CadelSpy (Malware Family)

CadelSpy

aka: Cadelle

VTCollection

CadelSpy is a spyware supposedly used by Iranian threat actors. It has several functions such as logging keystrokes, record audio, capture screenshots and webcam photos, and steal any documents that are sent to a printer.

References

2015-12-07 ⋅ Symantec ⋅ Symantec
Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi

2015-12-07 ⋅ Symantec ⋅ Security Response
Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle

Yara Rules

[TLP:WHITE] win_cadelspy_auto (20260504 \| Detects win.cadelspy.) rule win_cadelspy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.cadelspy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 03c7 66890c43 47 eb08 85ff 7e02 } // n = 6, score = 100 // 03c7 \| add eax, edi // 66890c43 \| mov word ptr [ebx + eax2], cx // 47 \| inc edi // eb08 \| jmp 0xa // 85ff \| test edi, edi // 7e02 \| jle 4 $sequence_1 = { ff750c be04010000 8bce e8???????? 8b550c 59 } // n = 6, score = 100 // ff750c \| push dword ptr [ebp + 0xc] // be04010000 \| mov esi, 0x104 // 8bce \| mov ecx, esi // e8???????? \| // 8b550c \| mov edx, dword ptr [ebp + 0xc] // 59 \| pop ecx $sequence_2 = { 2b34bd004c0110 c1fe06 8bc7 c1e005 03f0 8975e4 837de4ff } // n = 7, score = 100 // 2b34bd004c0110 \| sub esi, dword ptr [edi*4 + 0x10014c00] // c1fe06 \| sar esi, 6 // 8bc7 \| mov eax, edi // c1e005 \| shl eax, 5 // 03f0 \| add esi, eax // 8975e4 \| mov dword ptr [ebp - 0x1c], esi // 837de4ff \| cmp dword ptr [ebp - 0x1c], -1 $sequence_3 = { 8d9c2464020000 e8???????? 68???????? 8d9c2464020000 e8???????? } // n = 5, score = 100 // 8d9c2464020000 \| lea ebx, [esp + 0x264] // e8???????? \| // 68???????? \| // 8d9c2464020000 \| lea ebx, [esp + 0x264] // e8???????? \| $sequence_4 = { ff15???????? 50 ff15???????? c9 c3 a1???????? } // n = 6, score = 100 // ff15???????? \| // 50 \| push eax // ff15???????? \| // c9 \| leave // c3 \| ret // a1???????? \| $sequence_5 = { 83658000 8d4584 53 50 e8???????? 0fbe4584 } // n = 6, score = 100 // 83658000 \| and dword ptr [ebp - 0x80], 0 // 8d4584 \| lea eax, [ebp - 0x7c] // 53 \| push ebx // 50 \| push eax // e8???????? \| // 0fbe4584 \| movsx eax, byte ptr [ebp - 0x7c] $sequence_6 = { 68???????? eb44 837d8c06 7543 68???????? eb37 8d856c030000 } // n = 7, score = 100 // 68???????? \| // eb44 \| jmp 0x46 // 837d8c06 \| cmp dword ptr [ebp - 0x74], 6 // 7543 \| jne 0x45 // 68???????? \| // eb37 \| jmp 0x39 // 8d856c030000 \| lea eax, [ebp + 0x36c] $sequence_7 = { 8bcf 8d950cf9ffff e8???????? 