{
	"id": "f5266a68-d458-4275-b33d-3fd455bea60e",
	"created_at": "2026-04-06T00:22:15.556021Z",
	"updated_at": "2026-04-10T13:11:22.378005Z",
	"deleted_at": null,
	"sha1_hash": "bd304e1edd18b18a7d280ee093ef02f8e5706aca",
	"title": "Arid Viper disguising mobile spyware as updates for non-malicious Android applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3802005,
	"plain_text": "Arid Viper disguising mobile spyware as updates for non-malicious\r\nAndroid applications\r\nBy Cisco Talos\r\nPublished: 2023-10-31 · Archived: 2026-04-05 21:53:16 UTC\r\nTuesday, October 31, 2023 07:00\r\nSince April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid\r\nViper advanced persistent threat (APT) group targeting Arabic-speaking Android users. In this campaign, the\r\nactors leverage custom mobile malware, also known as Android Package files (APKs), to collect sensitive\r\ninformation from targets and deploy additional malware onto infected devices.\r\nAlthough Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that\r\nthis campaign is related in any way to the Israel-Hamas war. Furthermore, the publication of this research was\r\ndelayed while Talos was performing the due diligence with law enforcement.\r\nThe mobile malware used in this campaign shares similarities with a non-malicious online dating application,\r\nreferred to as Skipped. The malware specifically uses a similar name and the same shared project on the\r\napplications’ development platform. This overlap suggests the Arid Viper operators are either linked to Skipped’s\r\ndeveloper or somehow gained illicit access to the shared project’s database. 
\r\nOur analysis uncovered an array of simulated dating applications that are linked to Skipped, leading us to assess\r\nthat Arid Viper operators may seek to leverage these additional applications in future malicious campaigns.\r\nIn order to coerce users into downloading their mobile malware, Arid Viper operators share malicious links\r\nmasquerading as updates to the dating applications that instead deliver malware to the user’s device.\r\nArid Viper’s Android malware has a number of features that enable the operators to disable security notifications,\r\ncollect users’ sensitive information, and deploy additional malicious applications on the compromised device.\r\nThe mobile malware deployed by Arid Viper in this campaign shares similarities with the non-malicious dating\r\napplication Skipped, in that it has a similar name and uses the same shared project on the application development\r\nplatform Firebase. These overlaps, explained in further detail below, suggest the Arid Viper operators may be linked to\r\nhttps://blog.talosintelligence.com/arid-viper-mobile-spyware/\r\nPage 1 of 18\n\nSkipped’s developers, and/or they may have illicitly copied characteristics of the non-malicious application in order to\r\nentice and deceive users into downloading their malware. Of note, the technique of leveraging legitimate application\r\nnames in order to coerce users into downloading malicious software is in line with the “honey trap” tactics used by Arid\r\nViper in the past.\r\nThe name of Arid Viper’s mobile malware, “Skipped_Messenger,” appears to be a reference to Skipped, which is listed\r\non some application stores as “Skipped - Chat, Match \u0026 Dating.” The “Skipped_Messenger” malware uses Google’s\r\nFirebase messaging system as a command and control (C2) channel, while the non-malicious Skipped application uses it\r\nfor pushing out notifications. 
Google’s Firebase messaging system works via the creation of a named project, along with\r\nother unique identifiers. This project is protected with a set of credentials and API keys. In order for developers to write\r\napplications that use the same project and Firebase databases, they need credentials in the form of API keys, and project\r\nand application IDs that are generated in the Firebase project’s console.\r\nThe Android malware deployed in this malicious campaign extensively uses the same Firebase databases used by\r\nSkipped; however, both the malware and the non-malicious application use their own set of distinct credentials,\r\nincluding API keys and Client Application IDs. This observation indicates that the malware developers had access to the\r\nsame Firebase project and backend database that are used by the non-malicious dating application, and generated their\r\nown set of credentials.\r\nTalos also considered, though assessed it was unlikely, that Skipped’s Firebase databases were configured in test mode,\r\nmade publicly available, and abused by Arid Viper. Test mode allows a developer to quickly set up a database for testing\r\npurposes, which makes it available to everyone who knows the URL. This mode needs to be set when the database is first\r\ncreated and is only available for 30 days. After this duration, the database is locked and needs to be specifically re-configured to provide public access. The passive DNS data for the Skipped Firebase project’s domain shows that the URL\r\nfor the database was first seen on August 9, 2021, while Arid Viper’s malware started using this infrastructure beginning\r\non November 11, 2022. 
Given the malware used Skipped’s Firebase project almost a year after the infrastructure was set\r\nup (and well outside the 30-day window of public access), it is unlikely Arid Viper leveraged unintentional public access\r\nto the database.\r\nFurthermore, this mode does not provide any management capabilities for the overall Firebase project, but rather only\r\nprovides data read and write capabilities to the backend database. The generation of API keys and registration of the\r\nAndroid malware for the project would still need to be provisioned on the project’s management console.\r\nFinally, Talos found no public evidence of the Firebase/Google Cloud project being compromised such that it may be\r\nused by any parties except the project’s original creators. This supports our assessment that Skipped developers likely\r\nshared their Firebase project with Arid Viper operators.\r\nAs seen below, the malware used by Arid Viper in this campaign is very similar to remote access trojans (RATs) used by\r\nthe threat actor in previous campaigns. The previous versions of the malware all allude to the Skipped application, either\r\nvia references in Android package names or in the malware’s Graphical User Interface (GUI).\r\nMalicious app hash (SHA256) | Package name\r\nee7e5bd5254fff480f2b39bfc9dc17ccdad0b208ba59c010add52aee5187ed7f | com[.]dem[.]aitim[.]Skipped_Messenger\r\n9a7b9edddc3cd450aadc7340454465bd02c8619dda25c1ce8df12a87073e4a1f | com[.]pen[.]lime[.]Skipped_Messenger\r\n8667482470edd4f7d484857fea5b560abe62553f299f25bb652f4c6baf697964 | com[.]apps[.]sklite\r\nUser interface for an Arid Viper sample masquerading as the “Skipped” dating App.\r\nOur analysis uncovered an extended web of companies that create dating-themed applications that are similar or identical\r\nto Skipped. 
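The Firebase overlap described above can be checked directly from two decoded APKs. The script below is an added example for this page, not Talos tooling and not code from Skipped or from the malware: it reads the Firebase resource strings that the google-services Gradle plugin places in res/values/strings.xml, separates the identifiers that name the project (project_id, firebase_database_url, gcm_defaultSenderId) from those that name one client registration inside it (google_app_id, google_api_key), and reports whether two apps share a backend while carrying separately generated client credentials, which is the pattern Talos observed. Every resource value in the samples is a constructed placeholder.

```python
# Added example (not Talos code): compare the Firebase identifiers two decoded
# APKs carry in res/values/strings.xml. The resource names are the ones the
# google-services Gradle plugin emits; every value below is a constructed
# placeholder, not a real Skipped or Arid Viper identifier.
import xml.etree.ElementTree as ET

# Identify the backend project (shared by every client registered in it).
PROJECT_KEYS = ('project_id', 'firebase_database_url', 'gcm_defaultSenderId')
# Identify one client registration inside that project (per-app credentials).
CLIENT_KEYS = ('google_app_id', 'google_api_key')


def firebase_ids(strings_xml):
    '''Return {resource name: value} for the Firebase entries in a strings.xml.'''
    root = ET.fromstring(strings_xml)
    wanted = set(PROJECT_KEYS) | set(CLIENT_KEYS)
    found = {}
    for node in root.iter('string'):
        name = node.get('name')
        if name in wanted and node.text:
            found[name] = node.text.strip()
    return found


def compare_firebase(strings_xml_a, strings_xml_b):
    '''Classify how two apps relate at the Firebase layer.

    same project keys, same client keys      -> one app copied the config of the other
    same project keys, different client keys -> a second client was registered in the
                                                 same project (needs console access)
    different project keys                   -> unrelated backends
    '''
    a, b = firebase_ids(strings_xml_a), firebase_ids(strings_xml_b)
    shared_project = [k for k in PROJECT_KEYS if k in a and k in b and a[k] == b[k]]
    shared_client = [k for k in CLIENT_KEYS if k in a and k in b and a[k] == b[k]]
    if not shared_project:
        verdict = 'unrelated'
    elif shared_client:
        verdict = 'copied-config'
    else:
        verdict = 'shared-project-separate-registration'
    return {'verdict': verdict, 'shared_project': shared_project, 'shared_client': shared_client}


# Constructed strings.xml fragments (single-quoted attributes are valid XML).
BENIGN_APP = '''<resources>
    <string name='app_name'>DatingDemo</string>
    <string name='project_id'>datingdemo-1a2b3</string>
    <string name='firebase_database_url'>https://datingdemo-1a2b3.firebaseio.com</string>
    <string name='gcm_defaultSenderId'>100000000001</string>
    <string name='google_app_id'>1:100000000001:android:aaaa1111bbbb2222</string>
    <string name='google_api_key'>AIza-CONSTRUCTED-benign-key</string>
</resources>'''

SUSPECT_APP = '''<resources>
    <string name='app_name'>DatingDemo_Messenger</string>
    <string name='project_id'>datingdemo-1a2b3</string>
    <string name='firebase_database_url'>https://datingdemo-1a2b3.firebaseio.com</string>
    <string name='gcm_defaultSenderId'>100000000001</string>
    <string name='google_app_id'>1:100000000001:android:cccc3333dddd4444</string>
    <string name='google_api_key'>AIza-CONSTRUCTED-suspect-key</string>
</resources>'''

UNRELATED_APP = '''<resources>
    <string name='project_id'>other-backend-9z8y7</string>
    <string name='firebase_database_url'>https://other-backend-9z8y7.firebaseio.com</string>
    <string name='google_app_id'>1:200000000002:android:eeee5555ffff6666</string>
    <string name='google_api_key'>AIza-CONSTRUCTED-other-key</string>
</resources>'''

if __name__ == '__main__':
    print(compare_firebase(BENIGN_APP, SUSPECT_APP))
```

A shared project_id on its own shows only that two apps talk to the same backend; anyone holding a copied API key can do that when the database rules allow it, because Firebase API keys are identifiers rather than secrets. A different google_app_id under the same project is the stronger signal, since registering a second Android client is a console operation, which is why the distinct credentials matter more than the shared database URL.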
Given the aforementioned connections between Arid Viper’s mobile malware and Skipped, we assess that\r\nArid Viper operators may seek to leverage the infrastructure and/or names of these additional applications in future\r\nmalicious campaigns.\r\nThe publisher of Skipped, a company called “Skipped GmbH,” was registered and is headquartered in Germany, and\r\nappears to be linked to a multitude of seemingly non-malicious dating applications published by companies in Singapore\r\nand Dubai. We found that the domains used by these additional companies to distribute their dating applications, which\r\nare available on the Google and Apple application stores, were registered by Skipped GmbH. Most of these applications\r\nprovide their users with a chatting service, where no face-to-face interaction is possible. During these conversations, the\r\napplication will interrupt and request that the user buy “coins” in order to continue the interaction. This feature is notable as,\r\nif there is a current or potential connection between Arid Viper and these applications, it could generate revenue for the\r\nAPT operators.\r\nThe following online dating applications that are connected to Skipped GmbH can be installed from the Google Play\r\nStore or the Apple App Store:\r\n“SKIPPED - Chat, Match \u0026 Dating”: 50K downloads on Google Play.\r\n“Joostly - Dating App! Singles”: 10K downloads on Google Play.\r\n“VIVIO - Chat, flirt \u0026 Dating”: Available on Apple App Store.\r\n“Meeted (previously Joostly) - Flirt, Chat \u0026 Dating”: Available on Apple App Store.\r\n“Skipped” Application preview as shown in the Google Play store.\r\nCapture of the meeted[.]de website where the verbiage at the end states the nature of the application.\r\nWe were able to connect Skipped GmbH, the central entity in this ecosystem, to individual(s) operating under multiple\r\nmonikers. 
Pivoting off the individual(s) we were able to identify at least three different yet related companies in Germany\r\nthat author and distribute mobile applications that are usually dating-themed:\r\nCompany name | Established date\r\nSkipped GmbH | Feb 13, 2023\r\nDateed GmbH | July 3, 2020\r\nPyramids Media GmbH | Jan 28, 2019\r\nThese applications are distributed over both Apple and Google’s application stores and use German in their\r\nadvertisements and content. All of these applications contain romance or dating themes, a common characteristic of\r\napplications abused by the Arid Viper group in the past.\r\nTalos discovered multiple domains registered by Skipped GmbH that serve as product home pages and host artifacts like\r\napplication service agreements. The applications that these domains pertain to are all romance and dating themed and are\r\ndistributed on the App Stores using a variety of publisher entities. A high-level timeline of events for the companies,\r\ndomains and applications involved in this ecosystem is shown below:\r\nType | Value | Creation date | Notes\r\nCompany | Pyramids Media GmbH | January 28, 2019 | None\r\nDomain | skipped[.]at | January 16, 2020 | Skipped GmbH\r\nDomain | balou[.]app | April 8, 2020 | Skipped GmbH\r\nDomain | meeted[.]de | April 11, 2020 | Skipped GmbH\r\nCompany | Dateed GmbH | July 3, 2020 | None\r\nApplication | Juola/Skipped App | February 11, 2021 | Published by NYUTAINMENT PTE. LTD\r\nCompany | Dream DDF FZ-LLC, Dubai, UAE | Unknown. Public domain registered on July 4, 2021 | None\r\nApplication | Meeted App | August 25, 2021 | Published by Skipped GmbH\r\nDomain | lovbedo[.]com | September 22, 2021 | Unknown\r\nDomain | skpd[.]app | February 15, 2022 | Owned by Skipped GmbH\r\nCompany | NYUTAINMENT PTE. LTD, Singapore | March 31, 2022 | None\r\nApplication | VIVIO/Lovbedo app | April 7, 2022 | Published by Adx Consulting\r\nCompany | Adx Consulting DSO-IFZA, Dubai, UAE | Unknown. Public domain registered on April 26, 2022 | New publisher of Vivio/Lovbedo\r\nDomain | isingles[.]app | April 19, 2022 | Owned by Skipped GmbH\r\nDomain | joula[.]app | April 28, 2022 | Owned by Skipped GmbH\r\nDomain | hellovy[.]app | October 13, 2022 | Owned by Skipped GmbH\r\nDomain | meetey[.]app | October 14, 2022 | Owned by Skipped GmbH\r\nDomain | vivio[.]app | October 31, 2022 | Owned by Skipped GmbH\r\nCompany | Skipped GmbH | February 13, 2023 | None\r\nCompany | QUVY CORE PTE. LTD, Singapore | May 26, 2023 | None\r\nDomain | imatched[.]app | June 13, 2023 | Owned by Skipped GmbH\r\nDomain | skipped[.]us | July 7, 2023 | Owned by Skipped GmbH\r\nDomain | meeted[.]app | July 25, 2023 | Owned by Skipped GmbH\r\nAll websites listed above use the exact same template to present their content, with minor variations in the content itself,\r\ncaptions and images. The websites provide links to download the application from application stores in the website footer.\r\nThe legal agreement and publisher information on these sites, however, may not refer to Skipped GmbH. 
In fact, many of\r\nthe websites list companies based out of different countries:\r\nApp name | Developer name\r\nMeeted/Joostly (iOS), VIVIO (iOS), Joostly (Android) | Skipped GmbH, Flensburg, Germany (VAT number: DE328073875)\r\nVIVIO (Android) | Adx Consulting DSO-IFZA, Dubai Silicon Oasis\r\nMeeted (Android) | QUVY CORE PTE. LTD, Singapore (VAT ID: 202320706D)\r\nBalou (Android), Joula (Android) | NYUTAINMENT PTE. LTD (Singapore VAT ID: 202210925E)\r\nMeetey (Android) | Dream DDF FZ-LLC (Dubai, UAE)\r\nAlthough there is a concrete connection between Skipped GmbH and the domains associated with these applications as\r\nevidenced by their domain registration information, it is currently unclear if there is a direct relationship between\r\nSkipped GmbH and the other developers listed above that distribute these applications.\r\nTalos produced a graph to map the connections between the application companies, domains, and websites, which can be\r\nseen below. This graph includes a connection to Arid Viper’s Android malware based on the malware’s overlapping use of\r\nFirebase with Skipped, as explained above. At the center of the graph lies Skipped GmbH, which is used for registering\r\ndomains and establishing websites for the various dating applications. These applications and their websites are\r\nconnected to additional developers and publishers located globally. For example, the “Joula” application is distributed by\r\na company called “NYUTAINMENT PTE. LTD”, based out of Singapore. However, the domain for Joula, joula[.]app,\r\nwas registered by Skipped GmbH.\r\nNotably, although this ecosystem of applications and publishers cannot be explicitly categorized as a scam operation, at\r\nleast one of these companies, NYUTAINMENT PTE. LTD, was issued Cease and Desist orders in January 2022 by the\r\nBerlin Regional Court for operating websites and applications using fake profiles.\r\nGraph showing the network of companies\r\nMalicious campaign distributes mobile malware disguised as legitimate application updates\r\nArid Viper’s latest campaign, which Talos observed occurring since at least April 2022, targets Arabic-speaking Android\r\nusers through mobile malware that masquerades as application updates. Arid Viper has a history of disguising their\r\nmalware as updates, either for dating applications or for popular messaging applications such as WhatsApp, Signal, or\r\nTelegram. The attackers typically send targets a link to a tutorial video for the application, which is posted on a media-sharing website like YouTube.\r\nThe tutorial video will provide a step-by-step account of all features of the application and instructions on how to operate\r\nit in Arabic, suggesting a specific targeting of Arabic-speaking individuals. One such video depicts an individual\r\nnarrating in Arabic in Levantine dialect. A URL is provided in the video’s description, which directs to an attacker-controlled domain that serves a copy of Arid Viper’s APK malware.\r\nYouTube video with link to download malicious APK (Arabic language).\r\nTalos identified a YouTube account that hosted such a video. The account was created on March 17, 2022 and has\r\nuploaded only one video, suggesting Arid Viper may use such accounts to host a limited number of videos at a time. The\r\nvideo, as shown in the screen capture above, had approximately 50 views at the time of writing.\r\nWe assess that all the domains used by the attackers in this campaign are solely registered, operated and controlled by\r\nArid Viper. 
These domains follow the same naming schema observed in previous Arid Viper infrastructure and are not\r\nonly used to host malicious APKs, but also act as C2 servers for the implants. The domains are typically administered by\r\nthe attackers using web shells such as “ALFA TEaM Shell”.\r\nALFA TEaM web shell prompt on Arid Viper’s domain.\r\nAs previously mentioned, some of the malware deployed in this campaign used Google’s Firebase platform as C2\r\ninfrastructure for the malicious applications. The Firebase platform primarily serves as a C2 channel to issue commands\r\nand to download and upload files. The platform also has the ability to provide a new C2 server address to the malware so\r\nthat it can switch from the Firebase platform to another attacker-controlled C2 host. One of the Firebase projects used by\r\nArid Viper in this campaign dates back to 2021 and has some non-malicious mobile APKs associated with it, indicating\r\noperators have been trying to create, test and popularize other APK software out of the same account for years.\r\nMobile malware enables operators to collect targets’ information and deploy additional malware\r\nArid Viper’s Android malware has a number of features that enable the operators to surreptitiously collect sensitive\r\ninformation from victims’ devices and deploy additional executables. The malware uses native code to hide some of its\r\nactivities, leveraging Android’s ability to load shared libraries compiled to native machine code.\r\nAndroid applications are usually built from Java code; however, for performance reasons, applications can\r\nload libraries which are compiled into native code (shared libraries). 
This native code is also harder to analyze and\r\nreverse engineer.\r\nOnce deployed, the malware attempts to hide itself on the victim device by disabling system or security notifications from\r\nthe operating system. The malware completely disables notifications on Samsung mobile devices and on any device with\r\nan Android package that contains the word “security”. The malware makes notifications less visible on Huawei, Google,\r\nOppo and Xiaomi mobile devices.\r\nThis malware loads a library typically called “libuoil.so” or “libdalia.so”, which exports four main functions. Each of\r\nthese functions returns the name of an administration package installed by vendors on their version of the Android\r\nOpen Source Project (AOSP).\r\nExample of an exported function\r\nThese names are then used to hide notifications from the security packages of the four vendors mentioned above. It\r\nis unclear why the package names for these four vendors are handled differently (returned from native code rather than\r\nkept in the app’s Java code), since the strings are not obfuscated in the native code library.\r\nArid Viper has been using native code libraries since at least 2021 with the intent of obfuscating C2 hostnames. 
However,\r\nin this campaign, the strings are not obfuscated at all and are used just to nullify the notifications from built-in security\r\npackages, a notable development in the way in which the threat actor is developing and packaging their Android malware.\r\nThe malware is configured to obtain a number of permissions from the infected device, including the ability to:\r\nRecord audio\r\nRead contacts\r\nDisable Keyguard, which disables keylocks and associated password security measures\r\nRead call logs\r\nSend, receive and read SMS messages\r\nView and change Wi-Fi settings\r\nKill background apps\r\nRead contents of external storage\r\nAccess the camera to take pictures and record video\r\nRetrieve information on currently running tasks on the device\r\nDownload files without notifications to users\r\nCreate system alerts\r\nThese capabilities and the code used to implement them are explored in greater detail below.\r\nFrom the capability point of view, this RAT exhibits all the classic functionalities of an Android-based RAT including\r\nsystem fingerprinting, data exfiltration and payload deployment, to name a few.\r\nExecutes trojanized apps\r\nThe malware has the capability to download additional malware, which is typically masquerading as updates for\r\nlegitimate applications. It can also display notifications that specific applications have updates available, potentially\r\nprompting users to install the malicious updates. 
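One way to triage a sample against the permission list above, written for this page and not taken from Talos or from the malware: parse the decoded AndroidManifest.xml, map each capability in the list to the android.permission.* constants that grant it (the constants are real Android permissions; the mapping from the list to them is this example's own assumption), and separate the permissions a dating or chat app plausibly needs from the wider surveillance set. Both manifests are constructed.

```python
# Added example (not Talos code): score a decoded AndroidManifest.xml against
# the permission profile listed in the report. The android.permission.* names
# are real Android constants; mapping each capability in the text onto them is
# this example's own assumption, and both manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# capability named in the report -> permissions that grant it
RAT_PROFILE = {
    'record audio': {'android.permission.RECORD_AUDIO'},
    'read contacts': {'android.permission.READ_CONTACTS'},
    'disable keyguard': {'android.permission.DISABLE_KEYGUARD'},
    'read call logs': {'android.permission.READ_CALL_LOG'},
    'send/receive/read SMS': {'android.permission.SEND_SMS',
                              'android.permission.RECEIVE_SMS',
                              'android.permission.READ_SMS'},
    'view/change Wi-Fi': {'android.permission.ACCESS_WIFI_STATE',
                          'android.permission.CHANGE_WIFI_STATE'},
    'kill background apps': {'android.permission.KILL_BACKGROUND_PROCESSES'},
    'read external storage': {'android.permission.READ_EXTERNAL_STORAGE'},
    'camera': {'android.permission.CAMERA'},
    'running tasks': {'android.permission.GET_TASKS'},
    'silent downloads': {'android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'},
    'system alerts': {'android.permission.SYSTEM_ALERT_WINDOW'},
}

# Capabilities a dating/chat app plausibly needs on its own; only the wider
# surveillance set (SMS, call log, keyguard, overlays, tasks) is discriminating.
EXPECTED_FOR_DATING_APP = {'camera', 'read external storage', 'record audio'}


def declared_permissions(manifest_xml):
    '''Set of android:name values from every <uses-permission> element.'''
    root = ET.fromstring(manifest_xml)
    return {n.get(ANDROID_NS + 'name') for n in root.iter('uses-permission')}


def profile_match(manifest_xml):
    '''Which report capabilities the manifest can support, plus a score in [0, 1].'''
    perms = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, needed in RAT_PROFILE.items() if needed & perms)
    unexpected = sorted(set(hits) - EXPECTED_FOR_DATING_APP)
    return {
        'hits': hits,
        'unexpected_for_dating_app': unexpected,
        'coverage': len(hits) / len(RAT_PROFILE),
    }


def looks_like_rat(manifest_xml, min_unexpected=4):
    '''Triage rule: flag when several non-dating capabilities are present together.'''
    return len(profile_match(manifest_xml)['unexpected_for_dating_app']) >= min_unexpected


# Constructed manifests (single-quoted attributes are valid XML).
SUSPECT_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.constructed.messenger'>
    <uses-permission android:name='android.permission.INTERNET'/>
    <uses-permission android:name='android.permission.RECORD_AUDIO'/>
    <uses-permission android:name='android.permission.READ_CONTACTS'/>
    <uses-permission android:name='android.permission.DISABLE_KEYGUARD'/>
    <uses-permission android:name='android.permission.READ_CALL_LOG'/>
    <uses-permission android:name='android.permission.READ_SMS'/>
    <uses-permission android:name='android.permission.RECEIVE_SMS'/>
    <uses-permission android:name='android.permission.SEND_SMS'/>
    <uses-permission android:name='android.permission.READ_EXTERNAL_STORAGE'/>
    <uses-permission android:name='android.permission.CAMERA'/>
    <uses-permission android:name='android.permission.GET_TASKS'/>
    <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
    <application android:label='Constructed Sample'/>
</manifest>'''

BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.constructed.dating'>
    <uses-permission android:name='android.permission.INTERNET'/>
    <uses-permission android:name='android.permission.CAMERA'/>
    <uses-permission android:name='android.permission.READ_EXTERNAL_STORAGE'/>
    <application android:label='Constructed Dating App'/>
</manifest>'''

if __name__ == '__main__':
    print(profile_match(SUSPECT_MANIFEST), looks_like_rat(SUSPECT_MANIFEST))
```

The coverage score alone is a weak signal, since a legitimate messenger also declares camera, microphone and storage; the discriminating combination is SMS, call log, keyguard, task and overlay permissions together, which is what looks_like_rat keys on. Run it on the manifest produced by apktool d or a similar decoder, not on the binary XML inside the APK.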
The malware has the capability to download, rename, and run the\r\nfollowing applications:\r\n“.whatsapp-update.apk” to “whatsapp-update.apk”\r\n“.messenger-update.apk” to “messenger-update.apk”\r\n“.google-play-update.apk” to “google-play-update.apk”\r\n“.instagram-update.apk” to “instagram-update.apk”\r\nApp name construction.\r\nRetrieves system information\r\nThe implant has the ability to get system information from locations such as “/proc/cpuinfo”, and from system services\r\nsuch as “activity”. It will also get storage information from the device using the StatFs API, a wrapper for the\r\nstatvfs() Unix call.\r\nThe malware can retrieve the following SIM information for dual SIM devices for each SIM:\r\nNumber of SIM slots\r\nSIM state\r\nSIM Service Provider Name (SPN)\r\nSIM serial number\r\nSIM Device ID (IMEI or MEID)\r\nSIM subscriber ID (IMSI)\r\nIt can also retrieve the following battery information for the device:\r\nBattery health\r\nBattery status\r\nAverage battery level\r\nThe malware can identify the manufacturer of the device if it is one of the following:\r\nHuawei\r\nXiaomi\r\nVivo\r\nOppo\r\nIt can get the following network information:\r\nPublic IPv4 and IPv6 address using https://api.ipify.org\r\nMAC address\r\nWi-Fi network name\r\nFinally, the malware is able to retrieve additional information, including:\r\nWhether the phone supports 2G, 3G, or 4G\r\nDevice ID\r\nEmail address of account associated with the phone\r\nDevice brand and model\r\nOS release and API versions\r\nReceives additional C2 domains from the current C2\r\nThe Android implant can ask the current C2 for an updated C2 domain and store it in its configuration, as shown below:\r\nExfiltrates collected credentials\r\nIt can 
also exfiltrate credentials collected from Facebook and relay them to the C2 server:\r\nRecord, send and receive calls and SMS messages\r\nThe implant has the ability to record telephone calls made on the compromised device. This is done by recording the MIC\r\naudio source, capturing the recording to a specified location on disk, and subsequently uploading all files in the directory\r\nto the C2 server.\r\nThe malware can also capture SMS messages received by the device, send new SMS messages, and make calls to phone\r\nnumbers specified by the C2:\r\nSend SMS\r\nMake calls\r\nFinally, the implant records the following information for all SMS messages stored on the compromised device:\r\nSender ID and address\r\nBody/content\r\nRead status\r\nDate received\r\nType\r\nRecord contacts\r\nThe malware can record contact information from the device and save it in a file in a folder specified by the implant:\r\nContact ID\r\nDisplay name\r\nPhone number\r\nRecord call history\r\nThe implant has the ability to record the call history information on the compromised device and save it in a specific file\r\nand folder. This information can include:\r\nPhone number and name of caller\r\nCall type, either incoming or outgoing\r\nCall date and time\r\nCall duration in seconds\r\nExfiltrate files\r\nFinally, Arid Viper’s malware has the ability to copy all files with the following extensions in a specified directory to\r\nanother directory for exfiltration to C2: jpg, jpeg, png, pdf, doc, docx, ppt, pptx, xls, mpp, accdb, xlsx, mdb\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these\r\nattacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and\r\ntests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found in our GitHub repository 
here.\r\nHashes\r\nd5e59be8ad9418bebca786b3a0a681f7e97ea6374f379b0c4352fee1219b3c29\r\n8667482470edd4f7d484857fea5b560abe62553f299f25bb652f4c6baf697964\r\nd69cf49f703409bc01ff188902d88858a6237a2b4b0124d553a9fc490e8df68a\r\n1b6113f2faf070d078a643d77f09d4ca65410cf944a89530549fc1bebdb88c8c\r\n57fb9daf70417c3cbe390ac44979437c33802a049f7ab2d0e9b69f53763028c5\r\nf91e88dadc38e48215c81200920f0ac517da068ef00a75b1b67e3a0cd27a6552\r\na8ca778c5852ae05344ac60b01ad7f43bb21bd8aa709ea1bb03d23bde3146885\r\nfb9306f6a0cacce21afd67d0887d7254172f61c7390fc06612c2ca9b55d28f80\r\n682b58cad9e815196b7d7ccf04ab7383a9bbf1f74e65679e6c708f2219b8692b\r\ne0e2a101ede6ccc266d2f7b7068b813d65afa4a3f65cb0c19eb73716f67983f7\r\nf15a22d2bdfa42d2297bd03c43413b36849f78b55360f2ad013493912b13378a\r\nee7e5bd5254fff480f2b39bfc9dc17ccdad0b208ba59c010add52aee5187ed7f\r\nee98fd4db0b153832b1d64d4fea1af86aff152758fe6b19d01438bc9940f2516\r\n9a7b9edddc3cd450aadc7340454465bd02c8619dda25c1ce8df12a87073e4a1f\r\n33ae5c96f8589cc8bcd2f5152ba360ca61f93ef406369966e69428989583a14e\r\nNetwork IOCs\r\nluis-dubuque[.]in\r\nharoldramsey[.]icu\r\ndanny-cartwright[.]firm[.]in\r\nconner-margie[.]com\r\njunius-cassin[.]com\r\nhxxps[://]orin-weimann[.]com/abc/Update%20Services[.]apk\r\nhxxps[://]jack-keys[.]site/download/okOqphD\r\nhxxps[://]elizabeth-steiner[.]tech/download/HwIFlqt\r\nhxxps[://]orin-weimann[.]com/abc/signal[.]apk\r\nhxxps[://]lightroom-61eb2[.]firebaseio[.]com/\r\nhxxps[://]skippedtestinapp[.]firebaseio[.]com/\r\nSource: https://blog.talosintelligence.com/arid-viper-mobile-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/arid-viper-mobile-spyware/"
	],
	"report_names": [
		"arid-viper-mobile-spyware"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd304e1edd18b18a7d280ee093ef02f8e5706aca.pdf",
		"text": "https://archive.orkl.eu/bd304e1edd18b18a7d280ee093ef02f8e5706aca.txt",
		"img": "https://archive.orkl.eu/bd304e1edd18b18a7d280ee093ef02f8e5706aca.jpg"
	}
}