by itin 2229 days ago
The cultural significance of the name is pretty ironic: https://en.wikipedia.org/wiki/Nazar_(amulet)

Researchers usually pick a name when they have started looking at a collection of samples, and don't really have knowledge of what is going on or who the threat actor is yet.

The authors call it خضر, a guardian angel type from the Quran that shares secret knowledge.

It is also the Arabic for the adjective green (plural), and the name comes from Arabic as well, and a prophet I even heard some suggest is Buddha, in addition to other more obvious Wikipedia suggestions.

That aside, this is what drives me nuts about threat intel: we use enough googlable Persian words and give enough hints we know Persian in our code and opsec, and people have a full dossier that confirms we're Iranians? I assume there is more depth to their claims, but you have to work for the reporting company to know it, which makes the whole subset of the industry dubious if you ask me (but we know no one is, lol).

Did you forget the whole "there was some Russian in the metadata so it must have come from Russia" conclusion of CrowdStrike?
I think you're thinking of khidr(?)
You forgot the most common meaning: vegetables :) You know hackers can be silly sometimes.
That explains why it's being used for the root directory.