{
	"id": "2bd6f0e8-4e09-4984-9bc8-3a58d86614ab",
	"created_at": "2026-04-06T00:16:10.814184Z",
	"updated_at": "2026-04-10T13:12:13.133465Z",
	"deleted_at": null,
	"sha1_hash": "f84f8cb135a78dd009009e176401045f8fb13e3c",
	"title": "Microsoft investigates Iranian attacks against the Albanian government | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2913150,
	"plain_text": "Microsoft investigates Iranian attacks against the Albanian government |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-09-08 · Archived: 2026-04-05 16:14:05 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. EUROPIUM is now tracked as Hazel Sandstorm, and the DEV-#### designations are now tracked\r\nunder the name Storm-#### using the same four-digit identifier.  \r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe Microsoft Detection and Response Team (DART) has been renamed to Microsoft Incident Response (Microsoft IR). For\r\nmore information on IR services, go to Microsoft Incident Response\r\nShortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and\r\nResponse Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of\r\nthe attacks and our engagement by the Albanian government, Microsoft publicly stated that “Microsoft is committed to\r\nhelping our customers be secure while achieving more. During this event, we quickly mobilized our Detection and Response\r\nTeam (DART) to help the Albanian government rapidly recover from this cyber-attack. 
Microsoft will continue to partner\r\nwith Albania to manage cybersecurity risks while continuing to enhance protections from malicious attackers.” This blog\r\nshowcases the investigation, Microsoft’s process in attributing the related actors, and the tactics and techniques\r\nobserved by DART and the Microsoft Threat Intelligence Center (MSTIC) to help customers and the security ecosystem\r\ndefend against similar attacks in the future.\r\nMicrosoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a\r\ndestructive cyberattack against the Albanian government, disrupting government websites and public services. At the same\r\ntime, and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked\r\nsensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak\r\nthis information.\r\nThere were multiple stages identified in this campaign:\r\nInitial intrusion\r\nData exfiltration\r\nData encryption and destruction\r\nInformation operations\r\nMicrosoft assessed with high confidence that multiple Iranian actors participated in this attack—with different actors\r\nresponsible for distinct phases:\r\nDEV-0842 deployed the ransomware and wiper malware\r\nDEV-0861 gained initial access and exfiltrated data\r\nDEV-0166 exfiltrated data\r\nDEV-0133 probed victim infrastructure\r\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of\r\nthreat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or\r\nidentity of the actor behind the activity. 
Once it meets the criteria, the DEV reference is converted to a named actor:\r\nMicrosoft assessed with moderate confidence that the actors involved in gaining initial access and exfiltrating data in the\r\nattack are linked to EUROPIUM, which has been publicly linked to Iran’s Ministry of Intelligence and Security (MOIS) and\r\nhttps://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\r\nPage 1 of 17\n\nwas detected using three unique clusters of activity. We track them separately based on unique sets of tools and/or TTPs;\r\nhowever, some of them may work for the same unit.\r\nInformation specific to Albania is shared with permission from the Albanian government.\r\nFigure 1. Threat actors behind the attack against the Albanian government\r\nForensic analysis\r\nEvidence gathered during the forensic response indicated that Iran-affiliated actors conducted the attack. This evidence\r\nincludes, but is not limited to:\r\nThe attackers were observed operating out of Iran\r\nThe attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian\r\nattackers\r\nThe attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are\r\nconsistent with Iranian interests\r\nThe wiper code was previously used by a known Iranian actor\r\nThe ransomware was signed by the same digital certificate used to sign other tools used by Iranian actors\r\nIntrusion and exfiltration\r\nA group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an\r\nAlbanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint\r\nServer, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was\r\na member of the local administrative group. 
Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from\r\nthe victim’s network between October 2021 and January 2022.\r\nDEV-0861 was observed operating from the following IPs to exfiltrate mail:\r\n144[.]76[.]6[.]34\r\n176[.]9[.]18[.]143\r\n148[.]251[.]232[.]252\r\nAnalysis of the signals from these IPs, and other sources, indicated that DEV-0861 has been actively exfiltrating mail from\r\ndifferent organizations in the following countries since April 2020:\r\nFigure 2. Timeline of data exfiltration activities by DEV-0861\r\nThe geographic profile of these victims—Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE—aligns with Iranian\r\ninterests; these countries have historically been targeted by Iranian state actors, particularly MOIS-linked actors.\r\nDEV-0166 was observed exfiltrating mail from the victim between November 2021 and May 2022. DEV-0166 likely used\r\nthe tool Jason.exe to access compromised mailboxes. A public analysis of Jason.exe can be found here. Note that this tool\r\nwas reportedly used by actors affiliated with MOIS.\r\nFigure 3. Screenshot of the Jason.exe tool\r\nRansomware and wiper\r\nThe cyberattack on the Albanian government used a common tactic of Iranian state-sponsored actors by deploying\r\nransomware first, followed by deployment of the wiper malware. The wiper and ransomware both had forensic links to\r\nIranian state and Iran-affiliated groups. The wiper that DEV-0842 deployed in this attack used the same license key and\r\nEldoS RawDisk driver as ZeroCleare, a wiper that Iranian state actors used in an attack on a Middle East energy company in\r\nmid-2019. 
In that case, IBM X-Force assessed that actors affiliated with EUROPIUM gained initial access nearly a year\r\nahead of the wiper attack. The wiper attack was subsequently performed by a separate and unknown Iranian actor. This is\r\nsimilar to the chain of events Microsoft detected against the Albanian government.\r\nThe code used in this attack had the following properties:\r\nFilename SHA-256\r\ncl.exe e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0\r\nrwdsk.sys 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6\r\nEmbedded in the cl.exe wiper was the hex-string\r\n‘B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D,’ which was the same\r\nlicense key used for the EldoS RawDisk driver of the ZeroCleare wiper documented by IBM X-Force in 2019. The EldoS\r\ndriver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on\r\nthe target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated\r\nactors including actors in Iran with links to MOIS.\r\nThe ransomware payload used in this attack by the DEV-0842 operator had the following properties:\r\nFilename SHA-256\r\nGoXml.exe f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\r\nThis tool was signed with an invalid digital certificate from Kuwait Telecommunications Company KSC. This certificate\r\nhad a SHA-1 thumbprint of 55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f.\r\nMicrosoft telemetry indicates this certificate was only used to sign 15 other files—a very small footprint, suggesting the\r\ncertificate was not widely shared amongst unrelated actor groups. 
Multiple other binaries with this same digital certificate\r\nwere previously seen on files with links to Iran, including a known DEV-0861 victim in Saudi Arabia in June 2021:\r\nFilename SHA-256\r\nRead.exe ea7316bbb65d3ba4efc7f6b488e35db26d3107c917b665dc7a81e327470cb0c1\r\nIt’s not clear if Read.exe was dropped by DEV-0861 on this Saudi victim or if DEV-0861 also handed off access to the Saudi\r\nvictim to DEV-0842.\r\nThe messaging, timing, and target selection of the cyberattacks bolstered our confidence that the attackers were acting on\r\nbehalf of the Iranian government. The messaging and target selection indicate Tehran likely used the attacks as retaliation for\r\ncyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK), an Iranian dissident group largely\r\nbased in Albania that seeks to overthrow the Islamic Republic of Iran.\r\nMessaging\r\nThe attacker’s logo is an eagle preying on the symbol of the hacking group ‘Predatory Sparrow’ inside the Star of David\r\n(Figure 4). This signals the attack on Albania was retaliation for Predatory Sparrow’s operations against Iran, which Tehran\r\nperceives involved Israel. Predatory Sparrow has claimed responsibility for several high-profile and highly sophisticated\r\ncyberattacks against Iran state-linked entities since July 2021. This included a cyberattack that disrupted television\r\nprogramming of the Islamic Republic of Iran Broadcasting (IRIB) with images saluting MEK leaders in late January.\r\nPredatory Sparrow forewarned about the attack hours ahead of time and claimed they supported and paid for it, indicating\r\nothers were involved. 
