{
	"id": "640bf02e-1615-40b9-affa-ab01f7504025",
	"created_at": "2026-04-06T01:29:55.418495Z",
	"updated_at": "2026-04-10T03:29:28.480048Z",
	"deleted_at": null,
	"sha1_hash": "918a2a4f90591eb792b4af948bd705b24520eeaf",
	"title": "Middle Eastern hacking group is using FinFisher malware to conduct international espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41618,
	"plain_text": "Middle Eastern hacking group is using FinFisher malware to conduct international espionage\r\nBy Chris Bing\r\nPublished: 2017-10-16 · Archived: 2026-04-06 00:34:17 UTC\r\nA well-funded, highly active group of Middle Eastern hackers was caught, yet again, using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group.\r\nThe incident, as described by security researchers with Moscow-based cybersecurity firm Kaspersky Lab, shines a rare light on the opaque although apparently vibrant market for software exploits and spyware, which in this case appears to have been purchased by a nation-state.\r\nThe Middle Eastern hacker group in this case is codenamed “BlackOasis.” Kaspersky found the group was exploiting an Adobe Flash Player zero-day vulnerability (CVE-2016-4117) to remotely deliver the latest version of “FinSpy” malware, according to a new blog post published Monday. Adobe issued a fix Monday to its users in the form of a software update.\r\nFinSpy, a final-stage payload that allows an attacker to covertly learn what a target is talking about and who they are communicating with, is associated with Gamma Group — which goes by other names, including FinFisher and Lench IT Solutions.\r\nBlackOasis in recent months sent a wave of phishing emails. These emails contained malicious Microsoft Word documents with the aforementioned Flash Player zero-day hidden inside an embedded ActiveX object. In the past, BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China.\r\nThe term zero-day is indicative of a software flaw that remains unknown to the software’s creator. Zero-days can be highly disruptive because they provide a window of time for an attacker to breach victims before the vendor is able to apply a software update to address the specific security hole.\r\nU.S. cybersecurity firm FireEye also recently captured BlackOasis activity as part of a similar incident where the group relied on a different zero-day exploit — more specifically, a SOAP WSDL parser code injection vulnerability — to install FinSpy onto a small number of devices. Again, the attacker’s intention appeared to be espionage.\r\n“Unlike other FinFisher customers or users who focus mostly on domestic operations, BlackOasis focuses on external operations and goes after a wide range of targets around the world,” explained Costin Raiu, director of the global research and analysis team at Kaspersky Lab.\r\nGamma Group has been accused of selling its products to authoritarian regimes that can use the technology to both track dissidents and conduct foreign espionage over the internet.\r\nThe discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015. It’s unclear whether the hackers are purchasing the exploits and spyware together, directly from Gamma Group, or if they were able to acquire some of the tools through other avenues.\r\n“BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents,” a blog post about Kaspersky’s findings reads.\r\nThe post continues, “during 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks … Victims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.”\r\nBrian Bartholomew, a senior security researcher with Kaspersky, said on Twitter that BlackOasis’ espionage included non-traditional targets — “going outside of that lawful surveillance boundary.”\r\nAn advanced persistent threat group, previously identified by Microsoft and codenamed Neodymium, is closely associated with BlackOasis’ operations.\r\nLast year, Microsoft researchers described Neodymium’s behavior as unusual: “unlike many activity groups, which typically gather information for monetary gain or economic espionage, PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals. These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region. Their targets, however, appear to be individuals that do not share common affiliations.”\r\nA cursory review of BlackOasis’ espionage campaign suggests there is some overlap between the group’s actions and Saudi Arabia’s geopolitical interests. For example, the targeting of Angolan organizations in mid-2016 coincides directly with the rise of Angola’s oil business with China, which displaced Saudi Arabia as the number one exporter of crude oil to China at the time.\r\nAll 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways: economically; from a national security perspective; or due to established policy agreements.\r\nIn addition, Saudi Arabia is a known customer of spyware and has used the technology domestically, according to Citizen Lab, a cybersecurity and human-rights focused research laboratory. Kaspersky’s research notes that BlackOasis hacked into computers based in Saudi Arabia.\r\nSource: https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/"
	],
	"report_names": [
		"middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage"
	],
	"threat_actors": [
		{
			"id": "10ad5c1d-5030-4300-be4e-6d24b40a6330",
			"created_at": "2022-10-25T16:07:23.400966Z",
			"updated_at": "2026-04-10T02:00:04.581114Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "ETDA:BlackOasis",
			"tools": [
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "27485543-d2e7-4053-a660-157489732cbb",
			"created_at": "2022-10-25T16:07:23.895403Z",
			"updated_at": "2026-04-10T02:00:04.781765Z",
			"deleted_at": null,
			"main_name": "Neodymium",
			"aliases": [
				"G0055"
			],
			"source_name": "ETDA:Neodymium",
			"tools": [
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "400a3efc-44a1-4d83-a724-cd16818328f9",
			"created_at": "2023-01-06T13:46:38.516115Z",
			"updated_at": "2026-04-10T02:00:03.008975Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"G0055"
			],
			"source_name": "MISPGALAXY:NEODYMIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5200f27d-0d0a-49e9-a9de-9612971126c2",
			"created_at": "2023-01-06T13:46:38.959648Z",
			"updated_at": "2026-04-10T02:00:03.163547Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "MISPGALAXY:BlackOasis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe",
			"created_at": "2022-10-25T15:50:23.734241Z",
			"updated_at": "2026-04-10T02:00:05.404606Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"BlackOasis"
			],
			"source_name": "MITRE:BlackOasis",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11cbeb5-461f-4bd8-a86b-f57e471a664d",
			"created_at": "2022-10-25T15:50:23.257383Z",
			"updated_at": "2026-04-10T02:00:05.414047Z",
			"deleted_at": null,
			"main_name": "NEODYMIUM",
			"aliases": [
				"NEODYMIUM"
			],
			"source_name": "MITRE:NEODYMIUM",
			"tools": [
				"Wingbird"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438995,
	"ts_updated_at": 1775791768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/918a2a4f90591eb792b4af948bd705b24520eeaf.pdf",
		"text": "https://archive.orkl.eu/918a2a4f90591eb792b4af948bd705b24520eeaf.txt",
		"img": "https://archive.orkl.eu/918a2a4f90591eb792b4af948bd705b24520eeaf.jpg"
	}
}