{
	"id": "4ace074e-3d26-4a13-8cda-fedd6ef2edf1",
	"created_at": "2026-04-06T00:10:32.343721Z",
	"updated_at": "2026-04-10T13:11:31.477938Z",
	"deleted_at": null,
	"sha1_hash": "e73db1470ec074c7e62fbc4ca4356a1bc83acfd4",
	"title": "Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 927205,
	"plain_text": "Arid Viper APT targets Palestine with new wave of politically\r\nthemed phishing attacks, malware\r\nBy Asheer Malhotra\r\nPublished: 2022-02-02 · Archived: 2026-04-05 17:47:26 UTC\r\nCisco Talos has observed a new wave of Delphi malware called Micropsia developed and operated by the Arid\r\nViper APT group since 2017.\r\nThis campaign targets Palestinian entities and activists using politically themed lures.\r\nThe latest iteration of the implant contains multiple RAT and information-gathering capabilities.\r\nExecutive summary\r\nCisco Talos has identified a new wave of what is believed to be an ongoing campaign using the Delphi malware\r\nsince 2017. Talos believes with high confidence that this is the work of the Arid Viper threat actor. This is a group\r\nbelieved to be based out of Gaza that's known to target organizations all over the world. The actor uses the\r\nMicropsia implant in the most recent wave that started around October 2021.\r\nThis actor uses their Delphi-based Micropsia implant to target Palestinian individuals and organizations, using\r\npolitically themed file names and decoy documents. The most recent wave uses content originally published on\r\nthe Turkish state-run news agency Anadolu and on the Palestinian MA'AN development center to target activists\r\nand Palestinian institutions. The tactics, techniques and procedures (TTPs) used in the most recent samples found\r\nby Talos lead us to believe this is a campaign linked to the previous campaign we reported on in 2017. Meta\r\nexposed this actor in an April 2021 report that focused mainly on mobile targeting operations. However, that did\r\nnot stop the group, as they've continued to target Windows-based systems. Although this group hasn't\r\ntechnologically evolved, it has the motivation and means to operate longstanding campaigns against the same\r\ntargets. 
This level of motivation makes them particularly dangerous to organizations that may come into their\r\ncrosshairs. An in-depth defense using protections against the several layers of their infection chain is the best\r\nstrategy to defend against this kind of threat. This should include email security to detect and prevent their most\r\ncommon initial attack vector, along with Cisco Secure Endpoint if the implant is successfully delivered using\r\nnovel attack vectors. On the network side, Cisco Secure Firewall and Umbrella can be used to detect command\r\nand control (C2) communications performed with new versions and variants of their implants.\r\nArid Viper threat actor\r\nArid Viper, also known as Desert Falcon or APT C-23, was first exposed in 2015. This threat actor's main\r\nmotivation is espionage and information theft, and has been attributed to malicious operators politically motivated\r\ntowards the liberation of Palestine. Its victimology is dispersed all over the world, including Palestinian\r\norganizations and individuals. Arid Viper is not a technically evolved actor, however, it is known to target mobile\r\nand desktop platforms, including Apple iOS. Their toolkit consists of Delphi packers and compilers around their\r\nhttps://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html\r\nPage 1 of 13\n\nstaple malware, Micropsia. This implant has also been ported to other platforms with versions based on Python\r\nand an Android version.\r\nCampaign\r\nTalos has identified new waves of this campaign against Palestinian individuals and organizations. It uses the\r\nsame TTPs that we published in our first report on this actor back in 2017. 
