThe dropper further drops \"rYFFCeKHlIT.bat\" in C:\\Users\\Public and creates a directory called \"WindowsHost\" in C:\\ProgramData\\ to store the VBScript file \"gJhkEJvwBCHe.vbs\". 
On deobfuscation, gJhkEJvwBCHe.vbs runs the rYFFCeKHlIT.bat file, which is responsible for executing another PowerShell script called \"KxFXQGVBtb.ps1\" with the PowerShell execution policy bypass flag.\r\nFigure 8. Further dropping rYFFCeKHlIT.bat and executing a PowerShell script that contains a bypass\r\nFigure 9. Deobfuscated gJhkEJvwBCHe.vbs\r\n\"KxFXQGVBtB.ps1\" is the final PowerShell dropper responsible for loading the NjRAT binary into memory and injecting it into the legitimate .NET binary file called \"aspnet_compiler.exe\" via the process injector. The PowerShell script uses the \"[Reflection.Assembly]::Load\" method to load the process injector ($Mys) into memory. It then invokes a method called 'Execute' with two parameters. The first parameter is the full path to the PE file to inject into (\"C:\\Windows\\Microsoft.NET\\Framework\\\u003cVERSION\u003e\\aspnet_compiler.exe\"), and the second parameter is the primary payload NjRAT ($serv).\r\nFigure 10. NjRAT loader/injector\r\nFigure 11. The deobfuscated KxFXQGVBtB.ps1 shows NjRAT ($serv) being injected into the aspnet_compiler.exe process via the NewPE32.PE ($Mys) process injector.\r\nThe following snippet demonstrates the process injector functions. The file has been obfuscated via SmartAssembly:\r\nFigure 12. 
PE injector overview\r\nThe final payload of this campaign is NjRAT, allowing attackers to conduct a myriad of intrusive activities on infected systems such as stealing sensitive information, taking screenshots, getting a reverse shell, manipulating processes, the registry and files, uploading/downloading files, and performing other operations.\r\nFigure 13. NjRAT configuration\r\nThe dropper achieves persistence on an infected system by pointing the Startup entries of the \"User Shell Folders\" and \"Shell Folders\" registry keys to the directory C:\\ProgramData\\WindowsHost.\r\nFigure 14. Malware persistence techniques\r\nConclusion\r\nThis case demonstrates that threat actors will leverage public cloud storage as malware file servers, combined with social engineering techniques appealing to people’s sentiments, such as regional geopolitical themes as lures, to infect targeted populations. Furthermore, governments weakened by regional conflict are at a higher risk for compromise, wherein threat actors and advanced persistent threat (APT) groups could compromise and use government infrastructure in targeted campaigns. This is compounded by the ability to share cloud storage content via advertising and social media, presenting an opportunity for threat actors and APT groups to reach a wider infection radius.\r\nOrganizations can protect themselves by remaining vigilant against phishing attacks and skeptical regarding sensational topics and themes abused online as lures. Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risks of compromise are high. 
Security teams should be aware of the dynamic nature of conflict zones when considering a security posture. Organizations can also consider a cutting-edge multilayered defensive strategy using products that can detect, scan, and block malicious URLs.\r\nIndicators of Compromise (IOCs)\r\nDownload the full list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html"
	],
	"report_names": [
		"earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3cbdaf74c71e3e2c91e68a8e1d6bda5db92acd0.pdf",
		"text": "https://archive.orkl.eu/b3cbdaf74c71e3e2c91e68a8e1d6bda5db92acd0.txt",
		"img": "https://archive.orkl.eu/b3cbdaf74c71e3e2c91e68a8e1d6bda5db92acd0.jpg"
	}
}