Threat Actor

Madi / Mahdi

madi_mahdi · iran · active since 2011-12

Madi / Mahdi (canonical Seculert + Kaspersky GReAT joint naming per the July 17, 2012 disclosure; the name derives from the "mahdi.txt" file dropped on infected computers, referencing Mahdi, the Shiite Islamic messianic figure) is a historical Iran-aligned cyber-espionage cluster publicly active since December 2011, with primary mission objectives of intelligence collection from Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and government agencies communicating in the Middle East.

the cluster pre-dates the modern Iran-aligned cluster naming era and serves as the historical precursor to subsequent, more sophisticated Iran-aligned clusters (apt33_elfin, apt34_oilrig, apt35_charmingkitten, apt39_chafer, muddywater, cyberav3ngers, hexane_lyceum, all curated separately in this corpus; all emerged AFTER the Madi / Mahdi canonical disclosure period).

Iran-aligned attribution is supported by Persian/Farsi language strings throughout the malware and C2 tools, Persian calendar dates in C2 server code, an initial C2 server in Tehran before migration to the 3-Canada-plus-1-Tehran C2 infrastructure pattern, Mahdi Shiite religious naming and themed lures, and target selection consistent with Iranian state strategic interests.

signature tradecraft is amateurish but sustained in operational tempo, per Kaspersky senior malware researcher Nicolas Brulez ("Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection") and Costin Raiu ("the Mahdi attackers relied solely on social engineering", in contrast to the Tibetan/Uighur APT campaigns of the era, which used software exploits).

signature tradecraft includes religious-themed PowerPoint slideshow lures (calm religious wilderness/tropical images), fake document lures (Israel-vs-Iran political content, missile testing, nuclear explosions, Jesus photos), and mahdi.txt file dropping.

800+ confirmed victims via Seculert + Kaspersky joint sinkhole analysis: 387 victims in Iran, 54 in Israel, and additional victims in Afghanistan.

comprehensive surveillance plugins (keylogging, screen capture at specified intervals, audio recording, document/image/archive theft, and email and instant message monitoring).

an operational lineage investigation between Madi and Flame (Kaspersky, 2012) failed to establish a solid connection, though both campaigns targeted critical infrastructure.

fills the historical Iran-aligned precursor cluster cell in the curated corpus.

Iran confidence: high · 10 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Madi / Mahdi (canonical Seculert + Kaspersky GReAT joint naming per the July 17, 2012 disclosure; the name derives from the "mahdi.txt" file dropped on infected computers, referencing Mahdi, the Shiite Islamic messianic figure who according to Islamic beliefs will rule before the Day of Judgment) is a historical Iran-aligned cyber-espionage cluster publicly active since December 2011, with primary mission objectives of intelligence collection from Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and government agencies communicating in the Middle East. The cluster pre-dates the modern Iran-aligned cluster naming era and serves as the historical precursor to subsequent, more sophisticated Iran-aligned clusters (apt33_elfin, apt34_oilrig, apt35_charmingkitten, apt39_chafer, muddywater, cyberav3ngers, hexane_lyceum, etc., all curated separately in this corpus; all emerged AFTER the Madi / Mahdi canonical disclosure period). Madi / Mahdi demonstrates that Iran-aligned cyber operations were active at a modest sophistication tier from at least late 2011, providing historical context for the subsequent development of the Iran-aligned cluster ecosystem.

Iran-aligned attribution is supported but not formally established:
  • (a) Persian/Farsi language strings throughout the malware and C2 tools.
  • (b) Persian calendar dates in C2 server code.
  • (c) Initial C2 server in Tehran before migration to the 3-Canada-plus-1-Tehran infrastructure pattern.
  • (d) Mahdi Shiite religious naming and themed lures.
  • (e) Target selection consistent with Iranian state strategic interests.

Per Seculert at canonical disclosure: "It is still unclear whether this is a state-sponsored attack or not."

Operational phases:
  • (1) OPERATIONAL EMERGENCE (December 2011). The earliest documented operations established the operational pattern: spear-phishing with fake Israel-Iran-themed Word documents, religious-themed PowerPoint slideshow lures, mahdi.txt file dropping (the origin of the cluster name), and Mahdi spyware Trojan deployment.
  • (2) SECULERT INITIAL DETECTION (February 2012). Detected via investigation of a suspicious spear-phishing email containing a fake "Mahdi.txt" document. The initial detection vector was the lure document, which contained a copy of a 2011 Daily Beast article on the Israel-using-cybercrime-to-attack-Iran narrative.
  • (3) SECULERT-KASPERSKY JOINT INVESTIGATION (May-July 2012). Following Kaspersky's Flame discovery (a US/Israel joint operation against the Iranian nuclear program), Seculert contacted Kaspersky to investigate possible Madi-Flame connections. The joint investigation documented Madi as a cluster separate from Flame with a significantly lower sophistication tier. Joint sinkhole analysis enabled comprehensive cluster profiling.
  • (4) CANONICAL DISCLOSURE (July 17, 2012). The simultaneous Seculert + Kaspersky GReAT joint canonical disclosure documented 800+ confirmed victims via sinkhole: 387 in Iran, 54 in Israel, and additional victims in Afghanistan and other Middle Eastern countries.
  • (5) CONTINUED OPERATIONS POST-2012 (Limited Public Visibility). Cluster operations continued at reduced operational tempo with limited public visibility.

