{
	"id": "b9012f62-826e-483d-9f5c-1df6b5520479",
	"created_at": "2026-04-06T00:20:14.911632Z",
	"updated_at": "2026-04-10T13:12:27.159568Z",
	"deleted_at": null,
	"sha1_hash": "12b4c6aba519204290a48b33c49e9ac73596dd46",
	"title": "Starry Addax targets human rights defenders in North Africa with new malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 807004,
	"plain_text": "Starry Addax targets human rights defenders in North Africa with new malware\r\nBy Cisco Talos\r\nPublished: 2024-04-09 · Archived: 2026-04-05 18:39:48 UTC\r\nCisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.\r\nStarry Addax conducts phishing attacks tricking their targets into installing malicious Android applications we’re calling “FlexStarling.”\r\nFor Windows-based targets, Starry Addax will serve credential-harvesting pages masquerading as login pages from popular media websites.\r\nTalos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation.\r\nStarry Addax has a special interest in Western Sahara\r\nThe malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. The Sahara Press Service is a media agency associated with the Sahrawi Arab Democratic Republic. The malware serves content in the Spanish language from the SPSRASD website to look legitimate to the victim. In actuality, however, FlexStarling is a highly versatile malware capable of deploying additional malware components and stealing information from the infected devices.\r\nhttps://blog.talosintelligence.com/starry-addax/\r\nPage 1 of 10\r\nSplash screen for the malicious application.\r\nStarry Addax’s infrastructure can be used to target Windows- and Android-based users. This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. The email contains content that requests the target to install the Sahrawi News Agency’s Mobile App or includes a topical theme related to the Western Sahara.\r\nSome examples of the subject lines of the phishing emails consist of:\r\nطلب تثبيت التطبيق على هواتف متابعي وكالة الأنباء الصحراوية - Request to install the application on the phones of Sahrawi News Agency followers\r\nالوفد البرلماني الأوروبي يدلي بتصريحات - The European Parliament delegation makes statements\r\nالوفد البرلماني يدلي بتصريحات - A parliamentary delegation makes statements\r\nعاجل وبالفيديو ونقلاً عن جريدة إلبايس - Urgent, video, and quoted from El Pais newspaper\r\nThe email, originating from an attacker-owned domain, ondroid[.]site, consists of a shortened link to an attacker-controlled website and domain. Depending on the requestor’s operating system, the website will either serve the FlexStarling APK for Android devices or redirect the victim to a social media login page to harvest their credentials. The links observed by Talos so far are:\r\nwww[.]ondroid[.]store/aL2mohh1\r\nwww[.]ondroid[.]store/ties5shizooQu1ei/\r\nStarry Addax likely to escalate momentum\r\nCampaigns like this that target high-value individuals usually intend to sit quietly on the device for an extended period. All components, from the malware to the operating infrastructure, seem to be bespoke/custom-made for this specific campaign, indicating a heavy focus on stealth and conducting activities under the radar. The use of FlexStarling with a Firebase-based C2 instead of commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected.\r\nThe timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages, with more infrastructure and Starry Addax working on additional malware variants.\r\nFlexStarling – A highly capable implant\r\nThe FlexStarling malware app requests a plethora of permissions from the Android OS to extract valuable information from the infected mobile device. The following list contains the permissions acquired by FlexStarling via its AndroidManifest[.]xml:\r\nSome of these permissions are dynamically requested at runtime: READ_CALL_LOG, READ_EXTERNAL_STORAGE, READ_SMS, READ_CONTACTS, WRITE_EXTERNAL_STORAGE, INTERNET, ACCESS_NETWORK_STATE, RECORD_AUDIO, READ_PHONE_STATE.\r\nAnti-emulation checks\r\nWhen the implant runs, it checks the BUILD information for keywords or phrases that indicate that it is running on an emulator or analysis tool. The implant checks for the following keywords:\r\nBUILD[MANUFACTURER] does not contain: “Genymotion”.\r\nBUILD[MODEL] does not contain any of: “google_sdk”, “droid4x”, “Emulator”, \"Android SDK built for x86\".\r\nBUILD[HARDWARE] does not contain any of: “goldfish”, “vbox86”, “nox”.\r\nBUILD[FingerPrint] does not start with “generic”.\r\nBUILD[Product] does not consist of any of: “sdk”, “google_sdk”, “sdk_x86”, “vbox86p”, “nox”.\r\nBUILD[Board] does not contain: “nox”.\r\nBUILD[Brand] or Device does not start with “generic”.