{
	"id": "64c31dcc-9d76-4f6a-b0a9-0fc7cd00f6ab",
	"created_at": "2026-04-06T00:18:46.101513Z",
	"updated_at": "2026-04-10T13:12:45.590802Z",
	"deleted_at": null,
	"sha1_hash": "a9acd781af1754971fa93253a8d65f4d99c0d45a",
	"title": "ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241297,
	"plain_text": "ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group\r\nBy ESET Research\r\nArchived: 2026-04-05 18:08:12 UTC\r\nStealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon.\r\nBased on these two reports referring to the same targets and attacks, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.\r\nFigure 1. Claudio Guarnieri has connected Stealth Falcon with Project Raven\r\nSome technical information about Stealth Falcon has already been made public – notably, in the already mentioned analysis by the Citizen Lab.\r\nThe key component in the attack documented in the Citizen Lab report was a PowerShell-based backdoor, delivered via a weaponized document that was included in a malicious email.\r\nhttps://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/\r\nPage 1 of 9\r\nNow, we have found a previously unreported binary backdoor we have named Win32/StealthFalcon. In this article, we disclose similarities between this binary backdoor and the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group. We consider the similarities to be strong evidence that Win32/StealthFalcon was created by this group.\r\nThe Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country. How the backdoor was distributed and executed on the target systems is beyond the scope of this investigation; our analysis focuses on its capabilities and its C\u0026C communication.\r\nC\u0026C communication\r\nIn its communication with the C\u0026C server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), a rather unusual technique. BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications. It is commonly used by updaters, messengers, and other applications designed to operate in the background. This means that BITS tasks are more likely to be permitted by host-based firewalls.\r\nCompared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy. The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot. In addition, because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion.\r\nWin32/StealthFalcon can switch the communication between two C\u0026C servers whose addresses are stored in a registry key, along with other configuration values, and can be updated by one of the backdoor commands. In case the backdoor fails to reach out to its C\u0026C servers, the backdoor removes itself from the compromised system after a preconfigured number of failed attempts.\r\nCapabilities\r\nWin32/StealthFalcon is a DLL file that, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.\r\nCommand name | Functionality\r\nK | Uninstall itself\r\nCFG | Update configuration data\r\nRC | Execute the specified application\r\nDL | Write downloaded data to file\r\nCF | Prepare a file for exfiltration\r\nCFW | Exfiltrate and delete files\r\nCFWD | Not implemented/no operation\r\nTable 1. Backdoor commands\r\nFor example, the backdoor’s key capability, downloading and executing files, is achieved via regular checks for libraries named “win*.dll” or “std*.dll” in the directory the malware is executed from, and loading these libraries.\r\nFurthermore, Win32/StealthFalcon collects files and prepares them for exfiltration by storing an encrypted copy with a hardcoded prefix in a temporary folder. It then regularly checks for such files and exfiltrates them automatically. After the files have been successfully exfiltrated, the malware safe-deletes all log files and collected files (before deleting the files, it rewrites them with random data) to prevent forensic analysis and recovery of the deleted data.\r\nThe configuration values are stored in the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions registry key. All values are prefixed by the malware’s filename (without extension).\r\nValue name suffix | Content\r\n-FontDisposition | Randomly generated, 4-byte victim ID\r\n-MRUData | RC4-encrypted C\u0026C domain\r\n-MRUList | RC4-encrypted C\u0026C domain\r\n-IconPosition | Flag determining which of the C\u0026C domains should be used\r\n-IconDisposition | Number of seconds to sleep after each iteration of contacting the C\u0026C server\r\n-PopupPosition | Counter of failed attempts to reach the C\u0026C servers\r\nTable 2. Configuration data stored in registry\r\nPossible trick to evade detection\r\nOf interest is a function that is executed before any malicious payload is started, and which seems redundant. It references 300+ imports, but does not use them at all. Instead, it always returns and continues with the payload afterward, without condition checks that would suggest it is an anti-emulation trick.\r\nFigure 2. A function referencing hundreds of unused imports, possibly added to avoid detection of the malware\r\nWe don’t know the precise intention of this function, but we suspect it is either some attempt to evade detection, or some leftover from a larger framework used by the malware authors.\r\nLinks to Stealth Falcon\r\nBoth Win32/StealthFalcon and the PowerShell-based backdoor described in the Citizen Lab analysis share the same C\u0026C server: the address windowsearchcache[.]com was used as a “Stage Two C2 Server Domain” in the backdoor analyzed by the Citizen Lab, and also in one of the versions of Win32/StealthFalcon.