{
	"id": "9a6705c4-0556-4d85-a3e0-8ec882c9c363",
	"created_at": "2026-04-07T14:43:36.877246Z",
	"updated_at": "2026-04-10T03:35:19.869293Z",
	"deleted_at": null,
	"sha1_hash": "d87a7ae6dd43bd74ef22894aac7bed0cff34291e",
	"title": "EvilPlayout: Attack Against Iran’s State Broadcaster",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182298,
	"plain_text": "EvilPlayout: Attack Against Iran’s State Broadcaster\r\nBy itayc\r\nPublished: 2022-02-18 · Archived: 2026-04-07 14:20:08 UTC\r\nIn the past few months, a new wave of cyberattacks has been flooding Iran. These attacks are far from minor website\r\ndefacements – the recent wave is hitting national infrastructure and causing major disruptions to public services.\r\nThis article provides an in-depth technical analysis of one of the attacks against the Iranian national media corporation,\r\nIslamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.\r\nKey findings\r\nOn January 27, Iranian state broadcaster IRIB became the subject of a targeted cyberattack that resulted in several\r\nstate-run TV channels broadcasting footage of opposition leaders and calling for the assassination of the supreme\r\nleader. The Check Point Research team investigated this attack and was able to retrieve the files and forensic evidence\r\nrelated to the incident from publicly available resources.\r\nWe found malicious executables whose purpose was to air the protest message; in addition, we discovered evidence\r\nthat wiper malware was used. This indicates that the attackers’ aim was also to disrupt the state’s broadcasting\r\nnetworks, with the damage to the TV and radio networks possibly more serious than officially reported.\r\nAmong the tools used in the attack, we identified malware that takes screenshots of the victims’ screens, several\r\ncustom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious\r\nexecutables. 
We could not find any evidence that these tools were used previously, or attribute them to a specific\r\nthreat actor.\r\nIn this article, we provide a technical analysis of the tools related to the attack, as well as the attackers’ tactics.\r\nBackground\r\nCyberattacks Hit Iran\r\nIn July 2021, an attack hit the Iranian national railway and cargo services, and caused “unprecedented disruptions” to the\r\ncountry’s trains. Just a day later, media outlets reported that the website of Iran’s Ministry of Roads and Urban\r\nDevelopment, in charge of transportation, was taken down in a ‘cyber disruption’, preventing access to their official portal\r\nand sub-services. As if forcing railway employees to update the train schedule manually – across all train stations – wasn’t\r\nenough, the message displayed on the train schedule boards referred perplexed passengers to the Supreme Leader’s office\r\nphone number. The previously unknown group called ‘Predatory Sparrow’ quickly claimed responsibility for the attacks.\r\nIn addition, Check Point Research investigated these attacks and the tools they deployed, and found that similar tactics and\r\ntechniques were used in previous operations against private companies in Syria, linking all of those attacks to an anti-regime\r\ngroup called Indra.\r\nSince then, cyberattacks have continued to hit national Iranian entities. Inspecting the targets, it appears that each one was\r\ncarefully selected to send a tailored message. In August 2021, the hacktivist group Tapandegan, previously known for\r\nhacking and displaying protest messages on the electronic flight arrival and departure boards in the Mashad and Tabriz\r\ninternational airports in 2018, released security camera footage from the Evin prison, a Tehran facility in which many\r\npolitical prisoners are held. The videos, which show prisoner abuse, were acquired by a group called Edalat-e Ali (‘Ali’s\r\njustice’) in protest against human rights violations. 
In October 2021, every gas station in Iran was paralyzed by an attack that\r\ndisrupted the electronic payment process. The incident led to extremely long queues at gas stations for two days and\r\nhttps://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\r\nPage 1 of 16\n\nprevented customers from paying with the government-issued electronic cards used to purchase subsidized fuel. When the\r\ncard was swiped for payment, the Supreme Leader office phone number appeared on the screen, taunting the highest ranking\r\noffice in the regime yet again. Iranian officials claimed that foreign actors, such as Israel and the US, were behind the attack.\r\nHowever, Predatory Sparrow claimed responsibility for this attack as well.\r\nIn November 2021, Iranian airline Mahan Air announced that it foiled an attempted attack against its internal systems, with\r\nno harm done. Curiously, this time a group called ‘Hooshyaran-e Vatan’ (Vigilant of the Nation) claimed responsibility, and\r\nover the next two months published documents allegedly stolen in the hack that link the airline to the IRGC (Islamic\r\nRevolutionary Guard Corps).\r\nRecently, on February 7, 2022, the Edalat-e Ali group released footage from closed-circuit cameras in another Iranian prison,\r\nGhezel Hesar.\r\nFigure 1 – Timeline of latest cyberattacks in Iran.\r\nThe Voice and Vision of the Islamic Republic of Iran\r\nOn January 27, only two weeks before the anniversary of the 1979 Islamic Revolution, reports were published that the IRIB,\r\nIran’s national broadcaster, was hacked. The Islamic Republic of Iran Broadcasting, also called ‘The Voice and Vision of the\r\nIslamic Republic of Iran’, is a state-operated monopoly in charge of all radio and television services in Iran. 
