ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Madi

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Madi

NamesMadi (Kaspersky)
Mahdi (Kaspersky)
CountryIran Iran
MotivationInformation theft and espionage
First seen2011
Description(Kaspersky) Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.

Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
ObservedSectors: Education, Engineering, Financial, Government, Oil and gas, Think Tanks.
Countries: Australia, Ecuador, Greece, Iran, Iraq, Israel, Mozambique, New Zealand, Pakistan, Saudi Arabia, Switzerland, USA, Vietnam.
Tools usedMadi.
Operations performedJul 2012New and Improved Madi Spyware Campaign Continues
Madi, the religiously-titled spyware that was discovered last week and thought to be dead, appears to be making a comeback, complete with updates.
Counter operationsThe C&C servers have been sinkholed by Kaspersky and Seculert.

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]