Some of the victims are professionals and students, but some are scattered lightly throughout the Middle East. The most activity is clearly coming from within Iran, followed by June of 2012. There does not appear to be a pattern to which server reports to which Madi victims are to which. We dont know about any sort of trends of activity within the region, although the trends above may help inform those in the U.S. and abroad. We also discovered five months ago that some of the Madiinfosters were created in the region.”]
Source: https://securelist.com/the-madi-campaign-part-ii/33701/