{
	"id": "da52852e-e7c2-4984-a945-1bf81a9e76a2",
	"created_at": "2026-04-06T00:10:57.810916Z",
	"updated_at": "2026-04-10T13:11:41.277Z",
	"deleted_at": null,
	"sha1_hash": "643a87ff78ac84112c75d12b9c4464c03c9a25c0",
	"title": "The Desert Falcons targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2643693,
	"plain_text": "The Desert Falcons targeted attacks\r\nBy Ghareeb Saad\r\nPublished: 2015-02-17 · Archived: 2026-04-05 13:51:28 UTC\r\nDownload Full Report PDF\r\nThe Desert Falcons are a new group of Cyber Mercenaries operating in the Middle East and carrying out Cyber\r\nEspionage across that region. The group uses an arsenal of homemade malware tools and techniques to execute\r\nand conceal its campaigns on PC and Mobile OS.\r\n#FalconsAPT is the 1st known campaign to be fully developed by Arabic #hackers to target the Middle\r\nEast #TheSAS2015\r\nTweet\r\nThe first Desert Falcons operations were seen in 2011 and the group made its first infections in 2013. By the end\r\nof 2014 and beginning of 2015 the group was very active.\r\nFull report\r\nThe full report can be found here.\r\nFAQ\r\nWhere are the Victims Located?\r\nThere are more than 3,000 victims in 50+ countries. Most of them are found in Palestine, Egypt, Israel and Jordan,\r\nbut others have been discovered in Saudi Arabia, the UAE, the US, South Korea, Morocco, Qatar and others.\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 1 of 7\n\nWho are the Victims?\r\nThe attacks targeted several classes of victim, including Military and Government organizations, employees\r\nresponsible for health organizations, combating money laundering, economic and financial institutions, leading\r\nmedia entities, research and educational institutions, energy and utilities providers, activists and political leaders,\r\nphysical security companies and other targets that have access to important geopolitical information.\r\nHow are the victims infected?\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 2 of 7\n\nMalware writers use a variety of technical and social engineering methods to deliver their files and encourage\r\nvictims to run them, creating an effective infection vector. Examples include a fake website that promises to\r\npublish censored political information and asks users to download a plugin to view a video (the plugin contains\r\nthe malware). Another example involves the use of spear phishing emails or social network messages to deliver\r\nmalicious files using an extension override (e.g. malicious files ending with .fdp.scr would appear .rcs.pdf).\r\nSample of documents and videos used in spear phishing\r\nWhat are the goals of the operations?\r\nThe attackers are looking for sensitive intelligence information that could help them in further operations or even\r\nextortion. The victims are targeted for the secrets in their possession or intelligence information relating to their\r\npositions in governments or important organizations.\r\nMore than 1 million files were stolen from victims. Stolen files include diplomatic communications from\r\nembassies, military plans and documents, financial documents, VIP and Media contact lists and files.\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 3 of 7\n\nWho are the attackers and what do we know about them?\r\nThe Desert Falcons operators are native Arabic speakers. There are about 30 of them working in three teams.\r\nSome of their identities are already known. The attackers are running three campaigns to target different types of\r\nvictim.\r\nWhere are the attackers based?\r\nThe attackers are based in Palestine, Egypt and Turkey.\r\nWhich malware do they use to infect their victims?\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 4 of 7\n\nThere are three main backdoors used to infect victim devices:\r\nComputer backdoors\r\nThe Main Falcons Trojan\r\nThe DHS* Spyware Trojan\r\nComputer Backdoors give the attackers full scope to use keyloggers and screenshotters, access files and even\r\nmake audio recordings. DHS naming is used by the attackers to describe the nickname initials of one of the\r\ndevelopers (D** H*** Spyware).\r\nMobile Backdoor\r\nA mobile backdoor targeting Android devices.\r\nMobile Backdoors give attackers access to Call and SMS logs\r\nHow did you become aware of this threat? Who reported it?\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 5 of 7\n\nWe became aware of the threat during an incident investigation in the Middle East.\r\nIs it still active?\r\nThe operation is very active and is currently in peak condition. We are continuously identifying new samples and\r\nvictims for all related campaigns.\r\nHow is this different from any other Cyber espionage attacks?\r\nDesert Falcons are the first known Cyber espionage attacks to be fully developed and operated by Arabic speakers\r\nto target the Middle East. It has affected a stunning range of victims, stealing more than 1 million special files.\r\nThe profiles of the targeted victims and the apparent political motives behind the attacks make it possible that\r\nDesert Falcons operations could be nation state sponsored. At present, though, this cannot be confirmed.\r\nWhy this name?\r\nThe falcon is a rare bird that has been highly prized for a centuries in desert countries in the Arab world.  It is a\r\nsymbol of hunting and sharp vision. The Desert Falcons are proficient cyberhunters with carefully chosen targets,\r\nall of whom are thoroughly investigated before the attack and closely watched after being infected.\r\nHow can users protect themselves?\r\nKaspersky Lab products detect and block all variants of the malware used in this campaign:\r\n     Trojan.Win32.DesertFalcons\r\n     Trojan-Spy.Win32.Agent.cncc\r\n     Trojan-Spy.Win32.Agent.ctcr\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 6 of 7\n\nTrojan-Spy.Win32.Agent.ctcv\r\n     Trojan-Spy.Win32.Agent.ctcx\r\n     Trojan-Spy.Win32.Agent.cree\r\n     Trojan-Spy.Win32.Agent.ctbz\r\n     Trojan-Spy.Win32.Agent.comn\r\n     Trojan.Win32.Bazon.a\r\nSource: https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nhttps://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/"
	],
	"report_names": [
		"the-desert-falcons-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/643a87ff78ac84112c75d12b9c4464c03c9a25c0.pdf",
		"text": "https://archive.orkl.eu/643a87ff78ac84112c75d12b9c4464c03c9a25c0.txt",
		"img": "https://archive.orkl.eu/643a87ff78ac84112c75d12b9c4464c03c9a25c0.jpg"
	}
}