This <http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/> explains the Israel anomaly, I think.
> The Mysterious Mevade Malware > Published on September 5th, 2013 > Written by: Feike Hacquebord (Senior Threat Researcher) > > ... > > Yesterday, Fox-IT published evidence for this plausible explanation. > The Mevade malware family downloaded a Tor component, possibly as a > backup mechanism for its C&C communications. (We will release a > second blog post describing in more detail the behavior of the > Mevade variants we have encountered.) > > Feedback provided by the Smart Protection Network shows that the > Mevade malware was, indeed, downloading a Tor module in the last > weeks of August and early September. Tor can be used by bad actors > to hide their C&C servers, and taking down a Tor hidden service is > virtually impossible. > > The actors themselves, however, have been a bit less careful about > hiding their identities. They operate from Kharkov, Ukraine and > Israel and have been active since at least 2010. One of the main > actors is known as “Scorpion”. Another actor uses the nickname > “Dekadent”. Together, they are part of a well organized and > probably well financed cybercrime gang. > > ... -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
