Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Espionage Campaign Targeting Israel Expands to Other Countries

The Xtreme RAT malware, which has been at the center of several reports of cyber attacks on Israel has expanded, researchers have discovered. This news follows a recent report from Norman ASA, who reported that the attack campaign has been going on now for more than a year.

The Xtreme RAT malware, which has been at the center of several reports of cyber attacks on Israel has expanded, researchers have discovered. This news follows a recent report from Norman ASA, who reported that the attack campaign has been going on now for more than a year.

In October, Trend Micro reported on collected samples of malware linked to several system infections on computers used by the Israeli police. The malware was determined to include a backdoor using the Xtreme Remote Access Trojan (RAT) or Xtreme RAT. Roni Bachar, from Israeli security firm Avnet, told the Times of Israel the pattern of the attack and the type of virus used were very similar to other cases of attacks, which were found to have been sponsored by governments.

“At this point, I think we can be fairly certain that it was sponsored by a nation-state, most likely Iran,” he added. In Addition, security firm F-Secure reported around the same time that the same malware was being used to target Syrian protesters.

Earlier this week, Norman ASA explained that the older files uncovered by the company used bait documents and videos written in Arabic that were aimed primarily at a Palestinian audience, while the newer files were targeted more towards Israelis. The older files date back to October 2011, offering a solid link to recent events and demonstrating that the attackers have tossed a wide, yet demographically focused net, when it comes to their victims.

“The bait files seem to focus on a number of areas (military, political and religious) which hints at a broad targeting, not only a specific sector,” Snorre Fagerland, principal security researcher at Norman told SecurityWeek.

“The malware is off-the-shelf, cheap stuff. No zero-days were seen, though there are a few tricks used; such as using special Unicode characters to reverse text direction, and thus hide the executable file extension,” he said.

On Thursday, Trend Micro reported that they’ve discovered additional targets, and that not only has the attack lasted for more than a year – the potential victim list is much larger than previously thought.

Advertisement. Scroll to continue reading.

“While the vast majority of the emails were sent to the Government of Israel…a significant amount were also sent to the U.S. Government,” wrote Nart Villeneuve, a Senior Threat Researcher at Trend.

Included in the U.S. target list were email accounts at “,” “,” and “,” and “”

The target list also included the governments of the UK, Turkey, Slovenia, Macedonia, New Zealand, and Latvia. In addition, the BBC ( and the Office of the Quartet Representative ( were also targeted, he added.

“It is important to note that while we discovered that these targets were sent this email, we have no information about how many received or potentially opened the malicious attachment. Based on our investigation, the malware was signed with an invalid certificate. When executed, it opens a decoy document and installs Xtreme RAT on the targets’ systems,” Villeneuve wrote.

“This campaign it seems is far from over and whatever specific motivations the attackers may have, considering the various targets seen scattered in various states, is still a mystery.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...