threatintel
actor tracker
IOC pivot
ioc · sha-256

68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7

'Meteor' wiper sample documented in Check Point Research's August 2021 analysis of the 9-10 July 2021 cyberattack on Iranian Railways and the Ministry of Roads and Urban Development. The payload 'msapp.exe' writes 'Meteor has started.' to its encrypted log file, locks the host and wipes contents. Check Point ties the campaign to a self-identified 'Indra' persona that the wider community tracks as Predatory Sparrow / Gonjeshke Darande.

family
Meteor
first seen
Jul 8, 2021
publisher
Check Point Research
source citation