{
	"id": "aa72c04a-2ccb-4187-b561-ec86a1bfca34",
	"created_at": "2026-04-06T01:29:02.955946Z",
	"updated_at": "2026-04-10T13:11:38.751962Z",
	"deleted_at": null,
	"sha1_hash": "541031bb1b9e57bfba6214fe8234c712e5e1d29e",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95827,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 01:02:09 UTC\r\nHome \u003e List all groups \u003e Desert Falcons\r\n APT group: Desert Falcons\r\nNames\r\nDesert Falcons (Kaspersky)\r\nAPT-C-23 (Qihoo 360)\r\nTwo-tailed Scorpion (Qihoo 360)\r\nArid Viper (Palo Alto)\r\nATK 66 (Thales)\r\nTAG-CT1 (Recorded Future)\r\nTAG-63 (Recorded Future)\r\nMantis (Symantec)\r\nNiobium (Microsoft)\r\nPinstripe Lightning (Microsoft)\r\nRenegade Jackal (CrowdStrike)\r\nScimitar (?)\r\nCountry [Gaza]\r\nSponsor Hamas\r\nMotivation Information theft and espionage\r\nFirst seen 2011\r\nDescription (Kaspersky) The Global Research and Analysis Team (GReAT) at Kaspersky Lab\r\nhas uncovered new targeted attacks in the Middle East. Native Arabic-speaking\r\ncybercriminals have built advanced methods and tools to deliver, hide and operate\r\nmalware that they have also developed themselves. This malware was originally\r\ndiscovered during an investigation of one of the attacks in the Middle East.\r\nPolitical activities and news are being actively used by the cybercriminals to entice\r\nvictims into opening files and attachments. Content has been created with\r\nprofessionalism, with well-designed visuals and interesting, familiar details for the\r\nvictims, as if the information were long awaited.\r\nThe victims of the attacks to date have been carefully chosen; they are active and\r\ninfluential in their respective cultures, but also attractive to the cybercriminals as a\r\nsource of intelligence and a target for extortion.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d337940e-7ef9-4b4e-8c04-c6472d6b8972\r\nPage 1 of 5\n\nThe attackers have been operating for more than two years now, running different\r\ncampaigns, targeting different types of victims and different types of devices\r\n(including Windows- and Android-based). 
We suspect that at least 30 people\r\ndistributed across different countries are operating the campaigns.\r\nRecorded Future found possible overlap with Cyber fighters of Izz Ad-Din Al\r\nQassam, Fraternal Jackal.\r\nObserved\r\nSectors: Critical infrastructure, Defense, Education, Government, Media,\r\nTransportation.\r\nCountries: Albania, Algeria, Australia, Belgium, Bosnia and Herzegovina, Canada,\r\nChina, Cyprus, Denmark, Egypt, France, Germany, Greece, Hungary, India, Iran,\r\nIraq, Israel, Italy, Japan, Jordan, Kuwait, Lebanon, Libya, Mali, Mauritania, Mexico,\r\nMorocco, Netherlands, Norway, Pakistan, Palestine, Portugal, Qatar, Romania,\r\nRussia, Saudi Arabia, South Korea, Sudan, Sweden, Syria, Taiwan, Turkey, UAE,\r\nUkraine, USA, Uzbekistan, Yemen, Zimbabwe.\r\nTools used\r\nAridSpy, Barb(ie) Downloader, BarbWire, Desert Scorpion, FrozenCell,\r\nGlanceLove, GnatSpy, KasperAgent, Micropsia, PyMICROPSIA, SpyC23, VAMP,\r\nViperRAT, VolatileVenom.\r\nOperations performed\r\nJan 2015\r\nOperation “Arid Viper”\r\nOperation Arid Viper attacked five Israeli-based organizations in the\r\ngovernment, transport, infrastructure, military, and academic\r\nindustries, and one organization in Kuwait using spear-phishing\r\nemails that dropped a pornographic video on a victim’s computer.\r\n\u003chttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?\r\nlinkId=12425812\u003e\r\n\u003chttps://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf\u003e\r\nSep 2015\r\nProofpoint researchers recently intercepted and analyzed phishing\r\nemails distributing Arid Viper malware payloads with some\r\nnoteworthy updates.\r\nAs with the originally documented examples, these messages were\r\npart of narrow campaigns targeting specific industry verticals:\r\ntelecoms, high tech, and business services, primarily in 
