Threats Feed

Seculert researchers uncovered a sustained spear-phishing campaign dubbed Mahdi, which relied on malicious Word document attachments delivering a simple malware dropper alongside decoy content related to Iran–Israel electronic warfare. The malware communicated with command-and-control servers using disguised, Google-like web pages, with payload modules Base64-encoded inside HTML. Analysis revealed Farsi language artifacts and Persian calendar dates, suggesting an Iranian nexus. Variants were active from at least December 2011, initially hosted in Iran and later in Canada. The campaign targeted critical infrastructure companies, financial services, and government embassies across Iran, Israel, and other Middle Eastern countries, compromising more than 800 victims over eight months.

The Madi campaign is a long-running cyber espionage operation that has been active for nearly a year, targeting individuals and organizations primarily across Iran, Israel, Afghanistan, and other countries worldwide. The attackers relied on basic but effective social engineering techniques, including spearphishing emails with malicious PowerPoint slide shows and executables disguised using Right-to-Left Override (RTLO) filenames. Once executed, the Delphi-based malware enabled extensive surveillance through keylogging, screenshot capture, audio recording, and large-scale data theft. Victims included government agencies, critical infrastructure engineering firms, financial institutions, academia, and selected individuals whose communications were monitored over extended periods.