\r\nBoth backdoors display significant similarities in code – although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID). In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key.\r\nFor their C\u0026C server communication, they both use HTTPS but set specific flags for the connection to ignore the server certificate.\r\nConclusion\r\nWe discovered and analyzed a backdoor with an uncommon technique for C\u0026C communication – using Windows BITS – and some advanced techniques to hinder detection and analysis, and to ensure persistence and complicate forensic analysis. Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group.\r\nIndicators of Compromise (IoCs)\r\nESET detection name\r\nWin32/StealthFalcon\r\nSHA-1\r\n31B54AEBDAF5FBC73A66AC41CCB35943CC9B7F72\r\n50973A3FC57D70C7911F7A952356188B9939E56B\r\n244EB62B9AC30934098CA4204447440D6FC4E259\r\n5C8F83CC4FF57E7C67925DF4D9DAABE5D0CC07E2\r\nRC4 keys\r\n258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3\r\n2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2\r\n3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6\r\n8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE\r\nNote: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.\r\nHost-based indicators\r\nMalware file names\r\nImageIndexer.dll\r\nWindowsBackup.dll\r\nWindowsSearchCache.dll\r\nJavaUserUpdater.dll\r\nLog file name patterns\r\n%TEMP%\\dsc*\r\n%TEMP%\\sld*\r\n%TEMP%\\plx*\r\nRegistry keys/values\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\r\nX-MRUList\r\nX-MRUData\r\nX-FontDisposition\r\nX-IconDisposition\r\nX-IconPosition\r\nX-PopupPosition\r\nX is the malware’s filename (without extension).\r\nNetwork indicators\r\nBITS job names\r\nWindowsImages-WindowsBackup-WindowsSearchCache-ElectricWeb\r\nC\u0026C servers\r\nfootballtimes[.]info\r\nvegetableportfolio[.]com\r\nwindowsearchcache[.]com\r\nelectricalweb[.]org\r\nupnpdiscover[.]org\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1059 | Command-Line Interface | Malware uses cmd.exe to execute some commands.\r\nExecution | T1106 | Execution through API | Malware uses CreateProcessW API for execution.\r\nExecution | T1085 | Rundll32 | Malware uses rundll32.exe to load the backdoor DLL.\r\nExecution | T1053 | Scheduled Task | Malware schedules rundll32.exe to be executed on each login, and subsequently to load the backdoor DLL.\r\nPersistence | T1053 | Scheduled Task | Malware establishes persistence by scheduling a task that loads the backdoor on each user login.\r\nDefense Evasion | T1197 | BITS Jobs | Malware uses BITS file transfer mechanism for network communication, in an attempt to avoid detection.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Strings are encrypted with a custom XOR cipher. Configuration data and log files are encrypted with RC4, using a hardcoded key.\r\nDefense Evasion | T1107 | File Deletion | Malware overwrites files with random data, and deletes them after exfiltration.\r\nDefense Evasion | T1036 | Masquerading | Malware attempts to disguise itself by using seemingly legitimate file names.\r\nDefense Evasion | T1112 | Modify Registry | Malware stores its configuration in a registry key.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Strings are encrypted with a custom XOR cipher. Configuration data and log files are encrypted with RC4, using a hardcoded key.\r\nDiscovery | T1063 | Security Software Discovery | Malware terminates itself if McAfee Agent binary (cmdagent.exe) is detected.\r\nCollection | T1074 | Data Staged | Malware stores collected data in a temporary folder in files named with a hardcoded prefix.\r\nCollection | T1005 | Data from Local System | Malware has a command to collect/steal a file from the compromised system.\r\nCommand and Control | T1008 | Fallback Channels | Malware is able to communicate with two C\u0026C servers; it also supports switching to a different C\u0026C server using a backdoor command.\r\nCommand and Control | T1105 | Remote File Copy | Malware uses BITS Jobs for C\u0026C communication.\r\nCommand and Control | T1005 | Standard Cryptographic Protocol | Malware encrypts C\u0026C communication using RC4 with a hardcoded key.\r\nExfiltration | T1020 | Automated Exfiltration | Malware automatically exfiltrates files in a temporary folder in files named with a hardcoded prefix.\r\nExfiltration | T1022 | Data Encrypted | Malware encrypts the collected data using RC4 with a hardcoded key, prior to exfiltration.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Malware exfiltrates data over the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/"
	],
	"report_names": [
		"backdoor-stealth-falcon-group"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd084d2f-4233-49b1-b0e6-c7011178dae0",
			"created_at": "2022-10-25T15:50:23.544316Z",
			"updated_at": "2026-04-10T02:00:05.325921Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"Stealth Falcon"
			],
			"source_name": "MITRE:Stealth Falcon",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9acd781af1754971fa93253a8d65f4d99c0d45a.pdf",
		"text": "https://archive.orkl.eu/a9acd781af1754971fa93253a8d65f4d99c0d45a.txt",
		"img": "https://archive.orkl.eu/a9acd781af1754971fa93253a8d65f4d99c0d45a.jpg"
	}
}