Two highly destructive malware campaigns—Shamoon 2.0 and StoneDrill—targeted organizations primarily in Saudi Arabia starting in late 2016. These attacks wiped data from infected machines, rendering them unusable.

Who was behind the attacks?

The actors are not definitively attributed, but Shamoon has previously been linked to a group called the Cutting Sword of Justice. StoneDrill shows links to another group known as NewsBeef or Charming Kitten.

What was the goal of the attack?

The aim was destruction. Shamoon 2.0 and StoneDrill were designed to wipe or encrypt systems within targeted organizations, effectively disabling operations and causing widespread damage.

How widespread was the attack?

The main targets were in Saudi Arabia, especially in critical and economic sectors. However, StoneDrill also reached at least one organization in Europe, suggesting expanding geographic interest.

Were specific organizations or industries targeted?

Yes. Critical infrastructure and economic sectors in Saudi Arabia were specifically targeted, likely due to their strategic importance.

How was the attack carried out?

Attackers used stolen administrator credentials to move through networks and deploy wiper payloads. The malware activated automatically at preset times, wiping or encrypting data and rebooting systems.

Why are these organizations attractive to attackers?

Critical infrastructure and economic institutions represent strategic national assets. Disrupting them can serve political, economic, or ideological purposes.

What can organizations do to protect themselves?

Organizations should enforce strict credential management, segment networks, monitor endpoints for suspicious behavior, and be prepared with tested incident response plans.

Is this a targeted threat or a general risk?

These were targeted attacks, but they highlight techniques that could be reused elsewhere. Organizations with similar profiles should consider themselves at risk.

Threats Feed|NewsBeef|Last Updated 23/05/2025|AuthorCertfa Radar|Publish Date06/03/2017

Shamoon 2.0 and StoneDrill Revive Wiper Threats Across Saudi and European Targets

Actor Motivations: Sabotage
Attack Vectors: Compromised Credentials,Backdoor,Ransomware,Wiper
Attack Complexity: High
Threat Risk: High Impact/High Probability

Threat Overview

Beginning in late 2016, Shamoon 2.0 and the newly discovered StoneDrill malware launched destructive wiper attacks against critical and economic sectors in Saudi Arabia, with evidence of StoneDrill reaching European targets. Shamoon 2.0, a successor to the 2012 Saudi Aramco attack tool, incorporated stolen administrator credentials, automated worm-like spreading, disk wiping, and even inactive ransomware capabilities. StoneDrill introduced advanced sandbox evasion, injected its payload into browsers, and targeted accessible files or full disks. Both malware families used obfuscation, anti-analysis tricks, and in Shamoon’s case, signed drivers for low-level destruction. StoneDrill shared code similarities with the NewsBeef (aka Charming Kitten) APT, suggesting broader regional targeting and actor overlap.

Reference and Credit: Kaspersky - March 2017

From Shamoon to StoneDrill

Detected Targets

Type	Description	Confidence
Sector	Energy	High
Region	Saudi Arabia	Verified
Region	European Countries	Verified

Extracted IOCs

service1.chrome-up[.]date
service.chrome-up[.]date
webmaster.serveirc[.]com
www.actdire[.]com
www.chrome-up[.]date
www.chromup[.]com
www.eservic[.]com
www.securityupdated[.]com
00c417425a73db5a315d23fac8cb353f
0ccc9ec82f1d44c243329014b82d3125
1493d342e7a36553c56b2adea150949e
271554cff73c3843b9282951f2ea7509
2cd0a5f1e9bcce6807e57ec8477d222a
33a63f09e0962313285c0f0fb654ae11
38f3bed2635857dc385c5d569bbc88ac
41f8cd9ac3fb6b1771177e5770537518
42f883d029b47f9d490a427091da3f5d
5446f46d89124462ae7aca4fce420423
548f6b23799f9265c01feefc6d86a5d3
5bac4381c00044d7f4e4cbfd368ba03b
63443027d7b30ef0582778f1c11f36f3
697c515a46484be4f9597cb4f39b2959
6a7bff614a1c2fd2901a5bd1d878be59
6bebb161bc45080200a204f0a1d6fc08
7772ce23c23f28596145656855fd02fc
7946788b175e299415ad9059da03b1b2
7edd88dd4511a7d5bcb91f2ff177d29d
7f399a3362c4a33b5a58e94b8631a3d5
8405aa3d86a22301ae62057d818b6b68
8712cea8b5e3ce0073330fd425d34416
8e67f4c98754a2373a49eaf53425d79a
8fbe990c2d493f58a2afa2b746e49c86
940cee0d5985960b4ed265a859a7c169
9d40d04d64f26a30da893b7a30da04eb
aae531a922d9cca9ddca3d98be09f9df
ac3c25534c076623192b9381f926ba0d
ac4d91e919a3ef210a59acab0dbb9ab5
ac8636b6ad8f946e1d756cd4b1ed866d
af053352fe1a02ba8010ec7524670ed9
b4ddab362a20578dc6ca0bc8cc8ab986
baa9862b027abd61b3e19941e40b1b2d
c843046e54b755ec63ccb09d0a689674
d30cfa003ebfcd4d7c659a73a8dce11e
da3d900f8b090c705e8256e1193a18ec
dc79867623b7929fd055d94456be8ba0
e3a82d1db3ae8b189d2e1e0a22d6c82f
ec010868e3e4c47239bf720738e058e3
efab909e4d089b8f5a73e0b363f471c1
fb21f3cea1aa051ba2a45e75d46b98b8
105ee777ad31a58301310719b49c7b6a7e957823e4dabbfeaa6a14e313008c1b
128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd
394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b
4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34
61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842
62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260
69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db
772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5
bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc
c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a
eaee62a8238189e8607b24c463a84c83c2331a43b034484972e4b302bd3634d9

download

Tip: 61 related IOCs (0 IP, 8 domain, 0 URL, 0 email, 53 file hash) to this threat have been found.

FAQs

Understanding the Shamoon 2.0 and StoneDrill Wiper Attacks

: Two highly destructive malware campaigns—Shamoon 2.0 and StoneDrill—targeted organizations primarily in Saudi Arabia starting in late 2016. These attacks wiped data from infected machines, rendering them unusable.
: The actors are not definitively attributed, but Shamoon has previously been linked to a group called the Cutting Sword of Justice. StoneDrill shows links to another group known as NewsBeef or Charming Kitten.
: The aim was destruction. Shamoon 2.0 and StoneDrill were designed to wipe or encrypt systems within targeted organizations, effectively disabling operations and causing widespread damage.
: The main targets were in Saudi Arabia, especially in critical and economic sectors. However, StoneDrill also reached at least one organization in Europe, suggesting expanding geographic interest.
: Yes. Critical infrastructure and economic sectors in Saudi Arabia were specifically targeted, likely due to their strategic importance.
: Attackers used stolen administrator credentials to move through networks and deploy wiper payloads. The malware activated automatically at preset times, wiping or encrypting data and rebooting systems.
: Critical infrastructure and economic institutions represent strategic national assets. Disrupting them can serve political, economic, or ideological purposes.
: Organizations should enforce strict credential management, segment networks, monitor endpoints for suspicious behavior, and be prepared with tested incident response plans.
: These were targeted attacks, but they highlight techniques that could be reused elsewhere. Organizations with similar profiles should consider themselves at risk.

About Affiliation

NewsBeef

Associate threats

NewsBeef APT Revives BeEF for Global Watering Hole Campaigns