Mahdi Malware: Another Middle East Cyber-Weapon Threat?

Jul 23, 2012

Another piece of Trojan malware has infected computers across the Middle East, especially in Iran and Israel. Called Mahdi, it is replete with Islamic theological references along with uses of the Farsi language, which is spoken in Iran. More substantively, the Mahdi malware also records keystrokes and steals files and images.

So far, Mahdi has only infected some 800 computers, most of them in the Middle East. But for IT managers and the IT community at midsize firms, it is another reminder that Middle East conflicts are now being fought on the Internet, which means an ongoing risk even for firms that have no apparent connection to the Middle East. And the risk is likely to grow.

Mahdi is an Islamic theological term for the Messiah. And as Elinor Mills reports at CNET, the malware code includes other Islamic references. It also has terms in Farsi ("Persian"), and dates in the Persian calendar format.

All of this does not necessarily mean that the malware originated in Iran. Other countries in and beyond the Middle East, including Israel, might well have used Iran-related expressions in order to obscure the actual origin of the malware.

Security researchers at Symantec report that the Mahdi malware has infected computers in Iran, Israel, and other Middle Eastern countries, and also in the US and New Zealand. While the number of computers infected is modest, they include machines at embassies, "critical infrastructure" firms, and financial firms.

The researchers note that in spite of the targets, it is still unclear whether Mahdi is a state-sponsored cyberweapon or was created by some private group.

A Battlefield Without Borders

A stark fact of the contemporary world is that conflicts originating in the Middle East do not stay confined to the Middle East. The 9/11 attack was only the most dramatic example of that fact. Which is why malware such as Mahdi is not only of general interest to the IT community, but also a matter of practical concern for IT managers at midsize firms.

Notably, the Mahdi attacks seem to have begun with "social engineering" in the form of email attachments. One such attachment was a Word document of a news item entitled "Israel's Secret Iran Attack Plan: Electronic Warfare."

It only takes one employee with an interest in Middle East issues to click on such an infected email and expose a midsize firm's IT network to this or a similar malware threat. And, of course, attackers could use an email on any topic - perhaps having nothing to do with the Middle East - as a delivery vehicle for malware.

Training, awareness, and policy are IT's primary defenses against social-engineering attacks. In a world where conflicts can readily spread into cyberspace, IT managers need to ensure that these defenses are in good working order.
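Training and policy stop the click; an automated attachment policy at the mail gateway catches the cases where training fails. The following is an added example (not code from the original post or from IBM): a small screening function that parses an inbound message, inspects each attachment, and routes document and executable types from external senders to quarantine rather than the inbox, with internal senders getting a lighter "review" action. The sample message is constructed for the demonstration, and the extension list, the `example.com` internal domain and the `.invalid` sender domain are assumptions, not values from the post.

```python
"""Inbound attachment screening, the automated complement to user training.

Added example, not from the original post. Domain names, the risky-extension
list and the sample message below are assumptions constructed for this demo.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types routed away from the inbox for sandbox detonation or
# analyst review. Chosen for this example; not a recommendation from the post.
RISKY_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsm", ".ppt",
                    ".exe", ".scr", ".js", ".vbs", ".hta", ".zip"}
INTERNAL_DOMAINS = {"example.com"}  # assumed internal domain


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_attachments(raw_message):
    """Return one finding per attachment: filename, declared type, reasons, action.

    action is 'quarantine' for a flagged attachment from an external sender,
    'review' for a flagged attachment from an internal sender, else 'deliver'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        reasons = []
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            reasons.append("risky type " + suffixes[-1])
        if len(suffixes) > 1:
            reasons.append("double extension")  # e.g. invoice.pdf.exe
        if not reasons:
            action = "deliver"
        elif external:
            action = "quarantine"
        else:
            action = "review"
        findings.append({"filename": name,
                         "content_type": part.get_content_type(),
                         "reasons": reasons,
                         "action": action})
    return findings


def build_sample_message(sender="news@external.invalid"):
    """Constructed sample (not a real capture): a sender mailing the news-item
    lure named in the post, a harmless text file, and a double-extension file."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "analyst@example.com"
    m["Subject"] = "Israel's Secret Iran Attack Plan: Electronic Warfare"
    m.set_content("Thought you'd find this article interesting.")
    m.add_attachment(b"\xd0\xcf\x11\xe0 placeholder doc bytes",
                     maintype="application", subtype="msword",
                     filename="Israels_Secret_Iran_Attack_Plan.doc")
    m.add_attachment("Plain meeting notes.", subtype="plain",
                     filename="notes.txt")
    m.add_attachment(b"MZ placeholder exe bytes",
                     maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for f in screen_attachments(build_sample_message()):
        print(f"{f['action']:10} {f['filename']:40} {f['content_type']:28} "
              f"{', '.join(f['reasons']) or '-'}")
```

The point of the internal/external split is that a policy-driven filter can be strict toward outside senders without blocking the documents colleagues legitimately exchange; in practice the quarantined items would be detonated in a sandbox or held for analyst review rather than silently dropped.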

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