Iranian officials blamed this cyberattack on the MEK and additionally blamed the MEK and Israel for\r\na cyberattack that used the same images and messaging against the Tehran municipality in June.\r\nThe message in the ransom image indicates that the MEK, a long-standing adversary of the Iranian regime, was the primary\r\ntarget behind their attack on the Albanian government. The ransom image, like several posts by Homeland Justice, the group\r\novertly pushing messages and leaking data linked to the attack, asked “why should our taxes be spent on terrorists of\r\nDurres.” This is a reference to the MEK, whom Tehran considers terrorists and who have a large refugee camp in Durrës County\r\nin Albania.\r\nFigure 4. Ransomware image and Homeland Justice banner\r\nThe messaging linked to the attack closely mirrored the messaging used in cyberattacks against Iran, a common tactic of\r\nIranian foreign policy suggesting an intent to signal the attack as a form of retaliation. The level of detail mirrored in the\r\nmessaging also reduces the likelihood that the attack was a false flag operation by a country other than Iran.\r\nThe contact numbers listed in the ransom image (Figure 4), for example, were linked to multiple senior Albanian\r\nleaders, mirroring the cyberattacks on Iran’s railways and fueling pumps, which included a contact phone number\r\nbelonging to the Iranian Supreme Leader’s Office.\r\nThe messages in the information operations also emphasized targeting of corrupt government politicians and their\r\nsupport for terrorists and an interest in not harming the Albanian people (Figure 5). Similarly, the attack on Iranian\r\nsteel companies claimed to target the steel factories for their connections to the Islamic Revolutionary Guard Corps\r\n(IRGC) while avoiding harm to Iranians. 
Another cyberattack on an Iranian airline in late 2021, which was claimed\r\nby Hooshyaran-e Vatan (meaning “Observants of the Fatherland” in Farsi), emphasized Tehran’s corruption and\r\nmisappropriation of money on IRGC activities abroad.\r\nFigure 5. Message from Homeland Justice days after the cyberattack.\r\nTiming\r\nThe cyberattack on July 15 occurred weeks after a string of cyberattacks on Iran, one week ahead of the MEK-sponsored\r\nFree Iran World Summit and aligned with other Iranian policy moves against the MEK, further bolstering the likelihood of\r\nIranian involvement. On July 16, the day after the cyberattack, Iran’s Ministry of Foreign Affairs issued a statement\r\ndesignating current and former American politicians for supporting the MEK. The Free Iran World Summit, which the\r\nIranian regime actively opposes, was canceled this year following warnings of possible terrorist threats to the Summit on\r\nJuly 21. A few days after the planned Free Iran World Summit, Iranian official press issued an editorial calling for military\r\naction against the MEK in Albania. This string of events suggests there may have been a whole-of-government Iranian effort\r\nto counter the MEK from Iran’s Ministry of Foreign Affairs, to intelligence agencies, to official press outlets.\r\nTarget selection\r\nSome of the Albanian organizations targeted in the destructive attack were the equivalents of organizations and government\r\nagencies in Iran that experienced prior cyberattacks with MEK-related messaging. 
This suggests the Iranian government\r\nchose those targets to signal the cyberattacks as a form of direct and proportional retaliation, a common tactic of the regime.\r\nParallel information operations and amplification\r\nBefore and after the Homeland Justice messaging campaign was launched, social media persona accounts and a group of\r\nreal-life Iranian and Albanian nationals known for their pro-Iran, anti-MEK views promoted the campaign’s general talking\r\npoints and amplified the leaks published by the Homeland Justice accounts online. The parallel promotion of the Homeland\r\nJustice campaign and its central themes by these entities in the online space—before and after the cyberattack—suggests a\r\nbroad-based information operation aimed at amplifying the impact of the attack.\r\nAhead of the cyberattack, on June 6, Ebrahim Khodabandeh, a disaffected former MEK member, posted an open letter\r\naddressed to Albanian Prime Minister Edi Rama warning of the consequences of escalating tensions with Iran. Invoking\r\n“[h]acking of Tehran municipal systems” and “gas stations,” Khodabandeh claimed that the MEK was the source of\r\n“sabotaging acts against the interests of the Iranian people [sic]” and argued that these constituted “the hostile work of your\r\ngovernment” and had caused “obvious enmity with the Iranian nation [sic].”\r\nFour days later, on June 10, Khodabandeh and the Nejat Society, an anti-MEK NGO that he heads, hosted a group of\r\nAlbanian nationals in Iran. The group included members of another anti-MEK organization called the Association for the\r\nSupport of Iranians Living in Albania (ASILA)—Gjergji Thanasi, Dashamir Mersuli, and Vladimir Veis. Given the highly\r\npolitical nature of ASILA’s work on issues related to a group that Tehran considers a terrorist organization (the MEK), it is\r\nhighly possible that this visit was conducted with sanction from the state. 
