Mahdi Malware Finds 150 New Targets Including U.S. and Germany, Gets More Evasive

Mahdi Malware

In mid July, Seculert discovered a new cyber-espionage weapon that was targeting organizations in the Middle East. 

Known as ‘Mahdi’ or ‘Madi’, the malware is capable of stealing data from infected Windows computers, and is also capable of monitoring email and instant messages, recording audio, capturing keystrokes and taking screenshots of victims’ computers.

Overall, Mahdi is a complex cyber-espionage weapon that, unlike Flame, Stuxnet and Gauss, is still alive and well, and continues to be updated and to find new targets.

According to new research from Seculert, the group behind Mahdi continues to test and improve new versions of the malware in order to find ways to evade security measures.

Israel-based Seculert says that in the past few weeks it has monitored dozens of new variants of Mahdi, many of which are not currently detected by most AV vendors.

Additionally, Seculert says that since the initial discovery of the malware back in July, 150 new Mahdi victims have been identified, with the total number of infections identified approaching 1,000 globally.

Some of these targets appear to be located in the United States and in Germany, Seculert said, though most targets still appear to be from Iran.

“This correlates back to the fact that the latest version of Mahdi added new triggers to the malware – ‘USA’ and ‘GOV’,” the company explained in a blog post.

For those organizations being targeted in the US, the victims have connections to Middle Eastern companies, either working at such companies or visiting them frequently, a Seculert spokesperson told SecurityWeek.

Seculert also explained that after investigating a fifth command and control (C&C) server since the initial discovery of Mahdi, it was able to identify different malware variants communicating with it dating back to June 2012. That fifth server, located in Canada, seems to have replaced the original server that was identified back in February.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
