{
	"id": "476c982e-c6a8-4c3e-992c-a87c7679ea38",
	"created_at": "2026-04-06T00:22:28.28537Z",
	"updated_at": "2026-04-10T03:25:36.511004Z",
	"deleted_at": null,
	"sha1_hash": "62a20ed01648ec5a644894b87643d6265571f94b",
	"title": "Stealth Falcon, FruityArmor - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58784,
	"plain_text": "Stealth Falcon, FruityArmor - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 23:04:19 UTC\r\n APT group: Stealth Falcon, FruityArmor\r\nNames\r\nStealth Falcon (Citizen Lab)\r\nFruityArmor (Kaspersky)\r\nProject Raven (Reuters)\r\nG0038 (MITRE)\r\nCountry UAE\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6d2ff349-ad5d-4237-9cb3-3d8891c35fbf\n\nDescription\n(Citizen Lab) This report describes a campaign of targeted spyware attacks carried\nout by a sophisticated operator, which we call Stealth Falcon. The attacks have been\nconducted from 2012 until the present, against Emirati journalists, activists, and\ndissidents. We discovered this campaign when an individual purporting to be from\nan apparently fictitious organization called “The Right to Fight” contacted Rori\nDonaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for\nHuman Rights, received a spyware-laden email in November 2015, purporting to\noffer him a position on a human rights panel. Donaghy has written critically of the\nUnited Arab Emirates (UAE) government in the past, and had recently published a\nseries of articles based on leaked emails involving members of the UAE\ngovernment.\nCircumstantial evidence suggests a link between Stealth Falcon and the UAE\ngovernment. We traced digital artifacts used in this campaign to links sent from an\nactivist’s Twitter account in December 2012, a period when it appears to have been\nunder government control. We also identified other bait content employed by this\nthreat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were\ndirectly targeted at one of 27 victims. 
Of the 27 targets, 24 were obviously linked to\nthe UAE, based on their profile information (e.g., photos, “UAE” in account name,\nlocation), and at least six targets appeared to be operated by people who were\narrested, sought for arrest, or convicted in absentia by the UAE government, in\nrelation to their Twitter activity.\nObserved\nSectors: Civil society groups and Emirati journalists, activists and dissidents.\nCountries: Netherlands, Saudi Arabia, Thailand, UAE, UK.\nTools used Deadglyph, StealthFalcon and 0-day exploits.\nOperations performed\n2014\nEx-NSA operatives reveal how they helped spy on targets for the Arab\nmonarchy — dissidents, rival leaders and journalists.\nOct 2016\nWindows zero-day exploit used in targeted attacks by FruityArmor\nAPT\nOct 2018\nZero-day exploit (CVE-2018-8453) used in targeted attacks\nOct 2018 Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)\nSep 2019\nESET researchers discovered a backdoor linked to malware used by\nthe Stealth Falcon group, an operator of targeted spyware attacks\nagainst journalists, activists and dissidents in the Middle East.\n2023\nStealth Falcon preying over Middle Eastern skies with Deadglyph\nMar 2025\nInside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6d2ff349-ad5d-4237-9cb3-3d8891c35fbf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6d2ff349-ad5d-4237-9cb3-3d8891c35fbf"
	],
	"report_names": [
		"showcard.cgi?u=6d2ff349-ad5d-4237-9cb3-3d8891c35fbf"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775791536,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62a20ed01648ec5a644894b87643d6265571f94b.pdf",
		"text": "https://archive.orkl.eu/62a20ed01648ec5a644894b87643d6265571f94b.txt",
		"img": "https://archive.orkl.eu/62a20ed01648ec5a644894b87643d6265571f94b.jpg"
	}
}