Mounting evidence suggests that the Mahdi malware was built by Iranians, for the primary purpose of spying on people inside Iran.
Notably, while the four command-and-control (C&C) servers controlling Mahdi-infected PCs are based in Canada, the oldest sample of the Mahdi malware discovered thus far--dating from December 2011--interfaced with a C&C server located in Tehran, Iran.
What accounts for the Iran-based C&C server? "I think it was a mistake," said Aviv Raff, CTO of Israel-based Seculert, in an interview at Black Hat 2012 in Las Vegas. That is, whoever developed Mahdi may have inadvertently released into the wild versions which still connected to a test server, rather than production servers that had been set up overseas and meant to disguise the malware's origins.
But the target of Mahdi could be changing. According to Kaspersky, whoever is behind the malware launched a new variant Wednesday, which appeared to have been compiled the same day. "Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong," said Nicolas Brulez, a security researcher at Kaspersky Lab, in a blog post. (Kaspersky refers to the malware as "Madi.")