Shamoon
Shamoon, also known as Disttrack, is a destructive Windows wiper malware family associated in reporting with Iran-linked activity and widely known for the 2012 Saudi Aramco incident. It targets organizations in the oil and energy sectors and has also been discussed in relation to attacks on RasGas. Reporting in the provided content states that Shamoon wiped data from about 30,000 Saudi Aramco computers in August 2012, replacing files with a burning American flag image, and that later variants displayed the message "From Iran with love – Shamoon" after overwriting the master boot record (MBR), preventing the operating system from loading.
The malware is described as a multi-component framework, including dropper, wiper, and reporter functionality. It copies an executable payload to the target system, schedules execution via an unnamed task, and creates Windows services for payload execution and persistence, including "ntssrv" and, in newer versions, "MaintenaceSrv" and "hdv_725x". Shamoon queries Registry keys to identify hard disk partitions to overwrite and can alter file modified timestamps to hinder forensic analysis.
Its core behavior is destructive: it overwrites files, recursively destroys file contents and metadata, and rewrites the MBR on connected drives to render systems unusable. Multiple sources in the content state that Shamoon uses self-propagation via shared network disks or network shares, allowing it to spread internally, including to systems not directly connected to the internet. Some reporting describes a two-stage attack in which Shamoon first scrapes or steals selected data from other systems and forwards it to another infected internal machine, then wipes the victim systems. The malware also reports infection or destruction status, including overwritten filenames, file-destruction counts, infected host IP address, and a random number, to another internal host; one analyzed case referenced local IP address 10.1.252.19.
The content states that Shamoon used the Eldos RawDisk driver to obtain direct userland access to the filesystem without relying on normal Windows APIs, and other reporting says it used a legitimately signed driver to gain low-level disk access. Development artifacts cited in the content include the path "C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb".
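Added detection example (not from the page, Mallory, or any vendor report): it checks constructed Windows telemetry for the host artifacts the page names, namely the "ntssrv", "MaintenaceSrv" and "hdv_725x" services, the dropped EldoS RawDisk driver path %System%\drivers\drdisk.sys, and the wiper.pdb development path. The JSON-lines record layout and all sample values are assumptions made for the example.

```python
import json

# Host artifacts named in the page text (service names, dropped driver, PDB path).
SHAMOON_SERVICES = {"ntssrv", "maintenacesrv", "hdv_725x"}
RAWDISK_DRIVER = r"\drivers\drdisk.sys"  # EldoS RawDisk driver dropped as drdisk.sys
WIPER_PDB = r"c:\shamoon\arabiangulf\wiper\release\wiper.pdb"

def check_record(rec):
    """Return a list of (rule, detail) hits for one parsed log record."""
    hits = []
    if rec.get("event") == "service_install":
        name = rec.get("service_name", "")
        if name.lower() in SHAMOON_SERVICES:
            hits.append(("shamoon_service_name", name))
    elif rec.get("event") == "driver_load":
        image = rec.get("image", "")
        if image.lower().endswith(RAWDISK_DRIVER):
            hits.append(("rawdisk_driver_load", image))
    # A PDB path string can surface from any event that carries file metadata.
    if rec.get("pdb", "").lower() == WIPER_PDB:
        hits.append(("wiper_pdb_string", rec["pdb"]))
    return hits

def scan(lines):
    """Scan JSON-lines records; return (host, rule, detail) triples in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        for rule, detail in check_record(rec):
            findings.append((rec.get("host"), rule, detail))
    return findings

# Constructed sample log (assumed simplified JSON-lines export, not real telemetry).
SAMPLE_LOG = [
    r'{"host":"ws01","event":"service_install","service_name":"ntssrv"}',
    r'{"host":"ws01","event":"service_install","service_name":"MaintenaceSrv"}',
    r'{"host":"ws02","event":"service_install","service_name":"Spooler","image":"C:\\Windows\\System32\\spoolsv.exe"}',
    r'{"host":"ws01","event":"driver_load","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","signer":"EldoS Corporation"}',
    r'{"host":"ws02","event":"driver_load","image":"C:\\Windows\\System32\\drivers\\ntfs.sys","signer":"Microsoft Windows"}',
    r'{"host":"ws03","event":"file_create","image":"C:\\Users\\Public\\wiper.exe","pdb":"C:\\Shamoon\\ArabianGulf\\wiper\\release\\wiper.pdb"}',
]

if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_LOG):
        print(f"{host}: {rule} -> {detail}")
```

Service names are matched case-insensitively because "MaintenaceSrv" is spelled that way (with the typo) in the reporting, and a per-host correlation of these hits is the natural next step.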
Threat actor associations in the provided material are not fully settled, but the malware is repeatedly described as Iran-linked. The content notes that U.S. intelligence concluded the Iranian government was behind the 2012 Saudi Aramco attack, and some observers have linked APT33/Elfin to Shamoon activity, although one cited report explicitly says it found no further evidence that Elfin was responsible for a later Shamoon wave. The content also notes that the hacktivist group Twelve deployed Shamoon-like wipers built from publicly available source code in 2024, spreading them through netlogon shares, PowerShell, Group Policy, and scheduled tasks.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
9 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The wiper rewrites the master boot record (MBR) on connected drives so when the victim next turns on the device, the “From Iran with love – Shamoon” message appears on the screen, and the operating system will not load.
Iranian attack groups mostly operate below the radar of major news coverage (with the exception of the Shamoon attacks).
The virus, named Shamoon after a word in its code, was designed to overwrite critical files with an image of a burning American flag.
"CHRYSENE developed from an espionage campaign that first gained attention after the destructive Shamoon cyberattack in 2012 that impacted Saudi Aramco."
The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
1 technique
Persistence
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
2 techniques
Stealth
7 techniques
It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive... The driver, according to Kaspersky, was digitally signed using the private cryptographic key belonging to a company called EldoS Corporation.
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.
Deletes an existing driver from the following location and overwrites it with another legitimate driver: %System%\drivers\drdisk.sys
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices... The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver... HermeticWiper uses a similar technique by abusing a different driver, empntdrv.sys.
Defense Impairment
1 technique
Discovery
5 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Once a system on a network is infected, the code scrapes data from other systems via network shares, including those not connected to the internet.
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Lateral Movement
4 techniques
Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.
Collection
1 technique
Command and Control
3 techniques
The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number.
Impact
4 techniques
Windows-based Saudi Aramco IT PCs (>35K) begin shutting down and being wiped • 15 August 2012
Unlike many other contemporary viruses, Shamoon/Disttrack does not attempt to steal data but instead tries to delete it irrecoverably.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
88 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A destructive wiper virus known for crippling Saudi Aramco in 2012, cited as evidence of Iran’s longstanding offensive cyber capability.
A malware family mentioned as using steganography to conceal data or communications.
Destructive wiper used after encryption to overwrite the MBR, corrupt files and metadata, rename and delete files, self-delete, and shut down the system. Another observed variant was identical to Shamoon except for renamed functions.
A data-wiping malware referenced as having locked 30,000 systems at Saudi Aramco in 2012.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.