Signature operational tradecraft
  • Spear-phishing without software exploits: signature amateurish but successful tradecraft pattern. Per Kaspersky senior malware researcher Nicolas Brulez: "the Mahdi attackers relied solely on social engineering", in contrast to the Tibetan/Uighur APT campaigns of the era, which used software exploits to install cyberespionage malware.
  • Religious-themed PowerPoint slideshow lures: distinctive social engineering tradecraft. Lures include "calm, religious themed, serene wilderness, and tropical images" used "to confuse users and trick them into running a payload."
  • Fake document lures (Israel-vs-Iran political content): signature initial-access tradecraft. Lures included Word documents about missile testing, videos of nuclear explosions, photos of Jesus, and news articles about Israel versus Iran, operationally consistent with religious propaganda framing.
  • mahdi.txt religious file naming: signature operational pattern, Shiite Mahdi messianic figure reference.
  • 3-Canada-plus-1-Tehran C2 infrastructure pattern: signature C2 architecture providing operational obfuscation via Canadian-majority infrastructure while retaining Tehran-based C2 component.
  • Persian/Farsi language strings throughout malware: operationally distinctive, most clusters obscure operational-region linguistic signatures.
  • Persian calendar dates in C2 infrastructure: operationally distinctive attribution signal.
  • Comprehensive surveillance plugins: keystroke logging, screen capture (specified intervals), audio recording, document/image/archive theft, email and instant message monitoring.
  • 800+ victims with 387 Iran / 54 Israel split per Seculert sinkhole: signature victim-distribution pattern.
  • Amateurish but sustained operational tempo: per Nicolas Brulez: "Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection." The cluster fills the historical Iran-aligned precursor cluster cell in this curated corpus, and is distinct from the modern Iran-aligned cluster ecosystem through (a) an earlier active period (December 2011 to July 2012 as the primary tracked period); (b) amateurish tradecraft contrasted with modern Iran-aligned cluster sophistication; (c) signature religious-themed social engineering; (d) historical precursor positioning.

Aliases (10)
  • madi
  • mahdi
  • mahdi malware
  • madi malware
  • madi_mahdi
  • mahdi_madi
  • madi_apt
  • mahdi_apt
  • madi iran
  • mahdi iran

Notable Campaigns (9)
  • 2012-Present: Continued Operations Post-2012 (Limited Public Visibility)
  • 2012-Present: Historical Precursor to Modern Iran-Aligned Cluster Ecosystem
  • 2012: Seculert Initial Detection (February 2012)
  • 2012: Seculert + Kaspersky Joint Investigation Post-Flame (May-July 2012)
  • 2012: Seculert + Kaspersky Joint Canonical Disclosure (July 17, 2012)
  • 2011-2012: Canada-Plus-Tehran C2 Infrastructure Pattern (Signature)
  • 2011-2012: Amateurish But Successful Operational Tradecraft Assessment (Operationally Distinctive)
  • 2011-2012: Religious-Themed PowerPoint Slideshow Lure Tradecraft (Signature)
  • 2011: Madi / Mahdi Operational Emergence (December 2011)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT
  • Seculert (Israeli security firm, now acquired by Radware)
  • Symantec / Broadcom Threat Hunter Team
  • Trend Micro
  • Microsoft Threat Intelligence Center
  • ESET
  • SOPHOS X-Ops
  • CrowdStrike
  • Mandiant
  • Costin Raiu (Kaspersky GReAT Director)
  • Nicolas Brulez (Kaspersky senior malware researcher)
  • Aviv Raff (Seculert CTO)

