{
	"id": "790ff1bb-0731-42ed-a2a3-f8699c35cd44",
	"created_at": "2026-04-06T00:06:18.02636Z",
	"updated_at": "2026-04-10T03:32:04.787768Z",
	"deleted_at": null,
	"sha1_hash": "177f37b73f02925df344c1bba6f60586674ef0e1",
	"title": "FrozenCell: Multi-Platform Surveillance Against Palestinians",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4128132,
	"plain_text": "FrozenCell: Multi-Platform Surveillance Against Palestinians\r\nBy Lookout\r\nPublished: 2017-10-05 · Archived: 2026-04-05 15:23:50 UTC\r\nFrozenCell has been seen masquerading as various well-known social media and chat applications, as well as an app likely used only by Palestinian or Jordanian students sitting their 2016 general exams.\r\nLookout researchers have discovered a new mobile surveillanceware family, FrozenCell. The threat is likely targeting employees of various Palestinian government agencies and security services, Palestinian students, and those affiliated with the Fatah political party.\r\nFrozenCell is the mobile component of a multi-platform attack we have seen a threat actor known as \"Two-tailed Scorpion/APT-C-23\" use to spy on victims through compromised mobile devices and desktops. The desktop components of this attack, previously discovered by Palo Alto Networks, are known as KasperAgent and Micropsia. While investigating this threat we discovered 561MB of exfiltrated data from 24 compromised Android devices. More data is appearing daily, leading us to believe the actors are still highly active. We are continuing to watch it closely.\r\nThis threat is another proof point that attackers are incorporating the mobile device into their surveillance campaigns as a primary attack vector. Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace. 
Attackers are keenly aware of the information they can derive from these devices and are using multi-stage (phishing + an executable), multi-platform (Android + desktop) attacks to accomplish their spying.\r\nAll Lookout customers are protected from this threat.\r\nhttps://blog.lookout.com/frozencell-mobile-threat\r\nPage 1 of 6\r\nWhat it does\r\nFrozenCell masquerades as fake updates to chat applications like Facebook, WhatsApp, Messenger, LINE, and LoveChat. We also detected it in apps targeted at specific Middle Eastern demographics. For example, the actors behind FrozenCell used a spoofed app called Tawjihi 2016, which Jordanian or Palestinian students would ordinarily use during their general secondary examination.\r\nOnce installed on a device, FrozenCell is capable of:\r\nRecording calls\r\nRetrieving generic phone metadata (e.g., cell location, mobile country code, mobile network code)\r\nGeolocating a device\r\nExtracting SMS messages\r\nRetrieving a victim's accounts\r\nExfiltrating images\r\nDownloading and installing additional applications\r\nSearching for and exfiltrating pdf, doc, docx, ppt, pptx, xls, and xlsx file types\r\nRetrieving contacts\r\nThe graph below represents a split of the types of data from only one misconfigured command and control server (out of over 37 servers). This is only a small picture of the threat actor's operations.\r\nSome noteworthy files identified in content taken from compromised devices include passport photos, audio recordings of calls, other images, and a PDF document with data on 484 individuals. The PDF lists dates of birth, gender, passport numbers, and names.\r\nPotential targets\r\nThe actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets. 
This data shows a distinct concentration of infected devices beaconing from Gaza, Palestine.\r\nEarly samples of FrozenCell used an online service for storing geolocation information of infected devices. Analysis of this telemetry shows that the infected devices are all located in Gaza, Palestine. It has not been confirmed whether these are test devices or the devices of victims.\r\nWe were also able to link FrozenCell's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack. It appears the attackers sent malicious executables through phishing campaigns impersonating individuals associated with the Palestinian Security Services, the General Directorate of Civil Defence - Ministry of the Interior, and the 7th Fateh Conference of the Palestinian National Liberation Front (held in late 2016). The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party.\r\nSome malicious files associated with these samples were titled the following:\r\nCouncil_of_ministres_decision\r\nMinutes of the Geneva meeting on the security forces (محضر اجتماع جنيف الخاص بقوات الأمن)\r\nSummary of today's meetings.doc.exe (ملخص إجتماعات اليوم)\r\nThe most important points of the meeting in memory of the late President Abu Ammar, may Allah have mercy on him - Paper No. 1 (أهم نقاط إجتماع ذكرى الرئيس الراحل أبوعمار رحمه الله - ورقة رقم 1)\r\nFadi Alsalamin scandal with an Israeli officer - exclusive - watch before deletion - Fadi Elsalameen (فضيحة فادي السالمني مع ضابط إسرائيلي - حصري - شاهد وقبل الحذف - Fadi Elsalameen)\r\nThe details of the assassination of President Arafat_06-12-2016_docx\r\nQuds.rar\r\nScreenshots of some of the PDF contents:\r\nMany of these executables are associated with various short links 
created using Bit.ly, a URL shortening service. After analyzing the traffic associated with these short links, we determined that each one was associated with a referral path from mail.mosa.pna.ps. MOSA is the Palestinian Directorate of Social Development, whose mandate is to achieve comprehensive development, social security, and economic growth for Palestinian families, according to publicly available information on this ministry.\r\nInfrastructure\r\nAt the time of writing, the following domains have either been used by this family or are currently active. We expect this list to grow given that this actor has changed its infrastructure numerous times in 2017.\r\ncecilia-gilbert[.]com\r\ngooogel[.]org\r\nmary-crawley[.]com\r\nmydriveweb[.]com\r\nrose-sturat[.]info\r\nkalisi[.]xyz\r\ndebra-morgan[.]com\r\narnani[.]info\r\nacount-manager[.]info\r\ngooogel-drive[.]com\r\nmediauploader[.]me\r\nacount-manager[.]net\r\nupload404[.]club\r\nupload999[.]info\r\nal-amalhumandevelopment[.]com\r\nmargaery[.]co\r\nupload202[.]com\r\ngo-mail-accounts[.]com\r\nupload101[.]net\r\nsybil-parks[.]info\r\ndavos-seaworth[.]info\r\nupload999[.]org\r\nacount-manager[.]com\r\nlila-tournai[.]com\r\naccount-manager[.]org\r\nmediauploader[.]info\r\nkalisi[.]org\r\naryastark[.]info\r\nmavis-dracula[.]com\r\nkalisi[.]info\r\ngoogle-support-team[.]com\r\n9oo91e[.]com\r\nuseraccount[.]website\r\naccounts-fb[.]com\r\nakashipro[.]com\r\nfeteh-asefa[.]com\r\nlagertha-lothbrok[.]info\r\nOpSec fails and use of cryptography\r\nWhile looking at this infrastructure, we identified that one of these domains has directory indexing enabled. This mistake in operational security allowed us to gain visibility into exfiltrated content for a number of devices. Continued mirroring suggests it is likely a regularly cleaned staging server. We sourced the over 561MB of exfiltrated data from this domain alone, all of which we found to be 7z compressed and password protected.\r\nPassword generation for compressed files takes place client-side, with each device using a unique key in most scenarios. 
Key information consists of an MD5 hash of the device's Android ID, the device manufacturer, and the device model, each separated by an underscore. Visually, this can be represented as follows:\r\nCombined with our analysis of indexed directories on the C2 infrastructure, this allowed us to easily automate the generation of the password used by each device and, in turn, to successfully decompress all exfiltrated content from compromised devices.\r\nWhile the exfiltrated content is encrypted, the information used to generate the password is plainly visible in the top-level directories for each device. Taking this information from directory listings, like the one shown above, allowed for the decryption of all content. In this case, what FrozenCell has primarily netted the actors behind it is recorded outbound calls, followed closely by images and recorded incoming calls.\r\nFrozenCell is part of a very successful, multi-platform surveillance campaign. Attackers are growing smarter, targeting individuals through the devices and the services they use most.\r\n
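An added example, not Lookout's code and not FrozenCell's own routine, of the password recovery described above. Given the device fields an analyst reads off one of the indexed per-device directories, it derives the two readings of the scheme (the MD5 hash of the Android ID joined with manufacturer and model by underscores, and the same underscore-joined string hashed as a whole) and tries each against a 7z archive with the 7-Zip command-line tool when one is on PATH. The directory naming convention in parse_listing_line, the sample directory names, and the Android ID, manufacturer and model values are constructed assumptions; the original post showed the listing only as a screenshot.

```python
import hashlib
import shutil
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    # The three values Lookout reports as the key material. The sample values
    # used below are constructed for this example, not real victim data.
    android_id: str      # Settings.Secure.ANDROID_ID, 16 hex characters
    manufacturer: str    # Build.MANUFACTURER
    model: str           # Build.MODEL


def md5_hex(text: str) -> str:
    # MD5 is the only primitive in the scheme; it serves as a key derivation
    # step, not as an integrity check, so its collision weakness is beside the point.
    return hashlib.md5(text.encode('utf-8')).hexdigest()


def candidate_passwords(dev: DeviceRecord) -> list:
    # The write-up says the key is an MD5 hash of the Android ID, the manufacturer
    # and the model, each separated by an underscore. That sentence admits two
    # readings, so an analyst tries both: the literal one first (hash only the ID,
    # then join), then the alternative (join everything, then hash).
    joined = '_'.join([md5_hex(dev.android_id), dev.manufacturer, dev.model])
    whole = md5_hex('_'.join([dev.android_id, dev.manufacturer, dev.model]))
    return [joined, whole]


def parse_listing_line(line: str) -> DeviceRecord:
    # ASSUMPTION: each per-device directory on the staging server is named
    # <android_id>_<manufacturer>_<model>. The real layout appeared only in a
    # screenshot; adapt the split to whatever the listing actually shows.
    # Splitting at most twice keeps underscores inside the model name intact.
    name = line.strip().rstrip('/')
    android_id, manufacturer, model = name.split('_', 2)
    return DeviceRecord(android_id, manufacturer, model)


# Constructed sample of a directory index (not real C2 data).
SAMPLE_LISTING = [
    '9774d56d682e549c_samsung_SM-G930F/',
    '3b1f0e2a9c8d7e65_HUAWEI_ALE-L21/',
]


def candidates_for_listing(lines) -> dict:
    # Map each device directory to the passwords worth trying for its archives.
    return {line.strip().rstrip('/'): candidate_passwords(parse_listing_line(line))
            for line in lines}


def try_extract(archive_path: str, dev: DeviceRecord, out_dir: str):
    # Try each candidate against a 7z archive. Returns the password that opened it,
    # or None. The standard library cannot read 7z, so this shells out to 7-Zip.
    seven_zip = shutil.which('7z') or shutil.which('7za')
    if seven_zip is None:
        raise RuntimeError('7-Zip command-line tool not found on PATH')
    for pw in candidate_passwords(dev):
        # x = extract with paths, -y = assume yes, -aoa = overwrite,
        # -p<pw> = archive password, -o<dir> = output directory.
        result = subprocess.run(
            [seven_zip, 'x', '-y', '-aoa', '-p' + pw, '-o' + out_dir, archive_path],
            capture_output=True, text=True)
        if result.returncode == 0:
            return pw
    return None


if __name__ == '__main__':
    for directory, passwords in candidates_for_listing(SAMPLE_LISTING).items():
        print(directory)
        for pw in passwords:
            print('  candidate password:', pw)
```

try_extract returns the password that opened the archive, or None if neither candidate worked. The point the example makes is the one Lookout makes: the archive is encrypted, but every input to its key sits in plain sight in the directory name beside it, so a mirrored listing plus a few lines of code recovers the content of every device.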
Government agencies and enterprises should plan to be hit from all angles - cloud services, mobile devices, laptops - in order to build comprehensive security strategies that work.\r\nIndicators of Compromise (mobile)\r\nSHA1 | Package Name | Title\r\n0ff709db71c63a925285ac109c7cd861f91363e3 | com.dev.chat.gochat | Go Chat\r\nfed082b2fd5687af48fb75245a55005d11f3551a | com.app.chat.gochat | Go Chat\r\nddb148e8b700a08375b357d3be92fbb0bb11948d | com.dev.chat.gochat | Go Chat\r\nb9b0cded79369e84fc7cda1837d8c4019850f0fc | com.facebook.update | Facebook Update\r\nba2caf83aa8667072bc23f904b684e628da1c7dc | com.myapps.update | WhatsApp Update\r\n7312db721b57a1d43ac520f617eac1798b5c1b3d | com.myapps.update | Google Play Update\r\n8820f511e11f724f03a19174c9706e104dcbe6f3 | com.myapps.update | Facebook Update\r\n2ff7f56726e41090c3ba16a5828114d1a5f8b6ab | com.myapps.update | Messenger Update\r\nb3783f3a6c3bbec57fe588be6cab6483b165f99f | com.myapps.line | LINE\r\nc89f829f3a334bd4bd8d2bf7f5c7b2a5d82e63d2 | com.app.waupdate | WhatsApp Update\r\n30461be7eecfdc6d5638fdc6a43097aba1a2eedc | com.wadev.appupdate | WhatsApp Update\r\n84d5ff14328d71d3fa3c03962734cc7179d2685e | com.myapps.update | Facebook Update\r\n493a2d6129d9b2d0bbc49a5e07fb4123549b60dc | com.app.waupdate | WhatsApp Update\r\n14841dd294bb1207f40d112377387b7d7e240ffe | com.myapps.update | Facebook Update\r\n9a74d68349fb5918c3c52b04cb0c011fc46000eb | com.app.fau | Facebook Update\r\nceda754a6e6c034d1b8256c9ce7429ac0771c9e2 | com.dev.chat.lovechat | Love Chat\r\n125c380f573ff3e59290f313285d763939360c83 | com.app.waupdate | WhatsApp Update\r\n48a79ff5c9f711e86438aaf2335a28458ec02678 | com.app.update | WhatsApp Update\r\n4a56b4968f2559459d98ab35a01a6b7b946d6ab8 | com.dev.update | Facebook Update\r\n6d02734a39867f65948f01cc2c055b01fe83a252 | com.myapps.update | WhatsApp Update\r\nff675f6862fc4cb474f7e62406b1ad17d4128aef | com.facebook.update | Facebook Update\r\n9b60a3513dcb53a12e67166ef6f721ad9d194a60 | com.facebook.update | Facebook Update\r\n7877661025f315c7d1023c7e124756cab2a3f035 | com.mobile.update | Facebook Update\r\nd098c57edc2eaaaac771deb0df1d00c1917cf92b | com.app.update | Facebook Update\r\naf7552ad0794e9de4a33390b4669b941ef5b69c6 | com.dev.chat.lovechat | Love Chat\r\na5ee1f12a50d84d8283e9bfbec1050b989e07e78 | com.facebook.update | Facebook Update\r\n1d3eccdf4fbd9ca548d85cdf3b6c6c813a3225ae | com.askit.tawjihi | Tawjihi 2016\r\nIndicators of Compromise (desktop)\r\nSHA1\r\n5e706e34634cfb1fcae11ddf1260b540810b156590f93de55145b6577525421354ff05842cbe6271b53b01fccf08ceadc75f2041c00336c36cbc2ac4fe08\r\nAll these indicators can be found on AlienVault under the FrozenCell pulse.\r\nSource: https://blog.lookout.com/frozencell-mobile-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.lookout.com/frozencell-mobile-threat"
	],
	"report_names": [
		"frozencell-mobile-threat"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/177f37b73f02925df344c1bba6f60586674ef0e1.pdf",
		"text": "https://archive.orkl.eu/177f37b73f02925df344c1bba6f60586674ef0e1.txt",
		"img": "https://archive.orkl.eu/177f37b73f02925df344c1bba6f60586674ef0e1.jpg"
	}
}