Shamoon
Shamoon is a destructive, disk-wiping malware family. In the reporting tracked here it appears in two contexts. First, Securelist lists it, alongside Microcin, NetTraveler, Zberp, KinS, ZeusVM, and Triton, as a malware family observed using steganography to hide communications or payloads inside image files; that source gives no further Shamoon TTPs beyond the steganography association. Second, Symantec's reporting on the December 2018 wave of Shamoon attacks in Saudi Arabia notes that the Iran-aligned espionage group Elfin (APT33) came under scrutiny after being linked to that wave, but Symantec stated it found no further evidence that Elfin was responsible. The overlap is a single organization: one Saudi victim of the Shamoon activity had also recently been attacked by Elfin and infected with Stonedrill. The high-confidence description on this page is therefore limited to those two points: the steganography association and the appearance in reporting on the December 2018 attacks in Saudi Arabia.
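The steganography association above is the one technique-level detail the sources give, and the practical question for a defender is how to triage image files that may be carrying something extra. The check below is an added example, not code from Securelist, Symantec, or any Shamoon sample, and it does not claim to match how Shamoon or any of the other listed families embed data. It targets one common, cheap hiding method: appending a payload after the container's end-of-image marker (PNG IEND, JPEG EOI), which renders normally because decoders stop at the marker. Both parsers walk the container structure rather than searching for the marker bytes, so a marker that happens to occur inside the appended payload does not fool them. The sample images are constructed inline; the JPEG is a structurally valid skeleton, not a decodable picture.

```python
"""Trailing-payload triage for PNG and JPEG containers (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_image_end(data: bytes) -> int:
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 8 + length + 4          # length + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return end
        off = end
    raise ValueError("no IEND chunk")


def jpeg_image_end(data: bytes) -> int:
    """Walk JPEG segments (including entropy-coded scans) and return the
    offset just past the EOI marker (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    off = 2
    while off + 2 <= len(data):
        # Skip optional 0xFF fill bytes that may precede a marker.
        while data[off] == 0xFF and off + 1 < len(data) and data[off + 1] == 0xFF:
            off += 1
        if data[off] != 0xFF:
            raise ValueError("expected marker at offset %d" % off)
        marker = data[off + 1]
        if marker == 0xD9:                   # EOI
            return off + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            off += 2                         # standalone markers carry no length
            continue
        if off + 4 > len(data):
            raise ValueError("truncated segment")
        seglen = struct.unpack(">H", data[off + 2:off + 4])[0]
        off += 2 + seglen
        if marker == 0xDA:                   # SOS: skip entropy-coded data
            # Inside scan data, 0xFF is always followed by 0x00 (stuffing)
            # or an RSTn marker; anything else is a real marker.
            while off + 1 < len(data):
                nxt = data[off + 1]
                if data[off] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                off += 1
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (empty if nothing)."""
    if data.startswith(PNG_SIG):
        end = png_image_end(data)
    elif data[:2] == b"\xff\xd8":
        end = jpeg_image_end(data)
    else:
        raise ValueError("unsupported container")
    return data[end:]


# --- constructed sample inputs (not real malware artifacts) -------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A minimal, valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\x00\x00\x00"          # filter byte + one black pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_jpeg_skeleton() -> bytes:
    """A structurally valid JPEG skeleton (SOI, APP0, SOS, scan data with a
    stuffed FF00 and an RST0 marker, EOI). Not a decodable image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    seg_app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    seg_sos = b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + seg_app0 + seg_sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    for name, img in (("png", make_png_1x1()), ("jpeg", make_jpeg_skeleton())):
        clean = trailing_payload(img)
        stuffed = trailing_payload(img + b"\xff\xd9SECRET-PAYLOAD")
        print(name, "clean:", len(clean), "bytes trailing; stuffed:", stuffed)
```

Treat a non-empty result as a triage signal, not a verdict: some legitimate tools leave junk after IEND or EOI, and this check says nothing about LSB embedding, data hidden in EXIF/APPn segments or PNG ancillary chunks, or payloads encrypted before appending. The point of walking the structure is visible in the stuffed case, where the payload itself starts with a fake FF D9 and a naive "search for the last marker" approach would misreport the boundary.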
Tradecraft
5 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Securelist: named as a malware family explicitly listed as using steganography in attacks.
Symantec: referenced as a distinct activity cluster behind a wave of attacks in Saudi Arabia; the report notes speculation about links to Elfin but says no further evidence supports Elfin being responsible.