Upon their return from Iran, on July 12, Nejat\r\nSociety said Albanian police raided their offices and detained some ASILA members. While Nejat Society said this raid was\r\na result of “false and baseless accusations,” according to local media the raid stemmed from possible connections to Iranian\r\nintelligence services.\r\nFigure 6. ASILA members in Iran in June 2022. Pictured, from left, are Gjergji Thanasi, Ebrahim\r\nKhodabandeh, Dashamir Mersuli, and Vladimir Veis.\r\nIn the wake of the cyberattack, on July 23, Thanasi and Olsi Jazexhi, another Albanian national who frequently appears on\r\nIran’s state-sponsored media outlet PressTV espousing anti-MEK positions, penned a second open letter addressed to then-Albanian President Ilir Meta, also published on Nejat Society’s website. This letter echoed Homeland Justice’s central claim\r\n—namely that Albania’s continuing to host the MEK constituted a danger to the Albanian people. Jazexhi and Thanasi called\r\non Meta to convene Albania’s National Security Council to “consider whether Albania has entered into a cyber and military\r\nconflict with the Islamic Republic of Iran.”\r\nIn May 2021, at around the same time that Iranian actors began their intrusion into Albanian government victim systems,\r\naccounts for two anti-MEK social media personas, which do not appear to correspond to real people, were created on both\r\nFacebook and Twitter. The accounts largely post anti-MEK content and engage with the social media accounts of some of\r\nthe individuals detailed above. 
These two accounts, along with a third, older account, were among the first to promote posts\r\nfrom Homeland Justice accounts on Twitter, and all three dramatically increased the rate of anti-MEK posts after the mid-July 2022 cyberattack became public.\r\nThere is some additional evidence that the role of these personas extended beyond mere social media amplification and\r\ninto content production. One of the personas which repeatedly posted Homeland Justice content had previously written for\r\nthe now-defunct IRGC-linked American Herald Tribune and other fringe news sites, often in negative terms about the MEK.\r\nA second persona account, meanwhile, may have attempted to contact at least one Albanian newspaper ahead of the hack-and-leak, requesting “cooperation”, and the ability to publish with the outlet.\r\nThe parallel promotion of the Homeland Justice campaign and its central themes by these individuals and personas online\r\nboth before and after the cyberattack adds a compelling human dimension to the broader Homeland Justice influence effort.\r\nWhile there were no observed direct relationships between the threat actors responsible for the destructive attack and these\r\nmessaging actors, their actions raise questions worthy of further examination.\r\nObserved actor activity\r\nDART and MSTIC supported the analysis following the ransomware and wiper attack, leveraging Microsoft 365 Defender and collection\r\nof additional forensic artifacts. Analysis identified the use of vulnerabilities to implant web shells for persistence,\r\nreconnaissance actions, common credential harvesting techniques, defense evasion methods to disable security products, and\r\na final attempt at actions on objectives, deploying encryption and wiping binaries. 
The Iranian-sponsored attempt at\r\ndestruction had less than a 10% total impact on the customer environment.\r\nAccess and implant\r\nBased on investigative analysis, starting in May 2021, actors exploited vulnerabilities of a public-facing endpoint to execute\r\narbitrary code that implanted web shells on the unpatched SharePoint server (Collab-Web2.*.*), as stated previously. These\r\ngeneric web shells provided the ability to upload files, download files, delete files, rename files, and execute commands with an\r\noption to run as a specific user.\r\nFigure 7. The web shell console from the attacker’s point of view\r\nWeb shells were placed in the following locations:\r\nC:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\evaluatesiteupgrade.cs.aspx\r\nC:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\Pickers.aspx\r\nC:\\ProgramData\\COM1\\frontend\\Error4.aspx\r\nLateral movement and execution\r\nFollowing initial access and implant, the threat actor was observed using Mimikatz for credential harvesting and a\r\ncombination of Impacket and Remote Desktop Clients for lateral movement efforts using the built-in administrator account.\r\nUnrecoverable tooling was identified whose artifacts (executable file names, resident mailbox data, database, and user details)\r\nstrongly suggest that reconnaissance efforts were present. Similar actions by the threat actors observed by\r\nMSTIC and DART detail both custom and open-source tooling utilized for these efforts. 