\r\nThe implant also checks for the presence of the following emulation/virtualization-related files in the filesystem:\r\n/dev/socket/genyd\r\n/dev/socket/baseband_genyd\r\n/dev/socket/qemud\r\n/dev/qemu_pipe\r\nueventd.android_x86.rc\r\nX86.prop\r\nueventd.ttVM_x86.rc\r\ninit.ttVM_x86.rc\r\nfstab.ttVM_x86\r\nfstab.vbox86\r\ninit.vbox86.rc\r\nueventd.vbox86.rc\r\nfstab.andy\r\nueventd.andy.rc\r\nfstab.nox\r\ninit.nox.rc\r\nUeventd.nox.rc\r\nIf none of the keywords or files are found, i.e., all checks are passed, the malicious app tries to gain permissions for managing external storage areas (shared storage space) on the device using the permission “MANAGE_EXTERNAL_STORAGE”. The actor wants to gain the ability to read, write, modify, delete and manage files on external storage locations.\r\nStealing information and executing arbitrary code\r\nThe malware obtains command codes and accompanying information from the C2 server. It then generates the MD5 hash string of the command code and compares it against its list of hardcoded hashes. The corresponding activity is carried out by the implant once a match is found.\r\nThe various commands supported by the sample are:\r\nCommand code MD5 hash | Decoded command code | Intent\r\n801ab24683a4a8c433c6eb40c48bcd9d | Download | Download a file specified by a URL to the Downloads directory.\r\ne8606d021da140a92c7eba8d9b8af84f | unknown | Copy files from the Downloads directory to the application package directory.\r\n725888549d44eb5a3a676c018df55943 | unknown | Decrypt a dex file located in the application package directory and reflectively load it.\r\n3a884d7285b2caa1cb2b60f887571d6c | unknown | Cleanup directories – remove all files from the cache directory, the application package directory (including “/oat/”) and the external cache directory.\r\nf2a6c498fb90ee345d997f888fce3b18 | Delete | Delete a specified filepath.\r\n3e679cff5b3a6f6f8f32aead541a0a12 | Drop | Upload a local file to the attacker’s Dropbox folders using the Dropbox API. The ACCESS TOKEN, local filepath and remote upload path are specified by the C2.\r\nfb84708d32d00fca5d352e460776584c | DECRYPT | AES-decrypt a file from the application package directory using the specified secret key and IV and write it to a file named “.EXEC.dex”.\r\n0ba4439ee9a46d9d9f14c60f88f45f87 | check | Check if a file inside the application package directory exists.\r\nThese commands are supported by accompanying information and consist of the following variables being sent across by the C2:\r\nDURL: Indicates the download URL used by the “Download” command above.\r\nAPPNAME: Indicates the filename to use for the destination file during the “Download” command.\r\nDEX: Contains the source file name to be used during the Decrypt (and reflectively load) commands.\r\nky1: Indicates a value to be used in the context of specific command codes:\r\nDelete = File to be deleted.\r\nDrop = File to be read and uploaded to Dropbox.\r\nDECRYPT = Secret key used for AES decryption.\r\nCheck = Filename whose presence is to be checked in the application package directory.\r\nky2: Indicates a value to be used in the context of specific command codes:\r\nDrop = Remote file location where the local file needs to be uploaded on Dropbox.\r\nDECRYPT = IV used for AES decryption.\r\nky3: Indicates a value to be used in the context of specific command codes:\r\nDrop = Dropbox ACCESS TOKEN value to be used during file upload.\r\nDECRYPT = IV used for AES decryption.\r\nfl: Filename used during the DEX reflective load process.\r\nky4: Used as a parameter during reflective loading of the DEX file.\r\nky5: Secret key used for AES decryption as part of the implant’s DEX decrypt and reflective load.\r\nky6: IV used for AES decryption as part of the implant’s DEX decrypt and reflective load.\r\nky7: Contains the source file name to be used during the AES decryption as part of the implant’s DEX decrypt and reflective load.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nHashes\r\nf7d9c4c7da6082f1498d41958b54d7aeffd0c674aab26db93309e88ca17c826c\r\nec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3\r\nNetwork IOCs\r\nhxxps[://]runningapplications-b7dae-default-rtdb[.]firebaseio[.]com\r\nondroid[.]site\r\nondroid[.]store\r\nbit[.]ly/48wdj1m\r\nwww[.]ondroid[.]store/aL2mohh1\r\nbit[.]ly/48E4W3N\r\nwww[.]ondroid[.]store/ties5shizooQu1ei/\r\nSource: https://blog.talosintelligence.com/starry-addax/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/starry-addax/"
	],
	"report_names": [
		"starry-addax"
	],
	"threat_actors": [
		{
			"id": "523b5a65-737e-4c7f-be83-2ae385128874",
			"created_at": "2024-04-19T02:00:03.630014Z",
			"updated_at": "2026-04-10T02:00:03.617755Z",
			"deleted_at": null,
			"main_name": "Starry Addax",
			"aliases": [],
			"source_name": "MISPGALAXY:Starry Addax",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12b4c6aba519204290a48b33c49e9ac73596dd46.pdf",
		"text": "https://archive.orkl.eu/12b4c6aba519204290a48b33c49e9ac73596dd46.txt",
		"img": "https://archive.orkl.eu/12b4c6aba519204290a48b33c49e9ac73596dd46.jpg"
	}
}