{
	"id": "8fce6c76-7904-48ae-b8c1-7f8230afe4f1",
	"created_at": "2026-04-06T01:28:57.615609Z",
	"updated_at": "2026-04-10T03:32:04.755684Z",
	"deleted_at": null,
	"sha1_hash": "01fd651631328903573e4aec9f87ea850bea2f8b",
	"title": "APT-C-23 is Still Active and Enhancing its Mobile Spying Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35593,
	"plain_text": "APT-C-23 is Still Active and Enhancing its Mobile Spying\r\nCapabilities\r\nBy Cyware Labs\r\nPublished: 2020-10-02 · Archived: 2026-04-06 00:10:15 UTC\r\nAPT-C-23, a group of cyber mercenaries known for targeting victims in the Middle East, is still active and\r\nenhancing its surveillance capabilities. A recent report from ESET researchers suggests that it has made several\r\ndeadly improvements to its toolset.\r\nWhat has been discovered?\r\nThe report suggests that it has made several enhancements to its spyware Android/SpyC23.A, and is using it to\r\ntarget victims in the Middle East.\r\nThe new variant of Android/SpyC23.A can snoop on social media apps WhatsApp and Telegram. \r\nThe identified samples were in the guise of genuine messaging app WeMessage, offered through Google\r\nPlay, but have an entirely different interface from the original app and no real functionality.\r\nBesides recording WhatsApp calls and reading notifications from social media apps, including Facebook\r\nand Skype, the malware can now create screen overlays to put on the Android screen when it makes calls to\r\nhide its activities.\r\nIt is also capable of dismissing notifications from built-in security apps, such as SecurityLogAgent\r\nnotifications (Samsung), MIUI Security notifications (Xiaomi), and Phone Manager (Huawei).\r\nRecent incidents\r\nDesert Falcon has been using Android/SpyC23.A for its espionage operations since May 2019.\r\nIn June, some samples of Android/SpyC23.A were detected by MalwareHunterTeam, attempting to target\r\nclient devices in Israel.\r\nIn April, MalwareHunterTeam had detected a new Android malware (later linked to APT-C-23 group),\r\nwhich no security vendor was able to detect besides ESET.\r\nWorth noting\r\nThreat groups such as APT-C-23 seem to have mastered leveraging sophisticated spyware toolsets to carry out\r\nespionage activities. Thus, it becomes important for organizations to stay informed about the latest attack tactics.\r\nExperts suggest that users avoid downloading apps from unofficial sources and check the requested permissions\r\nbefore installing any application.\r\nSource: https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4\r\nhttps://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4"
	],
	"report_names": [
		"aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal",
				"Gaza Cybergang",
				"Molerats",
				"Operation DustySky",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon"
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438937,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01fd651631328903573e4aec9f87ea850bea2f8b.pdf",
		"text": "https://archive.orkl.eu/01fd651631328903573e4aec9f87ea850bea2f8b.txt",
		"img": "https://archive.orkl.eu/01fd651631328903573e4aec9f87ea850bea2f8b.jpg"
	}
}