Threats Feed | APT34 | Last Updated: 30/04/2025 | Author: Certfa Radar | Publish Date: 24/06/2022

APT34’s Saitama Agent: Phishing and DNS Tunneling in Jordan

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Dropper, Malicious Macro, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

APT34's Saitama Agent employs a spear phishing email with a malicious Excel attachment to deliver malware using unique DNS tunneling and stateful programming techniques. The Excel document contains a VBA macro that hides its activities and communicates with the C2 server using DNS requests. The macro checks for mouse connections, drops multiple files, and uses a scheduled task for persistence. The campaign appears to be targeting Jordan, leveraging a Jordanian government ministry's logo to deceive victims.

Detected Targets

Type      Description   Confidence
Region    Jordan        High

Extracted IOCs


Tip: 15 IOCs related to this threat (0 IP, 3 domain, 0 URL, 0 email, 12 file hash) have been found.

FAQs

Understanding the APT34 Saitama Malware Attack

A new malware called "Saitama," linked to the APT34 group, was delivered through a phishing email containing a malicious Excel attachment. When the file is opened and macros are enabled, the malware installs a stealthy backdoor.

The attack is attributed to APT34, a known Iranian cyber espionage group that targets government, energy, and critical infrastructure organizations in the Middle East and beyond.

The malware aims to silently take control of infected systems, gather internal information, execute commands, and exfiltrate data without detection using DNS tunneling techniques.

The attack appeared to impersonate a Jordanian government ministry, suggesting regional government organizations or contractors may have been targeted.

The malware was embedded in an Excel document. When the user enabled macros, it dropped a malicious program that communicates with external servers using hidden DNS queries and responds based on pre-defined program states.

Government and infrastructure organizations often store sensitive information and control critical systems, making them high-value targets for espionage.

Organizations should disable macros by default, monitor DNS traffic for suspicious patterns, and implement strict access controls and endpoint detection solutions.
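One way to turn "monitor DNS traffic for suspicious patterns" into a concrete check, as an added example that is not taken from the report: it scans constructed resolver log lines for clients that send many distinct, high-entropy subdomains to one base domain, the footprint a DNS-tunneling C2 channel like the one described above leaves. The log format, thresholds and placeholder domains are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS resolver log (timestamp, client, query name).
# Domains are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2022-06-24T09:00:01 10.0.0.5 www.example.com
2022-06-24T09:00:02 10.0.0.5 mail.example.com
2022-06-24T09:00:03 10.0.0.7 a1f9c3e77b2d.c2-placeholder.test
2022-06-24T09:00:04 10.0.0.7 b02ee4d19f7a.c2-placeholder.test
2022-06-24T09:00:05 10.0.0.7 4c8d01aa9e3b.c2-placeholder.test
2022-06-24T09:00:06 10.0.0.7 9f2b7c0d1e5a.c2-placeholder.test
2022-06-24T09:00:07 10.0.0.7 0d3e5f7a9b1c.c2-placeholder.test
2022-06-24T09:00:08 10.0.0.9 cdn.example.org
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores far higher than hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, base domain). Naive two-label base; production
    code should consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(log_text: str, min_unique: int = 5,
                              min_entropy: float = 3.0) -> list[dict]:
    """Flag (client, base domain) pairs that send many distinct high-entropy
    subdomains: the shape data takes when it is encoded into DNS queries."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        sub, base = split_name(qname)
        if sub and shannon_entropy(sub) >= min_entropy:
            seen[(client, base)].add(sub)
    return [
        {"client": c, "domain": d, "unique_subdomains": len(subs)}
        for (c, d), subs in sorted(seen.items())
        if len(subs) >= min_unique
    ]

if __name__ == "__main__":
    for hit in find_tunneling_candidates(SAMPLE_LOG):
        print(hit)
```

Thresholds need tuning per environment; CDNs and some telemetry services legitimately generate many unique subdomains, so allow-list known base domains before alerting.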

This appears to be a targeted attack with specific goals, likely focused on espionage. However, the underlying techniques could be reused in broader campaigns.