Seculert found numerous clues suggesting that the malware had been built by Iranians. About half of the 800 known systems infected by Mahdi have been in Iran, while roughly 7% of infections were in Israel. One server is used mostly with Israeli targets, while the other three are for Iranian and Arab targets. All four C&C servers were also hosted by the same provider in Canada, although a whois lookup on the IP addresses claims that they’re based in Azerbaijan, and in one case on the premises of that country’s Royal Bank.
Source: https://www.darkreading.com/attacks-breaches/mahdi-malware-makers-push-anti-american-update