{
	"id": "20fc1c30-1e60-48c3-badd-63dd20413f74",
	"created_at": "2026-04-06T00:19:35.991016Z",
	"updated_at": "2026-04-10T03:33:49.445546Z",
	"deleted_at": null,
	"sha1_hash": "da360eebeeca7d0b5e10bee2a2bb59eebd05f195",
	"title": "The Madi Attacks: Series of Social Engineering Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 559225,
	"plain_text": "The Madi Attacks: Series of Social Engineering Campaigns\r\nArchived: 2026-04-05 16:52:05 UTC\r\nSymantec Security Response is aware of recent reports of Madi, a Trojan used in targeted campaigns and observed\r\nin the wild since December 2011.\r\nThe following is an email example, discovered in the Madi campaign, which included a malicious PowerPoint\r\nattachment:\r\n \r\nFigure 1. Targeted email containing malicious PowerPoint\r\n \r\nIn one example, opening the PowerPoint attachment displays a series of video stills showing a missile destroying\r\na jet plane. During the final PowerPoint slide, a dialog window is displayed to the user requesting permission to\r\nrun an executable file:\r\n \r\nhttps://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns\r\nPage 1 of 3\n\nFigure 2. Final PowerPoint slide prompts user to run a .scr file\r\n \r\nSymantec detects this malicious executable as Trojan.Madi using the latest LiveUpdate definitions. It is capable of\r\nstealing information—including keylogging functionality. The Trojan can also update itself. We have observed\r\nTrojan.Madi communicating with command-and-control servers hosted in Iran and, more recently, Azerbaijan.\r\nTargets of the Madi campaign appear to be all over the spectrum but include oil companies, US-based think tanks,\r\na foreign consulate, as well as various governmental agencies, including some in the energy sector.\r\n \r\nFigure 3. Heat map distribution of global Madi infections\r\n \r\nAlthough Madi has been seen targeting various Middle Eastern countries, it has also been found across the globe\r\nfrom the United States to New Zealand.\r\n \r\nFigure 4. Infection percentages of Madi from December 2011 to July 2012\r\n \r\nWhere high profile attacks such as Flamer, Duqu, and Stuxnet utilize different techniques to exploit systems—\r\nincluding leveraging zero-day attacks—the Madi attack relies on social engineering techniques to get onto\r\ntargeted computers.\r\nTargets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has\r\nnot found evidence that this is the case. Instead, the current research indicates these attacks are being conducted by\r\nan unknown Farsi-speaking hacker with a broad agenda.\r\nSource: https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
	],
	"report_names": [
		"madi-attacks-series-social-engineering-campaigns"
	],
	"threat_actors": [
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da360eebeeca7d0b5e10bee2a2bb59eebd05f195.pdf",
		"text": "https://archive.orkl.eu/da360eebeeca7d0b5e10bee2a2bb59eebd05f195.txt",
		"img": "https://archive.orkl.eu/da360eebeeca7d0b5e10bee2a2bb59eebd05f195.jpg"
	}
}