Threats Feed | Unknown | Last Updated: 20/02/2026 | Author: Certfa Radar | Publish Date: 19/12/2018

Beyond Disttrack: Unraveling Shamoon 3's Complex Wiper Malware Campaign

  • Actor Motivations: Sabotage
  • Attack Vectors: Trojan, Wiper
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

Unit 42's continued investigation into the Shamoon 3 attacks on an oil and gas organization revealed a new wiper Trojan related to the Disttrack malware, utilizing the SuperDelete tool's modified source code. Unlike previous variants, this wiper doesn't spread across networks but overwrites files with random data, complicating recovery. Notably, it carries a religious message, discovered only upon in-depth analysis. Further analysis identified Loader and Spreader Trojans, indicating a sophisticated approach to distribute the wiper across compromised networks, echoing tactics from Shamoon 2.

Detected Targets

Type     Description    Confidence
Sector   Oil and Gas    Verified

Extracted IOCs

  • 0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d
  • 0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe
  • 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
  • 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c
  • 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a
  • 5257f623270b4c5cc471ff35b1bfeec80ab37c7e012da76b50ebd2c4911a43d0
  • c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f
  • d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
  • e5bf756d5530ec38ff649b901b3c7506f8556821d979bdcb392237f2ff40daf8

Tip: 9 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 9 file hash) to this threat have been found.
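The nine indicators above are SHA-256 file hashes, so the most direct way to use them is a filesystem sweep that hashes every file and reports matches. The script below is an added example written for this page, not code from Certfa Radar or from any of the cited reports. The only values taken from the page are the nine hashes in SHAMOON3_SHA256; the function names, the IOC-list parser and the constructed sample directory it scans when run directly are all assumptions of this example.

```python
import hashlib
import os
import tempfile

# The nine SHA-256 file hashes listed in the IOC section of this feed entry.
SHAMOON3_SHA256 = {
    "0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d",
    "0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe",
    "35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b",
    "391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c",
    "5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a",
    "5257f623270b4c5cc471ff35b1bfeec80ab37c7e012da76b50ebd2c4911a43d0",
    "c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f",
    "d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a",
    "e5bf756d5530ec38ff649b901b3c7506f8556821d979bdcb392237f2ff40daf8",
}


def normalize_hashes(lines):
    """Parse an IOC list in the feed's plain-text form (one hash per line,
    optional bullet, any case) into a set of lowercase 64-hex-char strings.
    Lines that are not a SHA-256 are skipped so a pasted list can be fed in as-is."""
    out = set()
    for line in lines:
        token = line.strip().lstrip("•*- ").strip().lower()
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            out.add(token)
    return out


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=SHAMOON3_SHA256):
    """Walk `root`, hash every regular file and return [(path, sha256)] for
    files whose digest is in `iocs`. Symlinks are skipped to avoid loops, and
    files that cannot be read are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, digest))
    return hits


def make_constructed_tree():
    """Constructed sample input (not real data): a temp directory holding two
    benign files, so the scanner can be exercised offline. Returns its path."""
    root = tempfile.mkdtemp(prefix="ioc_scan_demo_")
    os.makedirs(os.path.join(root, "sub"))
    open(os.path.join(root, "empty.bin"), "wb").close()
    with open(os.path.join(root, "sub", "notes.txt"), "w") as f:
        f.write("constructed sample file, not a malware sample\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_tree()
    hits = scan_tree(target)
    for path, digest in hits:
        print(f"MATCH {digest} {path}")
    print(f"scanned {target}: {len(hits)} match(es)")
```

Run it with a directory argument to sweep a real path; with no argument it builds and scans the constructed sample tree, which yields no matches. Because only SHA-256 values are listed, the sweep finds byte-identical copies of the reported samples and nothing else; a recompiled or repacked variant will not match, which is why the mitigation guidance in the FAQ below (controlling administrative accounts, offline backups) matters more than hash hunting alone.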

Overlaps

Unknown | Shamoon Malware Returns with Enhanced Destructiveness in Middle East's Oil Sector

Source: Symantec - December 2018

Detection (six cases): 0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d, 0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe, 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b, 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a, c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f, d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a

Unknown | New Disttrack Variant in Shamoon 3 Attack Cripples Saipem's Systems

Source: Palo Alto Networks - December 2018

Detection (three cases): 0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe, 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c, c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

SuperDelete Wiper & Shamoon 3 Attacks

Cybersecurity researchers discovered a new data-wiping malware used during a recent cyberattack. This malware was designed to permanently destroy files on infected computers and was deployed alongside the notorious Shamoon 3 (Disttrack) malware.

The report does not explicitly name a specific threat group, but the attack is directly tied to the actors behind the Shamoon 3 campaigns, who are known for destructive cyber warfare. Interestingly, the malware's developer hid a religious message (a verse from the Quran) deep within the code, though it was designed never to be seen by the victims.

The primary goal of this attack is severe sabotage and data destruction. The malware is specifically engineered to overwrite user files with random data multiple times before deleting them, ensuring that the data cannot be recovered.

Yes. The report indicates that these attacks were specifically targeted at an organization operating within the oil and gas industry.

The attackers used a highly privileged account on a single compromised computer to act as a launchpad. They used a "Loader" program to read a list of target computers, and a "Spreader" program to silently copy and execute the data-wiping tool across the network to those specific machines.

Organizations in the oil and gas sector manage critical infrastructure and are highly sensitive to operational downtime. Disrupting their networks can cause massive economic and logistical impact, making them prime targets for sabotage campaigns.

Organizations should strictly control and monitor administrative accounts to prevent attackers from moving freely across the network. Additionally, maintaining secure, offline backups is critical, as data destroyed by this specific wiper cannot be recovered through standard forensic methods.

This is a highly targeted attack. The malware did not spread randomly; it relied on custom text files containing specific internal computer names that the attackers had gathered during prior surveillance of the victim's network.