Latest Update30/06/2025

Threats Feed

  1. Public

    Shamoon 2.0 and StoneDrill Revive Wiper Threats Across Saudi and European Targets

    Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching European targets. Shamoon 2.0, a successor to the 2012 Saudi Aramco attack tool, incorporated stolen administrator credentials, automated worm-like spreading, disk wiping, and even inactive ransomware capabilities. StoneDrill introduced advanced sandbox evasion, injected its payload into browsers, and targeted accessible files or full disks. Both malware families used obfuscation, anti-analysis tricks, and in Shamoon’s case, signed drivers for low-level destruction. StoneDrill shared code similarities with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.

    read more about Shamoon 2.0 and StoneDrill Revive Wiper Threats Across Saudi and European Targets
  2. Public

    Disttrack Malware Decimates Saudi Critical Infrastructure

    The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history, its resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. This abstract succinctly captures the essence of the malware's threat and operational dynamics for a general audience.

    read more about Disttrack Malware Decimates Saudi Critical Infrastructure
  3. Public

    Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics

    In mid-November 2016, Mandiant responded to the Shamoon 2.0 malware attack targeting organizations in the Gulf states, marking the return of the suspected Iranian hacker group "Cutting Sword of Justice." This updated version of the 2012 Shamoon malware features embedded credentials, suggesting previous targeted intrusions for credential harvesting. Shamoon 2.0 performs subnet scanning, uses domain-specific credentials for unauthorized access, modifies system registries, and schedules tasks for execution. Its payload involves overwriting system files and wiping boot records, notably shifting imagery from a burning U.S. flag to a photograph of Alan Kurdi, symbolizing a devastating critique through cyber vandalism.

    read more about Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics