{ "id": "22bf61bd-8b42-4d77-8e6d-9d1ace8025ca", "created_at": "2026-04-06T00:09:35.136765Z", "updated_at": "2026-04-10T13:11:22.333399Z", "deleted_at": null, "sha1_hash": "5c15f965b9d94ad92fe933ced585f55248393b89", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 239425, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy AlienVault\r\nArchived: 2026-04-05 22:48:41 UTC\r\nAuthor Url\r\nSuspected APT-C-23 (two-tailed scorpion) tissue camouflage Threema communication software\r\nattack analysis\r\nFileHash-MD5: 21 | FileHash-SHA1: 12 | FileHash-SHA256: 12 | URL: 1\r\nAPT-C-23 (two-tailed scorpion) is also known as AridViper, Micropsia, FrozenCell, Desert Falcon, and its attack\r\nrange is mainly in important fields such as educational institutions and military institutions in relevant countries in\r\nthe Middle East, and important fields such as educational institutions and military institutions in Palestine, a\r\nnetwork attack organization that mainly steals sensitive information. It has the ability to attack both Windows and\r\nAndroid platforms. From May 2016, organized, planned and targeted long-term uninterrupted attacks were\r\nlaunched on Palestinian educational institutions, military institutions and other important areas.\r\n374,021 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:FrozenCell\r\nPage 1 of 3\n\nNew GnatSpy Mobile Malware Family Discovered\r\nStay updated to the latest updates on Trend Micro's app, which allows users to search for products on a variety of\r\nsites across the globe, including Facebook, Twitter, Instagram, Google and YouTube.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:FrozenCell\r\nPage 2 of 3\n\n354 Subscribers\r\nAuthor Url\r\nFrozenCell\r\nFrozenCell is the mobile component of a multi-platform attack we’ve seen a threat actor known as “Two-tailed\r\nScorpion / APT-C-23,” use to spy on victims through compromised mobile devices and desktops. The desktop\r\ncomponents of this attack, previously discovered by Palo Alto Network, are known as KasperAgent and\r\nMicropsia. During this investigation we discovered 561MB of exfiltrated data from 24 compromised Android\r\ndevices that was publicly accessible on one of dozens of C2s. More data is appearing daily, and it looks like this\r\nactor is both still active and pretty successful despite not using any exploits in their mobile component.\r\n69 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:FrozenCell\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:FrozenCell\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:FrozenCell" ], "report_names": [ "pulses?q=tag:FrozenCell" ], "threat_actors": [ { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434175, "ts_updated_at": 1775826682, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5c15f965b9d94ad92fe933ced585f55248393b89.pdf", "text": "https://archive.orkl.eu/5c15f965b9d94ad92fe933ced585f55248393b89.txt", "img": "https://archive.orkl.eu/5c15f965b9d94ad92fe933ced585f55248393b89.jpg" } }