The cyberattack\r\nresulted in state-run TV channels broadcasting what was described by IRIB officials as “the faces and voices of hypocrites.”\r\n‘Hypocrites’ is a term used by the Iranian regime to refer to the Mujahedin-e-Khalq (MEK, also called the People’s\r\nMujahedin of Iran), an exiled militant organization and the biggest political opposition group, which advocates overthrowing\r\nthe current regime and installing its own government, relying on an alternative interpretation of Islam. In the hijacked video,\r\nthe faces of MEK leaders Maryam and Masoud Rajavi appeared, followed by the image of Ayatollah Khamenei crossed out\r\nwith red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!” The deputy head of technical\r\naffairs for IRIB, Reza Alidadi, stated that “only the owners of the technology in use by the corporation would have been able\r\nto carry out an attack relying on the system features installed on the systems and the exploited backdoor.” He further stated\r\nthat similar attacks have hit other state-operated radio channels.\r\nFigure 2 – Frame from the video with the opposition leaders’ faces broadcast by state-run Iranian TV channels as a\r\nresult of the cyber attack.\r\nAlthough not part of this investigation, it is worth mentioning that several days later, on February 1, the web-based\r\nstreaming platform of IRIB, Telewebion, was hijacked yet again to broadcast protest messages urging citizens to rise up\r\nagainst the Supreme Leader and stating that “the regime’s foundations are rattling”. Cleverly, the incident took place in the\r\nmiddle of a live broadcast of the Iran-UAE soccer match. This time, the politically motivated group Edalat-e Ali, responsible for\r\nthe attacks targeting prison facilities’ security cameras, claimed responsibility. 
This claim is plausible, as the video broadcast\r\nduring the hack features the group’s logo in the top left corner.\r\nIRIB attack artifacts\r\nAccording to Iranian state-run news network Akharin Khabar (Latest News), “the technical and broadcasting systems are\r\ncompletely isolated, they are equipped with acceptable security protocols and are not accessible via the Internet.” In the\r\nsame post, it was reported that security forces associated with the regime’s state broadcasting network considered sabotage\r\nas the most likely scenario, with the Iranian officials calling the attack “extremely complex.”\r\nIt is still not clear how the attackers gained initial access to these networks. We were able to retrieve only the files related to\r\nthe later stages of these attacks, responsible for:\r\nEstablishing backdoors and their persistence.\r\nLaunching the “malicious” video or audio track.\r\nInstalling the wiper malware in an attempt to disrupt operations in the hacked networks.\r\nAll of these samples were uploaded to VirusTotal (VT) from multiple sources, mostly with Iranian IPs, and included short\r\nbatch scripts that install or launch payloads, several forensic artifacts like Windows Event Log files or memory dumps, and\r\nthe payloads themselves. The latter are mostly .NET executables, with no obfuscation but a timestomped compilation date in\r\nthe future. In addition to having the same language and the same VT submitters, these files also share other similarities, such\r\nas PDB paths, common commands, names, code reuse, and general coding style.\r\nHijacking broadcast signals\r\nFrom the MP4 video file that was used to interrupt the TV stream, and was uploaded to VT as TSE_90E11.mp4 , we were\r\nable to pivot to other artifacts related to the broadcast hijacking, supposedly run on servers that broadcast TV programs\r\n(playouts). 