The image below shows an example of\r\na lure used in 2019 — while the file name refers to an annual report from 2018, the contents actually mention\r\n2014 and 2015.\r\nExample of the decoy document from 2019.\r\nThe table below shows a small chronology of malicious implants masquerading as documents of interest being\r\ncreated with the same themes, which we associate with high confidence to the same ongoing campaign.\r\nThe use of politically themed lures reduced during 2018 and 2019, but we observed a definite increase in their\r\nusage in 2020 and 2021. Talos also observed other themes being used by this group (to deliver Micropsia) during\r\n2018 and 2019 and into 2020/21, but they were not considered as part of this campaign in analysis and are beyond\r\nthe scope of this research.\r\nMost recent decoys\r\nThe politically motivated content in the decoy documents, along with the use of the Arabic language, points to the\r\nvictims being Palestinian individuals and organizations.\r\nThe most recent decoy document from September 2021 contains an article about the reunification of Palestinian\r\nfamilies, originally published by the Anadolu Agency on Sept. 3, 2021.\r\nDecoy document containing text on Palestinian reunification.\r\nAnother decoy, also from September 2021, consists of an article on social and economically sustainable\r\ndevelopment in Palestine by the MA'AN development center — a Palestinian development and training institution\r\naimed at community development.\r\nDecoy document containing an article on Palestinian sustainable development.\r\nAnother decoy from July 2021 consisted of a patient's report containing affidavits from the State of Palestine's\r\nMinistry of Health. During March and February 2021, we observed the use of politically themed decoys. 
One of\r\nthese decoys consisted of a list of questions from a Palestinian activist on the Presidential decree issued on Feb.\r\n20, 2021, ordering the respect of freedom of expression ahead of legislative elections in May.\r\nDecoy containing a list of questions from a Palestinian activist.\r\nDeployment\r\nDuring this investigation, Talos could not find any email or social media posts that were somehow linked to the\r\nMicropsia implants. However, we found the implants and compressed files containing the implants. This follows\r\nthe same pattern that we described in our 2017 post about this actor. It is highly likely that the threat actor has\r\ncontinued to use the email vector to deliver their lures and implants.\r\nImplant analysis\r\nThe implant used to target Palestinian entities consists of Delphi-based versions of Micropsia. This implant\r\nconsists of a Delphi form with four buttons and four timers implemented to carry out different malicious activities\r\ndescribed below.\r\nForm1 containing the four timers.\r\nForm1 contents\r\nAll the malicious functionalities are implemented through the timers configured in the implant.\r\nDeploying the decoy document\r\nOne of these timers is responsible for extracting the decoy document and saving it to the %TEMP% folder and\r\nthen displaying it via ShellExecute:\r\nDecoy document extracted and displayed to the target.\r\nNow, if the implant is started with the \"-start\" command-line switch, it will skip the process for dropping and\r\ndisplaying the decoy document and jump straight to its RAT functionalities.\r\nEstablishing 
persistence\r\nAnother timer is used to establish persistence for the implant on the endpoint.\r\nHere, the implant will establish persistence by obtaining its current command line, which is then used to create a\r\nshortcut for itself in the %TEMP% directory. The shortcut to run the implant contains the \"-start\" switch (used to\r\nskip the displaying of the decoy document). This shortcut is then moved over to the currently logged-in user's\r\nStartup folder to complete persistence across reboots and re-logins.\r\nInformation Gathering\r\nThe remaining two timers will gather preliminary system information and activate the RAT capabilities of the\r\nimplant.\r\nThe sequence of actions followed for gathering system information from the endpoint is as follows:\r\n1. Generate a pc ID for the infected endpoint. Save this value into a data file, such as:\r\n\"%APPDATA%\\dsfjj45k.tmp\"\r\n2. Gather the Computername and username from ENV. Concatenate the computername, username and pcid\r\ninto format: \u003cCOMPNAME\u003e_\u003cusername\u003e_\u003cpcid\u003e\r\n3. Gather installed AV information from the endpoint via \"winmgmts:\\\\localhost\\root\\SecurityCenter2\" using\r\nquery \"SELECT * FROM AntiVirusProduct\". From the AV information obtained, record the DisplayName.\r\n4. Get OS information, specifically the installed product name.\r\n5. 
Get the current implant's command line and record it.\r\nAll this data gathered from the system is individually base64-encoded and assigned to HTTP form query variables\r\nwith the following name-value pairs:\r\nvcqmxylcv= base64 encoded \u003cCOMPNAME\u003e_\u003cusername\u003e_\u003cpcid\u003e\r\nvcnwaapcv= base64 encoded AV Name list.\r\nvcllgracv= base64 encoded OS version string.\r\nvcwjlxycv= base64 encoded implant command line.\r\nvccodwfcv= base64 encoded hardcoded flag.\r\nThe data is then sent to the implant's C2 server via an HTTP POST request, which is fairly standard in Micropsia\r\nimplants.\r\nRAT capabilities\r\nOnce the preliminary information has been sent, the implant now begins its remote access trojan (RAT) activity\r\nand waits for command codes from the C2 server.\r\nThe implant now uses two additional HTTP form variables to transmit the output of the commands executed on\r\nthe endpoint:\r\nvcgqjdlrcv = hardcoded value 0.\r\nmugnaq = base64 encoded screenshot or command output.\r\nThe C2 issues distinct command codes to the implant to carry out various actions on the infected endpoint.\r\nThe commands follow the format: ;\u003ccmd_code\u003e;\u003cbase64_encoded_supporting_data\u003e;\r\nField name | cmd_code | supporting_data\r\nExample | cmd | aXBjb25maWc\r\nThe above example would run the ipconfig command on the endpoint.\r\nThe command codes accepted by the implant are listed here:\r\nCommand code | Description\r\n\"1\" or \"2\" or \"sh\" | Capture screenshots to the %TEMP% directory and exfiltrate.\r\n\"log\" | Send the current activity log (recorded in an internal Memo) to the C2.\r\n\"cmd\" | Execute the command specified and send output to C2.\r\n\"df\" | Download file from a specified remote location into a local path specified by the C2.\r\n\"zero\" | Exit execution.\r\n\"lehar\" | Ask for the next command from the C2.\r\nWe have 
observed implants using two distinct URLs to instrument communications with the C2, one for\r\nexfiltration of screenshots and the other for all the other RAT commands.\r\nFor example one of the implants used a distinct URL for screenshots:\r\nhxxp[s]://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/ZCgbo9EVhYMA8PX\r\nWhile another URL was used for all other commands:\r\nhxxp[s]://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/bu5EmpJE7DUfzZD\r\nConclusion\r\nSince its initial disclosure by Talos in 2017, this campaign from Arid Viper has become a long-standing offensive\r\ncyber attack spanning well into 2021.\r\nState-sponsored actors and privateer groups rely heavily on stealth in their operations. The public disclosures of\r\ncampaigns and targeted attacks are usually followed by the actors taking down their infrastructure and revamping\r\ntheir implants to avoid discovery of their malicious assets.\r\nHowever, in the case of Arid Viper, the continued use of the same TTPs over the past four years indicates that the\r\ngroup doesn't feel affected by the public exposure of its campaigns and implants, and continues to operate\r\nbusiness as usual. This complete lack of deterrence makes them a dangerous group once they decide to target an\r\norganization or individual.\r\nThe lack of change also points to a certain level of success with their current TTPs. The new campaign and\r\naccompanying versions of Arid Viper's Micropsia implant disclosed in this research by Talos brings the spotlight\r\nback to their politically themed campaign to remind potential victims that the group is still very active.\r\nArid Viper is a prime example of groups that aren't very advanced technologically, however, with specific\r\nmotivations, are becoming more dangerous as they evolve over time and test their tools and procedures on their\r\ntargets. Implants such as Micropsia come in various forms such as Delphi, Python and Android. 
