{
	"id": "4f93b53e-3aee-48ec-a86b-b8384a4f65e7",
	"created_at": "2026-04-06T00:22:10.683469Z",
	"updated_at": "2026-04-10T03:37:00.35081Z",
	"deleted_at": null,
	"sha1_hash": "1a19f18f1318931bce9d649307030e643ea25e68",
	"title": "Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2512592,
	"plain_text": "Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets\r\nUAE Dissidents - The Citizen Lab\r\nArchived: 2026-04-02 12:46:51 UTC\r\n1. Executive Summary\r\nThis report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth\r\nFalcon.  The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents.\r\n We discovered this campaign when an individual purporting to be from an apparently fictitious organization called “The\r\nRight to Fight” contacted Rori Donaghy.  Donaghy, a UK-based journalist and founder of the Emirates Center for Human\r\nRights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel.\r\n Donaghy has written critically of the United Arab Emirates (UAE) government in the past,[1] and had recently published a\r\nseries of articles based on leaked emails involving members of the UAE government.[2]\r\nCircumstantial evidence suggests a link between Stealth Falcon and the UAE government.  We traced digital artifacts used\r\nin this campaign to links sent from an activist’s Twitter account in December 2012, a period when it appears to have been\r\nunder government control.  We also identified other bait content employed by this threat actor.  We found 31 public tweets\r\nsent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims.  Of the 27 targets, 24 were obviously linked\r\nto the UAE, based on their profile information (e.g., photos, “UAE” in account name, location), and at least six targets\r\nappeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in\r\nrelation to their Twitter activity.\r\nThe attack on Donaghy — and the Twitter attacks — involved a malicious URL shortening site.  
When a user clicks on a\r\nURL shortened by Stealth Falcon operators, the site profiles the software on a user’s computer, perhaps for future\r\nexploitation, before redirecting the user to a benign website containing bait content.  We queried the URL shortener with\r\nevery possible short URL, and identified 402 instances of bait content which we believe were sent by Stealth Falcon, 73%\r\nof which obviously referenced UAE issues.  Of these URLs, only the one sent to Donaghy definitively contained spyware.\r\n However, we were able to trace the spyware Donaghy received to a network of 67 active command and control (C2)\r\nservers, suggesting broader use of the spyware, perhaps by the same or other operators.\r\nhttps://citizenlab.org/2016/05/stealth-falcon/\r\nPage 1 of 30\n\n2. Background\r\nRori Donaghy[3] is a London-based journalist who currently works for UK news organization Middle East Eye, a website\r\nthat covers news in the Middle East.[4]  Middle East Eye has recently published a series of articles about UAE foreign policy,\r\nbased on leaked emails involving members of the UAE government.  Previously, Donaghy led the Emirates Center for\r\nHuman Rights,[5] an organization he founded to “promote the defence of human rights in the United Arab Emirates …\r\nthrough building strong relationships with the media, parliaments and other relevant organisations outside the UAE”.[6]\r\n2.1. 
Political and Human Rights Situation in the UAE\r\nIn its most recent (2015) Freedom in the World ranking, Freedom House classified the UAE as “not free,” and noted that\r\nthe UAE continues to “suppress dissent”.[7]  Human Rights Watch stated in its most recent (2016) country report, that the\r\nUAE has “continued … to arbitrarily detain and in some cases forcibly disappear individuals who criticized the\r\nauthorities”.[8]  Amnesty International says that UAE courts have “accepted evidence allegedly obtained through torture”.[9]\r\nSpecifically in the online realm, there is evidence that the UAE government has previously conducted malware attacks\r\nagainst civil society. At least three dissidents[10] including a journalist, and UAE human rights activist Ahmed Mansoor, were\r\ntargeted in 2012 with Hacking Team spyware[11] by a Hacking Team customer in the UAE, apparently operating under the\r\nauspices of the office of Sheikh Tahnoon bin Zayed al-Nahyan,[12] a son of the founder of the UAE, and now the UAE\r\nDeputy National Security Advisor.[13]  The UAE client had a license from Hacking Team to concurrently infect and monitor\r\n1100 devices.[14]\n\n3. The November 2015 Attack: An “Invitation”\r\nThis section describes an email attack against journalist Rori Donaghy. The operators used a Microsoft Word macro that\r\ninstalls a custom backdoor allowing operators to execute arbitrary commands on a compromised machine.\r\n3.1 Initial Attack Email\r\nIn November 2015, the journalist Donaghy received the following email message, purportedly offering him a position on a\r\npanel of human rights experts:\r\nFrom: the_right_to_fight@openmailbox.org\r\nSubject: Current Situation of Human Rights in the Middle East\r\nMr. Donaghy,\r\nWe are currently organizing a panel of experts\r\non Human Rights in the Middle East.\r\nWe would like to formally invite you to apply to be a member of the panel by responding to this email.\r\nYou should include your thoughts and opinions in response to the following article about what more David Cameron can be\r\ndoing to help aid the Middle East.\r\nhttp://aax.me/d0dde\r\nThank you.\r\nWe look forward to hearing back from you,\r\nHuman Rights: The Right to Fight\r\nDonaghy was suspicious of the email, and forwarded it to us for analysis.  We found that the link in the email\r\n(http://aax.me/d0dde) loaded a page containing a redirect to the website of Al Jazeera.  Before completing the redirect, it\r\ninvoked JavaScript to profile the target’s computer.  We describe the profiling in detail in Section 3.1-3.3 below.\r\n3.2 Communication with the Operator\r\nOn our instruction, Donaghy responded to the email, asking for further information.  The operators responded with the\r\nfollowing message:\r\nFrom: the_right_to_fight@openmailbox.org\r\nSubject: RE: Current Situation of Human Rights in the Middle East\r\nMr. Donaghy,\r\nThank you for getting back to us. We are\r\nvery interested in you joining our panel.\r\nThe information you requested is in the attached document.\r\nIn order to protect the content of the attachment we had to add macro enabled security.\r\nPlease enable macros in order to read the provided information about our organization.\r\nWe hope you will consider joining us. Thank you.\r\nWe look forward to hearing back from you,\r\nHuman Rights: The Right to Fight\r\nBy chance, the attachment was identified as malicious and blocked by a program running in Donaghy’s email account.  We\r\ninstructed him to follow up and request that the operators forward the attachment via another method.  
Donaghy received\r\nthe following reply:\r\nFrom: the_right_to_fight@openmailbox.org\r\nSubject: RE: Current Situation of Human Rights in the Middle East\r\nMr. Donaghy,\r\nWe apologize for having problems with\r\nour attachment.\r\nPlease follow this link to download our organizational information.\r\nhttp://aax.me/a6faa\r\nThe link has been password protected. The password is: right2fight\r\nIn order to protect the content of the attachment we also had to add macro enabled security.\r\nPlease enable macros in order to read the provided information about our organization.\r\nWe hope you will consider joining us. Thank you.\r\nWe look forward to hearing back from you,\r\nHuman Rights: The Right to Fight\r\nThis second link (http://aax.me/a6faa) redirects to the following URL using an HTTP 302 redirect:\r\nhttps://cloud.openmailbox.org/index.php/s/ujDNWMmg8pdG3AL/authenticate\r\nThis is a password-protected link to a file shared on an ownCloud[15] instance.  We obtained this file, and found it to be a\r\nMicrosoft Word document.\r\n3.3 The Malicious Document\r\nThe document is:\r\nFilename: right2fight.docm\r\nMD5: 80e8ef78b9e28015cde4205aaa65da97\r\nSHA1: f25466e4820404c817eaf75818b7177891735886\r\nSHA256: 5a372b45285fe6f3df3ba277ee2de55d4a30fc8ef05de729cf464103632db40f\r\nWhen opened, the target is greeted with the following image, purporting to be a message from “proofpoint,” a legitimate\r\nprovider of security solutions for Office 365.[16]  The image claims that “This Document Is Secured” and requests that the\r\nuser “Please enable macros to continue.”\r\nIf the target enables macros, they are presented with the following document:\n\nThe document purports to be from an organization called “The Right To Fight,” and asks the target Donaghy to open the\r\nlink in the original email he received (the email containing the profiling URL).  
We believe that “The Right To Fight” is a\r\nfictitious organization, as their logo appears to be copied from an exhibition about “African American Experiences in\r\nWWII”.[17]  Further, “The Right to Fight” has no discernible web presence.\r\n3.3.1 Profiling\r\nThe document attempts to execute code on the recipient’s computer, using a macro.  The macro passes a Base64-encoded\r\ncommand to Windows PowerShell, which gathers system information via Windows Management Instrumentation (WMI),\r\nand attempts to determine the installed version of .NET by querying the registry (full script available in Appendix A: Stage\r\nOne PowerShell Command).\r\n3.3.2 Communication \u0026 Obtaining a Shell\r\nGathered information is returned to http://adhostingcache.com/ehhe/eh4g4/adcache.txt, and the server’s response is\r\nexecuted as a PowerShell command.  At the time, adhostingcache.com resolved to 95.215.44.37.  The domain was\r\napparently deleted on November 30th 2015 (Donaghy received the malicious Word Document on November 24th 2015). A\nnew domain, adhostingcaches.com, was registered on December 3rd, which points to the same IP address. The deletion of\nadhostingcache.com may reflect operator suspicion that the file received by Donaghy had been sent to security researchers.\nThe server response is a PowerShell command that decodes and materializes an invocation of a Base64-encoded\nPowerShell command to disk as IEWebCache.vbs, and creates a scheduled task entitled “IE Web Cache” that executes the\nfile hourly (full script available in Appendix B: Stage Two PowerShell Command).\nIEWebCache.vbs runs a Base64-encoded PowerShell command, which periodically POSTs a unique identifier to\nhttps://incapsulawebcache.com/cache/cache.nfo (via HTTPS without verifying the server certificate, and with a\nhardcoded user-agent header matching Internet Explorer 10.6). 
The script executes server responses as PowerShell\ncommands, responding back to the server with the exit status of, output of, or any exceptions generated by the commands.\nThis gives the operator control over the victim’s computer, and allows the operator to install additional spyware or perform\nother activities. All commands and responses are encrypted using RC4 with a hardcoded key, and the encrypted message is\nprefixed with a hardcoded value.\nDespite some similarities in functionality to the Empire backdoor,[18] we were unable to identify any shared code, and we\nsuspect that the backdoor is custom-made.\n3.4. Technical Analysis: aax.me Browser Profiling\nWhile aax.me has a public interface where anyone may shorten a link, aax.me only conducts browser profiling of\nindividuals who click on links that are specially shortened by Stealth Falcon operators.\nIn November 2015, when we accessed the link in the second email that Donaghy received, http://aax.me/a6faa, we found\nthat it redirected directly to https://cloud.openmailbox.org/index.php/s/ujDNWMmg8pdG3AL/authenticate via an\nHTTP 302 redirect. When we accessed the link in the first email that Donaghy received, http://aax.me/d0dde, the server\nresponded with the following page:\n[Listing: redirect.php page source, not captured in this archive]\n\nWe examined the referenced JavaScript file, http://aax.me/redirect.js.  The file is designed to profile a user’s system,\r\nperhaps to gather intelligence about potentially exploitable vulnerabilities.  The file has apparently not been updated since 7\r\nMay 2013,[20] rendering some of the probing obsolete.  We enclose the file’s full contents in Appendix C: JavaScript\r\nProfiling File.  
The profiling performs the following actions:\r\n- For Internet Explorer, it attempts to create several instances of ActiveXObject to get the versions of Flash,\r\nShockwave, Java, RealPlayer, Windows Media Player, and Microsoft Office (classified as either 2003, 2007, or\r\n2010).\r\n- For non-Internet Explorer browsers, it attempts to get a list of enabled plugins from navigator.mimeTypes.\r\n- For all browsers, it captures the user agent, whether cookies are enabled, the OS, the size of the browser window,\r\nand the timezone.  It classifies browsers into different versions, denoted by letters, based on the existence and\r\nbehavior of certain JavaScript methods.\r\n- The script attempts to exploit an information leak in older versions of Tor Browser.  We explore the technique used\r\nin Section 3.5.\r\n- For Windows browsers (except Opera, and versions of Internet Explorer before IE9), it sends a series of\r\nXMLHttpRequests to 127.0.0.1, which we believe are designed to deduce if the computer is running any one of\r\nseveral specific antivirus programs.  The code for this appears to be borrowed from the JS-Recon port scanning\r\ntool.[21]  The creator of JS-Recon presented the tool at BlackHat Abu Dhabi in 2010.[22]  We explore such techniques\r\nin more detail in Section 3.6.\r\nWe were unfamiliar with the website aax.me, so we investigated it further.  We found that the main page of aax.me\r\npurported to be a public URL shortening service, powered by YOURLS,[23] an open source PHP framework allowing anyone\r\nto set up their own URL shortening service.  We are unable to ascertain whether the site actually uses any YOURLS code.\r\n We also noted that the homepage contains a typo (“Shortend [sic] URL”).\r\nWe shortened a URL using the homepage, but found that clicking on the shortened URL did not trigger the loading of the\r\nintermediate page, http://aax.me/redirect.php.  
We also did not find the code for redirect.php or redirect.js in the public\r\ncode repository for YOURLS.[24]  Thus, we deduced that this code was likely specially written by the operators, and the link\r\nsent to Donaghy was likely created by someone with administrator access to aax.me.\r\n3.5. Technical Analysis: aax.me Tor Deanonymization Attempt\r\nThe aax.me site appears to attempt to deanonymize users of Tor Browser.  While the technique the operators used was out-of-date at the time we observed the attack, the attempted Tor deanonymization speaks to their motivations and potential\r\ntargets.\r\nThe script first detects Tor Browsers by checking whether navigator.buildID is set to zero (all testing was conducted on\r\nEnglish, Windows builds of Tor Browser).  Versions of Tor Browser before 2.3.25-12 (released on 13 August 2013) had\r\ntheir buildID set to zero.  This behavior was originally introduced in TorButton,[25] in support of the goal of making Tor\r\nusers appear homogeneous.[26]  Current Tor Browser versions have navigator.buildID set to a different distinctive value,\r\n20000101000000.\r\nWhen the script detects a Tor Browser, it attempts to deduce the version of Tor Browser by checking for the existence and\r\nbehavior of certain JavaScript methods.  
Once a browser is determined to be older than a certain version of Tor Browser,\r\nthe script exploits a now-fixed bug to get the disk path of the browser installation.[27]  The disk path may contain the target’s\r\nusername, which may include the target’s real name.\r\nThe bug in Tor Browser was first disclosed at Defcon 17, which took place in August 2009.[28]  The bug was first fixed on\r\n25 May 2012 in Tor Browser release 2.2.35-13.[29]  The bug was, however, later reintroduced into Tor Browser on 18\r\nDecember 2013 with the release of Tor Browser 3.5, and subsequently fixed again in Tor Browser 3.6 on 29 April 2014.[30]\r\n However, unfortunately for the operators, they failed to update their profiling script to reflect Tor Browser’s\r\nnavigator.buildID change (before the bug was reintroduced).  Thus, the profiling script did not detect Tor Browsers with\r\nthe reintroduced bug as Tor Browsers, so it did not try to exploit them.  Even if it had been updated to reflect the\r\nnavigator.buildID change, the version check in the Tor Browser exploitation code would also have to be updated to select\r\nthe versions with the reintroduced bug for exploitation.\r\nThe version of Tor Browser (as determined by JavaScript checks) is submitted back to the server, along with the value of\r\nnavigator.oscpu (which reveals the version of the OS on which Tor Browser is running — e.g., the latest version of Tor\r\nBrowser on OSX El Capitan reveals: “Intel Mac OS X 10.11”) which is set to “Windows NT 6.1” in the latest Tor browser,\r\nnavigator.vendor (which appears blank in the latest Tor Browser), and any data gathered about the installation path.\r\n3.6. 
Technical Analysis: aax.me Antivirus Profiling\r\nInterestingly, aax.me also attempts to determine the presence of various antivirus products on a target’s machine.\r\nWe expand on the probing of antivirus programs which we observed on aax.me, as we were unfamiliar with this technique.\r\n The technique appears to work on any modern version of Windows, with the latest versions of Chrome, Firefox, and\r\nIE/Edge (though, the profiling script excludes IE versions less than IE9 from the profiling, using the vertical tab test).[31]\r\n Specifically, the script conducts GET XMLHttpRequests (one at a time) to 127.0.0.1/ on the following ports: 12993,\r\n44080, 24961, 1110, 6646, 6999, 30606.  The script stops conducting these requests if it finds one request whose\r\nreadyState is set to 4 less than 20ms after the request was initiated (200ms for port 6646), and submits the number of this\r\nport to the server.\r\nThe latest versions of Internet Explorer/Edge, Chrome, and Firefox (except Tor Browser) will all perform these\r\nXMLHttpRequests to 127.0.0.1 on behalf of any site.  Of course, the result of such a request will most likely not be\r\navailable to the script, due to the same-origin policy, and likely absence of a CORS[32] header in the response.  Indeed, the\r\nscript does not attempt to read the results of its requests.  Rather, it leverages the fact that the web browser makes the status\r\nof the request sent available, via the readyState parameter of an XMLHttpRequest instance (1 approximately represents\r\nTCP SYN sent, and 4 represents HTTP response received or TCP connection terminated).  For a closed port, Windows will\r\nissue an RST/ACK for each SYN sent.  
However, it appears that Windows’ TCP stack will not consider an outgoing\r\nconnection it is initiating to be terminated until it has sent 3 SYNs, and received three corresponding RST/ACKs (or\r\ntimeouts).\r\nWhen testing with a TCP connection from Windows to a remote host, we can clearly see that Windows transmits the second\r\nSYN ~500ms after the first RST/ACK, and the third SYN ~500ms after the second RST/ACK.\r\nThus, the readyState value for a request to a closed port on 127.0.0.1 will not be set equal to 4 until approximately 1000ms\r\nafter the request is issued.  In summary, one can use this technique to distinguish between a closed port (readyState set to 4\r\nat around 1000ms), an open port (readyState set to 4 before 1000ms), and a filtered port (readyState set to 4 long after\r\n1000ms).\r\nThis script was apparently designed to detect the presence of certain components of Avast, Avira, ESET, Kaspersky, and\r\nTrend Micro antivirus products.  We were not able to determine which program the probing of port 24961 was designed to\r\ndetect.  
We verified that the latest version of Avast can be detected by this script, as it opens TCP port 12993, which is\r\nassociated with its Mail Shield component for scanning email traffic; port 6999 is opened by Trend Micro’s tmproxy[33]\r\nwhich scans web and email traffic; port 1110 is used by Kaspersky[34] to scan web and email traffic; it appears that Avira’s\r\nWeb Protection component for scanning web traffic used to open port 44080,[35] though we observed it opening 44081\r\ninstead; port 30606 appears to have been used by ESET to scan web and email traffic,[36] but we did not observe this port\r\nopen while testing the latest version of ESET; port 6646 may be used by McAfee, though we did not test this.[37]\r\nThe code for the port scanning appears to be adapted from the JS-Recon port scanning tool.[38]  JS-Recon is a generic tool\r\nthat enumerates all open ports on 127.0.0.1 in a range; it does not specifically target anti-virus programs.  The scan_xhr\r\nand check_ps_xhr functions in the aax.me profiling script are similar to the scan_ports_xhr and check_ps_xhr functions\r\nin JS-Recon.  The creator of JS-Recon seems to have first presented the tool at BlackHat Abu Dhabi in 2010.[39]\r\nNote that this technique can be generalized to any remote content timing side channel (e.g., the onerror event for an\r\nImage).  Additionally, one can identify the presence of an open port on 127.0.0.1 that speaks HTTP without using timing\r\ninformation, and thus without the Windows TCP behavior assumption (e.g., by handling the onerror and oncomplete events\r\nof certain types of link elements).\r\nWe are unsure whether the purpose of the antivirus profiling is to identify potentially exploitable antivirus software running\r\non a target’s computer, or for evasion of antivirus products.  In December 2015, Google Security discovered a critical\r\nvulnerability in Avast’s antivirus product, which involved a webpage sending HTTP requests to a port that Avast opens on\r\n127.0.0.1.  
Google Security demonstrated that the vulnerability allowed exfiltration of arbitrary files from a victim’s disk.[41]\r\n In January 2016, Google Security discovered a critical vulnerability in Trend Micro’s antivirus product, which similarly\r\ninvolved a web page sending HTTP requests to a port that Trend Micro opens on 127.0.0.1.  Google Security demonstrated\r\nthat the vulnerability allowed arbitrary command execution.\r\n4. The Case of the Fake Journalist\r\nIn the course of our investigation we scanned the e-mail of journalist Donaghy and found evidence that he had been\r\ncontacted by a fictitious journalist, whom we linked to Stealth Falcon.\r\nWe scanned Donaghy’s GMail account for any previous messages featuring links that redirected through aax.me.  We\r\nidentified the following message from December 2013, purporting to be from a UK journalist named Andrew Dwight:\r\nFrom: andrew.dwight389@outlook.com\r\nSubject: FW: Correspondence Request\r\nGreetings Mr. Donaghy,\r\nI have been trying to reach you for comment and I am\r\nhoping that this e-mail reaches the intended recipient. My name is Andrew Dwight and I am currently writing a book about\r\nmy experiences in the Middle East. My focus is on human factors and rights issues in seemingly non-authoritarian regimes\r\n(that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work,\r\nspecifically this piece (http://goo.gl/60HAqJ), for the book. 
I’m quite impressed with the way you articulate this complex\r\nissue for the masses, and hope to have a similar impact with my book.\r\nHappy New Year,\r\nAndrew\r\nThe link in the email, http://goo.gl/60HAqJ, redirects to http://aax.me/0b152, which, as of December 2015, redirected to\r\na 2013 Huffington Post blog post authored by Donaghy.[42]  We did not observe any redirect.php behavior with this link; as\r\nof December 2015, the aax.me link directly served an HTTP 302 redirect to the Huffington Post (we omitted the date\r\nheader below).  However, it is possible that the link formerly exhibited redirect.php behavior:\r\nHTTP/1.1 302 Moved Temporarily\r\nDate:\r\nServer: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g\r\nX-Powered-By: PHP/5.2.6-1+lenny13\r\nLocation: http://www.huffingtonpost.co.uk/rori-donaghy/uae-94_b_3549671.html\r\nVary: Accept-Encoding\r\nContent-Type: text/html\r\nWe found that Donaghy had responded to this message shortly after receiving it, offering to meet in-person with Andrew in\r\nthe UK.  Andrew responded several weeks later with the following:\r\nFrom: andrew.dwight389@outlook.com\r\nSubject: RE: Correspondence Request\r\nHello Rori,\r\nHappy New Year! I apologize for the delay in getting back to you. I was\r\non a ski holiday in upstate New York for the New Year and just returned to my current accommodations in the city. I was\r\ndue back sooner, but as you may know, the weather has not been agreeable here in the Eastern United States!\r\nI am currently situated in the US. while I complete my book to be closer to my publisher and editor. The book focuses on\r\nthe various guises used by Middle Eastern countries to demonstrate that they are providing equal and fair treatment with\r\nconcern to human rights. I am working with several organizations in identifying cases that reveal their true lack of concern\r\nfor liberty and personal freedoms. I’m using these cases as testimony about this under reported issue. 
Have you heard of a\r\nSwedish organization named Al Karama?\r\nThere website: http://en.alkarama.org/index.php?option=com_content\u0026view=article\u0026id=1005\u0026Itemid=74\u0026slid=102\r\nI have spoken to one of their junior editors and I am hoping to obtain input from some of their sources as well.\r\nThis issue never gets any smaller does it? I hope that a few loud voices (and a well received book) can make a difference.\r\nCheers,\r\nAndrew\r\nWhile attempting to determine whether “Andrew Dwight” was a real person, we found a Twitter profile, @Dwight389\r\nfor the same persona, and that mentions the same address from which Donaghy received the email.\r\nWe found that this account messaged three UAE dissident accounts via Twitter mentions.  While we were unable to\r\nestablish if @Dwight389 successfully attacked any of these individuals, we profile the targets below.\r\n4.1. Another Target: Obaid Yousef Al-Zaabi\r\nThis section describes how the fake journalist persona contacted Obaid Yousef Al-Zaabi, a blogger who was arrested for\r\ncriticising the UAE.\r\nObaid Yousef Al-Zaabi was arrested on 2 July 2013[43] for Tweeting about the UAE94 detainees (94 defendants prosecuted\r\nin a mass trial on charges of attempting to overthrow the government)[44] on his @bukhaledobaid account, which displays\r\nhis real name.[45]  He was released due to health problems a month later, but was arrested again on 12 December 2013,[46] a\r\nday after talking to CNN[47] about the condition of US citizen Shezanne Cassim, imprisoned for making a parody video[48]\r\nabout “youth culture in Dubai”.[49]  Al-Zaabi and Cassim were imprisoned in the same cellblock.  
Al-Zaabi was acquitted on\r\n23 June 2014 of all charges including “slander concerning the rulers of the UAE using phrases that lower their status, and\r\naccusing them of oppression” and “disseminating ideas and news meant to mock and damage the reputation of a\r\ngovernmental institution,” but, according to information received from two UAE sources, Al-Zaabi is still imprisoned in the\r\nprisoners ward of a hospital.  A coalition of 13 human rights organizations including Amnesty International consider Al-Zaabi’s ongoing detention to be arbitrary, and without legal basis.[50]  Amnesty International reported that “a senior State\r\nSecurity Prosecution official” told Al-Zaabi he would continue to be detained even if acquitted.[51]\r\nAl-Zaabi’s brother, Dr. Ahmed Al-Zaabi, is one of the UAE94 detainees and is currently serving a 10 year prison sentence.\r\n According to a report by the Gulf Center for Human Rights, Ahmed was tortured in prison: his fingernails were pulled out,\r\nand he was “beaten to the point he was left swollen, covered in bruises all over his body and with large amounts of blood in\r\nhis urine”.[52]\r\n4.2. Another Target: Professor Abdullah Al-Shamsi\r\nThis section describes how the fake journalist persona contacted professor Abdullah Al-Shamsi, Vice Chancellor of the\r\nBritish University in Dubai.\r\nProfessor Abdullah Al-Shamsi (@shamsiuae58) is the Vice Chancellor of the British University in Dubai.[53]  He (Arabic\r\nname: أ.د.عبدالله محمد رحمة الشاميس)[54] is signatory #79 (out of 133) to a March 2011 petition to the UAE government[55] for\r\ndirect elections[56] (UAE activist Ahmed Mansoor was arrested after signing the same petition).[57]  Al-Shamsi’s father (محمد بن رحمة العامري الشاميس) was appointed to, and chaired the first sessions of, the Federal National Council (FNC), a legislative\r\nadvisory council that is now an elected body.  
He called for more powers to be given to the FNC.[58]\r\n4.3. Additional Targets: Qatari Citizens Sentenced to Prison\r\nIn May 2015, five Qataris were sentenced (one present in the UAE to 10 years in prison, and four in absentia to life in\r\nprison), for posting allegedly offensive pictures of the UAE Royal Family on three Twitter accounts and two Instagram\r\naccounts,[59] including @northsniper.[60]  At trial, the prosecution accused the five of being agents of Qatar’s State Security,\r\nand posting the allegedly offensive pictures as part of a “military mission” to “show that Emiratis had offended their own\r\nleaders”.[61]  The @northsniper account is currently suspended.  One Instagram account allegedly used by defendants in\r\nthis case (@9ip) is still active, and still appears to display unflattering photoshopped images of the President, Crown\r\nPrince, and Founder of the UAE.[62]\r\n5. Stealth Falcon’s Widespread Targeting of UAE Figures\r\nThis section describes how we identified additional Stealth Falcon victims and bait content, and traced Stealth Falcon’s\r\nspyware to additional C2 servers.\r\nGiven Stealth Falcon’s use of public Twitter mentions to contact individuals, we searched Google and Twitter for instances\r\nof aax.me links.  The links we found indicated that we could easily probe aax.me to get a comprehensive list of all\r\ncurrently active short URLs, and their corresponding long URLs.  Our findings point to a UAE-focused operator, whose\r\nbait content and targets are linked to the Emirates.  Furthermore, we were able to connect this attack to a case from December\r\n2012, where an anonymous UAE activist contacted us and claimed to have received a suspicious link from a Twitter\r\naccount that was purportedly under government control.\r\n5.1. 
Public Targets and Links to Arrests\r\nThis section describes 24 Stealth Falcon Twitter targets that we identified on the basis of their receiving an aax.me link in a Twitter mention.\r\nWe found aax.me links targeting 24 accounts, each of which was mentioned in a tweet that also contained an aax.me shortened link.  We were unable to get details about 17 of the accounts.  Of the accounts we were able to identify, several individuals were subsequently arrested or convicted in absentia by the UAE Government in relation to their online activities.\r\nThe following table outlines these cases, and notes arrests.  For completeness, the table includes the cases from Sections 4.1-4.3 (bracketed numbers are footnotes):\r\nHandle | Targeting | Related Arrests / Convictions | Note\r\n@omran83 | 14 January 2012 [63] | 16 July 2012 [64] (arrested) | UAE94 prisoner; serving 7 years in prison. [65]\r\n@weldbudhabi | 5 August 2012; [66] 20 October 2012 [67] | 14 December 2012 [68] (arrested) | \r\n@intihakat | 5 August 2012 [69] | 25 December 2013 [70] (convicted) | Qatari convicted in absentia; sentenced to 5 years in prison.\r\n@bukhaledobaid (Sec 4.1) | 24 April 2013 [71] | 2 July 2013; [72] 12 December 2013 [73] (arrested) | Brother of UAE94 prisoner; acquitted of charges; indefinitely detained in prisoners’ ward of hospital.\r\n@northsniper (Sec 4.3) | 7 November 2013 [74] | 18 May 2015 [75] (convicted) | Five Qataris convicted; sentences ranged from 10 years to life in prison.\r\n@71UAE | 9 January 2012 [76] | | Last tweeted 1 July 2013, a day before arrest of @bukhaledobaid.\r\n@kh_oz | 10 January 2012 [77] | | Likely son of @bukhaledobaid. [78]\r\n@shamsiuae58 (Sec 4.2) | 9 May 2013 [79] | | Signed 2011 pro-democracy petition that Ahmed Mansoor was arrested after signing.\r\n@newbedon | 9 January 2012 [80] | | Donaghy describes the account as 
“ensur[ing that] details of mistreatment [by security forces] are readily available”. [81]\r\n@bomsabih | 9 January 2012 [82] | | Inactive since 8 October 2014.  Owner claimed affiliation with State Security Apparatus.\r\ntable 1\r\nWe list additional details in Appendix D: Public Stealth Falcon Tweets.\r\n5.2. Enumerating aax.me for Bait Content\r\nThis section describes how we probed every conceivable short URL on aax.me, and found 402 pieces of bait content that we believe were sent by Stealth Falcon.\r\nAll of the public aax.me links we found, as well as the links sent to Donaghy, matched the regular expression /aax.me/[0-9a-f]{5}/.  Assuming all links shortened via aax.me match this regular expression, there are only 16^5 (1,048,576) possible short URLs.  We sent a request to aax.me for each possible URL, and observed the returned page or redirect.  We found 57 URLs that exhibited the redirect.php profiling behavior, and 524 URLs that returned an HTTP 302 redirect to an expanded URL.  The other 1,047,995 aax.me links returned an HTTP 302 redirect to the aax.me homepage; we assume these short URLs were unassigned to an expanded URL as of the time of our scan.\r\nWe coded the long URLs where the URLs were still active, or where we could find an archived copy of, or some information about, the URL.  We were able to code 535 URLs, and failed to code 46 URLs, as the corresponding websites were down and we could not find reliable information about what content the URLs contained.  See Appendix E: Results of aax.me Scan for details.  We coded 133 URLs as “advertisement” (25% of all coded URLs), as they appeared to represent an advertisement for a product.  The vast majority of these advertisements seemed to be products typically marketed via spam (e.g., “dietary supplement” or “green coffee”).  
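The keyspace scan described at the start of this section, as an added example that is not Citizen Lab's code: it enumerates the 16^5 keys the regular expression admits and buckets each un-followed HTTP response into the three classes the report counted (302 to the homepage = unassigned, 302 elsewhere = expanded URL, redirect.php profiling). It runs offline against a constructed in-memory stand-in for aax.me. The function names are mine; the d910a and 4b708 mappings are the real ones quoted later in the report, the 0a1b2 and ffff0 entries are invented, and the response shape assumed for the redirect.php links is my assumption, since the report does not spell it out.

```python
import re
from collections import Counter

# Every public aax.me link, and the links sent to Donaghy, matched
# /aax.me/[0-9a-f]{5}/, so the key space is exactly 16**5.
SHORT_KEY_RE = re.compile(r"https?://aax\.me/([0-9a-f]{5})\b")
KEY_LENGTH = 5
KEYSPACE_SIZE = 16 ** KEY_LENGTH          # 1,048,576
HOMEPAGE = "http://aax.me/"


def extract_keys(text):
    """Pull the 5-hex keys out of any aax.me links in a tweet or web page."""
    return SHORT_KEY_RE.findall(text)


def keyspace():
    """Yield every possible key once: 00000, 00001, ..., fffff."""
    for n in range(KEYSPACE_SIZE):
        yield format(n, "05x")


def classify_response(status, location):
    """Bucket one un-followed HTTP response into the report's three classes.

    'unassigned' : 302 back to the aax.me homepage (key not in use)
    'redirect'   : 302 to an expanded URL elsewhere (ordinary shortened link)
    'profiling'  : the redirect.php behaviour.  ASSUMPTION: modelled as a 302
                   whose Location stays on aax.me and names redirect.php; the
                   report does not state the exact response shape.
    """
    if status != 302 or not location:
        return "other"
    if location.rstrip("/") == HOMEPAGE.rstrip("/"):
        return "unassigned"
    if location.startswith(HOMEPAGE) and "redirect.php" in location:
        return "profiling"
    return "redirect"


def scan_keyspace(fetch, keys=None):
    """Probe each key with fetch(key) -> (status, location), never following
    redirects, and return (bucket counts, {key: Location} for assigned keys)."""
    counts = Counter()
    assigned = {}
    for key in (keys if keys is not None else keyspace()):
        status, location = fetch(key)
        bucket = classify_response(status, location)
        counts[bucket] += 1
        if bucket in ("redirect", "profiling"):
            assigned[key] = location
    return counts, assigned


# Constructed in-memory stand-in for aax.me so the scan runs offline.
# d910a and 4b708 are real mappings quoted in Sections 5.3 and 6.2; the other
# two keys and their targets are invented for illustration.
FAKE_TABLE = {
    "d910a": (302, "https://www.a7rarelemarat.com/vb/showthread.php?p=3423#post3423"),
    "4b708": (302, "http://velocityfiles.com/download.php?id=a81abdd8a0c0cd1d5d3b6baadcc9eb18"),
    "0a1b2": (302, "http://aax.me/redirect.php?id=0a1b2"),      # invented profiling key
    "ffff0": (302, "http://example.com/green-coffee-offer"),    # invented spam-style ad
}


def fake_fetch(key):
    """Unassigned keys bounce to the homepage, as the real site did."""
    return FAKE_TABLE.get(key, (302, HOMEPAGE))


if __name__ == "__main__":
    counts, assigned = scan_keyspace(fake_fetch)
    print(dict(counts))
    print(sorted(assigned))
```

Against a live shortener, fake_fetch would be replaced by an HTTP client call that does not follow redirects (for example requests.get(url, allow_redirects=False), returning the status code and the Location header), with rate limiting and a session; the classification and counting logic stays the same. Keeping the Location of every assigned key is what produces the list of long URLs that the rest of this section codes and tags.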
We suspect that these links may have been shortened by spammers, as the aax.me URL shortening page is publicly accessible and indexed by Google, and YOURLS advises that publicly accessible URL shorteners will receive spam.83  All “advertisement” links were 302 redirects, and none were redirect.php links.  This is consistent with our observation that the aax.me public interface only permits visitors to shorten links using the 302 redirect method.\r\nWe filtered out the short URLs classified as “advertisement.”  There were 402 non-advertisement short URLs that we tagged.  We display a summary of the top ten tags below (a URL can carry more than one tag, so the percentages do not sum to 100%):\r\nTag | Number of Short URLs | % of non-advertisement URLs\r\nUAE | 292 | 73%\r\nTorture | 57 | 14%\r\nSecurity Forces | 49 | 12%\r\nDenaturalization | 46 | 11%\r\nIsa bin Zayed | 42 | 10%\r\nRule of Law | 40 | 10%\r\nCriticism | 40 | 10%\r\nABC News | 40 | 10%\r\nViolations | 33 | 8%\r\nIslam | 29 | 7%\r\ntable 2\r\nWe noted that a number of long URLs had multiple corresponding short URLs.  We display the top ten long URLs below.\r\nLong URL | # Short URLs | Description\r\nhttp://www.youtube.com/watch?v=F6NU4pc378k | 40 | ABC News report featuring video of Abu Dhabi Crown Prince’s brother, Sheikh Isa bin Zayed al-Nahyan, torturing an Afghani grain salesman.\r\nhttp://mohaamoon.com/uae/17.htm | 40 | Personal website criticizing rule of law and human rights issues in the UAE, including torture, slavery, and imprisonment for debts.\r\nhttps://aluae7r2.wordpress.com/2012/01/09/اتحاد-المنظمات-الإسلامية-في-أوروبا-يس/ | 19 | Copied statement from the Federation of Islamic Organizations in Europe (FIOE), criticizing the UAE’s denaturalization of citizens.\r\nhttps://www.a7rarelemarat.com/vb | 10 | Purported to be an opposition web forum for discussing Emirati issues, and providing proxy 
tools.  The site is now down, so we cannot inspect the specific forum posting.\r\nhttp://google.com | 9 | Google.\r\nhttps://www.a7rarelemarat.com/vb/showthread.php?p=3423#post3423 | 6 | (see a7rarelemarat above)\r\nhttp://www.youtube.com/watch?v=Xcc9Tdc_Hxg&feature=player_embedded#! | 5 | Video montage talking about torture by UAE security forces.\r\nhttp://www.youtube.com/watch?v=izeSn9Am6us&list=UU2wwG6r1J_GRgXuMGi9m8FQ&index=1&feature=plcp | 5 | Video unavailable.\r\nhttps://www.youtube.com/watch?feature=player_embedded&v=Q3aQpfyXSrg | 5 | Video published by Al Islah, which appears to be a montage of UAE political detainees.\r\nhttps://www.a7rarelemarat.com/vb/forumdisplay.php?f=3 | 5 | (see a7rarelemarat above)\r\ntable 3\r\n5.3. A Connection to an Account Potentially Under UAE Government Control\r\nThis section describes a case from December 2012 in which an Emirati activist said he received links connected to aax.me from an account that may have been under UAE government control.\r\nIn December 2012, an author of this report was contacted by an Emirati activist, who reported that an account, @WeldBudhabi, had sent him a link on 14 December 2012 via Twitter direct message that took him to a page on a7rarelemarat.com.  
A report by the BBC notes that UAE authorities on 14 December 2012 arrested an individual who they believed to be associated with @WeldBudhabi, and that the account was “reportedly hacked by the authorities” on the same day.84  The Emirati activist told us that he later contacted @WeldBudhabi, who reported that he did not send the link.\r\nThis link provides the strongest connection between Stealth Falcon and the UAE authorities that we are aware of.\r\na7rarelemarat.com is a now-defunct website that purported to be an opposition web forum for discussing Emirati issues, and providing proxy tools for “hiding from the thugs” (presumably a reference to the UAE State Security Apparatus).  We found four links involving aax.me posted by the site’s Twitter account, @a7rarelemarat.  We display two tweets below, as the rest of the tweets had the same links:\r\nTwitter’s API records the date of the tweet’s creation:\r\nSun Oct 21 05:05:41 +0000 2012\r\nWe also accessed the goo.gl link statistics, and found that the goo.gl link in the tweet was created less than two minutes prior to the tweet:\r\n2012-10-21T05:03:45.585+00:00\r\nThe second tweet exhibited a similar pattern:\r\nTwitter’s API records the date of the tweet’s creation:\r\nWed Oct 03 06:54:33 +0000 2012\r\nWe again accessed the goo.gl link statistics, and found that the goo.gl link in the tweet was created less than one minute prior to the tweet:\r\n2012-10-03T06:53:45.151+00:00\r\nThe link redirects to https://www.a7rarelemarat.com/vb/showthread.php?p=3423#post3423 via http://aax.me/d910a.\r\nThe use of both goo.gl and aax.me in these cases suggests that the goo.gl link may have been designed to conceal the aax.me domain.  
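The timing comparison above, as an added example that is not the report's own code: it parses the two timestamp formats quoted in the text (Twitter's created_at and goo.gl's ISO-8601 analytics timestamp), computes how long before each tweet its goo.gl link was minted, and applies a window test. The two-minute window and the function names are mine, taken from the report's "less than two minutes" observation; the first two pairs are the real timestamps quoted above, and the third pair is a constructed control that should fail the test.

```python
from datetime import datetime, timedelta

# Twitter's created_at format ("Sun Oct 21 05:05:41 +0000 2012").  goo.gl's
# "2012-10-21T05:03:45.585+00:00" is plain ISO-8601 with a UTC offset.
TWITTER_FMT = "%a %b %d %H:%M:%S %z %Y"


def parse_twitter(created_at):
    """Twitter created_at string -> timezone-aware datetime."""
    return datetime.strptime(created_at, TWITTER_FMT)


def parse_googl(created):
    """goo.gl analytics creation timestamp -> timezone-aware datetime."""
    return datetime.fromisoformat(created)


def creation_gap_seconds(tweet_created_at, link_created):
    """Seconds from short-link creation to tweet posting.
    Positive means the link existed first, the order a genuine poster produces."""
    return (parse_twitter(tweet_created_at) - parse_googl(link_created)).total_seconds()


def same_actor_hint(tweet_created_at, link_created, window=timedelta(minutes=2)):
    """True when the link was minted at most `window` before the tweet, the
    report's basis for saying the poster and the link creator were one person.
    A link created after the tweet, or long before it, yields False."""
    gap = creation_gap_seconds(tweet_created_at, link_created)
    return 0 <= gap <= window.total_seconds()


# The two tweet/link pairs quoted in the report, plus one constructed control
# pair (link created a full hour before the tweet) that must not pass.
PAIRS = [
    ("@a7rarelemarat tweet 1", "Sun Oct 21 05:05:41 +0000 2012", "2012-10-21T05:03:45.585+00:00"),
    ("@a7rarelemarat tweet 2", "Wed Oct 03 06:54:33 +0000 2012", "2012-10-03T06:53:45.151+00:00"),
    ("constructed control",   "Wed Oct 03 06:54:33 +0000 2012", "2012-10-03T05:54:33.000+00:00"),
]


def correlate(pairs=PAIRS):
    """Return [(label, gap_seconds, same_actor_hint)] for each tweet/link pair."""
    return [(label, creation_gap_seconds(t, l), same_actor_hint(t, l)) for label, t, l in pairs]


if __name__ == "__main__":
    for label, gap, hint in correlate():
        print(f"{label}: link created {gap:.3f}s before tweet -> same actor? {hint}")
```

The window is a heuristic, not proof: a scheduler that mints a link and posts within seconds would pass it too, which is why the report treats this timing only as corroboration for the control of @a7rarelemarat, alongside the shared aax.me key.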
Also, the proximity in creation time between the tweet and the goo.gl link suggests that the person who posted the tweet through @a7rarelemarat was likely the same person who created the goo.gl link.\r\nWe suspect that the aax.me operator had some control over @a7rarelemarat at the time, and may have had control of a7rarelemarat.com as well.\r\n5.4. Infrastructure Analysis of Stealth Falcon Command & Control\r\nThis section describes how we traced Stealth Falcon’s spyware to live C2 servers and domain names.\r\nWe fingerprinted the behavior of adhostingcache.com (the C2 server for the Stage One spyware that Donaghy received) and traced it to a series of 14 active IP addresses and 11 domains (using PassiveTotal85).  Nine domains are named like generic Internet backend servers (e.g., simpleadbanners.com, clickstatistic.com), whereas two appear to be thematically related to travel (bestairlinepricetags.com, fasttravelclearance.com), perhaps indicative of travel-themed targeting or targets.\r\nWe fingerprinted the behavior of incapsulawebcache.com (the C2 server for the Stage Two spyware that Donaghy received) and scanned the Internet (including historical scanning results86) for servers that matched our fingerprint.  We also used passive DNS to correlate IP addresses to domains.  In total, we associated 67 active (and 30 historical) IP addresses with the Stage Two spyware.  Using PassiveTotal, we linked 69 domain names to these IP addresses, the earliest registered on 28 January 2013, and the most recent registered on 19 April 2016.  The vast majority of the domains are named like generic Internet backend servers.  One domain name appears to be travel-themed (airlineadverts.com), and two appear to be news and/or government themed (ministrynewschannel.com, ministrynewsinfo.com).\r\nThe earliest date on which we found an IP address matching our Stage Two fingerprint was 21 July 2014, as recorded by sonar-ssl scans.  
It is possible that the operator used a different configuration of spyware between January 2013 and July 2014.\r\nWe traced several additional domains to Stealth Falcon using WHOIS information or passive DNS.  Of these, one was designed to impersonate a China-based provider of VoIP solutions (yeastarr.com), and two appeared to perhaps contain the Arabic word for security, “amn” (amnkeysvc.com, amnkeysvcs.com).  Full scan results and other indicators of targeting can be found in Appendix F: Indicators of Targeting.\r\nThe domain names we found were typically registered with WHOIS privacy providers, although in some cases we were able to obtain the true registration email through historical WHOIS.  Typically, the operators practiced disciplined operational security: we rarely found an email address that was used to register two domains, and we rarely found two domains linked to the same IP address.\r\n5.5. May 2016: New Stealth Falcon Document\r\nIn May 2016, the following document was submitted to VirusTotal:\r\nFilename: message_032456944343.docm\r\nMD5: 87e1df6f36b96b56186444e37e2a1ef5\r\nSHA1: 1c3757006f972ca957d925accf8bbb3023550d1b\r\nSHA256: 4320204d577ef8b939115d16110e97ff04cb4f7d1e77ba5ce011d43f74abc7be\r\nThe document was similar to the one sent to Donaghy, except that it purported to be encrypted with WordSecure, “a simple, HIPAA .. business-grade software for sharing encrypted files and secure messages with anyone”.87  The bait content was a single line of text reading:\r\nMESSAGE_ERROR: 0E684AD042_(LANGUAGE NOT SUPPORTED)\r\nThe document’s macro was identical to the one sent to Donaghy, except that it reported back to, and downloaded Stage Two from, a different URL: http://optimizedimghosting.com/wddf/hrrw/ggrr.txt.  
The server optimizedimghosting.com matched our Stage One fingerprint for adhostingcache.com.\r\nWe obtained Stage Two, which appeared to be a newer version of the Stage Two than in Donaghy’s case.  The Stage Two in this case reported back to https://edgecacheimagehosting.com/images/image.nfo.  The server edgecacheimagehosting.com matched our Stage Two fingerprint for incapsulawebcache.com.\r\nWhen we connected, the Stage Two server sent us additional commands (which we were unable to obtain in Donaghy’s case).  The Stage Two C2 sent us a bundle of 7 commands that did the following:\r\n1. Gathered system info from WMI\r\n2. Gathered the ARP table\r\n3. Gathered a list of running processes\r\n4. Materialized a file “OracleJavaUpdater.ps1” to disk.  This file gathers passwords and web browser data from a variety of sources: Windows Credential Vault, Internet Explorer, Firefox, Chrome, Outlook.  In general, the file appears to be bespoke attacker code, though some routines are copied from other sources (e.g., some Internet Explorer password gathering code appears to be lifted from the GPLv3-licensed QuasarRAT88)\r\n5. Executed “OracleJavaUpdater.ps1”\r\n6. Deleted “OracleJavaUpdater.ps1”\r\n7. Gathered a list of running processes again\r\nAfter command execution, results were returned to the Stage Two C2.\r\nWe suspect that the activity we have observed is simply the tip of the iceberg in ongoing attacks against dissidents in the UAE.  Reuse of tactics, techniques and procedures, and general carelessness by operators, can often lead to discovery of links between campaigns.  We briefly discuss some instances of potentially related attacks below.\r\n6.1. 
An Instagram Attack?\r\nWe noticed that one of the Twitter accounts that sent out aax.me links, @um_zainab123, solicited followers for an Instagram account, @al7ruae2014.\r\nWe contacted an activist with knowledge of the UAE94 case, who told us that the @al7ruae2014 Instagram account got in touch with several family members of detainees involved in the case, and was soliciting information from them via Instagram private message.  The domain name al7ruae2014.com has the same name as the Instagram account, so we suspect it may also be related to the operator.\r\n6.2. A Fake File Sharing Site?\r\nWe identified one aax.me link (http://aax.me/4b708) that points to http://velocityfiles.com/download.php?id=a81abdd8a0c0cd1d5d3b6baadcc9eb18.  We visited this link in February 2016, and were served a blank page.  VelocityFiles appears to have been disabled in March 2016.\r\nWe found that the site purported to be a file hosting site, where users could register and upload files.  However, the registration and signup pages are currently blank, and were blank as of the Internet Archive’s oldest capture of the pages in December 2013.89  We were unable to identify any links to velocityfiles.com from Twitter, or any pages indexed by Google.\r\nThe design of VelocityFiles appeared to be a loosely modified version of a public website design template.90  Given that the site appears to be designed to pose as a public file sharing service, has no obvious public functionality, and was linked to through aax.me, we suspect that it may have been an attack site.\r\nGiven VelocityFiles’ reference to “FREE MD5 HASHING” (their emphasis), it is possible that the value of the id parameter in the URL, a81abdd8a0c0cd1d5d3b6baadcc9eb18, represents the MD5 hash of a file.  
We were, however, unable to locate any file with this MD5 hash.\r\n6.3. Fake Web Forums?\r\nWe found an aax.me link91 that pointed to https://call4uaefreedom.com/vb.  The domain was registered on 15 May 2013 and expired on 15 May 2015.  We were unable to find any webpages or tweets linking to this website.  A Google search for “call4uaefreedom” reveals a blog containing five posts, all within a 30-minute span on 4 June 2013, and an empty Twitter account, @call4uaefreedom, created in May 2013.  Given the suspicious activity associated with the alias “call4uaefreedom,” this may have been created by the operators.\r\nWhile searching for domains with similar names, we came across uaefreedom.com.  The domain name was first registered on 11 June 2010 by the administrators of UAE Hewar,92 an online discussion forum founded in 2009 that was a frequent government target.  The domain name expired on 11 June 2011, but was re-registered by a different registrant on 7 October 2012.\r\nOn 16 October 2012, we find the only tweet linking to uaefreedom.com.  A Google search yields no links to the site, and we found no passive DNS data available for this domain.  The tweet was sent from the account @FreeUAE2012, directed at @uaemot.  An individual based in Qatar was convicted in absentia on 25 December 2013 for running @uaemot.93\r\nOther public tweets involving @FreeUAE2012 included two responses94 from Ahmed Mansoor to @FreeUAE2012 on 10 October 2012, regarding the 10 October 2012 Citizen Lab report about how Ahmed Mansoor was targeted with Hacking Team spyware.  
The tweets from @FreeUAE2012 to which Ahmed Mansoor was responding appear to have been deleted.\r\nThree days later, @FreeUAE2012 attempted to convince Ahmed Mansoor that Tor Browser logged private information of its users, posting a screenshot of the Tor Metrics page, which provides non-sensitive data for researchers.95\r\n7. Attribution\r\nIn this section, we analyze two competing hypotheses about the identity of Stealth Falcon, and conclude that the balance of evidence suggests Stealth Falcon may be linked to the UAE government.\r\nHypothesis 1: Stealth Falcon is State Sponsored\r\nStealth Falcon is a sophisticated threat actor, capable of deploying a wide range of technical and social engineering techniques against a potential target.  The operations targeting Donaghy are linked to a series of primarily UAE-focused campaigns against UAE dissidents, starting in January 2012.  While there is no “smoking gun,” several pieces of evidence suggest a connection between Stealth Falcon and the UAE Government.\r\nUAE Focused Targeting, Links to Arrests\r\nThe majority (73%) of bait content on aax.me was focused on UAE-related political issues (Section 5.2).  Furthermore, of the 27 victim Twitter accounts we linked to public Stealth Falcon targeting, 24 primarily engaged in political activities, or were otherwise critical of the UAE government (Section 5.1).  
For at least six of these 24, we were able to find a subsequent arrest or a conviction in absentia by the UAE government (Section 5.1).\r\nTweets During a Period of Government Control\r\nA reported case in which a Twitter account apparently under UAE Government control shared a Stealth Falcon link also suggests a connection.\r\nIn December 2012, an activist contacted us and asserted that an a7rarelemarat.com link was sent to him in a private message from the @WeldBudhabi account on the same day that an individual accused of operating the account was arrested, and while the account was “reportedly hacked by authorities”.96  The activist asserted that he contacted an owner of the account, who claimed he did not send that link.  The Twitter account associated with a7rarelemarat.com, @a7rarelemarat, appears to have been under the control of Stealth Falcon at some point during October 2012 (and possibly before and after), as the account sent several aax.me links in October 2012.\r\nSophisticated Target Knowledge and Operational Security\r\nStealth Falcon demonstrates some familiarity with the patterns of behavior, interests, and activities of its targets, suggesting that the operators may have been working with other sources of information about their targets’ behaviors.  In addition, Stealth Falcon displayed above-average operational security throughout the campaign.  Some of the social engineering was highly intricate, particularly the email from “Andrew Dwight” about his ski holiday.  Stealth Falcon also shows familiarity with creating and maintaining a range of fictitious personas, and with registering and managing a significant amount of attack and C2 infrastructure with concern for operational security.\r\nThe infrastructure behind the malware attacks showed good compartmentalization of identities.  We rarely found the same (fake) registration information used for more than one C2 domain.  
Stealth Falcon operators also appear to have deleted one of their attack domains, adhostingcache.com, when they realized their attempt to target Donaghy had failed.  We also noted that the (self-signed) SSL certificates on the C2 domains were changed several times as we monitored the infrastructure, perhaps in an attempt to thwart fingerprinting of their infrastructure via SSL certificates.\r\nThis level of sophistication is consistent with a state sponsored attacker.  Importantly, we found little evidence that indicates a criminal or other motivation for the attack, with no evidence of financial or industry targeting.\r\nWe also note that while some Stealth Falcon domains were registered on anonymousbitcoindomains.com, which is linked to APT28 activities, we found no evidence to support such a connection.  See Appendix G: No Evidence of APT28 Connection for more details.\r\nHypothesis 2: Stealth Falcon is Not State Sponsored\r\nWe have considered the possibility that Stealth Falcon’s operators are not state sponsored, but ultimately find little evidence to support this possibility.\r\nStealth Falcon’s attacks show no evidence of cyber criminal motivations, like financial theft or fraud, nor is there any evidence of attempts to steal intellectual property or conduct other forms of economic espionage.  Instead, the targets are politically engaged individuals and public figures.  Furthermore, the activity of targets we have been able to identify often concerns domestic UAE issues.  Therefore, we would need to posit an operator with an interest in individuals known for their engagement in domestic UAE issues.\r\nOther potential motivations might include blackmail or extortion.  
If this were the case, however, we might expect follow-up interactions between attackers and successful victims, and we would also expect attackers to use off-the-shelf Remote Access Tools (RATs) rather than apparently coding a general-purpose RAT from scratch; an off-the-shelf RAT would save them the trouble of needing to load additional malware to exfiltrate files or other material.  We are aware of no evidence of follow-up interactions between the operators and successful victims as part of any extortion attempts.  Furthermore, Stealth Falcon’s use of JavaScript to profile and de-anonymize victims seems inconsistent with a primary motivation of collecting information that could be used for blackmail.\r\nThe strongest scenario for a non-state sponsored attacker is thus a politically motivated group.  Stealth Falcon targets are primarily individuals known for their criticism of the UAE government.  It is perhaps conceivable that a group of pro-government hackers might, without coordination, target these individuals.\r\nThere are, however, several features of Stealth Falcon’s activities that tell against this possibility.  First, there is limited existing evidence that such autonomous groups exist and are active in the UAE.  Given what is known about this kind of group, we might expect such a group to have engaged in defacements, public boasting, or other public-facing activities related to Stealth Falcon’s campaign.  Furthermore, it seems unlikely that a previously unknown political group would have the resources to develop and maintain Stealth Falcon’s fictitious personas and compartmentalized infrastructure.\r\nEvaluation of Hypotheses\r\nWe evaluated both hypotheses and found Hypothesis 1: Stealth Falcon is State Sponsored to be the best at explaining the many elements that we have observed.  Stealth Falcon’s tactics, resources, and targets all fit with the profile of a state sponsored attacker.  
Furthermore, the circumstantial evidence we have presented in this report is suggestive of a link between Stealth Falcon and an entity within the UAE Government.\r\n8. Conclusion: The Big Picture\r\nStealth Falcon appears to be a new, state sponsored threat actor.  As an operator, Stealth Falcon is distinguished by well informed and sophisticated social engineering, combined with moderately sophisticated97 technical attempts to deanonymize and monitor political targets working on the UAE, and relatively simple malcode.98\r\nSocial Engineering and the Achilles Heel of Civil Society\r\nStealth Falcon’s technical approach may not be cutting edge, but the operators are neither unsophisticated nor ineffective.  Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets.  Stealth Falcon’s campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign.\r\nContemporary social movements and civil society groups rely heavily on the internet for both their core operations and their advocacy activities.  Yet these groups are often operating outside a centrally managed IT environment.  The constant sharing of links and materials, as well as regular communications with journalists, makes them especially vulnerable to targeting with social engineering.\r\nHowever, the emphasis on social engineering can also cut in the other direction.  Many modern attack techniques require an attacker to interact with a target.  When operators like Stealth Falcon send malicious e-mails and tweets, there are a range of opportunities for retrospective investigation.  
As this report shows, the inboxes of targets, for example, are often a more efficient object of investigation than the computers themselves, especially once features of a particular campaign are recognized.\r\nThe Growing Trend of Impersonating Journalists\r\nStealth Falcon is only the latest example of civil society-focused threat actors impersonating NGOs and journalists to conduct espionage operations.  The tactic has been used by a wide range of actors, including Bahrain’s government,99 Packrat in Latin America,100 Iranian groups,101 and China-related groups,102 among others.  Threat actors seem to gravitate towards this tactic because interacting with journalists is an essential part of civil society activity.  It is common for journalists to send unsolicited messages to activists and civil society organizations asking for information, and there is typically a strong incentive for the organization to engage.  Indeed, even Western law enforcement agencies have occasionally adopted the approach.103  The reporter-source relationship is protected in many jurisdictions, based on the understanding that protecting this trust is important to a healthy and vibrant civil society.  Tactics that play on this trust are risky, and can quickly contribute to eroding the trust on which civil society is based.\r\nFinal Note: A Plea for More Research\r\nImportantly, while we were unable to identify evidence of a conclusive link between Stealth Falcon and a particular sponsor, we have assembled a body of circumstantial evidence that points to an alignment of interests between Stealth Falcon and the UAE Security Forces.  We hope that other researchers will draw from our findings and work to identify additional cases.  
Finally, we urge anyone who recalls receiving a link to “aax.me,” or an email from “Andrew Dwight,” to contact the authors of this report for further investigation.\r\nAcknowledgements\r\nSpecial thanks to PassiveTotal and Rori Donaghy.  Thanks to Jeffrey Knockel, Sarah McKune, Chris Doman, and Mansoureh Mills.\r\nFootnotes\r\n1. http://www.youthdiplomaticservice.com/zzold-business-blog/category/business\r\n2. See for example: http://www.middleeasteye.net/news/leaks-show-uae-shipped-weapons-libya-violated-un-resolution-1712843977; http://www.middleeasteye.net/news/uae-paid-pr-firm-millions-brief-uk-journalists-qatar-muslim-brotherhood-attacks-1058875159; http://www.middleeasteye.net/news/exclusive-emirati-plan-ruling-egypt-2084590756\r\n3. http://www.middleeasteye.net/users/rori-donaghy\r\n4. http://www.middleeasteye.net/about-middle-east-eye-1798743352\r\n5. http://www.echr.org.uk/\r\n6. http://www.echr.org.uk/?page_id=25\r\n7. https://freedomhouse.org/report/freedom-world/2015/united-arab-emirates\r\n8. https://www.hrw.org/world-report/2016/country-chapters/united-arab-emirates\r\n9. https://www.amnesty.org/en/countries/middle-east-and-north-africa/united-arab-emirates/\r\n10. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf\r\n11. https://citizenlab.ca/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/\r\n12. https://wikileaks.org/hackingteam/emails/emailid/585453\r\n13. http://www.uae-embassy.org/news-media/sheikh-mohamed-bin-zayed-al-nahyan-meets-congressional-leaders-and-senior-us-government\r\n14. https://ht.transparencytoolkit.org/rcs-dev%5Cshare/HOME/cristian/9.4%20lic/UAEAF/LICENSE-1262004202-v9.4.lic\r\n15. https://owncloud.org/\r\n16. 
https://www.proofpoint.com/us/office365\r\n17. http://righttofightexhibit.org/home/\r\n18. http://www.powershellempire.com/\r\n19. http://www.aljazeera.com/indepth/opinion/2015/11/british-pm-middle-east-human-rights-151103070038231.html\r\n20. Based on the Last-Modified header\r\n21. http://www.andlabs.org/tools/jsrecon.html\r\n22. https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-slides.pdf\r\n23. https://yourls.org/\r\n24. https://github.com/YOURLS/YOURLS\r\n25. A Firefox extension to be used in conjunction with Tor, before the introduction of Tor Browser\r\n26. Importantly, making Tor users appear similar to non-Tor users was not a goal\r\n27. https://trac.torproject.org/projects/tor/ticket/5922\r\n28. https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf\r\n29. https://blog.torproject.org/blog/new-tor-browser-bundles-windows\r\n30. https://blog.torproject.org/blog/tor-browser-36-released\r\n31. https://msdn.microsoft.com/en-us/library/2yfce773(v=vs.94).aspx#s-e6f6a65cf14f462597b64ac058dbe1d0-system-media-system-caps-note\r\n32. https://en.wikipedia.org/wiki/Cross-origin_resource_sharing\r\n33. https://esupport.trendmicro.com/en-us/home/pages/technical-support/1057722.aspx\r\n34. http://support.kaspersky.com/us/11255\r\n35. http://ssj100.fullsubject.com/t446-avira-antivir-premium-allows-all-outbound\r\n36. http://www.wilderssecurity.com/threads/port-80-is-redirected-to-30606-and-no-webpage-is-opened.212599/\r\n37. https://community.mcafee.com/thread/21790?tstart=0\r\n38. The tool is available at: http://www.andlabs.org/tools/jsrecon.html. 
The JavaScript source code may be viewed by\r\nviewing the source of jsrecon.html\r\n39\r\n https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-slides.pdf\r\n40\r\n http://www.andlabs.org/tools/jsrecon/jsrecon.html\r\n41\r\n https://code.google.com/p/google-security-research/issues/detail?id=679\r\n42\r\n http://www.huffingtonpost.co.uk/rori-donaghy/uae-94-verdict_b_3549671.html\r\n43\r\n http://en.rsf.org/emirats-arabes-unis-journalist-held-incommunicado-02-08-2013,45013.html\r\n44\r\n https://www.indexoncensorship.org/2015/03/united-arab-emirates-stop-the-charade-and-release-activists-convicted-at-the-mass-uae-94-trial/\r\n45\r\n http://blogs.voanews.com/repressed/2014/01/14/update-shez-cassim-back-home-after-months-in-uae-jail/\r\n46\r\n http://www.al-monitor.com/pulse/originals/2014/07/uae-twitter-imprisoned-not-guilty-activist-cyber-crime.html\r\n47\r\n http://newday.blogs.cnn.com/2013/12/11/u-s-man-in-jail-in-dubai-over-parody-video/\r\n48\r\n https://www.youtube.com/watch?v=IUk5CB9kaBY\r\n49\r\n http://www.nydailynews.com/news/national/shezanne-cassim-sentenced-year-united-arab-emirates-parody-video-article-1.1556327\r\n50\r\n https://www.article19.org/resources.php/resource/37279/en/united-arab-emirates:-stop-the-charade-and-release-activists-convicted-at-the-mass-uae-94-trial\r\n51\r\n https://www.amnesty.org/en/documents/mde25/015/2014/en/\r\n52\r\n http://www.gc4hr.org/report/view/33\r\n53\r\n http://www.buid.ac.ae/vc\r\n54\r\n http://www.wam.ae/ar/news/emirates/1395239973989.html\r\n55\r\n http://emarati.katib.org/2011/03/09/%D8%A5%D9%85%D8%A7%D8%B1%D8%A7%D8%AA%D9%8A%D9%88%D9%86-%D9%8A%D8%B1%D9%81%D8%B9%D9%88%D9%86-%D8%B1%D8%B3%D8%A7%D9%84%D8%A9-%D9%84%D8%AD%D9%83%D8%A7%D9%85-%D8%A7%D9%84%D8%A5%D9%85%D8%A7%D8%B1%D8%A7/\r\n56\r\n http://www.cnn.com/2011/WORLD/meast/03/09/uae.petition/\r\n57\r\n 
http://www.bbc.com/news/world-middle-east-13043270\r\n58\r\n http://www.alittihad.ae/details.php?id=8416\u0026y=2005\r\n59\r\n http://www.thenational.ae/uae/courts/defendant-denies-insulting-leaders-of-uae-on-social-media\r\n60\r\n http://dohanews.co/uae-court-convicts-qataris-for-insulting-royals-on-social-media/\r\n61\r\n http://www.thenational.ae/uae/foreign-agent-ordered-to-spread-false-information-about-uae\r\n62\r\n https://www.instagram.com/9ip/\r\n63\r\n https://twitter.com/Bu_saeed2/status/158267593269063680\r\n64\r\n http://www.gc4hr.org/news/view/198\r\n65\r\n http://www.echr.org.uk/?page_id=207\r\n66\r\n https://twitter.com/islam_way_2030/status/232392466760863744\r\n67\r\n https://twitter.com/a7rarelemarat/status/259883131807621120\r\n68\r\n http://www.bbc.com/news/world-middle-east-20768205\r\n69\r\n https://twitter.com/islam_way_2030/status/232393358243401728\r\n70\r\n http://www.echr.org.uk/?p=1104\r\n71\r\n https://twitter.com/Dwight389/status/327033672979079168\r\n72\r\n http://en.rsf.org/emirats-arabes-unis-journalist-held-incommunicado-02-08-2013,45013.html\r\n73\r\n http://www.al-monitor.com/pulse/originals/2014/07/uae-twitter-imprisoned-not-guilty-activist-cyber-crime.html\r\n74\r\n https://twitter.com/Dwight389/status/398413653315031041\r\n75\r\n http://www.thenational.ae/uae/courts/20150518/five-qataris-found-guilty-of-insulting-uae-royals\r\n76\r\n https://twitter.com/MiriamKhaled/status/156625204280434688\r\n77\r\n https://twitter.com/Bu_saeed2/status/156781983983349760\r\n78\r\n https://twitter.com/kh_oz/status/351828658371039233\r\n79\r\n https://twitter.com/Dwight389/status/332452681325088768\r\n80\r\n https://twitter.com/r7aluae2/status/156418043424157696\r\n81\r\n http://www.huffingtonpost.co.uk/rori-donaghy/uae-94-verdict_b_3549671.html\r\n82\r\n https://twitter.com/Bu_saeed2/status/156406670866653184\r\n83\r\n https://github.com/YOURLS/YOURLS/wiki/Spam\r\n84\r\n 
http://www.bbc.com/news/world-middle-east-20768205\r\n85\r\n https://www.passivetotal.org/\r\n86\r\n sonar-ssl\r\n87\r\n https://wordsecure.com/\r\n88\r\n https://github.com/quasar/QuasarRAT/blob/master/Client/Core/Recovery/Browsers/InternetExplorer.cs\r\n89\r\n See https://web.archive.org/web/20131207060523/https://velocityfiles.com/login.php and\r\nhttps://web.archive.org/web/20131207054158/https://velocityfiles.com/register.php\r\n90\r\n http://templates.entheosweb.com/template_number/live_demo.asp?TemplateID=54257\r\n91\r\n http://aax.me/1a732\r\n92\r\n https://en.wikipedia.org/wiki/Emirates_Discussion_Forum\r\n93\r\n http://www.echr.org.uk/?p=1104\r\n94\r\n https://twitter.com/Ahmed_Mansoor/status/256142870896054273 and\r\nhttps://twitter.com/Ahmed_Mansoor/status/256144504116109312\r\n95\r\n https://metrics.torproject.org/\r\n96\r\n http://www.bbc.com/news/world-middle-east-20768205\r\n97\r\n e.g., local portscanning from webpages with JS-Recon, determining web browser versions by testing JavaScript\r\nfunctionality, Tor Browser profiling bug, macro infection.\r\n98\r\n e.g., Powershell remote shell.\r\n99\r\n https://citizenlab.ca/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/\r\n100\r\n https://citizenlab.ca/2015/12/packrat-report/\r\n101\r\n https://citizenlab.ca/2015/08/iran_two_factor_phishing/\r\n102\r\n https://targetedthreats.net/\r\n103\r\n http://www.latimes.com/nation/la-na-associated-press-lawsuit-20150827-story.html\r\nSource: https://citizenlab.org/2016/05/stealth-falcon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://citizenlab.org/2016/05/stealth-falcon/"
	],
	"report_names": [
		"stealth-falcon"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d001e298-8608-4ee6-96c7-e5afb62d718d",
			"created_at": "2022-10-25T16:07:24.035765Z",
			"updated_at": "2026-04-10T02:00:04.847015Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "ETDA:Packrat",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Adzok",
				"Alien Spy",
				"AlienSpy",
				"CyberGate",
				"CyberGate RAT",
				"ExtRat",
				"Frutas",
				"Invisible Remote Administrator",
				"JBifrost RAT",
				"JSocket",
				"Rebhip",
				"Sockrat",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Xtreme RAT",
				"XtremeRAT",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02a7064e-447b-433e-ac14-6f10d476f517",
			"created_at": "2023-01-06T13:46:38.520097Z",
			"updated_at": "2026-04-10T02:00:03.010392Z",
			"deleted_at": null,
			"main_name": "Packrat",
			"aliases": [],
			"source_name": "MISPGALAXY:Packrat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a19f18f1318931bce9d649307030e643ea25e68.pdf",
		"text": "https://archive.orkl.eu/1a19f18f1318931bce9d649307030e643ea25e68.txt",
		"img": "https://archive.orkl.eu/1a19f18f1318931bce9d649307030e643ea25e68.jpg"
	}
}