Threats Feed | Madi | Last Updated: 30/12/2025 | Author: Certfa Radar | Publish Date: 17/07/2012

Madi Espionage Campaign Targets Middle Eastern Governments and Critical Sectors

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Downloader, Dropper, Keylogger, Spyware, Trojan, Phishing, Spear Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Madi campaign is a long-running cyber espionage operation that, at the time of writing, had been active for nearly a year. It targets individuals and organizations primarily in Iran, Israel and Afghanistan, with further victims in other countries. The attackers relied on basic but effective social engineering: spear-phishing emails carrying malicious PowerPoint slide shows, and executables whose filenames used the Unicode Right-to-Left Override (RTLO) character to hide the real extension so the file appeared to be an image or document. Once executed, the Delphi-based malware enabled extensive surveillance through keylogging, screenshot capture, audio recording and large-scale data theft. Victims included government agencies, critical infrastructure engineering firms, financial institutions, academia and selected individuals whose communications were monitored over extended periods.

Detected Targets

  Type     Description                         Confidence
  Sector   Financial                           Verified
  Sector   Government Agencies and Services    Verified
  Sector   Education                           Verified
  Region   Afghanistan                         Verified
  Region   Iran                                Verified
  Region   Israel                              Verified
  Region   Middle East Countries               Verified

FAQs

Understanding the Madi Campaign

The Madi campaign is a long-running cyber espionage operation targeting individuals and organizations primarily in the Middle East. It uses social engineering and spyware to infiltrate systems and monitor victims.

The exact attribution is unclear, but the operation appears to be conducted by a relatively low-resourced group skilled in deception rather than advanced malware development.

The goal was extensive surveillance. The malware gathered screenshots, keystrokes, recorded audio, and extracted files from targeted users, suggesting an intelligence-gathering motive.

Victims included people in Iran, Israel, Afghanistan, and nearby regions, especially those working in engineering, government, finance, and academia.

Attackers tricked users into opening malicious PowerPoint files or disguised executables whose names made them look like images or PDFs. Once opened, these files installed spyware that monitored the system.

Middle Eastern critical infrastructure and political or academic sectors are often targets for espionage due to their strategic value.

Rather than using complex, zero-day exploits, Madi relied on simple, deceptive techniques that were effective against users with low cybersecurity awareness.

Organizations should train employees to spot suspicious attachments, block risky file types at the mail gateway, monitor for indicators of compromise, and keep endpoint protection up to date.
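The RTLO filename disguise described in the overview and the file-type blocking advised above can both be checked mechanically at a mail gateway. The script below is an example added to this page; it is not Certfa Radar's tooling and not code from the Madi campaign. The attachment names in it are constructed for illustration, the executable-extension list is a partial, assumed one, and the rendering model is a simplification of the Unicode bidi algorithm that is sufficient to reproduce the "fdp.exe looks like .pdf" illusion.

```python
"""Flag attachment names that hide their real extension with U+202E (RTLO).

Example code added to this page; not Certfa Radar's tooling and not code
from the Madi campaign. All sample filenames below are constructed.
"""
import os
import unicodedata

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends an override run

# File types Windows runs on double-click. Assumed, partial list for the
# example; a real gateway policy would be longer and site-specific.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def is_bidi_control(ch: str) -> bool:
    """Unicode format characters (category Cf) cover the bidi overrides,
    embeddings, isolates and the zero-width marks; none belong in a normal
    attachment name."""
    return unicodedata.category(ch) == "Cf"


def displayed_name(name: str) -> str:
    """Approximate what the user sees in a mail client or file explorer.

    Simplified bidi model: characters after U+202E are shown reversed until
    U+202C or the end of the string; every other format character is
    invisible. "Photo_<RTLO>gpj.scr" therefore renders as "Photo_rcs.jpg".
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RTLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if not is_bidi_control(ch):
                out.append(ch)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Compare the extension the OS acts on with the one the user sees."""
    shown = displayed_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    has_bidi = any(is_bidi_control(ch) for ch in name)
    return {
        "raw": name,
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "has_bidi": has_bidi,
        # Spoofed: bidi controls present, the true type is executable, and
        # the visible extension disagrees with the true one.
        "spoofed": has_bidi and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }


def triage(names):
    """Map each risky attachment name to the reason it should be held.

    Names that are neither spoofed nor executable are omitted so that
    callers can treat the result as a quarantine list.
    """
    verdicts = {}
    for n in names:
        info = analyze(n)
        if info["spoofed"]:
            verdicts[n] = "rtlo-spoof"
        elif info["real_ext"] in EXECUTABLE_EXTS:
            verdicts[n] = "executable-attachment"
    return verdicts


# Constructed sample attachment names (not real Madi artifacts).
SAMPLE_ATTACHMENTS = [
    "budget_2012.pdf",                # benign document
    "Photo_" + RTLO + "gpj.scr",      # shows as Photo_rcs.jpg, really a .scr
    "conference" + RTLO + "tpp.exe",  # shows as conferenceexe.ppt, really .exe
    "setup.exe",                      # undisguised executable, still risky
    "notes.txt",                      # benign
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS).items():
        info = analyze(name)
        print(f"{reason:22} displayed={info['displayed']!r} real_ext={info['real_ext']}")
```

The key check is the disagreement between `real_ext` (what `os.path.splitext` sees on the raw string, which is what the shell executes) and `displayed_ext` (what the user reads). Blocking on `has_bidi` alone would also catch legitimate Arabic or Hebrew filenames that use directional marks, so the example only escalates to "rtlo-spoof" when the true type is executable.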

The campaign is targeted but large in scope, with at least 800 known victims. Its ongoing nature and success suggest a broader threat to the region.