To play the video file, the attackers used a program called SimplePlayout.exe , a .NET-based executable\r\ncompiled in debug mode with the PDB path c:\\work\\SimplePlayout\\obj\\Debug\\SimplePlayout.pdb . This executable has a\r\nsingle functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.\r\nFigure 3 – Part of the SimplePlayout code using MPlatform SDK to play the video file.\r\nFirst, the SimplePlayout program looks for a configuration file called SimplePlayout.ini which contains two lines: the\r\nvideo file path, and a number representing the video format. The respective SimplePlayout.ini file uploaded together with\r\nSimplePlayout specifies the values that correspond to the MP4 file located at c:\\windows\\temp\\TSE_90E11.mp4 and a video\r\nformat of HD 1080i with a refresh rate of 50 Hz.\r\nTo kill the video stream already playing, the attackers used a batch script called playjfalcfgcdq.bat . It kills the running\r\nprocess and deletes the executable of TFI Arista Playout Server, software that the IRIB is known to use for\r\nbroadcasting, and subsequently uninstalls the Matrox DSX driver, a part of the software for media processing in\r\nvirtualized broadcast infrastructures.\r\nTo combine all the malicious components, another script, layoutabcpxtveni.bat , does several things:\r\nRenames the MP4 video file located at c:\\windows\\temp\\TSE_90E11.003 to TSE_90E11.mp4 . This file was probably\r\ndropped there by one of the backdoors, which we discuss later.\r\nKills the running process of QTV.CG.Server.exe , possibly a part of the Autocue QTV broadcasting software, and\r\noverwrites the original server located at D:\\CG 1400\\QTV.CG.Server.exe with SimplePlayout, the tool used by the\r\nattackers to play their video.\r\nCopies c:\\windows\\SimplePlayout.exe to SimplePlayout.ini in the same directory where QTV.CG.Server.exe\r\nresides. 
At least this sample of the batch script contains a typo, as the actors probably meant to copy\r\nSimplePlayout.ini next to the malicious executable.\r\nRuns SimplePlayout.exe from both the initial and replaced locations.\r\nIn another set of related artifacts that we discovered, the attackers utilize a WAV file containing the 25-second audio track\r\ntitled TSE_90E11.001 , similar to the file name of the MP4 file used in the hijacked TV stream. An executable called\r\nAvar.exe is based on NAudio, an open-source .NET audio library, and is responsible for playing the WAV file. Unlike\r\nSimplePlayout.exe , Avar.exe does not rely on a configuration file. Instead, it contains the path to the WAV file\r\nhardcoded as C:\\windows\\temp\\TSE_90E11.001 . After it executes, Avar.exe attempts to enumerate all active\r\naudio devices and play the WAV file on each one.\r\nFinally, a batch script named avapweiguyyyw.bat puts the pieces together. It kills a process called ava.exe and replaces\r\nthe executable at C:\\Program Files\\MIT\\AVA\\ava.exe with Avar.exe . The use of the name Ava in the files and folders\r\nmight suggest that these files were intended for IRIB’s AVA radio, although the fact that it was also impacted by this attack has\r\nnot been confirmed officially.\r\nThe Wiper\r\nWe found two identical .NET samples named msdskint.exe whose main purpose is to wipe the computer’s files, drives,\r\nand MBR. This can also be deduced from the PDB path: C:\\work\\wiper\\Wiper\\obj\\Release\\Wiper.pdb . 
In addition, the\r\nmalware has the capability to clear Windows Event Logs, delete backups, kill processes, change users’ passwords, and more.\r\nBoth samples were uploaded to VT by the same submitters and in the same timeframe as the previously discussed artifacts.\r\nFigure 4 – Overview of the wiper capabilities.\r\nThe wiper has three modes for corrupting files, and in each it fills the bytes with random values:\r\ndefault – Overwrite the first 200 bytes of each chunk of 1024 bytes in the file.\r\nlight-wipe – Overwrite a number of chunks specified in the configuration.\r\nfull_purge – Overwrite the entire file content.\r\nThe wiper gets its configuration for the wiping process in one of these ways: in command-line arguments, or from the\r\nhardcoded default configuration and exclude list in the file meciwipe.ini . The default configuration contains a pre-defined\r\nlist of exclusions related to Windows OS and Kaspersky and Symantec security products, which are widely used in Iran:\r\n\"-light-wipe\", \"3\",\r\n\"-stop-iis\",\r\n\"-logs\",\r\n\"-shadows\",\r\n\"-processes\",\r\n\"*sql\",\r\n\"-mbr\",\r\n\"-fork-bomb\",\r\n\"-wipe-all\",\r\n\"-wipe-stage-2\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Windows\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\$Recycle.Bin\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\$WinREAgent\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Config.Msi\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Recovery\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files\\\\\\\\IBM\\\\\\\\*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\System Volume Information\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files\\\\\\\\Symantec*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files (x86)\\\\\\\\Symantec*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files\\\\\\\\Kaspersky*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files\\\\\\\\Microsoft*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files\\\\\\\\Windows*\",\r\n\"-wipe-exclude\", \"C:\\\\\\\\Program Files (x86)\\\\\\\\Windows*\"\r\nIf the malware has no arguments, it runs as a service named “ Service1 ”.\r\nThe main wiper function computes the FNV1A32 hash of every argument and uses that to determine the action:\r\nArguments | Options | Action\r\n“-mbr” | – | Enable the DestroyMBR flag\r\n“-fork-bomb” | – | Start two more instances of the wiper, with the “-fork-bomb” argument as well\r\n“-sessions” | – | Kill other users’ sessions with the cmd commands: logoff {0} and rwinsta {0}\r\n“-delete-users” | file_path or list of users (* = all users) | Delete the specified users using the cmd command: net user {0} /delete\r\n“-break-users” | file_path or list of users (* = all users) | Break the specified users by changing their password to an 8-byte random string appended with “ aA1! 
”\r\n“-logs” | – | Delete events from Windows Event Log using the cmd command: for /F \\\"tokens=*\\\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \\\"%1\\\"\r\n“-passwords” | – | None\r\n“-shadows” | – | Destroy shadow copies using the cmd command: echo delete shadows all \u003e 1.s \u0026\u0026 diskshadow /s 1.s \u0026\u0026 del 1.s\r\n“-start-iis” | – | Start Internet Information Services (IIS) with iisreset /start\r\n“-stop-iis” | – | Stop Internet Information Services (IIS) with iisreset /stop\r\n“-config” | file_path | Read the arguments from the specified config file\r\n“-light-wipe” | size | Corrupt only the specified number of 1024-byte chunks in a file\r\n“-wipe-exclude” | list of directories | Add the directories that the wiper won’t wipe\r\n“-delete” | – | Enable the delete_files flag, which means deleting the files after their corruption\r\n“-processes” | file_path or list of processes (* = all processes) | Kill the specified processes using the cmd command: taskkill /PID {0} /f\r\n“-wipe-stage-2” | – | Enable the wipe_stage_2 flag, which means wiping the files with the default method and then deleting them\r\n“-purge” | – | Enable the full_purge flag, which means corrupting the whole file and not only chunks\r\n“-wipe-only” | file_path or list of files | Add a list of files to wipe\r\n“-wipe-all” | – | Wipe all the files with supported extensions\r\nThe DestroyMBR flag enables the malware to wipe the MBR by writing a hardcoded base64-encoded binary to the file\r\nprecg.exe and then running it. precg.exe is an MBRKiller based on the Gh0stRAT MBR wiper.\r\nThe main wiping procedure starts by searching for the last file that was wiped. The malware writes its path to the file named\r\nlastfile (or lastfile2 in the case of wipe_stage_2). 
Then, every file is checked to see if it is excluded or its extension\r\nis not in the predefined list:\r\n\".accdb\", \".cdx\", \".dmp\", \".h\", \".js\", \".pnf\", \".rom\", \".tif\", \".wmdb\", \".acl\", \".cfg\", \".doc\", \".hlp\",\r\n\".json\", \".png\", \".rpt\", \".tiff\", \".wmv\", \".acm\", \".chk\", \".docx\", \".hpi\", \".lnk\", \".pps\", \".rsp\", \".tlb\",\r\n\".xdr\", \".amr\", \".com\", \".dot\", \".htm\", \".log\", \".ppt\", \".sam\", \".tmp\", \".xls\", \".apln\", \".cpl\", \".drv\",\r\n\".html\", \".lst\", \".pptx\", \".scp\", \".tsp\", \".xlsx\", \".asp\", \".cpx\", \".dwg\", \".hxx\", \".m4a\", \".pro\", \".scr\",\r\n\".txt\", \".xml\", \".avi\", \".dat\", \".eml\", \".ico\", \".mid\", \".psd\", \".sdb\", \".vbs\", \".xsd\", \".ax\", \".db\", \".exe\",\r\n\".inc\", \".nls\", \".rar\", \".sig\", \".wab\", \".zip\", \".bak\", \".dbf\", \".ext\", \".ini\", \".one\", \".rar\", \".sql\",\r\n\".wab~\", \".bin\", \".dbx\", \".fdb\", \".jar\", \".pdf\", \".rdf\", \".sqlite\", \".wav\", \".bmp\", \".dll\", \".gif\", \".jpg\",\r\n\".pip\", \".resources\", \".theme\", \".wma\", \".config\", \".mxf\", \".mp3\", \".mp4\", \".cs\", \".vb\", \".tib\", \".aspx\",\r\n\".pem\", \".crt\", \".msg\", \".mail\", \".enc\", \".msi\", \".cab\", \".plb\", \".plt\"\r\nThe full_purge mode that overwrites all the bytes of the file is always enabled for the files from the purge_extensions\r\nlist:\r\n\".json\", \".htm\", \".log\", \".html\", \".lst\", \".txt\", \".xml\", \".vbs\", \".inc\", \".ini\", \".sql\"\r\nIf the delete_files flag is enabled, the wiper also deletes the files after overwriting them.\r\nWe found additional forensic artifacts, submitted together with the wiper samples, that prove that the wiper was indeed\r\nexecuted in a TV environment:\r\nThe lastfile2 containing the path to the last wiped file: C:\\users\\tpa\\videos\\captures\\desktop.ini . 