Artifacts of tooling identified:\r\nIPGeter.exe\r\nFindUser.exe\r\nrecdisc.exe\r\nNetE.exe\r\nadvanced_port_scanner.exe\r\nmimikatz.exe\r\nshared.exe\r\nStored CSV and TXT files\r\nData collection\r\nDuring the period of October 2021 – January 2022, the threat actors used a unique email exfiltration tool which interacted\r\nwith the Exchange Web Services (EWS) APIs to collect email in a manner that masked the actions. The threat actors accomplished\r\nthese actions by creating an identity named “HealthMailbox55x2yq” to mimic a Microsoft Exchange Health Manager\r\nService account using Exchange PowerShell commands on the Exchange Servers. The threat actors then added the account\r\nto the highly privileged Exchange built-in role group “Organization Management” to later add the role of “Application\r\nImpersonation”. The ApplicationImpersonation management role enables applications to impersonate users in an\r\norganization to perform tasks on behalf of the user, providing the ability for the application to act as the owner of a mailbox.\r\nDefense evasion\r\nPrior to launching the final stage of the attack, the threat actors gained administrative access to a deployed endpoint\r\ndetection and response (EDR) solution to make modifications, removing libraries that affected the agents across the\r\nenterprise. In addition, a binary to disable components of Microsoft Defender Antivirus was propagated using custom\r\ntooling. The distributed binary named disable-defender.exe queries for TokenElevation using the GetTokenInformation API\r\nand checks if the process is running with elevated privileges. If the token is not elevated, the binary\r\nprints “Must run as admin!\\n”. If the token is elevated, it queries TokenUser and checks if the SID is “S-1-5-18”. 
If the\r\ncurrent process doesn’t run under the SYSTEM context, it prints “Restarting with privileges\\n” and attempts to elevate the\r\nprivilege.\r\nTo elevate the privilege, the binary checks whether the TrustedInstaller service is enabled, starts it, and enables\r\n“SeDebugPrivilege” and “SeImpersonatePrivilege” on its own token. It then looks for the winlogon.exe process,\r\nacquires its token, and impersonates it on the calling thread using ImpersonateLoggedOnUser/SetThreadToken. After impersonating\r\nwinlogon.exe, it opens the TrustedInstaller process, acquires its token for impersonation, and creates a new process with\r\nelevated privileges using CreateProcessWithTokenW.\r\nFigure 8. How the attacker is able to evade defense components\r\nOnce it successfully creates its own process with TrustedInstaller privilege, it proceeds to disable Defender components.\r\nTerminates smartscreen.exe\r\nModifies WinDefend service to DemandLoad.\r\nModifies “TamperProtection” value to 0\r\nQueries WMI “Root\\Microsoft\\Windows\\Defender” Namespace “MSFT_MpPreference” class for\r\n“DisableRealtimeMonitoring”\r\nSets “DisableAntiSpyware” value to 1\r\nSets “SecurityHealth” value to 3\r\nSets “DisableAntiSpyware” value to 0\r\nSets “SYSTEM\\CurrentControlSet\\Services\\WinDefend” service “Start” value to 3\r\nSets “DisableRealtimeMonitoring” value to 1\r\nModifies further settings using WMI “Root\\Microsoft\\Windows\\Defender” Namespace “MSFT_MpPreference” class\r\nvalues:\r\n“EnableControlledFolderAccess”\r\n“PUAProtection”\r\n“DisableRealtimeMonitoring”\r\n“DisableBehaviorMonitoring”\r\n“DisableBlockAtFirstSeen”\r\n“DisablePrivacyMode”\r\n“SignatureDisableUpdateOnStartupWithoutEngine”\r\n
