Madi Trojan Campaign Uses Social Engineering to Target Energy and Government Sectors
- Actor Motivations: Espionage
- Attack Vectors: Keylogger, Spyware, Trojan, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/Low Probability
Threat Overview
Symantec Security Response has identified Madi, a Trojan used in targeted social engineering campaigns observed since December 2011. The attacks relied on phishing emails carrying malicious PowerPoint attachments that prompted victims to manually execute an embedded file. Once installed, Trojan.Madi enabled information theft, including keylogging, and supported self-updating capabilities. The malware communicated with command-and-control servers hosted primarily in Iran and later Azerbaijan. Targets spanned multiple sectors, including oil and energy companies, government agencies, a foreign consulate, and US-based think tanks. While victims were concentrated in Middle Eastern countries such as Iran, Israel, and Saudi Arabia, infections were also observed globally, from the United States to New Zealand. The campaign relied entirely on social engineering rather than exploits or zero-day vulnerabilities.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | Energy | Verified |
| Sector | Researchers | Verified |
| Region | Australia | Verified |
| Region | Ecuador | Verified |
| Region | Greece | Verified |
| Region | Iraq | Verified |
| Region | Israel | Verified |
| Region | Mozambique | Verified |
| Region | New Zealand | Verified |
| Region | Saudi Arabia | Verified |
| Region | Switzerland | Verified |
| Region | United States | Verified |
| Region | Vietnam | Verified |
FAQs
Understanding the Madi Attacks
A cyber espionage campaign used malicious PowerPoint attachments in emails to trick users into installing data-stealing malware.
While some suspected a nation-state due to the targets, evidence suggests an unknown Farsi-speaking hacker group is responsible.
The malware aimed to collect sensitive information through keylogging and system monitoring, likely for espionage or broad intelligence gathering.
Organizations across oil, government, and research sectors were targeted—particularly in the Middle East, but also as far as the US and New Zealand.
Attackers used socially engineered PowerPoint files with dramatic imagery and prompts to get users to execute malware on their machines.
They are likely considered valuable sources of geopolitical, energy, or strategic information.
Avoid opening unexpected email attachments, enable macro restrictions, monitor system behaviors for suspicious activity, and train staff to recognize social engineering tactics.
It was a targeted campaign, but the techniques used—especially social engineering—are common and still pose a broad risk.
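The overview above describes the Madi delivery chain (a PowerPoint attachment carrying an embedded file that the victim is prompted to run) and the FAQ recommends monitoring attachments for exactly this pattern. The script below is an added example for the defender side of that advice; it is not Symantec's code and is not derived from a Madi sample. It assumes the attachment is an Office Open XML presentation (.pptx/.ppsx), which is a ZIP whose embedded objects live under `ppt/embeddings/` and are referenced from the slide `.rels` parts; the page does not state which PowerPoint format Madi used, so that is an assumption. The sample presentations it scans are constructed in memory.

```python
"""Mail-gateway triage for presentations that carry an embedded object the
recipient could be prompted to execute (the Madi delivery pattern).
Added example, not Symantec's code. Assumption: OOXML container layout."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # compound file header
PE_STUB = b"This program cannot be run in DOS mode"      # DOS stub in normal PE files
# Stream name used by the OLE "Packager" object, stored UTF-16LE in the directory
PACKAGER_STREAM = "\x01Ole10Native".encode("utf-16-le")
OLE_REL_TYPE = "relationships/oleObject"


def inspect_embedded(data: bytes) -> dict:
    """Classify one embedded object using cheap byte-level signals."""
    return {
        "ole_container": data.startswith(OLE_MAGIC),
        "packaged_file": PACKAGER_STREAM in data,    # a user-runnable file wrapped inside
        "pe_payload": data.startswith(b"MZ") or PE_STUB in data,
    }


def risk_level(obj: dict) -> str:
    """Map the signals to a triage level; a PE anywhere in the object is high."""
    if obj["pe_payload"]:
        return "high"
    if obj["packaged_file"]:
        return "medium"
    return "low"


def scan_presentation(blob: bytes) -> dict:
    """Walk a .pptx/.ppsx ZIP, list embedded objects and return a verdict."""
    report = {"embedded": [], "ole_relationships": 0, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        # Slide relationship parts reference embedded objects by type; count them
        # as an independent signal even if the object part itself is missing.
        for name in names:
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                rels = z.read(name).decode("utf-8", "replace")
                report["ole_relationships"] += rels.count(OLE_REL_TYPE)
        for name in names:
            if not name.startswith("ppt/embeddings/"):
                continue
            data = z.read(name)
            obj = inspect_embedded(data)
            obj.update(name=name, size=len(data), risk=risk_level(obj))
            report["embedded"].append(obj)
    levels = [o["risk"] for o in report["embedded"]]
    if "high" in levels:
        report["verdict"] = "block"
    elif levels or report["ole_relationships"]:
        report["verdict"] = "review"   # embedded content present: human look needed
    return report


def build_sample(with_payload: bool) -> bytes:
    """Construct a minimal presentation in memory (constructed test data, not a
    real lure). With with_payload=True it contains a Packager object wrapping a
    fake PE; otherwise it has no embedded objects at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        rels = "<Relationships/>"
        if with_payload:
            rels = ('<Relationships><Relationship Id="rId2" Type="http://schemas'
                    '.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
                    ' Target="../embeddings/oleObject1.bin"/></Relationships>')
            fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + PE_STUB
            obj = OLE_MAGIC + b"\x00" * 24 + PACKAGER_STREAM + b"\x00" * 8 + fake_pe
            z.writestr("ppt/embeddings/oleObject1.bin", obj)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_presentation(build_sample(flag)))
```

The byte-signature checks are deliberately crude so the script stays dependency-free; in production a proper OLE parser (for example oletools) should extract the `\x01Ole10Native` stream and hash the packaged file for lookup. The `review` verdict for any embedded object is the point: for a campaign that relied on manual execution rather than exploits, surfacing attachments with embedded files to an analyst is the control that breaks the chain.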