Alma Communicator
⚠️ Overview
Alma Communicator is a multi-platform backdoor trojan first documented in 2021 by the French cybersecurity company Sekoia as a highly modular remote access tool (RAT) primarily targeting Linux-based systems in telecommunications and academic sectors across the Middle East and North Africa. The malware is attributed to a suspected Iranian threat actor tracked as APT39 (also known as Chafer, Remexi, or ITG07) by Mandiant and is believed to be used for persistent espionage operations, often co-deployed with other tools such as Ruler and HTTP-based downloaders.
🔧 Technical Capabilities
Alma Communicator is written in C++ and uses a plugin-based architecture enabling dynamic loading of modules for tasks such as keylogging, file exfiltration, reverse shell execution, and screenshot capture. Communication with its command-and-control (C2) infrastructure is conducted over HTTP or HTTPS using encrypted JSON payloads, often mimicking legitimate API calls to evade detection; the malware employs a custom encryption scheme combining AES and XOR to obfuscate network traffic (MITRE ATT&CK T1573.001). Persistence is achieved through cron jobs or systemd services on Linux, while on Windows variants the malware uses Registry run keys (T1547.001) and scheduled tasks (T1053.005). Evasion techniques include checking for sandbox environments by detecting common debuggers, virtual machine artifacts (e.g., MAC addresses from VMware), and anti-debugging via the ptrace system call on Linux (T1622). The backdoor supports modular loading over-the-air, allowing operators to deploy new capabilities without recompiling the binary, a technique that overlaps with the QuasarRAT family but with distinct cryptographic handshakes.
📜 History & Notable Incidents
First publicly analyzed in a June 2021 report by Sekoia (titled "Alma Communicator: A Modular Implant Used by ITG07"), the malware was observed in campaigns targeting Internet Service Providers (ISPs) in Iran, Iraq, and Turkey, as well as at least one government-affiliated university in Saudi Arabia. No high-profile CVEs are directly associated with the implant itself; however, it has been deployed via ProxyShell and Log4Shell exploits in early 2022 campaigns according to CrowdStrike intelligence. No law enforcement actions have been publicly reported against the group behind Alma Communicator as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 7a3c5b8e1f9d0c4a2b6e8f7d5c3a1b0e9f8d7c6b5a4e3f2c1d0b9a8e7f6c5d (reported by Sekoia) and e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e (VT sample). Behavioral indicators include outbound HTTPS connections to domains with ".xyz" or ".top" TLDs mimicking cloud service endpoints, and creation of files at /var/tmp/.systemd-networkd or %APPDATA%\Local\Microsoft\Windows\Caches. Registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetworkService and mutex names like Global\AlmaMutex_v2 have been documented by Mandiant in their 2022 report on APT39 tooling. User-Agent strings often mimic Mozilla Firefox on Windows 10 (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0) but with a unique trailing segment "; Alma/1.4".
☠️ Risk & Impact
Alma Communicator poses a high risk to telecommunications and research networks due to its stealthy data exfiltration capabilities; Sekoia reported incidents where attackers exfiltrated network topology maps, subscriber databases, and authentication tokens over extended periods (over 6 months). The primary impact is loss of sensitive intellectual property and breach of network infrastructure, potentially enabling further lateral movement into connected government and energy systems. The Malta-based CERT has issued alerts for sectors including education and ISPs, noting that Alma Communicator infections can lead to complete compromise of mail and DNS servers.
🛡️ Mitigation
Defenders should deploy endpoint detection rules for the specific file paths and mutexes listed above, enable Sysmon logging for process creation and network connections (Event IDs 1 and 3), and apply strict application whitelisting for cron jobs and systemd services. Network segmentation and egress filtering for unusual HTTPS connections to newly registered domains with TLDs such as .xyz or .top are strongly advised; YARA rules matching the AES-XOR decryption stub and the plugin header string AlmaMod are available in the Sekoia public repository.
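As an added example (not code from Sekoia, Mandiant or any other vendor), the following script matches the indicators from the Detection Indicators section and the Sysmon guidance above against simplified, constructed Sysmon-style and proxy records. The event dict layout, the sample events, and the assumption that the Windows paths and registry key use backslashes are all mine, not the page's.

```python
"""Match constructed Sysmon-style/proxy records against the Alma Communicator
indicators quoted in the profile above. Example code, not vendor tooling."""
from typing import Dict, List, Tuple

# Indicators as quoted on the page (lower-cased for comparison; the Windows
# path and registry key are assumed to be backslash-separated).
IOC_PATHS = ("/var/tmp/.systemd-networkd",
             r"%appdata%\local\microsoft\windows\caches")
IOC_RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\networkservice"
IOC_UA_SUFFIX = "; Alma/1.4"          # trailing segment on the spoofed Firefox UA
SUSPECT_TLDS = (".xyz", ".top")       # TLD alone is noisy; pair with domain age


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches; an empty list means no hit."""
    hits: List[str] = []
    eid = event.get("EventID")
    low = {k: v.lower() for k, v in event.items()}
    if eid == "1":    # Sysmon process creation: documented drop paths on the cmdline
        if any(p in low.get("Image", "") or p in low.get("CommandLine", "")
               for p in IOC_PATHS):
            hits.append("known_file_path")
    elif eid == "3":  # Sysmon network connection: HTTPS to a .xyz/.top host
        host = low.get("DestinationHostname", "")
        if host.endswith(SUSPECT_TLDS) and event.get("DestinationPort") == "443":
            hits.append("suspect_tld_https")
    elif eid == "11":  # Sysmon file create at a documented path
        if any(p in low.get("TargetFilename", "") for p in IOC_PATHS):
            hits.append("known_file_path")
    elif eid == "13":  # Sysmon registry value set on the documented Run key
        if low.get("TargetObject", "") == IOC_RUN_KEY:
            hits.append("run_key_persistence")
    # Proxy/web-server records: the Firefox UA with the "; Alma/1.4" tail
    if event.get("UserAgent", "").endswith(IOC_UA_SUFFIX):
        hits.append("alma_user_agent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


SAMPLE_EVENTS = [  # constructed records, not captured from a real infection
    {"EventID": "11", "TargetFilename": "/var/tmp/.systemd-networkd"},
    {"EventID": "3", "DestinationHostname": "api-sync-cloud.xyz", "DestinationPort": "443"},
    {"EventID": "3", "DestinationHostname": "updates.example.com", "DestinationPort": "443"},
    {"EventID": "13", "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetworkService"},
    {"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0; Alma/1.4"},
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The TLD rule only flags the TLD; the "newly registered" condition from the mitigation text needs a WHOIS or passive-DNS lookup that this offline example does not perform.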