“DisableArchiveScanning”\r\n“DisableIntrusionPreventionSystem”\r\n“DisableScriptScanning”\r\n“DisableAntiSpyware”\r\n“DisableAntiVirus”\r\n“SubmitSamplesConsent”\r\n“MAPSReporting”\r\n“HighThreatDefaultAction”\r\n“ModerateThreatDefaultAction”\r\n“LowThreatDefaultAction”\r\n“SevereThreatDefaultAction”\r\n“ScanScheduleDay”\r\nAdditional evasion techniques included the deletion of tooling, Windows events, and application logs.\r\nActions on objective\r\nDistribution of the encryption and wiping binaries was accomplished with two methods via a custom SMB remote file copy\r\ntool Mellona.exe, originally named MassExecuter.exe. The first method remotely copied the ransom binary GoXml.exe and\r\na BAT file that triggers the execution of the ransom or wiper on a user login. The second method was by remotely invoking\r\nthe ransom binary with the Mellona.exe tool after the SMB remote file copy.\r\nFigure 9. Process Command lines for Mellona.exe used to distribute malware\r\nwin.bat – Batch file for ransom execution – Trojan:Win32/BatRunGoXml\r\nExecutes the ransom binary from the All Users Startup folder and will be executed on the trigger of a user login.\r\nFigure 10. Win.bat contents\r\nGoXml.exe – ransomware binary – Ransom:Win32/Eagle!MSR\r\nTakes \u003e= 5 arguments; the arguments can be anything, as it checks only the argument count. 
If the number of the\r\ncommand line arguments is less than 5, it will error and create an Open dialog box via GetOpenFileNameA that lets\r\nthe user open a *.xml file.\r\nIf 5 or more command line arguments were provided, it will first check for running instances by opening the Mutex\r\nbelow via OpenMutexA:\r\n“Global\\\\abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890”\r\nIf there are no other running instances, it will create the Mutex above via CreateMutexA.\r\nAttempts to mount all the volumes:\r\nFinds available volumes via FindFirstVolumeW and FindNextVolumeW.\r\nRetrieves the mounted folders of the volume via GetVolumePathNamesForVolumeNameW.\r\nIf there is no mount point for the volume, creates a new directory named c:\\\\HD%c (%c is A, B, C, …) via\r\nCreateDirectoryW.\r\nMounts the volume to the newly created directory via SetVolumeMountPointW.\r\nLaunches cmd.exe and runs the following batch script through an anonymous pipe:\r\nFigure 11. Batch script content of the ransomware\r\nStrings are encrypted with the RC4 algorithm using the key “8ce4b16b22b58894aa86c421e8759df3”.\r\nGenerates a key using the rand() function and uses it to derive the RC4 key that encrypts files. The derived key is then\r\nencrypted with a public key hardcoded in the file.\r\nThis encrypted key is then encoded with customized Base64 characters and appended to the ransom note.\r\nRenames the file as [original file name].lck, and then encrypts the renamed file.\r\nDrops a ransom note file named How_To_Unlock_MyFiles.txt in each folder before encrypting the files; the ransom\r\nnotes are written in Albanian.\r\nFigure 12. 
Ransom note written in Albanian\r\nPerforms a self-delete by launching cmd.exe and executing a batch script through an anonymous pipe to perform the deletion.\r\nFigure 13. Batch script for deletion\r\ncl.exe – wiper – DoS:Win64/WprJooblash\r\ncl.exe takes the following parameters:\r\ncl.exe in – Installs the driver rwdsk.sys and its service\r\ncl.exe un – Uninstalls the driver rwdsk.sys and its service\r\ncl.exe wp \u003cPATH\u003e – Wipes the given path leveraging the rwdsk.sys driver\r\nFigure 14. The malware using rwdsk.sys\r\nService created: HKLM\\SYSTEM\\CurrentControlSet\\Services\\RawDisk3\r\nThe installed driver should be located in C:\\Windows\\System32\\drivers\\rwdsk.sys or in the same directory in which cl.exe is\r\nstaged.\r\nFigure 15. Directory where the driver is installed\r\nWhen a path (for example, \\??\\PHYSICALDRIVE0) is provided with the ‘wp’ parameter, it is passed to the function below\r\ntogether with the GENERIC_READ | GENERIC_WRITE access value and the hexadecimal value\r\n“B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D”. Based on the\r\nreference below, the same hex value was used in the ZeroCleare wiper in 2020. IBM confirms this value is the license key\r\nfor RawDisk.\r\nFigure 16. 
