March 10, 2025

AridViper (APT-C-23) Threat Actor Group

Image: a robotic scorpion in a desert landscape, illustrating the AridViper threat actor.

AridViper, also known as APT-C-23, Desert Falcons, Two-tailed Scorpion, Grey Karkadann, and Mantis, is a sophisticated and persistent cyberespionage threat actor group operating primarily in the Middle East. Believed to be state-sponsored, with potential links to Hamas, AridViper focuses on political and strategic intelligence gathering. The group has been active since at least 2013 (some reports indicate mid-2013, others 2015), demonstrating a long-term commitment to its objectives. AridViper's campaigns combine technical capability with sophisticated social engineering, making the group a significant threat to government, military, media, academic, and technology organizations, particularly in Israel and Palestine but extending to other regions. Security teams in those sectors should be familiar with its tactics.

Origins & Evolution

AridViper was first publicly identified around 2015, with early campaigns such as "Operation Desert Falcons" targeting government officials, activists, and media outlets throughout the Middle East. This initial campaign leveraged custom-developed malware. Kaspersky Lab reported in 2015 that the group initially consisted of around 30 members, operating primarily out of Palestinian territories, Egypt, and Turkey. The group's members are believed to be native Arabic speakers.

Over the years, AridViper has continually evolved its tactics, techniques, and procedures (TTPs). While initially focusing on Windows-based malware, the group has expanded its arsenal to include sophisticated mobile spyware targeting both Android and iOS devices. This shift reflects the increasing importance of mobile devices for communication and data storage. Notable malware families associated with AridViper include:

  • Mobile Malware: AridSpy, GnatSpy, FrozenCell, VAMP, SpyC23.

  • iOS Malware: Phenakite (short-lived).

  • Windows Malware: Micropsia, AridGopher, AridHelper, Barbie, BarbWire.

The group's evolution is also evident in its increasing use of multi-stage malware, such as the AridSpy Android spyware, which downloads additional payloads after the initial infection to evade detection; this move from single-stage to multi-stage malware shows ongoing development and adaptation. Public exposure and security reports have not deterred AridViper; the group continues to operate and refine its methods, underscoring its determination and resourcefulness. Detecting such threats requires robust security logging.

Tactics & Techniques

AridViper's operations are a combination of technical proficiency and psychological manipulation. Their attack campaigns typically involve the following stages:

  1. Initial Access:

  • Spear-phishing: Carefully crafted emails with malicious attachments (often weaponized Office documents) or links to compromised websites are a primary infection vector. These emails are designed to appear legitimate, often referencing current events or topics relevant to the target.

  • Social Engineering: AridViper heavily relies on social engineering, creating fake social media profiles (often posing as attractive young women) to build trust with targets over extended periods. These profiles are used to deliver malicious links or attachments, or to lure victims into downloading trojanized applications.

  • Trojanized Applications: The group creates or modifies legitimate applications to deliver their malware, often disguising them as messaging apps, service apps (like a Palestinian Civil Registry app), or dating apps. These apps are typically distributed outside of official app stores, requiring users to enable installation from unknown sources.

  2. Execution & Persistence:

  • Custom Malware: AridViper develops and deploys custom malware tailored to their specific targets. This includes backdoors and spyware designed to be stealthy and exfiltrate data.

  • Multi-Stage Malware: The use of multi-stage malware, like AridSpy, allows the group to bypass initial detection by downloading additional payloads after the initial infection.

  • Persistence Mechanisms: AridViper's malware often employs persistence mechanisms, such as creating scheduled tasks or modifying registry keys, to ensure continued access even after a system reboot. Understanding the Windows registry structure is important to defend against such persistence.

  3. Command and Control (C2):

  • Firebase: AridSpy uses Firebase for command and control communications, allowing for remote control of the infected device.

  • Custom C2 Infrastructure: The group uses a domain naming scheme of hyphenated hostnames using Western-sounding names for their C2 servers.

  • C2 Deactivation: AridSpy includes functionality to deactivate C2 communication, making detection more difficult.

  4. Data Exfiltration:

  • Extensive Data Harvesting: AridViper's malware is designed to collect a wide range of sensitive data, including:

* Contacts, call logs, SMS messages

* Location data

* Photos and videos (including thumbnails)

* Recorded phone calls and surrounding audio

* Files (specific extensions and file structure)

* WhatsApp databases

* Browser history and bookmarks

* Clipboard data

* Notifications

* Facebook Messenger and WhatsApp communication (through abuse of accessibility services)

* Data from USB drives.

  • Data Encryption and Storage: Collected data is often stored locally, zipped, encrypted, and then exfiltrated to the C2 server.

  • Triggered Exfiltration: Exfiltration can be triggered by commands from the C2 server or by specific events (e.g., changes in internet connectivity, app installation/uninstallation, phone calls, SMS messages, charger connection/disconnection, device reboot).

  5. Lateral Movement: While not extensively documented in all reports, AridViper has demonstrated the capability to spread across a network, searching for shared resources and connected devices. Incident response is critical to contain lateral movement.
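Two of the signals described above are easy to turn into log-based detections: persistence via scheduled tasks and Run keys (stage 2), and C2 hostnames built from hyphenated Western-sounding names (stage 3). The script below is an added example and is not code from the original post or from any vendor report; it runs a few simple rules over constructed sample log lines. The key=value line format is invented for the example (a real pipeline would read its own SIEM schema), the event IDs are the real Windows Security (4698, scheduled task created) and Sysmon (13, registry value set) identifiers, and the name wordlist is a small constructed stand-in for a proper given/family-name list.

```python
"""Added example (not from the original post): a small detection pass over
constructed log lines for two AridViper-style signals, persistence via
scheduled tasks / Run keys and C2 hostnames made of hyphenated name tokens."""
import re
from dataclasses import dataclass

# Constructed sample log lines in a simplified key=value form (not a real SIEM export).
SAMPLE_LOGS = r"""
src=security event_id=4698 host=WS01 user=alice task=\Microsoft\Windows\UpdateOrchestrator\Schedule action="C:\Users\alice\AppData\Roaming\svchost.exe"
src=security event_id=4698 host=WS02 user=SYSTEM task=\Microsoft\Windows\Defrag\ScheduledDefrag action="C:\Windows\System32\defrag.exe"
src=sysmon event_id=13 host=WS01 key=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater value="C:\Users\alice\AppData\Local\Temp\update.exe"
src=sysmon event_id=13 host=WS03 key=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate value=1
src=dns host=WS01 query=mary-lopez-jackson.example
src=dns host=WS02 query=cdn.static.example
src=dns host=WS03 query=peter-rose.example
src=dns host=WS03 query=api-v2.example
""".strip().splitlines()

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Scheduled-task actions launched from user-writable locations are the suspicious case.
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|Temp|ProgramData)\\', re.IGNORECASE)
# Classic autostart locations: HKLM/HKCU ...\CurrentVersion\Run and RunOnce.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)

# Constructed wordlist of Western given/family names; a real rule would use a
# far larger list plus an allowlist of known-good hyphenated domains.
NAME_TOKENS = {"mary", "lopez", "jackson", "peter", "rose", "john",
               "smith", "anna", "david", "miller"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def looks_like_name_hostname(fqdn: str) -> bool:
    """True when the leftmost label is two or more hyphen-joined name tokens."""
    parts = fqdn.lower().split(".")[0].split("-")
    return len(parts) >= 2 and all(p in NAME_TOKENS for p in parts)


def detect(lines) -> list:
    """Apply the three rules and return one Finding per matching line."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host, src, eid = ev.get("host", "?"), ev.get("src"), ev.get("event_id")
        if src == "security" and eid == "4698" and USER_WRITABLE_RE.search(ev.get("action", "")):
            findings.append(Finding("scheduled_task_user_writable", host, ev["action"]))
        elif src == "sysmon" and eid == "13" and RUN_KEY_RE.search(ev.get("key", "")):
            findings.append(Finding("run_key_persistence", host, ev["key"]))
        elif src == "dns" and looks_like_name_hostname(ev.get("query", "")):
            findings.append(Finding("hyphenated_name_hostname", host, ev["query"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the script flags the scheduled task pointing into AppData, the Run key write, and the two name-style hostnames, while leaving the built-in defrag task, the policy key and the ordinary hostnames alone. The hostname rule is deliberately a heuristic: it will fire on legitimate personal domains, so it belongs in a hunting query or a low-severity alert that is correlated with the persistence rules rather than used as a blocking control.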

Targets and Victimology

AridViper's targeting is highly focused, reflecting their espionage-driven objectives. Key targets include:

  • Geographic Focus: Primarily entities in Israel and Palestine. However, their activities have extended to other countries in the Middle East and beyond, suggesting a broader geopolitical agenda. Recent campaigns have focused on Arabic speakers. Victims have been detected in Palestine and Egypt, but are globally dispersed.

  • Industry Sectors:

* Government and Military: High-value targets due to access to classified information and strategic intelligence.

* Media and Communications: To gather information, potentially manipulate public opinion, and monitor journalists.

* Academic and Research Institutions: To access research data, particularly in fields like technology, defense, and international relations.

* Technology Companies: To gain access to proprietary technology and exploit vulnerabilities.

* Activists and Dissidents: To monitor and suppress opposition.

AridViper’s targeting of supply chain vendors, like Blue Yonder, highlights their understanding of interconnected systems and the potential for cascading impacts. This illustrates the importance of understanding supply chain attacks.

Attack Campaigns

Several notable attack campaigns have been attributed to AridViper:

  1. Operation Desert Falcons (2015): One of the earliest identified campaigns, targeting government officials, activists, and media across the Middle East. This campaign used custom-developed Windows malware.

  2. Operation Bearded Barbie (2018): Targeted Israeli officials using social engineering (fake social media profiles) and sophisticated malware. Focused on data exfiltration and surveillance.

  3. VIPERRAT Mobile Campaign (2017-2018): Targeted high-profile individuals in the Middle East via mobile devices, using custom Android spyware.

  4. Micropsia Malware Deployment (Ongoing): Involves the use of the Delphi-based Micropsia malware to record audio, take screenshots, gather system information, and exfiltrate data.

  5. GnatSpy Mobile Malware (2019): Targeted Android devices to collect call logs, SMS messages, and other sensitive data.

  6. Fake Dating Apps (Ongoing): Used fake dating apps to deliver malware to mobile devices.

  7. SpyC23 Mobile Malware (2019): Targeted Android devices, disguised as messaging and communication apps, specifically Telegram and Skipped Messenger (a dating app).

  8. AridSpy Campaigns (2022-Present): Five campaigns identified, using trojanized apps (LapizaChat, NortirChat, ReblyChat, Palestinian Civil Registry app, Job Opportunity app) distributed through dedicated websites. This campaign highlights AridViper's shift to multi-stage Android malware. Three of the five campaigns were still active as of June 2024. Organizations can use threat intelligence to stay ahead of these campaigns.

Defenses

Defending against AridViper's sophisticated attacks requires a multi-layered approach:

  1. Enhanced Email Security: Implement advanced email filtering, phishing detection, and sandboxing to block malicious emails and attachments.

  2. Regular Security Awareness Training: Educate users about spear-phishing, social engineering tactics, and the dangers of downloading apps from untrusted sources. Focus on recognizing suspicious emails, links, and requests. Phishing simulation exercises can be very effective.

  3. Robust Endpoint Protection: Deploy endpoint detection and response (EDR) solutions with real-time monitoring, protection against custom and zero-day malware, and regular updates.

  4. Mobile Device Management (MDM): Implement MDM solutions to monitor, manage, and secure mobile devices, particularly those used for work purposes. Enforce strong security policies, including restrictions on installing apps from unknown sources.

  5. Network Segmentation and Access Control: Implement network segmentation to limit the spread of intrusions. Enforce the principle of least privilege, restricting user access to only the resources necessary for their job functions.

  6. Incident Response Plan: Develop and regularly test a well-defined incident response plan to quickly detect, contain, and recover from attacks. Knowing what a cyber incident response plan looks like is vital.

  7. Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and address vulnerabilities before they can be exploited.

  8. Monitoring and Logging: Implement comprehensive logging and monitoring of network and endpoint activity. Regularly review logs for suspicious behavior.

  9. USB Security Policies: Implement strict policies regarding the use of removable media, including disabling autorun features and scanning USB drives for malware.

  10. Stay Informed and Collaborative: Keep up-to-date with the latest threat intelligence on AridViper and other APT groups. Share information with industry peers and collaborate with security researchers.

  11. Vulnerability Management: Regularly scan for and patch vulnerabilities in software and operating systems, particularly on mobile devices. A strong patch management strategy is key.

Conclusion

AridViper (APT-C-23) is a highly persistent and adaptable threat actor with a clear focus on espionage in the Middle East. Their combination of technical skills, sophisticated social engineering, and evolving mobile malware capabilities makes them a significant threat to a wide range of organizations. Despite public exposure and security research, AridViper continues to operate and refine its tactics, demonstrating a strong commitment to its objectives. Organizations, particularly those in the targeted sectors and regions, must implement robust, multi-layered security measures to defend against this persistent threat. Continuous vigilance, security awareness training, and proactive threat intelligence are crucial for mitigating the risks posed by AridViper and similar cyberespionage groups.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