This file\r\nis created only if the wiper was run in wipe_stage_2 mode, which deletes the files after the wiping procedures.\r\nThe breakusufjkjdil.bat file, which shows that at least one instance of the wiper was supposed to run with the\r\nintent to kill existing user sessions and change passwords for all the users: \"c:\\windows\\temp\\msdskint.exe\" -break-users * -sessions\r\nThe Event Viewer Application log file shows events related to the wiper service Service1 . The logs contain a\r\ntimestamp which is a few hours after the attack:\r\nFigure 5 – Windows Event Viewer log shows the wiper execution in the Iranian TV environment.\r\nBackdoors\r\nWinScreeny\r\nThe name of this tool comes from the PDB path: C:\\work\\winscreeny\\winscreeny\\obj\\Debug\\winscreeny.pdb . The main\r\npurpose of the backdoor is to take screenshots of the victim’s computer. We found two samples of this backdoor: the first\r\none is the release version uploaded to VT with the name mslicval.exe , and the second one is the debug version named\r\nprecg2.exe . Needless to say, these files were submitted to VT together with the other artifacts that we discovered.\r\nThe backdoor can be run in different ways, based on the command-line argument:\r\nNone – Runs a SimpleTCPServer that listens on port 18000.\r\nservice – Runs as a service named Service1 . At start, the service creates a scheduled task with the command:\r\nschtasks /create /TN \\\"Microsoft\\\\Windows\\\\.NET Framework\\\\.NETASM\\\" /TR \\\" \u003cfile_path\u003e \\\" /ST \u003ccurrent_time + 1:10\u003e /SC ONCE /F .\r\nsetup – Tries to gain privileges using the LsaAddAccountRights API function and then run itself as a service.\r\nThe malware listens for packets on port 18000, and for each packet, it checks if the message contains the scr= command\r\nsent with the POST method. 
If these conditions are met, the malware saves a screenshot to a file named screeny-\u003ctimestamp\u003e.png and a “done” message is returned to the attacker if it succeeded.\r\nFigure 6 – Winscreeny screenshot capture code.\r\nInterestingly, the release version of this malware is also capable of command execution: it supports the s= command which\r\ngets a base64-encoded string XORed with the 1-byte key 0x24. The decoded string is run by cmd and the execution result is\r\nreturned to the server. The code that handles this feature is also reused in the HttpService backdoor that we discuss later.\r\nHttpCallbackService\r\nHttpCallbackService is a Remote Administration Tool (RAT) with a familiar PDB path:\r\nC:\\work\\simpleserver\\HttpCallbackService\\obj\\Release\\HttpCallbackService.pdb . Its C\u0026C URL can be specified in\r\ntwo different ways: a command-line argument or the configuration file callservice.ini . Next, the received value is\r\nappended with a short string: ?m= if the URL ends with “.aspx” or “.php”; m= if the URL ends with “/”; or /m= in any\r\nother case.\r\nUnfortunately, we didn’t find any configuration or other artifacts related to HttpCallbackService, so the C\u0026C server in this\r\nattack remains unknown.\r\nEvery 5 seconds, HttpCallbackService sends a request to the C\u0026C URL using the webClient.DownloadString method to\r\nreceive the list of commands split by ‘ \\r\\n ’. If the malware doesn’t receive any commands in the last 5 minutes and the\r\nisStayAliveMode flag is disabled, this time frame is increased to 1 minute.\r\nThese are the commands supported by the RAT:\r\nCommand | Arguments | Action\r\n“upload” | upload_path, base64-encoded content | Upload a file to the victim’s computer. 
The server may send the file in chunks, each of them sequentially decoded from base64 and appended to the file\r\n“download” | file name | Download a file from the victim’s computer to the C\u0026C server; the file is base64-encoded and sent in chunks of 102400 bytes\r\n“stay-alive” | – | Enable the isStayAliveMode flag and change the timer to 5 seconds\r\n“cool-down” | – | Disable the isStayAliveMode flag\r\nDefault | command string | Run the command in cmd and return the result to the C\u0026C server\r\nWhen the results of the commands are uploaded to the server, the data is sent to a slightly different URL: the C\u0026C URL\ndefined previously, now appended with “1”. The data is sent using the WebClient.UploadValues method in the following\nformat:\ndownload=\\r\\n--------------\\r\\n for the download command\n\\r\\n--------------\\r\\n for the cmd command.\nHttpService\nHttpService is another backdoor that listens on a specified port: it can be a command-line argument, the pre-defined port\ndepending on the sample, or the value from the configuration file: .ini . We found several samples with the\ndefault ports 19336, 19334, 19333, as well as two different configuration files uploaded to VT, with 19336 and 19335\nvalues.\nEach sample has a hardcoded version. The files that we discovered belong to three different versions: 0.0.5, 0.0.11v4H and\n0.0.15v4H. The version 0.0.5 listens on the specified port with a Simple TCP server, whereas 0.0.11v4H and 0.0.15v4H are\nbased on the Simple HTTP Server. 