Hex value used in ZeroCleare Wiper\r\nRecommended customer actions\r\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the\r\nsecurity considerations provided below:\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess for\r\npotential intrusion\r\nBlock inbound traffic from IPs specified in the Indicators of compromise table\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured\r\nwith single-factor authentication, to confirm authenticity and investigate any anomalous activity\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is\r\nenforced for all remote connectivity\r\nNOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft\r\nAuthenticator to secure your accounts\r\nEnable Microsoft Defender Antivirus tamper protection to prevent malicious apps from disabling components of\r\nMicrosoft Defender Antivirus\r\nUnderstand and assess your cyber exposure with advanced vulnerability and configuration assessment tools\r\nIndicators of compromise (IOCs)\r\nThe table below shows IOCs observed during our investigation. 
We encourage our customers to investigate these indicators\r\nin their environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nIndicator | Type | Description\r\nGoXml.exe | SHA-256 | f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\r\n“w.zip”, “cl.exe”, “cls5.exe” | SHA-256 | e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0\r\nWin.bat | SHA-256 | bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6\r\nADExplorer.exe | SHA-256 | bb45d8ffe245c361c04cca44d0df6e6bd7596cabd70070ffe0d9f519e3b620ea\r\nLdd.2.exe | SHA-256 | e67c7dbd51ba94ac4549cc9bcaabb97276e55aa20be9fae909f947b5b7691e6b\r\nMellona.exe | SHA-256 | ac4809764857a44b269b549f82d8d04c1294c420baa6b53e2f6b6cb4a3f7e9bd\r\nSl.exe | SHA-256 | d1bec48c2a6a014d3708d210d48b68c545ac086f103016a20e862ac4a189279e\r\nHxD.exe (Hex Editor) | SHA-256 | d145058398705d8e20468332162964dce5d9e2ad419f03b61adf64c7e6d26de5\r\nLsdsk.exe | SHA-256 | 1c926d4bf1a99b59391649f56abf9cd59548f5fcf6a0d923188e7e3cab1c95d0\r\nNTDSAudit.exe | SHA-256 | fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b\r\nDisable-defender.exe | SHA-256 | 45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace\r\nRognar.exe | SHA-256 | dfd631e4d1f94f7573861cf438f5a33fe8633238d8d51759d88658e4fbac160a\r\nIpgeter.exe | SHA-256 | 734b4c06a283982c6c3d2952df53e0b21e55f3805e55a6ace8379119d7ec1b1d\r\nevaluatesiteupgrade.aspx | SHA-256 | f8db380cc495e98c38a9fb505acba6574cbb18cfe5d7a2bb6807ad1633bf2df8\r\nPickers.aspx | SHA-256 | 0b647d07bba697644e8a00cdcc8668bb83da656f3dee10c852eb11effe414a7e\r\nClientBin.aspx | SHA-256 | 7AD64B64E0A4E510BE42BA631868BBDA8779139DC0DAAD9395AB048306CC\r\n
App_Web_bckwssht.dll | SHA-256 | CAD2BC224108142B5AA19D787C19DF236B0D12C779273D05F9B0298A63DC1\r\nC:\\Users\\\u003cUser name\u003e\\Desktop\\ | Staging directory\r\nC:\\ProgramData\\ | Staging directory\r\nC:\\Users\\\u003cUser name\u003e\\Desktop\\a | Staging directory\r\nC:\\ProgramData\\1\\ | Staging directory\r\nC:\\ProgramData\\2\\ | Staging directory\r\n144[.]76[.]6[.]34 | IP address | Accessed web shell\r\n148[.]251[.]232[.]252 | IP address | Accessed web shell\r\n148[.]251[.]233[.]231 | IP address | Accessed web shell\r\n176[.]9[.]18[.]143 | IP address | Accessed web shell\r\n185[.]82[.]72[.]111 | IP address | Accessed web shell\r\n216[.]24[.]219[.]65 | IP address | Accessed web shell\r\n216[.]24[.]219[.]64 | IP address | Accessed web shell\r\n46[.]30[.]189[.]66 | IP address | Accessed web shell\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nMicrosoft Defender Threat Intelligence Community members and customers can find summary information and all IOCs\r\nfrom this blog post in the linked Microsoft Defender Threat Intelligence article.