33c0 } // n = 4, score = 100 // 8bcf \| mov ecx, edi // 8d950cf9ffff \| lea edx, [ebp - 0x6f4] // e8???????? \| // 33c0 \| xor eax, eax $sequence_8 = { bf04010000 57 8d8504f7ffff 50 53 } // n = 5, score = 100 // bf04010000 \| mov edi, 0x104 // 57 \| push edi // 8d8504f7ffff \| lea eax, [ebp - 0x8fc] // 50 \| push eax // 53 \| push ebx $sequence_9 = { 8d7902 668b31 41 41 6685f6 } // n = 5, score = 100 // 8d7902 \| lea edi, [ecx + 2] // 668b31 \| mov si, word ptr [ecx] // 41 \| inc ecx // 41 \| inc ecx // 6685f6 \| test si, si condition: 7 of them and filesize < 204800 }
[TLP:WHITE] win_cadelspy_w0 (20170410 \| No description) rule win_cadelspy_w0 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = { 56 57 8B F8 8B F1 33 C0 3B F0 74 22 39 44 24 0C 74 18 0F B7 0F 66 3B C8 74 10 66 89 0A 42 42 47 47 4E FF 4C 24 0C 3B F0 75 E2 3B F0 75 07 4A 4A B8 7A 00 07 80 33 C9 5F 66 89 0A 5E C2 04 00 } $s2 = "ntsvc32" $s3 = "ntbind32" condition: $s1 and ($s2 or $s3) }
[TLP:WHITE] win_cadelspy_w1 (20170410 \| No description) rule win_cadelspy_w1 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "[EXECUTE]" wide ascii $s2 = "WebCamCapture" wide ascii $s3 = "</DAY>" wide ascii $s4 = "</DOCUMENT>" wide ascii $s5 = "<DOCUMENT>" wide ascii $s6 = "<DATETIME>" wide ascii $s7 = "Can't open file for reading :" wide ascii $s8 = "</DATETIME>" wide ascii $s9 = "</USERNAME>" wide ascii $s10 = "JpegFile :" wide ascii $s12 = "[SCROLL]" wide ascii $s13 = "<YEAR>" wide ascii $s14 = "CURRENT DATE" wide ascii $s15 = "</YEAR>" wide ascii $s16 = "</MONTH>" wide ascii $s17 = "<PRINTERNAME>" wide ascii $s18 = "</DRIVE>" wide ascii $s19 = "<DATATYPE>" wide ascii $s20 = "<MACADDRESS>" wide ascii $s21 = "FlashMemory" wide ascii condition: 12 of them }
[TLP:WHITE] win_cadelspy_w2 (20170410 \| No description) rule win_cadelspy_w2 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "SOFTWARE\\ntsvc32\\HDD" wide ascii $s2 = "SOFTWARE\\ntsvc32\\ROU" wide ascii $s3 = "SOFTWARE\\ntsvc32\\HST" wide ascii $s4 = "SOFTWARE\\ntsvc32\\FLS" wide ascii $s5 = "ntsvc32" wide ascii $s6 = ".Win$py." wide ascii $s7 = "C:\\users\\" wide ascii $s8 = "%system32%" wide ascii $s9 = "\\Local Settings\\Temp" wide ascii $s10 = "SVWATAUAVAW" wide ascii $s11 = "\\AppData\\Local" wide ascii $s12 = "\\AppData" wide ascii condition: 6 of them }
[TLP:WHITE] win_cadelspy_w3 (20170410 \| No description) rule win_cadelspy_w3 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "AppInit_DLLs" wide ascii $s2 = { 5C 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 } $s3 = { 5C 00 75 00 70 00 64 00 61 00 74 00 65 00 00 } $s4 = "\\cmd.exe" wide ascii condition: all of them }

