Mahdi Malware Finds 150 New Targets Including U.S. and Germany, Gets More Evasive

Mahdi Malware

In mid-July, Seculert discovered a new cyber-espionage weapon that was targeting organizations in the Middle East.

Known as ‘Mahdi’ or ‘Madi’, the malware is capable of stealing data from infected Windows computers, and also capable of monitoring email and instant messages, recording audio, capturing keystrokes and taking screenshots of victims’ computers.

Overall, Mahdi is a complex cyber-espionage weapon that, unlike Flame, Stuxnet and Gauss, is still alive and well, and continues to be updated and to find new targets.

According to new research from Seculert, the group behind Mahdi continues to test and improve new versions of the malware in order to find ways to evade security measures.

Israel-based Seculert says that in the past few weeks, they have monitored dozens of new variants of Mahdi, many of which are not currently being detected by most AV vendors.

Additionally, Seculert says that since the initial discovery of the malware back in July, 150 new Mahdi victims have been identified, with the total number of infections identified approaching 1,000 globally.

Some of these targets appear to be located in the United States and in Germany, Seculert said, though most targets still appear to be from Iran.


“This correlates back to the fact that the latest version of Mahdi, added new triggers to the malware – ‘USA’ and ‘GOV’,” the company explained in a blog post.

For those organizations being targeted in the US, the victims have connections to Middle Eastern companies, either working at such companies or visiting them frequently, a Seculert spokesperson told SecurityWeek.

Seculert also explained that after investigating a fifth command and control (C&C) server since the initial discovery of Mahdi, they were able to identify different malware variants communicating with it dating back to June 2012. That fifth server, located in Canada, seems to have replaced the original server that was identified back in February.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