All of them use the HTML Agility Pack for HTML parsing and the IonicZip library for\ncompression actions.\nThe highest version (0.0.15v4H) of the backdoor has multiple capabilities, including command execution and file\nmanipulation.\nCommand execution: The command “ cmd ” makes the backdoor run the specified command with cmd.exe and return the\nresult in this format:\n\n. In addition, the backdoor can launch an\ninteractive cmd shell when it receives the “ i= ” command, whose arguments can be:\n“ 1 ” – Get the output from the shell and send it back to the C\u0026C.\n“ 2 ” – End the interactive shell and clean up.\ndefault – Decode and decrypt the XORed string and then run the command in the shell and save the output.\nSimilar to WinScreeny, the malware also has the “ s= ” command with the string XORed with the 1-byte key 0x24 as an\nargument. The decoded string is run by cmd.exe and the result is returned to the server.\nProxy connections: After the “ p= ” or “ b= ” command is received, the backdoor uses the victim’s computer as a proxy to\nthe URL it gets as an argument. The backdoor communicates with this URL, forwards the C\u0026C server’s request to it, and\nwaits for a response to send back to the C\u0026C.\nDownload and upload files: The “ f= ” or “ 1= ” command allows the backdoor to download a file from the path given as\nan argument or write a file given as an argument with the content of the message body. After it receives the “ m= ”\ncommand, the malware writes the body of the message to the path .out , reads data\nfrom .in , and sends it to the C\u0026C. 
If the file does not exist, the malware creates the\nfile and writes to it the current date and time.\nRun SQL commands: The “ con= ” / “ c= ” command receives the SQL DB connection string and SQL query, and returns\nthe result to the server.\nManipulate the local files: The “ ” command checks if the file/directory exists and then does one of these three\nthings, based on the query value:\n“ zip ” – Creates a zip file from the directory contents and returns it to the C\u0026C.\n“ unzip ” – Unzips the file using the path provided by the C\u0026C.\n“ del ” – Deletes the file.\nInterestingly, in all three cases, the malware sends back the entire directory contents (including sub-directories) as an HTML\r\npage that contains the Zip , Unzip and Delete buttons, depending on the type of the file. This is how the interface looks\r\non the attackers’ side:\r\nFigure 7 – HTML page with the directory listing returned to the C\u0026C server.\r\nServerLaunch dropper\r\nThe sample of HttpService version 0.0.5 was submitted together with its dropper, called dwDrvInst.exe , which mimics the\r\nremote access software executable by DameWare. The tool’s PDB path has the same pattern,\r\nC:\\work\\ServerLaunch\\Release\\ServerLaunch.pdb . However, the tool is written in C++, not .NET like all the others, and\r\nwas compiled on December 2, 2021, almost 2 months prior to the attack.\r\nServerLaunch contains three executables in its resources, which it drops to ionic.zip.dll , httpservice2 and\r\nhttpservice4 , all in C:\\Users\\Public\\ . The malware then starts both httpservice2 and httpservice4 with no\r\narguments. 
Each of them has a different pre-defined port to listen on, which likely allows the attackers to ensure some sort\r\nof redundancy of the C\u0026C communication.\r\nConnecting the files to the attack\r\nWe’ve discussed several different tools and some of the artifacts related to their execution. It is clear that all these tools were\r\ncreated by the same actor and are connected. For example, the screenshot tool Winscreeny doesn’t contain the functionality\r\nto upload the created screenshots back to the attackers, which likely means that it relies on other backdoors to perform this\r\noperation. The recurring Service1 name for all the tools indicates that different backdoors, if running on the same machine,\r\nwere mostly executed with command-line arguments or provided configuration files.\r\nTaking into account that the samples are related to each other, we can substantiate the connection between these files and the\r\nIRIB cyberattack:\r\nThe whole cluster of activity is interconnected and was submitted to VT mostly from Iranian IPs, all in the same\r\ntimeframe, likely by incident responders.\r\nThe audio and video files utilized by the tools are the same as those broadcast live on hacked Iranian TV. The Twitter\r\naccount @GhyamSarnegouni (“Uprising to overthrow”) featured in this video contains a few recordings of different\r\nTV channel streams that feature both the video and the audio tracks we’ve discussed.\r\nMultiple artifacts such as Matrox DSX, Autocue QTV, TFI Arista Playout Server, etc. that were referenced in the\r\nsamples indicate that these files were intended for a broadcast environment.\r\nAmong the forensic artifacts submitted together with the video and executables, we discovered Windows Event Viewer\r\nfiles that contain evidence that attempts were made to execute the samples in the Iranian TV network environment, a\r\ndomain not resolved publicly. 