Such RATs,\r\nproliferated and operated by a highly motivated threat actor who refuses to back down, consist of a variety of\r\nfunctionalities and are constantly evolving. These RATs can be used to establish long-term access into victim\r\nenvironments and additionally deploy more malware purposed for espionage and stealing information and\r\ncredentials.\r\nIn-depth defense strategies based on a risk analysis approach can deliver the best results in prevention.\r\nHowever, this should always be complemented by a good incident response plan which has been not only tested\r\nwith tabletop exercises, but also reviewed and improved every time it is put to the test on real-world engagements.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on 
Snort.org.\r\nIOCS\r\nHashes\r\nd4e56e3a9dec89cc32df78aa4ba8b079aa5e697ed99a1e21e9bd31e85d5d1370\r\n1d4e54529feef53850f97f39029a906d53f3d4b2aea8373e27c413324a55681c\r\nbc03948ce4d88f32017d4a1725a05341d3ff72a616645d9893b8f5d11068217f\r\n8a730266c62fa79435497b1d7db38011e63b6c53b48593d65c24c36044d92dba\r\nf2f36a72cfb25cef74ff0ea8e3ad1c49c6dc3e128fd60a2717f4c5a225e20df2\r\n895adb54a13d9ebf3f7215f1bad77c0c548e7dd4c58c3a338d440520efcb8fc9\r\n27eaeb7f0195230e22d5beacc05b7d944aaec4894fbc02824f59b172e360713f\r\n7b9087d91a31d03dd2c235d8debf8ed10f4b82c430a236d159e06e7fb47464a9\r\naa507bbe5d2a32f6e1e3f311c1baf93fd4707def8596083f26683e85972f5ac0\r\nc9d7b5d06cd8ab1a01bf0c5bf41ef2a388e41b4c66b1728494f86ed255a95d48\r\n0a55551ade55705d4be6e946ab58a26d7cf8087558894af8799931b09d38f3bc\r\nc7e74330440fcf8f6b112f5493769de6cdbdea5944ab78697ab115c927cbd0a1\r\n2d03ff4e5d4d72afffd9bde9225fe03d6dc941982d6f3a0bbd14076a6c890247\r\ne288d7e42c8cdbf0156f008ff7d663f8c8e68faa2e902d51f3287f1bceae79b2\r\n5463b3573451d23f09cb3f6f3c210de182ed0dd8a89459381a7f69aa7f8ac9b4\r\nHostnames\r\ndeangelomcnay[.]news\r\njuliansturgill[.]info\r\n
earlahenry[.]com\r\nnicholasuhl[.]website\r\ncooperron[.]me\r\ndorothymambrose[.]live\r\nruthgreenrtg[.]live\r\nURLs\r\nhxxp://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/ZCgbo9EVhYMA8PX\r\nhxxp://deangelomcnay[.]news/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/bu5EmpJE7DUfzZD\r\nhxxps://cooperron[.]me/qWIlIdKf2buIH0k/GbrHoIfRqtE69hH/\r\nhxxps://dorothymambrose[.]live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/\r\nhxxp://dorothymambrose[.]live/hx3FByTR5o3zNZYD/sYkaiHz0Mse13C79dy1I/\r\nhxxps://nicholasuhl[.]website/X2EYSWlzSZgSUME210Zv/YPPV6kFl2PwwF0TEVHMy/\r\nhxxp://nicholasuhl[.]website/X2EYSWlzSZgSUME210Zv/YPPV6kFl2PwwF0TEVHMy/\r\nhxxps://earlahenry[.]com/Ct2azbEP57LtWgmK/lWaPwemAJ3LPFmDH/\r\nhxxp://earlahenry[.]com/Ct2azbEP57LtWgmK/lWaPwemAJ3LPFmDH/\r\nhxxp://juliansturgill[.]info/um2NxySaF4L5mSYE/KY1hNeVvrE1XCrKP/\r\nSource: https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html"
	],
	"report_names": [
		"arid-viper-targets-palestine.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e73db1470ec074c7e62fbc4ca4356a1bc83acfd4.pdf",
		"text": "https://archive.orkl.eu/e73db1470ec074c7e62fbc4ca4356a1bc83acfd4.txt",
		"img": "https://archive.orkl.eu/e73db1470ec074c7e62fbc4ca4356a1bc83acfd4.jpg"
	}
}