{
	"id": "1874a9c2-0214-408b-9597-b6658ddca2da",
	"created_at": "2026-04-06T00:13:51.791716Z",
	"updated_at": "2026-04-10T03:23:51.827893Z",
	"deleted_at": null,
	"sha1_hash": "eb1204a1b35a01b11127302f53ec47977424fb52",
	"title": "Book of Eli: African targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118254,
	"plain_text": "Book of Eli: African targeted attacks\r\nBy Anton Cherepanov\r\nArchived: 2026-04-05 16:06:30 UTC\r\nESET Research\r\nESET's latest research analyzes a piece of malware active since 2012, but which has targeted one specific country\r\n– Libya.\r\n22 Sep 2016  •  5 min. read\r\nThis blog post describes details that we discovered during our analysis of malware that focuses on a specific\r\ncountry — Libya. The malware has existed since at least 2012, with threat actors using it for mass-spreading\r\nmalware campaigns and for ongoing targeted attacks.\r\nDespite the lack of sophistication of the technical details of the malware and its mechanisms for spreading, the\r\nthreat actors have demonstrated the ability to compromise governmental websites successfully. This, combined with\r\nits focus on a specific region, makes this threat interesting from the malware researchers' perspective.\r\nSpreading mechanism\r\nDuring our research we observed that for mass-spreading malware campaigns, these attackers tend to compromise\r\nprofiles in social networks such as Facebook or Twitter and post links there that lead to malware downloads.\r\nFigure 1 demonstrates an example of a Facebook post from 2013. The post is written in Libyan Arabic and says\r\nthat the Prime Minister has been captured twice, this time in a library. This short text message is followed by a\r\nlink to a compromised governmental website that served malware at that time.\r\nFigure 1. Facebook post with malware download link\r\nFigure 2 illustrates an example of a post with a malicious link by a Twitter user's profile, which impersonates Saif\r\nGaddafi's account.\r\nhttps://www.welivesecurity.com/2016/09/22/libya-malware-analysis/\r\nPage 1 of 5\n\nFigure 2. Twitter post with malware download link\r\nIn addition to mass-spreading campaigns, attackers are conducting targeted attacks by sending spear phishing\r\nemails with malicious attachments. 
In order to convince the intended victim to execute a malicious binary,\r\nstandard social engineering tricks are implemented, such as MS Word and PDF icons on executables and double\r\nfile extensions such as .pdf.exe in the filename. In some cases the malware may display a decoy document.\r\nTo help attackers identify specific infections or attempts at infection, the malware contains a special text string\r\nthat we name Campaign ID. Here is a list of Campaign IDs that we identified during our research:\r\nاخرتاق كلمات سر موزيال - eli of book\r\nOP_SYSTEM_\r\nOP_NEW_WORLD\r\nOP_TRAV_L\r\nahmed\r\nop_travel\r\nop_ ahha\r\nop_russia\r\nop_russia_new\r\nop_russia_old\r\nkarama\r\nTechnical details\r\nThe malware is written using the .NET Framework; the source code is not obfuscated. Some samples of the\r\nmalware contain PDB-paths that reveal the original name of the malware used by its authors and possible targets.\r\nFigure 3. The PDB-path discovered inside the malware\r\nThe malware is a classic information stealer Trojan that attempts to collect various information. It can be deployed\r\nin various configurations. The full-featured version of the malware can log keystrokes, collect profile files of\r\nMozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots,\r\ncapture photos from the webcam, and collect information about the version of the operating system and installed\r\nanti-virus software. In some cases the malware can download and execute third-party password recovery tools in\r\norder to try to collect saved passwords from installed applications.\r\nMost of the analyzed samples of the malware use the SMTP protocol to exfiltrate data to specific email addresses.\r\nFigure 4 shows the decompiled function make_email_mozela, which is used by the malware to collect and send\r\nMozilla Firefox profile files.\r\nFigure 4. 
