Researchers have observed a malicious email targeting a government official at Jordan’s foreign ministry. Further, the attack seems to have originated from a prolific threat group believed to be from Iran.

What has happened?

Researchers from Malwarebytes spotted the suspicious email message containing a malicious Excel document. 
  • The email has been attributed to a threat group known as APT34, which experts believe is based in Iran. 
  • The group mainly targets governments and businesses in the telecommunications, energy, chemical, and financial sectors.
  • The malicious documents used in the attack resembled previous campaigns of APT34 identified last year by Check Point.  
  • Furthermore, the recent attack uses the same anti-sandboxing technique, along with shared indicators, which points to a strong connection to APT34 attacks.

Attack details

The malicious email was sent to the victim using a Microsoft Outlook account with the subject “Confirmation Receive Document” and an Excel file named “Confirmation Receive Document[.]xls”.
  • The sender pretended to be a person from the government of Jordan, and the victims were fooled into enabling a macro while malicious code ran silently.
  • Further, the Excel document shows a decoy sheet displaying the Government of Jordan's coat of arms.
  • The doc delivered a new hacking tool—Saitama—used to create backdoor access to the infected machines.

Saitama backdoor

The Saitama backdoor abuses the DNS protocol for its C2 communications, which makes it stealthier than other backdoors.
The malware author appears to have some previous knowledge about the internal infrastructure of a victim, as some of the commands included internal IPs and domain names.
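
One way a defender might hunt for DNS-based C2 of the kind described above, as an added example that is not from the original article or from the researchers it cites: it flags client/domain pairs that query many unique, high-entropy subdomains. The log records, domain names, and thresholds are constructed assumptions, and the heuristic is generic DNS-tunnelling detection, not Saitama's actual encoding.

```python
import math
from collections import defaultdict

# Constructed labels standing in for encoded C2 data (16 distinct chars each).
ENCODED = ["a1b2c3d4e5f6g7h8", "q9w8e7r6t5y4u3i2", "z0x1c2v3b4n5m6k7",
           "p3o4i5u6y7t8r9e0", "l2k3j4h5g6f7d8s9", "m1n2b3v4c5x6z7a8"]

# Constructed DNS query log as (client_ip, queried_name); not real traffic.
SAMPLE_LOG = (
    [("10.0.0.5", "www.corp.example"), ("10.0.0.5", "mail.corp.example")]
    # Many unique but low-entropy names: ordinary internal hosts.
    + [("10.0.0.7", f"host{i}.corp.example") for i in range(1, 7)]
    # Many unique, high-entropy names under one domain: tunnelling pattern.
    + [("10.0.0.9", f"{label}.updates.example") for label in ENCODED]
)

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def split_name(qname, base_labels=2):
    """Split into (subdomain, base domain). Assumes the registered domain is
    the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def suspicious_pairs(log, min_unique=5, min_entropy=3.0):
    """Return (client, domain, unique_subdomains, avg_entropy) for pairs that
    exceed both thresholds (threshold values are illustrative assumptions)."""
    seen = defaultdict(set)
    for client, qname in log:
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    flagged = []
    for (client, base), subs in seen.items():
        avg = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg >= min_entropy:
            flagged.append((client, base, len(subs), round(avg, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in suspicious_pairs(SAMPLE_LOG):
        print(hit)
```

Requiring both conditions keeps hosts that simply resolve many ordinary internal names out of the results; thresholds need tuning against a baseline of the environment's own resolver logs.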

Conclusion

APT34 seems to be active at present and targets the Middle East with offensive cyber operations. Further, the group creates new and updated tools for evading detection by security vendors. Thus, organizations are advised to install reliable and up-to-date anti-malware software.
Cyware Publisher
