{
	"id": "111615a7-c35b-4a90-8b85-25a22654f635",
	"created_at": "2026-04-06T00:07:24.019319Z",
	"updated_at": "2026-04-10T13:12:46.75347Z",
	"deleted_at": null,
	"sha1_hash": "3435670a303b3fd872bb04c76c58d6951076afeb",
	"title": "Arid Gopher: Newest Micropsia Malware Variant | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2912977,
	"plain_text": "Arid Gopher: Newest Micropsia Malware Variant | Deep Instinct\r\nBy Simon Kenin, Threat Intelligence Researcher, and Asaf Gilboa, Security Researcher\r\nPublished: 2022-03-21 · Archived: 2026-04-05 15:06:26 UTC\r\nExecutive Summary\r\nDeep Instinct’s Threat Research team has found a new, undocumented malware developed in Golang\r\nThe malware is attributed to APT-C-23 (Arid Viper)\r\nFurther research revealed additional, previously unseen second-stage payloads\r\nNew Malware Variant Discovery: Arid Gopher\r\nOur Threat Research team maintains a vigilant watch over the cyber threat landscape, hunting for malware as a normal course of operations. The team recently encountered an executable file written in the Go programming language. The file was first submitted to VirusTotal on December 29, 2021 and was detected by only six security vendors.\r\nAfter initial inspection, two additional similar files written in Go were found. During the analysis of these files, the team identified a previously unseen variant of the Micropsia malware, which is written and used exclusively by APT-C-23 (Arid Viper); we named this Go variant Arid Gopher.\r\nMicropsia and Arid Viper\r\nThis strain of malware was first identified in 2017 by “360 Security” and was later renamed Micropsia. It targets computers running Windows.\r\nThe threat actor behind Micropsia is known as APT-C-23 or Arid Viper. The malware has primarily been used against targets in the Middle East, with a specific interest in Palestinian targets.\r\nArid Viper also has a unique Android malware that has been used against Israeli targets, and the group has previously been linked to the Hamas organization.\r\nBoth the Windows and Android versions are constantly evolving. In April 2021, Facebook (now Meta) published a threat report about Arid Viper. In that report they identified a new iOS malware developed by APT-C-23, and highlighted how the threat actor has repeatedly changed the programming language used to develop Micropsia, which has included Pascal, Delphi, C++, and even Python.\r\nWhat is Arid Gopher?\r\nDuring our investigation of the three files written in Go, we uncovered a novel variant of the Micropsia malware family written in Go, which we named Arid Gopher.\r\nThis new variant is still being developed; all three files share a common baseline, but each file contains unique code which is not present in the other files.\r\nhttps://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant\r\nPage 1 of 19\n\nBeside the main implant, our investigation revealed a “helper” malware, also written in Go, and a second-stage malware which was downloaded from the C2 server.\r\nWe provide a brief analysis of all the newly found samples and an in-depth analysis of just one of them below.\r\nWhat is Arid Gopher V1?\r\nThis variant is written in Go 1.16.5 and contains public code from libraries found on GitHub:\r\nArid Gopher variant contains public code from libraries in GitHub\r\nDeveloping the variant in this manner saves the author time by not needing to write some features from scratch. 
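Both facts above (the toolchain version and the list of GitHub packages a Go binary was built with) can be recovered from a sample without a disassembler. The triage script below is an added example and is not part of the Deep Instinct report: it searches a binary for the embedded go1.x.y runtime version string, parses the runtime.modinfo block that module-built Go binaries carry (one dep<TAB>module<TAB>version line per dependency), falls back to harvesting github.com/owner/repo paths from any string, and lists the remaining function symbols, which is where an author’s naming theme shows up. The input is a constructed byte blob that stands in for a sample; the module versions, hashes and symbol names in it are made up to resemble what the report describes and are not taken from the real files.

```python
import json
import re

# NUL, TAB and LF bytes, built without escape sequences so the listing
# stays readable.
NUL, TAB, LF = bytes([0]), bytes([9]), bytes([10])

# Constructed stand-in for a Go sample (NOT a real binary). It contains the
# kinds of strings that survive in a stripped Go executable: the runtime
# version, the runtime.modinfo block, and pclntab function symbols. Module
# versions, hashes and symbol names are made up.
SAMPLE_BLOB = NUL.join([
    b'MZ-header-and-code-padding',
    b'go1.16.5',
    LF.join([
        TAB.join([b'path', b'app']),
        TAB.join([b'mod', b'app', b'(devel)', b'']),
        TAB.join([b'dep', b'github.com/kbinani/screenshot', b'v0.0.0-20210326', b'h1:AAAA=']),
        TAB.join([b'dep', b'github.com/zetamatta/go-windows-shortcut', b'v0.0.0-20200730', b'h1:BBBB=']),
        TAB.join([b'dep', b'github.com/go-ole/go-ole', b'v1.2.5', b'h1:CCCC=']),
    ]) + LF,
    b'github.com/kbinani/screenshot.Capture',
    b'app/myLib/student.GetFatherName',
    b'app/myLib/driver.DoWhatIsTheDriverWants',
    b'main.CreateMutex',
])

GO_VERSION_RE = re.compile(rb'go1[.][0-9]+(?:[.][0-9]+)?')
# github.com/<owner>/<repo>; a dot inside <repo> is only accepted when a
# lower-case letter follows, so 'screenshot.Capture' yields 'screenshot'
# while 'go.rice' stays whole. This is a heuristic, unlike modinfo_deps.
GITHUB_PATH_RE = re.compile(rb'github[.]com/[A-Za-z0-9_-]+/[A-Za-z0-9_-]+(?:[.][a-z][A-Za-z0-9_-]*)*')
# <package/path>.<Name>, the shape Go uses for function symbols in pclntab.
FUNC_SYM_RE = re.compile(rb'(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_]+[.][A-Za-z_][A-Za-z0-9_]*')


def go_version(blob):
    # The Go toolchain version the sample was built with, or None.
    m = GO_VERSION_RE.search(blob)
    return m.group(0).decode() if m else None


def modinfo_deps(blob):
    # runtime.modinfo lines look like dep<TAB>module<TAB>version<TAB>sum and
    # are present in module-mode builds (Go 1.12+); the reliable source.
    deps = {}
    for line in blob.split(LF):
        fields = line.split(TAB)
        if len(fields) >= 3 and fields[0] == b'dep':
            deps[fields[1].decode(errors='replace')] = fields[2].decode(errors='replace')
    return deps


def github_packages(blob):
    # Fallback when modinfo is absent (GOPATH build) or stripped: harvest
    # github.com/<owner>/<repo> from any string, e.g. symbol names.
    return sorted({m.group(0).decode() for m in GITHUB_PATH_RE.finditer(blob)})


def function_names(blob, exclude_prefixes=(b'github.com/',)):
    # NUL-terminated strings that look like Go function symbols, minus the
    # third-party ones; this is where the author's naming theme shows up.
    names = set()
    for chunk in blob.split(NUL):
        if FUNC_SYM_RE.fullmatch(chunk) and not chunk.startswith(exclude_prefixes):
            names.add(chunk.decode())
    return sorted(names)


def triage(blob):
    return {
        'go_version': go_version(blob),
        'modinfo_deps': modinfo_deps(blob),
        'github_paths': github_packages(blob),
        'functions': function_names(blob),
    }


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

On a real file, call triage(open(path, 'rb').read()). The modinfo parse is the trustworthy list; the regex harvest is only a fallback, since it will also pick up strings that merely mention a GitHub path.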
Reusing public libraries also lends the binary some degree of legitimacy, because those libraries are not themselves malicious; the malware author abuses their capabilities for malicious purposes.\r\nLibrary | Usage\r\nhttps://github.com/zetamatta/go-windows-shortcut | Create shortcut for persistence.\r\nhttps://github.com/go-ole/go-ole | A dependency of the go-windows-shortcut library.\r\nhttps://github.com/lxn/win | A Windows API wrapper package for the Go programming language.\r\nhttps://github.com/kbinani/screenshot | Create screenshots of the infected computer.\r\nhttps://github.com/gonutz/w32 | Windows API wrapper for the Go programming language.\r\nAll of the above libraries also exist in Arid Gopher V2 alongside additional libraries, except for the “go-windows-shortcut” library, which has been replaced by another library with similar functionality.\r\nThe functions in V1 have unique, innocent-looking names such as “infoSchoolManagerAboutRecievingHomeworksDone” and “wakeUpWhatIsInMyBag”; in V2 the function names have been renamed to be more generic.\r\nThis variant uses the domain “grace-fraser[.]site” as its C2.\r\nGrace Fraser is the name of a character from the HBO TV show “The Undoing.” Arid Viper is known to use many references to TV shows; similar behavior was observed with Arid Gopher V2.\r\nThe C2 uses the “Laravel” framework, which Arid Viper has used in previous campaigns.\r\nThis variant was uploaded to VirusTotal at the end of August 2021 inside a RAR archive named “ودوافع وأهداف تعريف االستثمار.xz” from the UAE, which might indicate the region in which the target is located.\r\nThe practice of sending variants of Micropsia inside archives with the extension “.xz” has been observed several times in Arid Viper campaigns.\r\nThe filename roughly translates to “definition, objectives, and motives for investment.”\r\nIn order to trick the user into thinking they are opening an innocent Word document, the threat actor uses two masquerading techniques:\r\nFirst, it uses the Microsoft Word Office document icon.\r\nSecond, it uses a very long file name (see image below), preventing the user from seeing the ‘.exe’ file extension.\r\nArid Gopher File Name\r\nLastly, upon execution, the malware writes a benign decoy Office document to the folder “C:\\ProgramData\\NotificationControllerPS” and presents it to the victim:\r\nArid Gopher Benign Decoy Office Document\r\nThe combination of these three social engineering elements is intended to fool unsuspecting victims into running the malware and then present them with the decoy document they would expect from opening a Word document. This behavior is consistent in Arid Viper attacks utilizing Micropsia.\r\nThe decoy document contains sections from an academic publication regarding financial investments. The original article can be found in this link.\r\nThe malware creates a LNK file and copies it to the Startup folder for persistence, using the name of the malware executable.\r\nSystem info collection:\r\n1. The malware writes a base64 blob containing <current_user>_<random_ID> to “C:\\ProgramData\\NotificationControllerPS\\MSAProfileNotificationHandler.txt”\r\n2. The malware checks for installed antivirus products by running the following command: cmd /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\n3. The function “app_myLib_student_GetFatherName” returns a string containing the OS version, obtained with RtlGetVersion(), such as “Microsoft Windows [version 6.1.7601]”\r\nThe malware uses the custom User-Agent “aimxxhwpcc” while sending data to the C2 server.\r\nThe malware creates a mutex named “ABCMedia”.\r\nWhat is Arid Gopher V2?\r\nWe found two versions of this variant that were used at the beginning of 2022.\r\nThe main difference between the two samples is the decoy content. We will first show the similarities and then the differences between the two V2 samples.\r\nThese samples are written in Go 1.17.4 and contain some of the public libraries found in V1 as well as the following libraries:\r\nArid Gopher V2 Libraries\r\nLibrary | Usage\r\nhttps://github.com/bi-zone/wmi | Windows Management Instrumentation (WMI) for Go.\r\nhttps://github.com/bi-zone/go-ole | Dependency for the above WMI library.\r\nhttps://github.com/hashicorp/go-multierror | Error handling.\r\nhttps://github.com/hashicorp/errwrap | Error handling.\r\nhttps://github.com/scjalliance/comshim | Ensures that at least one thread within a Go process maintains an initialized connection to the Component Object Model runtime in Windows.\r\nhttps://github.com/btcsuite/winsvc | Windows service library written in Go.\r\nhttps://github.com/danieloliveira085/autostarter | Go library that creates a shortcut to run automatically at startup and supports cross-compilation between Windows and Linux.\r\nhttps://github.com/GeertJohan/go.rice (only in PDF sample) | Go package that makes working with resources such as html, js, css, images, templates, etc. very easy.\r\nThese samples don’t have the Student/School function name theme; however, using BinDiff we identified exact matches between functions in V1 & V2:\r\nV1 function name | V2 function name | Functionality\r\napp_myLib_student_GetFatherName | DSA2_DSA2PKG_Properties_OS | Retrieves the OS version using RtlGetVersion()\r\napp_myLib_student_GetStudentName | DSA2_DSA2PKG_Properties_Name | V1: generates an identifier based on %USERNAME%, the current time, and a random seed. V2: the identifier is made from the hostname and %USERNAME%\r\napp_myLib_driver_DoWhatIsTheDriverWants | DSA2_DSA2PKG_Proc_StartCMD | Runs “cmd /c <argument>” and retrieves the output\r\nmain_CreateMutex | DSA2_DSA2PKG_Mutex_CreateMutex | Calls kernel!CreateMutexW with the given string\r\nThese samples use the domain “pam-beesly[.]site” as their C2.\r\nPam Beesly is yet another name of a character from a TV show (The Office); the same motif has been observed in V1 and in older Micropsia variants.\r\nThe following functions exist in the V2 version:\r\nArid Gopher V2 Functions\r\nIf the process command line doesn’t contain “-st”, the “main_ExResAndRun” function is called, which extracts the decoy document from the assets of the file using the bindata library.\r\nThe malware then attempts to create the “SoftTookkitPSA” mutex; if that fails, os.Exit() is called, terminating the process:\r\nArid Gopher V2 Mutex code\r\nAs can be seen in the image above, the author most likely made a typo: “Tookkit” instead of Toolkit.\r\nThis mutex ensures there’s only one instance of the malware running.\r\nThe malware queries WMI for installed AV products. 
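V1 performs this antivirus check by spawning cmd.exe with a WMIC SecurityCenter2 query, which is visible in process-creation telemetry; V2 issues the same WMI query in-process through the bi-zone library, so there is no child process to catch and detection has to lean on the other host and network indicators this report describes (the -st Startup argument, cmd-spawned ipconfig /release and /renew, the NotificationControllerPS and NotificationControllerPSK folders, the SystemNetworkEventsNotification.exe helper, the aimxxhwpcc User-Agent and the three C2 domains). The hunting script below is an added example, not code from the report or from Deep Instinct: it runs the report’s indicators as rules over a small set of constructed log lines in a pipe-separated key=value format that stands in for process-creation and proxy events. The log format, the benign control lines, and the user and file names in them are assumptions; the command lines follow what the report describes.

```python
# Indicators taken from the report.
C2_DOMAINS = {'grace-fraser.site', 'pam-beesly.site', 'mozelllittel.com'}
V1_USER_AGENT = 'aimxxhwpcc'
WORK_FOLDER = 'notificationcontrollerps'     # prefix of both ...PS (V1) and ...PSK (V2)
HELPER_EXE = 'systemnetworkeventsnotification.exe'
STAGE2_PATH_MARKER = 'download_app'          # present in both download URL forms

# Constructed log lines (assumed format: KIND|Key=Value|Key=Value ...).
# Host, user and file names are made up; lines 5 and 8 are benign controls.
SAMPLE_LOG = [
    'PROC|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\bob\\Downloads\\investment plan.exe|CommandLine=cmd /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List',
    'PROC|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\bob\\Downloads\\letter.exe|CommandLine=cmd /c ipconfig /release',
    'PROC|Image=C:\\Users\\bob\\Downloads\\letter.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=C:\\Users\\bob\\Downloads\\letter.exe -st',
    'PROC|Image=C:\\ProgramData\\NotificationControllerPSK\\SystemNetworkEventsNotification.exe|ParentImage=C:\\Users\\bob\\Downloads\\letter.exe|CommandLine=SystemNetworkEventsNotification.exe v=NetworkBooster d=C:\\Users\\bob\\Downloads\\letter.exe',
    'PROC|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd /c ipconfig /all',
    'HTTP|Host=pam-beesly.site|UserAgent=Mozilla/5.0|Url=/J2FWAHfmgH573SUB/download_app/download-by-name/SystemNetworkEventsNotification',
    'HTTP|Host=grace-fraser.site|UserAgent=aimxxhwpcc|Url=/',
    'HTTP|Host=example.org|UserAgent=Mozilla/5.0|Url=/index.html',
]


def parse_event(line):
    kind, *fields = line.strip().split('|')
    event = {'kind': kind}
    for item in fields:
        key, _, value = item.partition('=')
        event[key] = value
    return event


def match_process(event):
    hits = []
    cmd = event.get('CommandLine', '').lower()
    image = event.get('Image', '').lower()
    # V1 only: the query runs as a cmd.exe child. V2 does it in-process.
    if 'wmic' in cmd and 'securitycenter2' in cmd and 'antivirusproduct' in cmd:
        hits.append('V1 AV enumeration: cmd /c WMIC SecurityCenter2 AntiVirusProduct')
    if cmd.startswith('cmd') and 'ipconfig' in cmd and ('/release' in cmd or '/renew' in cmd):
        hits.append('V2 cmd-spawned ipconfig /release or /renew')
    # The Startup LNK launches the implant with a bare -st argument; ignore
    # binaries under the Windows directory to keep the rule tight.
    if cmd.split()[-1:] == ['-st'] and not image.startswith('c:\\windows\\'):
        hits.append('V2 started with -st (Startup LNK argument, decoy suppressed)')
    if WORK_FOLDER in image or WORK_FOLDER in cmd:
        hits.append('NotificationControllerPS/PSK working folder')
    if image.endswith(HELPER_EXE):
        hits.append('Arid Helper executable name')
    return hits


def match_http(event):
    hits = []
    host = event.get('Host', '').lower()
    if host in C2_DOMAINS:
        hits.append('known C2 domain: ' + host)
    if event.get('UserAgent') == V1_USER_AGENT:
        hits.append('V1 hard-coded User-Agent')
    if STAGE2_PATH_MARKER in event.get('Url', ''):
        hits.append('second-stage download path')
    return hits


MATCHERS = {'PROC': match_process, 'HTTP': match_http}


def scan(lines):
    # Returns (line_number, kind, [indicator names]) for every line that
    # matched at least one rule; benign lines produce nothing.
    alerts = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        hits = MATCHERS.get(event['kind'], lambda e: [])(event)
        if hits:
            alerts.append((number, event['kind'], hits))
    return alerts


if __name__ == '__main__':
    for number, kind, hits in scan(SAMPLE_LOG):
        print(number, kind, '; '.join(hits))
```

The two mutex names from the report (ABCMedia and SoftTookkitPSA) are not in process or proxy logs; they are best checked with a live-host or memory scan rather than from this kind of telemetry.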
If the WMI query shows that “360 Total Security” is present, the malware calls the function “main_Reg360” to download and execute a second-stage malware we named “Arid Helper.” A description of “Arid Helper” is provided in a later section of this article.\r\nIf the computer does not have “360 Total Security” installed, “main_addST” is called:\r\nAridHelper’s AV check\r\nThe function “main_addST” creates a LNK shortcut named “NetworkBoosterUtilities.lnk” in the Startup folder, which links to the malware’s full file path.\r\nArid Gopher V2 LNK persistence code\r\nThe LNK contains the argument “-st”, which is used to start the malware without displaying the decoy document:\r\nArid Gopher: -st argument to start the malware\r\n“-st” is most likely a prefix of the word start. In the Delphi variants of Micropsia, the LNK contained the argument “-start” for the same purpose.\r\nThe function “DSA2_DSA2PKG_STRun_AddSTShortcut” uses the autostarter library to set up the malware’s persistence in the Startup directory of the running user.\r\nAfterwards, the function “main_createMainDir” is called, which creates the C:\\ProgramData\\NotificationControllerPSK directory that will store screenshots and other information collected by the malware.\r\nSystem info collection:\r\n1. Similar to V1, the malware writes a base64 blob, this time also containing the computer name, in the format <computer_name>_<current_user>_<random_ID> to “C:\\ProgramData\\NotificationControllerPSK\\MSAProfileNotificationHandler.txt”\r\n2. The malware takes a screenshot and saves it as a PNG file to the same folder, “C:\\ProgramData\\NotificationControllerPSK”\r\n3. The malware (only 3d7d75d66428c55dc81563c3bde5477977fadb3325d0224ef9313da133940077) executes the following commands:\r\ncmd /c ipconfig /release\r\ncmd /c ipconfig /renew\r\nThis is done by calling “cmd.exe,” similar to the WMI query in V1.\r\n4. The malware checks for installed antivirus products by running a WMI query. Unlike V1, which used cmd.exe to query WMI, V2 uses the imported bi-zone WMI library by calling a function named “DSA2_DSA2PKG_Properties_AV”:\r\nArid Gopher malware checks for installed antivirus products by running a WMI query\r\n5. The function “app_myLib_student_GetFatherName” that was present in V1 was renamed to “DSA2_DSA2PKG_Properties_OS”.\r\nThe function “main_sendBasicInfo” collects the following information about the computer and sends it to the C&C server:\r\nField Name | Field Value\r\nename | The asset name containing the name of the decoy .pdf to be opened\r\nen | Set to 2\r\ndevice_name | Base64 encoded unique string ID made up of the computer name, running username, and a random string\r\nav | Result of the WMI query for the running antivirus product\r\nos | OS version, e.g., “Microsoft Windows [Version 10.0.0.1836]”\r\nC2 Communication\r\nThe malware calls “main_sendSH” to save a screenshot using kbinani’s library and sends it to the server.\r\nThen, “main_getRequestsAndDoIt” is responsible for a loop which sends GET requests to the C2.\r\nThe response is JSON, unmarshalled into a struct named “main.REQ”, which has the following definition:\r\nArid Gopher V2: main.REQ definition\r\nThe C&C server needs to send a response with the following JSON object:\r\nArid Gopher V2 server response with JSON object\r\nID: A number that is used later for C&C commands to build a URL\r\nType: The name of the command to run\r\nValue: The value of the command\r\nStatus: Unused\r\nencoded_file_url: Used in the “d” command as the resource file to download\r\nMost of the time an empty array will be sent by the server, which will make the sample wait a random number of seconds until it sends another GET request.\r\nThe supported commands (i.e., the possible values of the “type” field) are:\r\nType | Details\r\ns | Takes a screenshot and sends it to the server\r\nc | Runs the command in the “value” field in CMD\r\nd | If the field “encoded_file_url” is present, downloads and executes a 2nd-stage payload from “<C2_address>/<id>/download_app_download-by-id/<encoded_file_url>” into the “NotificationControllerPSK” directory\r\ncwr | Same as the “c” command, but doesn’t wait for exit\r\nra | Runs a process with the path supplied in the “value” field\r\nal | Uploads the SoftTookkitPSA.txt log file\r\nDifferences Between V2 Samples:\r\n3d7d75d66428c55dc81563c3bde5477977fadb3325d0224ef9313da133940077\r\nThis variant was uploaded on December 19, 2021 to VirusTotal from Palestine, which might indicate the country in which the target is located, since Arid Viper is known to focus on attacking Palestinian targets.\r\nThe icon of the malware is the exact same Word icon that was used in V1.\r\nIf a victim opens the file, the malware writes a benign decoy Office document to the folder “%AppData%\\Local\\Temp\\<random_number>\\” and presents it to the victim:\r\nArid Gopher V2: decoy Office document opens in the %AppData%\\Local\\Temp\\ folder\r\nThis document contains content from a Saudi blog named “Almrsal” with information on how to write a formal letter.\r\n5588f6fab387133c21b06f6248259c64260435898edd61866fad50312c2d3b25\r\nThis variant was uploaded on January 31, 2022 to VirusTotal inside a RAR archive named “The modified opening session program 29-1-2022_ page -0001.xz” from Palestine, which likely indicates the country in which the target is located.\r\nThe practice of sending variants of Micropsia inside archives with the extension “.xz” has been observed with V1, as well as in several other Arid Viper campaigns.\r\nThe archive was downloaded from the URL “https://filetransfer[.]io/data-package/NDqgYm80/download,” a free file upload service; however, it is unknown how the victim(s) received this URL.\r\n“In the wild” URL containing archive with Arid Gopher V2 variant\r\nThis file had been flagged as suspicious by security researcher “MalwareHunterTeam,” but no formal attribution had been made.\r\nUnlike V1 and the previous V2 sample, this variant has a PDF icon.\r\nThe malware executable inside the archive has a double extension: “The modified opening session program 29-1-2022_page-0001 98656456363546 4565546454645 98984938493854 pdf .exe”\r\nThe use of double extensions, specifically “pdf.exe”, in combination with a long filename has been observed in previous Arid Viper campaigns.\r\nIf the victim opens the file, the malware writes a benign decoy PDF document named “The modified opening session program 29-1-2022_page-0001 98656456363546 4565546454645 98984938493854.pdf” to the folder “%TEMP%\\<current_date_and_time>” and presents it to the victim:\r\nArid Gopher V2: document meeting summary of Palestinian National Council\r\nThe document contains an official meeting summary of the Palestinian National Council.\r\nAdditional 2nd Stage Payloads\r\nArid Helper:\r\nDuring the analysis of the V2 sample we noticed that if the WMI query for installed security products returns “360 total security”, the malware calls an additional function instead of “main_addST”, as can be seen in Figure 10.\r\nThe function “main_addST” is responsible for creating the LNK shortcut, as described in the V2 analysis.\r\nHowever, if “360 total security” is found to be installed, the malware calls a function named “main_Reg360.” This function then calls another function named “main_DownReqApp”, which downloads an additional payload from the C2 server at the following URL: “http[:]//pam-beesly[.]site/J2FWAHfmgH573SUB/download_app/download-by-name/SystemNetworkEventsNotification”\r\nThe file is saved as “C:\\ProgramData\\NotificationControllerPSK\\SystemNetworkEventsNotification.txt”.\r\nAfterwards, a function named “DSA_DSA2PKG_FileByte_DecodeByte” is called to convert the downloaded file into an executable named “C:\\ProgramData\\NotificationControllerPSK\\SystemNetworkEventsNotification.exe”, and the text file is deleted.\r\nThe final executable is also written in Go, and its sole purpose appears to be to create an alternative persistence mechanism in case “360 total security” is installed.\r\nAs a side note, 360 Total Security was the first to publish about the Windows malware which was later named Micropsia and which Arid Viper continues to develop and improve.\r\nThis “helper” executable can receive the following parameters:\r\nv=<PersistenceName> - Creates a registry Run key value with the given value name.\r\nd=<PathToExecutable> - Sets the registry value to the path provided\r\n-st - Unused\r\n-old - Unused\r\nThe executable uses the Golang App Shutdown Hooks library and sets a shutdown hook that adds a Run key with the parameters used to set persistence.\r\nA shutdown hook function is called when the process receives an event for termination. 
Since the process’s console is hidden, this executable most likely exists to add the registry Run key when the computer shuts down.\r\nAdditional Second Stage Payload:\r\nWhile analyzing the traffic from the V2 variant, we noticed that at some point a URL that had been returning an empty JSON response started to respond with data.\r\nThe URL was called from the “main_getRequestsAndDoIt” function.\r\nAt one point, the URL returned a base64 blob which, when decoded, revealed another executable file:\r\nPE information for the second stage malware\r\nThis sample is not written in Go but in Visual C++, and was compiled on February 14, 2021. It uses mozelllittel[.]com as its C2.\r\nThe C2 uses the Laravel framework, which is also used by other Arid Viper C2 servers.\r\nThe sample also creates an LNK in Startup for persistence, like the Gopher variants.\r\nThis sample doesn’t display any decoy documents.\r\nWe will provide a further analysis of this sample in another blog post.\r\nConclusion\r\nMost current cybersecurity products fail to detect new malware and APTs (Advanced Persistent Threats) because they rely on manually tuned heuristics. More advanced solutions use manually selected features, which are then fed into classical machine learning modules to classify the file as malicious or legitimate (and even then, the malware detection rates are quite poor). Several methods rely on running the malware in a sandbox environment to obtain more information. While this allows for more accurate detection, it comes at the cost of protection because it’s a very time-intensive process and will not prevent threats from executing.\r\nThe Deep Instinct Prevention Platform stops known, unknown, and zero-day threats with the highest accuracy and lowest false-positive rate in the industry. We stop attacks before they happen, identifying malicious files in <20ms, before execution. Deep Instinct prevents >99% of unknown threats faster and with greater efficacy than existing EPP and EDR solutions, ensuring malware never enters your environment.\r\nDeep Instinct is built on a first-of-its-kind deep learning cybersecurity framework inspired by the brain’s ability to learn. Once a brain learns to identify an object, its identification becomes second nature. When applied to cybersecurity, deep learning facilitates new predictive capabilities of detecting, with unmatched accuracy, any type of cyber threat, including never-before-seen malware as described in this blog.\r\nDeep Instinct customers are protected against the variants of Micropsia described in this blog, as well as other unknown, never-before-seen malicious threats. If you’d like to see the platform in action for yourself, we’d be honored to show you what true prevention looks like. Please request a demo.\r\nIndicators of Compromise\r\nSHA256 | Description\r\nf01c07f88071c8f71514db19f68c966f17ac8af0d3288913141714037352c99c | Archive containing AridGopher V1\r\n99544057a5215e756b67aa47815e27dc157eb850792e5eacda6796922bb9a50b | AridGopher V1\r\n42492efa48785ca118d4b05f28570e7b6be4677a962cb7825a859ad5e3045710 | Archive containing AridGopher V2 (PDF)\r\n5588f6fab387133c21b06f6248259c64260435898edd61866fad50312c2d3b25 | AridGopher V2 (PDF)\r\n3d7d75d66428c55dc81563c3bde5477977fadb3325d0224ef9313da133940077 | AridGopher V2 (Word)\r\nfa257cca88522e76a7dc4a10311f739d17587f25fe447ae2b4c84027f2246705 | AridHelper\r\n57674d0ed1e03807ad9d53a9087388b1b9bf6e9e5d120dbe834730affebe2675 | 2nd stage malware\r\nDomain | Description\r\ngrace-fraser[.]site | AridGopher V1 C2\r\npam-beesly[.]site | AridGopher V2 C2\r\nmozelllittel[.]com | 2nd stage C2\r\nIndicators of Attack\r\nFolders:\r\nC:\\ProgramData\\NotificationControllerPS\r\nC:\\ProgramData\\NotificationControllerPSK\r\nUser-Agent:\r\naimxxhwpcc\r\nMutex:\r\nABCMedia\r\nSoftTookkitPSA\r\nCommands:\r\ncmd /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\nSource: https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant"
	],
	"report_names": [
		"arid-gopher-the-newest-micropsia-malware-variant"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3435670a303b3fd872bb04c76c58d6951076afeb.pdf",
		"text": "https://archive.orkl.eu/3435670a303b3fd872bb04c76c58d6951076afeb.txt",
		"img": "https://archive.orkl.eu/3435670a303b3fd872bb04c76c58d6951076afeb.jpg"
	}
}