\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft Defender Antivirus\r\nTrojanDropper:ASP/WebShell!MSR (web shell)\r\nTrojan:Win32/BatRunGoXml (malicious BAT file)\r\nDoS:Win64/WprJooblash (wiper)\r\nRansom:Win32/Eagle!MSR (ransomware)\r\nTrojan:Win32/Debitom.A (disable-defender.exe)\r\nMicrosoft Defender for Endpoint EDR\r\nMicrosoft Defender for Endpoint customers should watch for these alerts that can detect behavior observed in this campaign.\r\nNote however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.\r\nSuspicious behavior by Web server process\r\nMimikatz credential 
theft tool\r\nOngoing hands-on-keyboard attack via Impacket toolkit\r\nSuspicious RDP connection observed\r\nAddition to Exchange Organization Management role group\r\nTrustedInstaller hijack attempt\r\nMicrosoft Defender Antivirus tampering\r\nProcess removed a security product\r\nTamper protection bypass\r\nSuspicious file in startup folder\r\nRansomware behavior detected in the file system\r\nRansomware behavior by remote device\r\nEmerging threat activity group\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the Exchange\r\n(ProxyLogon) and SharePoint vulnerabilities used in the attack:\r\nCVE-2019-0604\r\nCVE-2021-26855\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nTo locate possible threat actor activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed\r\nbelow:\r\nIdentify threat actor IOCs\r\nThis query identifies a match based on IOCs related to EUROPIUM across various Microsoft Sentinel data feeds:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EUROPIUM_September2022.yaml\r\nIdentify Microsoft Defender Antivirus detection related to EUROPIUM\r\nThis query looks for Microsoft Defender AV detections related to the EUROPIUM actor and joins the alert with other data\r\nsources to surface additional information such as device, IP, signed-in users, etc.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/EuropiumAVHits.yaml\r\nIdentify creation of an unusual identity\r\nThe query below identifies creation of an unusual identity by the EUROPIUM actor to mimic the Microsoft Exchange Health\r\nManager Service account using Exchange PowerShell 
commands.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml\r\nMicrosoft 365 Defender\r\nTo locate possible threat actor activity mentioned in this blog post, Microsoft 365 Defender customers can use the queries\r\ndetailed below:\r\nIdentify EUROPIUM IOCs\r\nThe following query can locate activity possibly associated with the EUROPIUM threat actor. Github link\r\nDeviceFileEvents | where SHA256 in (\"f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\",\"e1204e\r\nIdentify Microsoft Defender Antivirus detection related to EUROPIUM\r\nThis query looks for Microsoft Defender Antivirus detections related to the EUROPIUM actor. Github link\r\nlet europium_sigs = dynamic([\"BatRunGoXml\", \"WprJooblash\", \"Win32/Eagle!MSR\", \"Win32/Debitom.A\"]);\r\nAlertEvidence\r\n| where ThreatFamily in~ (europium_sigs)\r\n| join AlertInfo on AlertId\r\n| project ThreatFamily, AlertId\r\nIdentify unusual identity additions related to EUROPIUM\r\nThis query looks for identity additions through Exchange PowerShell. Github link\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_any (\"New-Mailbox\",\"Update-RoleGroupMember\") and ProcessCommandLine has \"Health\r\nSource: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"
	],
	"report_names": [
		"microsoft-investigates-iranian-attacks-against-the-albanian-government"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f84f8cb135a78dd009009e176401045f8fb13e3c.pdf",
		"text": "https://archive.orkl.eu/f84f8cb135a78dd009009e176401045f8fb13e3c.txt",
		"img": "https://archive.orkl.eu/f84f8cb135a78dd009009e176401045f8fb13e3c.jpg"
	}
}