Download all Yara Rules

[TLP:WHITE] win_cadelspy_auto (20260504 \| Detects win.cadelspy.) rule win_cadelspy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.cadelspy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 03c7 66890c43 47 eb08 85ff 7e02 } // n = 6, score = 100 // 03c7 \| add eax, edi // 66890c43 \| mov word ptr [ebx + eax2], cx // 47 \| inc edi // eb08 \| jmp 0xa // 85ff \| test edi, edi // 7e02 \| jle 4 $sequence_1 = { ff750c be04010000 8bce e8???????? 8b550c 59 } // n = 6, score = 100 // ff750c \| push dword ptr [ebp + 0xc] // be04010000 \| mov esi, 0x104 // 8bce \| mov ecx, esi // e8???????? \| // 8b550c \| mov edx, dword ptr [ebp + 0xc] // 59 \| pop ecx $sequence_2 = { 2b34bd004c0110 c1fe06 8bc7 c1e005 03f0 8975e4 837de4ff } // n = 7, score = 100 // 2b34bd004c0110 \| sub esi, dword ptr [edi*4 + 0x10014c00] // c1fe06 \| sar esi, 6 // 8bc7 \| mov eax, edi // c1e005 \| shl eax, 5 // 03f0 \| add esi, eax // 8975e4 \| mov dword ptr [ebp - 0x1c], esi // 837de4ff \| cmp dword ptr [ebp - 0x1c], -1 $sequence_3 = { 8d9c2464020000 e8???????? 68???????? 8d9c2464020000 e8???????? } // n = 5, score = 100 // 8d9c2464020000 \| lea ebx, [esp + 0x264] // e8???????? \| // 68???????? \| // 8d9c2464020000 \| lea ebx, [esp + 0x264] // e8???????? \| $sequence_4 = { ff15???????? 50 ff15???????? c9 c3 a1???????? } // n = 6, score = 100 // ff15???????? \| // 50 \| push eax // ff15???????? \| // c9 \| leave // c3 \| ret // a1???????? \| $sequence_5 = { 83658000 8d4584 53 50 e8???????? 0fbe4584 } // n = 6, score = 100 // 83658000 \| and dword ptr [ebp - 0x80], 0 // 8d4584 \| lea eax, [ebp - 0x7c] // 53 \| push ebx // 50 \| push eax // e8???????? \| // 0fbe4584 \| movsx eax, byte ptr [ebp - 0x7c] $sequence_6 = { 68???????? eb44 837d8c06 7543 68???????? eb37 8d856c030000 } // n = 7, score = 100 // 68???????? \| // eb44 \| jmp 0x46 // 837d8c06 \| cmp dword ptr [ebp - 0x74], 6 // 7543 \| jne 0x45 // 68???????? \| // eb37 \| jmp 0x39 // 8d856c030000 \| lea eax, [ebp + 0x36c] $sequence_7 = { 8bcf 8d950cf9ffff e8???????? 33c0 } // n = 4, score = 100 // 8bcf \| mov ecx, edi // 8d950cf9ffff \| lea edx, [ebp - 0x6f4] // e8???????? \| // 33c0 \| xor eax, eax $sequence_8 = { bf04010000 57 8d8504f7ffff 50 53 } // n = 5, score = 100 // bf04010000 \| mov edi, 0x104 // 57 \| push edi // 8d8504f7ffff \| lea eax, [ebp - 0x8fc] // 50 \| push eax // 53 \| push ebx $sequence_9 = { 8d7902 668b31 41 41 6685f6 } // n = 5, score = 100 // 8d7902 \| lea edi, [ecx + 2] // 668b31 \| mov si, word ptr [ecx] // 41 \| inc ecx // 41 \| inc ecx // 6685f6 \| test si, si condition: 7 of them and filesize < 204800 }
[TLP:WHITE] win_cadelspy_w0 (20170410 \| No description) rule win_cadelspy_w0 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = { 56 57 8B F8 8B F1 33 C0 3B F0 74 22 39 44 24 0C 74 18 0F B7 0F 66 3B C8 74 10 66 89 0A 42 42 47 47 4E FF 4C 24 0C 3B F0 75 E2 3B F0 75 07 4A 4A B8 7A 00 07 80 33 C9 5F 66 89 0A 5E C2 04 00 } $s2 = "ntsvc32" $s3 = "ntbind32" condition: $s1 and ($s2 or $s3) }
[TLP:WHITE] win_cadelspy_w1 (20170410 \| No description) rule win_cadelspy_w1 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "[EXECUTE]" wide ascii $s2 = "WebCamCapture" wide ascii $s3 = "</DAY>" wide ascii $s4 = "</DOCUMENT>" wide ascii $s5 = "<DOCUMENT>" wide ascii $s6 = "<DATETIME>" wide ascii $s7 = "Can't open file for reading :" wide ascii $s8 = "</DATETIME>" wide ascii $s9 = "</USERNAME>" wide ascii $s10 = "JpegFile :" wide ascii $s12 = "[SCROLL]" wide ascii $s13 = "<YEAR>" wide ascii $s14 = "CURRENT DATE" wide ascii $s15 = "</YEAR>" wide ascii $s16 = "</MONTH>" wide ascii $s17 = "<PRINTERNAME>" wide ascii $s18 = "</DRIVE>" wide ascii $s19 = "<DATATYPE>" wide ascii $s20 = "<MACADDRESS>" wide ascii $s21 = "FlashMemory" wide ascii condition: 12 of them }
[TLP:WHITE] win_cadelspy_w2 (20170410 \| No description) rule win_cadelspy_w2 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "SOFTWARE\\ntsvc32\\HDD" wide ascii $s2 = "SOFTWARE\\ntsvc32\\ROU" wide ascii $s3 = "SOFTWARE\\ntsvc32\\HST" wide ascii $s4 = "SOFTWARE\\ntsvc32\\FLS" wide ascii $s5 = "ntsvc32" wide ascii $s6 = ".Win$py." wide ascii $s7 = "C:\\users\\" wide ascii $s8 = "%system32%" wide ascii $s9 = "\\Local Settings\\Temp" wide ascii $s10 = "SVWATAUAVAW" wide ascii $s11 = "\\AppData\\Local" wide ascii $s12 = "\\AppData" wide ascii condition: 6 of them }
[TLP:WHITE] win_cadelspy_w3 (20170410 \| No description) rule win_cadelspy_w3 { meta: author = "Symantec" source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" malpedia_version = "20170410" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "AppInit_DLLs" wide ascii $s2 = { 5C 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 } $s3 = { 5C 00 75 00 70 00 64 00 61 00 74 00 65 00 00 } $s4 = "\\cmd.exe" wide ascii condition: all of them }

CadelSpy Propose Change

References

Yara Rules

CadelSpy