The timestamp of these specific logs is after the time of the actual incident.\r\nFigure 8 – Screenshot of the Application log that contains the wiper execution evidence.\r\nNumerous other forensic artifacts from this VT file cluster are directly related to IRIB. For\r\nexample, an internal tool called MIT_FreeSizeService (md5:307e7440a15c8eed720566f067a2e96b) bears the IRIB\r\nlogo, and the memory dump of the MetaSAN software called executable.4504.exe\r\n(md5:1fc57ccec4668bbcbebaa9c734a437ba) features memory strings indicating that the software was run on a\r\nmachine from the MIT-TV domain.\r\nFigure 9 – VT submission of the unknown tool featuring the MIT (same as the domain name) string and containing\r\nthe IRIB logo.\r\nAttribution\r\nIranian officials appear to be confident that MEK is behind this attack, with the deputy head of technical affairs for Islamic\r\nRepublic of Iran Broadcasting claiming the same. However, the opposition group itself denies any involvement, stating that\r\n“the group had become aware of the incident only when it happened but that the hacking might have been the work of\r\nsupporters in Iran.”\r\nThe hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services,\r\nthe transportation ministry, and the Iranian gas stations, affiliated itself with the IRIB attack via its Telegram channel. On the\r\nmorning before the attack, they wrote “Wait for the good news from our team. 
Do not switch the channel.” Later the same\r\nevening, they posted a video from one of the disrupted TV channels, introducing it as a “cyber-attack on the country’s radio\r\nand television organization by the Predatory Sparrow team.” Currently, no technical proof of the group’s attribution to the\r\nattack has been discovered. The video displayed on the channel is available online and refers to a different Telegram account,\r\n@GhyamSarnegouni, so these claims – as well as the relation between the two entities – should be treated with caution.\r\nFigure 10 – Posts from Predatory Sparrow’s Telegram channel, in which the group claims “responsibility” for the\r\nattack.\r\nConclusion\r\nIn this article, we analyzed a set of tools that was likely used in a cyberattack against the IRIB, which disrupted several\r\nstate-run TV and radio channels. The use of wiper malware in an attack against a state entity in Iran prompts a comparison of these\r\ntools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways\r\nand Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details,\r\nsuch as execution based on batch files or the password-changing patterns ([random sequence]aA1! for this attack and\r\nAa153![random sequence] in Indra’s case), suggest that the attackers behind the IRIB hack may have been inspired by\r\nprevious attacks in Iran.\r\nAs in the case of Indra, it appears that the actor may have many capabilities that have yet to be explored. 
On the one hand,\r\nthe attackers managed to pull off a complicated operation: bypass security systems and network segmentation, penetrate\r\nthe broadcaster’s networks, and produce and run malicious tools that heavily rely on internal knowledge of the broadcasting\r\nsoftware used by the victims, all while staying under the radar during the reconnaissance and initial intrusion stages.\r\nOn the other hand, the attackers’ tools are of relatively low quality and sophistication, and are launched by clumsy and\r\nsometimes buggy 3-line batch scripts. This might support the theory that the attackers may have had help from inside the\r\nIRIB, or indicate a yet unknown collaboration between different groups with different skills.