Decompiled malware code that contains SMTP credentials\r\nSince the code in the majority of the samples contains the same destination address, this suggests that the malware\r\nis used exclusively by one individual or group of people.\r\nAlternatively, the malware can upload stolen information directly to its C\u0026C server using HTTP communication.\r\nFigure 5. Decompiled malware code that is used to upload stolen data\r\nAs is evident in Figure 5, the malware connects to the worldconnection[.]ly server and uploads data using a PHP\r\nscript. The domain name was registered in June 2016; the server used by the malware is located in Libya.\r\nConclusion\r\nWe analyzed a piece of malware that was active since at least 2012 in a specific region. The cyberthreat actors\r\nbehind the malware used it for mass-spreading in the past and it should be noted that it is still being used in\r\nspearphishing attacks.\r\nIndicators of Compromise (IoC)\r\nESET detection names:\r\nMSIL/Spy.Agent.GZ trojan\r\nMSIL/Spy.Agent.HF trojan\r\nMSIL/PSW.Agent.OMN trojan\r\nMSIL/PSW.Agent.PRH trojan\r\nMSIL/Spy.Agent.APJ trojan\r\nSHA-1 
hashes:\r\n3888DCE3D1CA295B76248DBA3609955D7375D749\r\nD62BF2D5E6683046396E94479B0321E319577F69\r\n2F1618B710856AF3D0AC6C899393ACEED8B9942D\r\n7AF0EC7B2F0B6F298CDA5BD22DEAB704D1DB2009\r\n685E7408BEA30F73840542474F96F48AD0DD1EFC\r\n1595C89C561F90ADFF6ED2E6F0402D14A31F2DFA\r\n6357DA647E21478AF836E9051F5E54E0357A9A87\r\nE1D1B3AD6A2987AFFCA57FDC170BF9DDB54A1D2F\r\n5AF6CF0D8BBEC98818E12880CE9B98F184ED7C66\r\nAEF20AB97D1B4B3C12B4B1F866916722C68ED138\r\n3E512302FF688FB89D4973D60BEB93FF642CD83C\r\n924A1E1B355BEA6575231B22BBFF2D5F749BD7D3\r\n6BA47F0D09BB202B4CC3FB5FEC54022C3F2319B4\r\n9B235EF9F2722EE26892E4287AF28FD98F4A6E4C\r\n970EA2AF3F6CB49B5D964107887EE48A24FC7912\r\n437A5ED4F2C2E55F4CFA2C55C32ADF084FF634B4\r\n554958EECDFF4E9AC2325169EF8E3F23D4AD851F\r\n9016597DE1917D78441A3FF72DB5A3848FA7A771\r\n59092A314A87370BAF0A06F679771E7D8477104A\r\nE4E86A2F3542591CFBF1FD340B78710370085163\r\n9846604F0DD2DD97646B348F2F0A2DD0D40E4B8A\r\n51C784B037DC69A4465A26573D23AEBC274969BC\r\n309A9FB5FBDD30142F42994F95E7453F8834BDC1\r\n87B458153445BD93482F15C28CA2ED2194FB92BF\r\n39AC510C9E2BB8F0AE4C9F2F653E66B58C975868\r\n95D38E48C5427E10707747585A3B852F1F7DE08D\r\n19F34B7A444998836A1C99CDA3C9853502CF5212\r\n666766B1745232FE9B76AAB3F7ABFA222DD2AA0F\r\nE93F6BB3A56A5384F79BEBA1F4642E1B1C1C21A2\r\n1F8105D947203D405A7DD76BA32B20FCD8E20BF4\r\nDDB9D2219876D59DFD3A207E54DB8956D6864A52\r\n447AD86417769AA19C8B07AFB2B113039316814F\r\n11507252AC4BF28B57A538BFA85F9F7574256E6C\r\nEFD07AF61B16C6FD55F64FCB785522C049A935CD\r\nE855F9428813E59D52BFB79E6F779452A77CBCBE\r\n999D51F3455B86E673586F77A19E5871BBAA1236\r\n4A0DC693E87613D869332EB890E0F533AF404D25\r\n9CB3DC18E0033A381691FDBE798516FB2B857B01\r\n9E595794C8C413C83EF075B7895D0F0EFB72A39F\r\nC2 servers:\r\nhxxp://mndooma.com/book_of_eli.php\r\nhxxp://worldconnection.ly/book_of_eli.php\r\nSMTP servers:\r\nmail.sooq-libya.com\r\nmail.worldconnection.ly\r\nSource: https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2016/09/22/libya-malware-analysis/"
	],
	"report_names": [
		"libya-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb1204a1b35a01b11127302f53ec47977424fb52.pdf",
		"text": "https://archive.orkl.eu/eb1204a1b35a01b11127302f53ec47977424fb52.txt",
		"img": "https://archive.orkl.eu/eb1204a1b35a01b11127302f53ec47977424fb52.jpg"
	}
}