Shamoon Malware Explained | What was Shamoon Attack?

You are currently viewing Shamoon Malware Explained | What was Shamoon Attack?

Welcome to Episode 4 of Terminal Stack’s series, 5 Biggest Hacks Ever! In this post of Terminal Stack, we will talk about the Shamoon Virus attack, which was undoubtedly one of the biggest cyberattacks ever! So without further ado, let’s jump into it.


Shamoon, also called W32.Distrack, was a very brutal and dangerous computer virus that was discovered in the year of 2012. These viruses were allegedly created by a hacker group known as “Cutting Sword of Justice”, they targeted the oil and gas companies of middle-eastern countries like Saudi Arabia and Qatar. Kaspersky Lab, Symantec and Seculert announced discovery of this virus in August 2012.

Shamoon Malware affects 32-bit versions of Windows computers, once it has infected a computer, it deletes the files of that device and overwrites the master boot record which makes the system unusable.

Also Read: Story Of Melissa Virus – First Virus To Spread Through Emails


Shamoon Virus consists of three major parts.

  1. The Dropper

This component of the virus is tasked to infect the device. It creates a service called NtsSrv. It has two variants of 32-bit and 64-bit, it drops the payload depending on the device it has to infect. Once the computer is affected, it will spread to all the computers that share the same network.

  1. The Wiper:

This component is concerned with causing the damage to the victim device, this component is the main payload that erases the data and overwrites the hard disk’s master boot record, thus making the computer unusable. In the year 2012, it used an image of burning US flag which used to get displayed on affected computers. In 2017, they used the image of Alan Kurdi, a 3-years old boy who was a Syrian refugee and drowned in the Mediterranean sea with his family.

  1. The Reporter:

This was the final component that established the connection between the hacker and victim’s computer. It sent the verification to the attacker notifying that that attack was a success. Attacker also has some control over the affected computers.

The Attack:

The hacking group Cutting Sword of Justice announced it’s attack by posting a message on with an anonymous account. In this message, they tried to justify their attacks by pointing out how the oil and gas companies of Saudi Arabia and Qatar are financing the terror groups and voilences in neighboring countries like Syria, Iraq, etc.

Below is an email of that post on pastebin: 

The attack began when an employee of Saudi Aramco opened a phishing email on a local computer. On the day of 15th August 2012, more than 30 thousand computers of Aramco were affected, they had burning US flags displayed on their screens and their data was being continuously wiped out in the background. Saudi Aramco claimed that their services were unhampered as the valuable datas were stored in isolated computers that were not breached, but images surfaced on the internet that showed long lines of petrol trucks waiting in line as the local systems were inoperable.

Few days after this attack, the hacker group released another post in which they proved that they still had access to the company’s computers and also posted the password of CEO Khalid Al-Falih.


Shamoon Virus keeps frequently resurfacing from 2016 to 2018, each time their targets are oil and gas companies of middle-eastern countries that they consider responsible for violence in the countries like Syria, Iraq and Lebanon. 

Shamoon has evolved over years and each time it comes out with a deadlier variant. The newer variants are designed to completely destroy the files before overwriting master boot records. This makes it almost impossible to recover the files back from affected computers.


Arpit Pandey

Hey there! I am Arpit Pandey, a full stack web developer, SEO specialist, C++ programmer and Co-Founder of this blog. I love to code and write articles!

Leave a Reply