Israel.\r\n\u003chttps://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View\u003e\r\nJul 2016 Around July last year, more than a 100 Israeli servicemen were hit by\r\na cunning threat actor. The attack compromised their devices and\r\nexfiltrated data to the attackers’ command and control server. In\r\naddition, the compromised devices were pushed Trojan updates,\nwhich allowed the attackers to extend their capabilities. The operation\nremains active at the time of writing this post, with attacks reported as\nrecently as February 2017.\nApr 2017\nThreatConnect has identified a KASPERAGENT malware campaign\nleveraging decoy Palestinian Authority documents. The samples date\nfrom April – May 2017, coinciding with the run up to the May 2017\nPalestinian Authority elections.\nApr 2017\nWe identified one specific spear phishing campaign launched against\ntargets within Palestine, and specifically against Palestinian law\nenforcement agencies. This campaign started in April 2017, using a\nspear phishing campaign to deliver the MICROPSIA payload in order\nto remotely control infected systems.\nSep 2017\nFrozenCell is the mobile component of a multi-platform attack we’ve\nseen a threat actor known as “Two-tailed Scorpion/APT-C-23,” use to\nspy on victims through compromised mobile devices and desktops.\nDec 2017\nRecently, Trend Micro researchers came across a new mobile\nmalware family which we have called GnatSpy. We believe that this\nis a new variant of VAMP, indicating that the threat actors behind\nAPT-C-23 are still active and continuously improving their product.\nSome C\u0026C domains from VAMP were reused in newer GnatSpy\nvariants, indicating that these attacks are connected. 
We detect this\nnew family as ANDROIDOS_GNATSPY.\nEarly 2018\nLookout researchers have identified a new, highly targeted\nsurveillanceware family known as Desert Scorpion in the Google Play\nStore. Lookout notified Google of the finding and Google removed\nthe app immediately while also taking action on it in Google Play\nProtect.\nApr 2020 We have discovered a previously unreported version of Android\nspyware used by APT-C-23, a threat group also known as Two-tailed\nScorpion and mainly targeting the Middle East. ESET products detect\nthe malware as Android/SpyC23.A.\nApr 2020\nOperation “Bearded Barbie”\nAPT-C-23 Campaign Targeting Israeli Officials\nDec 2020\nPyMICROPSIA: New Information-Stealing Trojan from AridViper\nSep 2021\nArid Viper APT targets Palestine with new wave of politically themed\nphishing attacks, malware\nNov 2021\nNew Variants of Android Spyware Linked to APT C-23 Enhanced for\nStealth and Persistence, Sophos Research Reveals\n2022\nArid Viper | APT’s Nest of SpyC23 Malware Continues to Target\nAndroid Devices\n2022\nArid Viper poisons Android apps with AridSpy\nApr 2022\nArid Viper disguising mobile spyware as updates for non-malicious\nAndroid applications\nSep 2022\nMantis: New Tooling Used in Attacks Against Palestinian Targets\nOct 2023\nHamas Application Infrastructure Reveals Possible Overlap with\nTAG-63 and Iranian Threat Activity\nCounter operations Feb 2020 Operation “Rebound”\nIDF (Israel Defense Force) and ISA (Israel Security Agency AKA\n“Shin Bet”) conducted a joint operation to take down a Hamas\noperation targeting IDF soldiers.\nApr 2021\nTaking Action Against Hackers in Palestine\nInformation\nLast change to this card: 28 June 2025\nSource: 
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d337940e-7ef9-4b4e-8c04-c6472d6b8972",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d337940e-7ef9-4b4e-8c04-c6472d6b8972"
	],
	"report_names": [
		"showcard.cgi?u=d337940e-7ef9-4b4e-8c04-c6472d6b8972"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb08058c-a744-4129-aa80-10aa34ed8766",
			"created_at": "2022-10-25T16:07:24.474826Z",
			"updated_at": "2026-04-10T02:00:05.003307Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Cyber fighters of Izz Ad-Din Al Qassam",
				"Fraternal Jackal",
				"QCF",
				"Qassam Cyber Fighters"
			],
			"source_name": "ETDA:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d63af7da-1b27-4f7e-a006-e7398c38f436",
			"created_at": "2023-01-06T13:46:38.702633Z",
			"updated_at": "2026-04-10T02:00:03.073096Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Fraternal Jackal"
			],
			"source_name": "MISPGALAXY:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438942,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/541031bb1b9e57bfba6214fe8234c712e5e1d29e.pdf",
		"text": "https://archive.orkl.eu/541031bb1b9e57bfba6214fe8234c712e5e1d29e.txt",
		"img": "https://archive.orkl.eu/541031bb1b9e57bfba6214fe8234c712e5e1d29e.jpg"
	}
}