A week after command and control servers were shut down, a new version of the Madi malware has returned with improved features which let it monitor even more of your digital life.

Madi Mahdi Malware Returns

Madi, the cyber espionage campaign targeting specific victims in the Middle East, has reappeared - a week after the shutdown of the Madi command and control domains.

"Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong," Nicolas Brulez, from Kaspersky Lab said in a blog post on the discovery.

The Madi malware, targets very specific victims including employees of critical infrastructure companies, financial services and government embassies, which are mainly located in Middle Eastern countries - mainly Iran, Israel and Afghanistan.

The malware is known as Madi or Mahdi, as the creators used the latter term in the code. Mahdi. In Islam, the Mahdi is approximately the Messiah, depending on which branch of Sunni or Shia you're talking to.

The updated version of the malware which was received by Kaspersky Labs was comiled on 25 July and according to Brulez, contains many "interesting and new features." Among the new features is the ability to monitor social networks such as Jabber and Russian-based VKontakte.

The new version of Madi is also looking for people who visit webpages containing "USA" and "gov" in their titles. In such cases, the malware makes screenshots and uploads them to the remote servers. "The additional checks for "USA" and "gov" might indicate a shift of focus from targets in Israel to the USA," Brulez surmises.


It is still unclear whether or not this is a state-sponsored campaign like Stuxnet and Flame but the security company which first identified it, Seculert, has said the operation could require "a large investment and financial backing." However the Madi info-stealing malware is also technically rudimentary in comparison to Stuxnet and Flame.

One of the main changes in the new version of Madi, is that the infostealer module of the code no longer waits for a remote command, simply uploading all stolen data to the server right away.

The server in contorl of this version of Madi, identified by Kaspersky, is located in Montreal, Canada, where previously-identified Madi servers were located, along with some in Tehran.

The malware is embedded within documents, many of which had a religious theme, such as text files and PowerPoint presentations, sent to specific victims.

The updated version of the malware has a longer kist of keywords which it monitors infected PCs for, including: gmail, hotmail, google+, facebook, talk, outlook, contact, chat, gov, blogger, messenger and profile.