\r\nMeanwhile, almost two weeks after the attack happened, MEK-affiliated news published a status report of the attack\r\nclaiming that the “regime’s radio and TV networks have not returned to a normal status” and provided an elaborate list of\r\naffected devices with the statement “more than 600 servers, advanced digital production, archiving, and broadcasting of\r\nradio and television equipment have been destroyed, and their software has been damaged.” There is no way for us to verify\r\nthese claims, but if at least some of them are true, the extent of destruction caused by the wiper and other malicious tools\r\nthat we’ve discovered (and those that are yet unknown) exceeded expectations.\r\nIOCs\r\nAttack files:\r\nhash name description\r\n1607f31ac66dfec739dc675ade921582acb8446c2ac7d6d1bc65a3e993fc5b54 msdskint.exe Wiper\r\n42ed646eed4f949c456c637a222e7d94dd8ac67ed5ebda5e63c7b7979076d9cf msdskint.exe Wiper\r\n8bdf6e262966a59a7242d279e511dd694467f07d1d76c456a0c26d0db2ec48a8 HttpService2.exe HttpService\r\n427c105859c3dc62ece790e41a42b0f6ae587496a07d3bd190143179cdf6c6bd HttpService4.exe 
HttpService\r\ne3d61cbbfbe41295dd52acff388d1d8b1d414a143d77def4221fd885aae6cd83 HttpService2.exe HttpService\r\n096bae94e09059e2e3106503353b1b4f7116fa667600ca2ab3fa7591708e645a HttpService4.exe HttpService\r\n13a016b8f502c81e172c09114f25e4d8a8632768aefd56c5f6d147e9b6466216 HttpService4.exe HttpService\r\nea740894227ae1df923997edb7bda3a00f523fbff7cc02d3b5e6b3de19d672fc HttpCallbackService.exe HttpCallbackServic\r\n62b692be251feb63af2723a68975976b749cab20014ffaa6488af80f4f03e0a1 dwDrvInst.exe ServerLaunch\r\n41e0c19cd6a66b4c48cc693fd4be96733bc8ccbe91f7d92031d08ed7ff69759a precg2.exe Winscreeny\r\ne9e4a8650094e4de6e5d748f7bc6f605c23090d076338f437a9a70ced4a9382d mslicval.exe Winscreeny\r\nd788ebc7ee98c222f46d7ca2347027643784a78b5954c9a31734ec1b197bc2aa Avar.exe Avar\r\n1155dd06e0b108bde3addcdbd5d1da4dc18ca245c39ce7d967f8971eb0f88dbb SimplePlayout.exe SimplePlayout\r\na25215c9adce51a3ecfe34c802d3e7d865cf410ddbe10101e3b41f6ba11347a4 TSE_90E11.mp4 MP4 video file\r\n4cc21810d786dca94e01d0714d37e3f097ff6e3813bf6e17a9bd86cd9a4ceb2b TSE_90E11.001 WAV file\r\n7ea7b20b87ded3c297ec0890ee8a396427d70caf983b42f479d8fad38629b684 playoutabcpxtveni.bat\r\nbc8de80a28c8ae55415ccdfece270f6548f067fc2a00e799baf0279d4d560807 breakusufjkjdil.bat\r\n197f13580ec249fa84b1e54f978c5cab60f22561a2fab2ff60bdb2d5bfa25512 avapweiguyyyw.bat\r\nefc8f12c53d1730fa8ac00cfa60e63ab43d90f42879ef69d7f6fb9978246f9cb playjfalcfgcdq.bat\r\na2d493c2cb25fc03f5d31cf3023b473d71d38b972eccdb7873f50d2344ea7753 simpleplayout.ini\r\nc305b3cb96a34258a3e702526de6548b2de99449c0839a9aea518accc7c861ab 436748-HttpService4.exe.ini\r\n8b74c08c33cd8a0cc1eaf822caeaad6b54bc39e4839e575f3c0ece4bb8992408 436751-HttpService4_2.exe.ini\r\nForensic artifacts:\r\nhash name description\r\n0daa0aefdc6d0641eb06e62bc8c92a0696aa8089258cb2d3552ac137d53237ec sec.evtx security event log from one 
of the machines\r\na3b9bd57e6b281610e570be87883d907992bdf7be3bcd37885ee2cf97d930cd3 application.evtx applications event log from one of the machines\r\n067ae6ecfd108a79a32eb1a76a262868d8f3a9a7924b26091f0e2229152bdd9d lastfile2 path to the last file wiped and deleted by the wiper\r\nSource: https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/"
	],
	"report_names": [
		"evilplayout-attack-against-irans-state-broadcaster"
	],
	"threat_actors": [
		{
			"id": "ddb9c4ac-43a2-4100-86c8-1770ac2eeb05",
			"created_at": "2024-03-28T02:00:05.778006Z",
			"updated_at": "2026-04-10T02:00:03.607773Z",
			"deleted_at": null,
			"main_name": "Edalat-e Ali",
			"aliases": [],
			"source_name": "MISPGALAXY:Edalat-e Ali",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775573016,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d87a7ae6dd43bd74ef22894aac7bed0cff34291e.pdf",
		"text": "https://archive.orkl.eu/d87a7ae6dd43bd74ef22894aac7bed0cff34291e.txt",
		"img": "https://archive.orkl.eu/d87a7ae6dd43bd74ef22894aac7bed0cff34291e.jpg"
	}
}