{ "id": "49704556-488f-4350-ad36-978d9a4399b3", "created_at": "2026-04-06T00:19:37.401917Z", "updated_at": "2026-04-10T03:32:04.94267Z", "deleted_at": null, "sha1_hash": "1ba81ad9c00172b90da3d24cdcd5d8a8b45a9432", "title": "IoCs/APT/micropsia_apt_c_23.md at master · jeFF0Falltrades/IoCs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43282, "plain_text": "IoCs/APT/micropsia_apt_c_23.md at master ·\r\njeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-06 00:05:14 UTC\r\nMICROPSIA (APT-C-23)\r\nReporting\r\nhttps://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/\r\nhttps://research.checkpoint.com/apt-map/\r\nhttps://www.clearskysec.com/micro-kasper/\r\nYARA\r\nrule micropsia_2018 {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n hash = \"4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76\"\r\n strings:\r\n $gen_app_id = { 53 31 DB 69 93 08 D0 68 00 05 84 08 08 42 89 93 08 D0 68 00 F7 E2 89 D0 5B C3 } /\r\n $get_temp_dir = { 68 00 04 00 00 8d 44 24 04 50 8b c7 e8 [4] 8b e8 55 e8 [2] fe ff } // 0x0042C68\r\n $str_install_appid = \"ApppID.txt\" wide ascii nocase\r\n condition:\r\n 2 of them\r\n}\r\nSample Hashes\r\neffa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd\r\n26594039f3e5e1f3d592cb4b0f274891397c94b4ca63c7d3b43c1853c48e7281\r\nc96138fd93b18e5a1682f6d4405e724b88058e4d57a4e9566ff96a87a560bc18\r\n33e901018808514def3c2d71ae54c1f38ea25675243a815937af3ada0de25808\r\n4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76\r\n0732672e4274ba03e58cadceadf18c8ccb4ee6b7b643b96aff1675e708f1c514\r\ne36c51f19362447881e3953271fe1da835f2919a50e9e761f4ccffe3d52b23a7\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md\r\nPage 1 of 2\n\nfe90cb8d549481833bf72ff7f9e1fdad72e5b886cfa52033771bbb0034b23c32\r\nae254ab021632cb583071079b2be8af62ccfc232c687a515a716ea17bfa0db9b\r\nDelivery URLs\r\nhttps[:]//tinyurl[.]com/7412593655 --\u003e https[:]//uc4688d6b7cd62aec5fe2018c3d1[.]dl[.]dropboxusercontent[.]com/c\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md" ], "report_names": [ "micropsia_apt_c_23.md" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434777, "ts_updated_at": 1775791924, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1ba81ad9c00172b90da3d24cdcd5d8a8b45a9432.pdf", "text": "https://archive.orkl.eu/1ba81ad9c00172b90da3d24cdcd5d8a8b45a9432.txt", "img": "https://archive.orkl.eu/1ba81ad9c00172b90da3d24cdcd5d8a8b45a9432.jpg" } }