{ "id": "54c4dc50-ab02-407d-ab9f-705a0a349d23", "created_at": "2026-04-06T00:08:48.254022Z", "updated_at": "2026-04-10T13:12:04.748274Z", "deleted_at": null, "sha1_hash": "42b3862774ed49a00ecfba3050b6d2ea5156d9eb", "title": "Desert Scorpion - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48116, "plain_text": "Desert Scorpion - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:40:06 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Desert Scorpion\r\n Tool: Desert Scorpion\r\nNames Desert Scorpion\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(Lookout) The malicious capabilities observed in the second stage include the\r\nfollowing:\r\n• Upload attacker-specified files to C2 servers\r\n• Get list of installed applications\r\n• Get device metadata\r\n• Inspect itself to get a list of launchable activities\r\n• Retrieves PDF, txt, doc, xls, xlsx, ppt, pptx files found on external storage\r\n• Send SMS\r\n• Retrieve text messages\r\n• Track device location\r\n• Handle limited attacker commands via out of band text messages\r\n• Record surrounding audio\r\n• Record calls\r\n• Record video\r\n• Retrieve account information such as email addresses\r\n• Retrieve contacts\r\n• Removes copies of itself if any additional APKs are downloaded to external storage.\r\n• Call an attacker-specified number\r\n• Uninstall apps\r\n• Check if a device is rooted\r\n• Hide its icon\r\n• Retrieve list of files on external storage\r\n• If running on a Huawei device it will attempt to add itself to the protected list of apps\r\nable to run with the screen off\r\n• Encrypts some exfiltrated data\r\nInformation \u003chttps://blog.lookout.com/desert-scorpion-google-play\u003e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98d061ee-cea8-4987-9ae5-554d09404413\r\nPage 1 of 2\n\nMITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Desert Scorpion\nChanged Name Country Observed\nAPT groups\n Desert Falcons [Gaza] 2011-Oct 2023\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98d061ee-cea8-4987-9ae5-554d09404413\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98d061ee-cea8-4987-9ae5-554d09404413\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=98d061ee-cea8-4987-9ae5-554d09404413" ], "report_names": [ "listgroups.cgi?u=98d061ee-cea8-4987-9ae5-554d09404413" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434128, "ts_updated_at": 1775826724, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/42b3862774ed49a00ecfba3050b6d2ea5156d9eb.pdf", "text": "https://archive.orkl.eu/42b3862774ed49a00ecfba3050b6d2ea5156d9eb.txt", "img": "https://archive.orkl.eu/42b3862774ed49a00ecfba3050b6d2ea5156d9eb.jpg" } }