Key reporting
  • Kaspersky GReAT: The Madi Campaign, Part I (Securelist, July 17, 2012), canonical Kaspersky-side Mahdi / Madi disclosure
  • Kaspersky GReAT: The Madi Campaign, Part II (Securelist, July 17, 2012), canonical comprehensive technical follow-up
  • Seculert: Mahdi, The Cyberwar Savior? (Seculert blog, July 17, 2012), canonical Seculert-side disclosure with sinkhole analysis
  • Symantec: Madi Trojan Uncovered, Targets Attacked in Middle East (July 2012)
  • ESET / WeLiveSecurity: The Mahdi Trojan and International Cyber-Espionage (July 18, 2012)
  • Trend Micro: Madi / Mahdi Continued Tracking Analysis
  • Microsoft Threat Intelligence: Iran-Aligned Historical Cluster Tracking
  • CrowdStrike Global Threat Report: Iran-Aligned Historical Cluster Tracking
  • Mandiant: Madi / Mahdi Operational Context Analysis
  • SOPHOS X-Ops: Iran-Aligned Cluster Tracking (Historical Era)
  • Costin Raiu (Kaspersky GReAT Director): Madi vs Tibetan/Uighur APT Comparison Analysis
  • Nicolas Brulez (Kaspersky senior malware researcher): Madi Operational Assessment
  • Aviv Raff (Seculert CTO): Mahdi Persian Language + C2 Analysis
  • MITRE ATT&CK Group G0011, APT-C-23 / Mahdi (note: MITRE tracks adjacent activity under different naming)
  • Malpedia Actor Profile: Madi / Mahdi

Operational

State sponsor

Iran-aligned cluster; Iran attribution is supported but not formally established at high confidence. Per the Seculert and Kaspersky GReAT canonical July 17, 2012 joint disclosure, the cluster operates at an "amateurish and rudimentary" tradecraft level but with sustained operational tempo against high-profile Iranian and Israeli targets. Iran-aligned attribution is supported by multiple evidence streams: (a) Persian/Farsi language strings throughout the malware: per Seculert CTO Aviv Raff at the time of canonical disclosure: "Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language." The Persian language pattern within malicious code is distinctive; most cluster operators take steps to obscure linguistic signatures of their operating region. (b) Persian calendar dates in C2 infrastructure: per the Seculert and Kaspersky joint disclosure: "It communicates with command and control servers, which also contain code in Farsi and dates from the Persian calendar." The Persian-calendar date pattern supports the Iranian-operator hypothesis. (c) Initial C2 server in Tehran, Iran: per Seculert analysis: "an earlier version of the malware once sent data plundered from victims' computers back to a server in Tehran." Initial C2 infrastructure included a server physically located in Tehran, Iran, before the cluster migrated its C2 infrastructure to Canada-based servers (3 Canadian C2s + 1 Tehran C2 documented at the time of disclosure).

(d) Mahdi religious naming and themed lures: the malware name derives from a Microsoft Word file named "mahdi.txt" dropped on infected computers. Mahdi is a Shiite Islamic messianic figure who, according to Islamic beliefs, will rule before the Day of Judgment and cleanse the world of injustice and wrongdoing, a distinctive Shiite religious reference consistent with an Iranian state-aligned operational identity. Spear-phishing lures included religious-themed PowerPoint slideshows with "calm, religious themed, serene wilderness, and tropical images" used to confuse users and trick them into running payloads.

(e) Target selection consistent with Iranian state strategic interests: primary targets included business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and government agencies communicating in the Middle East. The Iranian-targeting component (387 victims in Iran per Seculert sinkhole analysis) complicates straightforward Iranian state-aligned attribution, but multiple analysts assess that Iran-aligned operations historically include domestic surveillance of Iranian critical infrastructure workers operating in proximity to dissident or foreign-influenced activities. However, at the time of canonical disclosure, neither Seculert nor Kaspersky GReAT formally attributed the cluster to a specific state actor.

Per Seculert: "It is still unclear whether this is a state-sponsored attack or not." The attribution-confidence assessment has remained consistent through 2026; Iran-aligned is the dominant analyst hypothesis, but formal attribution has never been issued by major cybersecurity industry analysts. Operational significance: Madi / Mahdi is one of the earliest publicly-tracked Iran-aligned clusters, pre-dating the modern Iran-aligned cluster naming era (APT33 / APT34 / APT35 / APT39 emerged 2014-2017 in industry tracking). The cluster serves as a historical precursor to the modern Iranian state-aligned cyber operations ecosystem, and demonstrates that Iran-aligned operations were active at a modest sophistication tier from at least late 2011.

Motivations
iran_aligned_intelligence_collection, iranian_critical_infrastructure_worker_surveillance, israeli_critical_infrastructure_intelligence_collection, israeli_financial_institution_intelligence_collection, middle_east_engineering_student_targeting, middle_east_government_communications_intelligence, iran_israel_conflict_intelligence_collection

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 59/60 · 98%
  • Analytics (MITRE CAR): 23/60 · 38%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 16/60 · 26%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MADI AUDIO RECORDER MODULE
  • MADI EMAIL MONITOR MODULE
  • MADI FILE STEALER MODULE
  • MADI INSTANT MESSAGE MONITOR MODULE
  • MADI KEYLOGGER MODULE
  • MADI SCREENSHOTTER MODULE
  • MAHDI MALWARE DROPPER
  • MAHDI.TXT
  • MAHDI.TXT RELIGIOUS LURE DOCUMENT
  • MAHDI SPYWARE TROJAN
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin