{
	"id": "41deece5-00ab-4529-a0a7-b3cf88494c2b",
	"created_at": "2026-04-06T03:37:10.856083Z",
	"updated_at": "2026-04-10T03:32:04.913722Z",
	"deleted_at": null,
	"sha1_hash": "f65d3ec4fde46a7c0f6d437b27bf223ce32dc246",
	"title": "Hamas Android Malware On IDF Soldiers-This is How it Happened - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1398783,
	"plain_text": "Hamas Android Malware On IDF Soldiers-This is How it\r\nHappened - Check Point Research\r\nBy etal\r\nPublished: 2020-02-16 · Archived: 2026-04-06 03:22:26 UTC\r\nIntroduction:\r\nEarlier today, the IDF’s spokesperson revealed that the IDF (Israel Defense Forces) and the ISA (Israel Security Agency, AKA\r\n“Shin Bet”) conducted a joint operation to take down a Hamas operation targeting IDF soldiers, dubbed\r\n‘Rebound’.\r\nIn this article, we describe the capabilities of the malware used and provide a technical analysis of it, along with the\r\nattack’s affiliation to APT-C-23, a hacking group with previously reported attacks in the Middle East.\r\nTechnical Analysis:\r\nThis MRAT (Mobile Remote Access Trojan) is disguised as a set of dating apps, “GrixyApp”, “ZatuApp”, and\r\n“Catch\u0026See”, each with a dedicated website and a description of a dating application.\r\nThe victims received a link to download the malicious application from a Hamas operator posing\r\nas an attractive woman. Once the application is installed and executed, it shows an error message stating that the\r\ndevice is not supported and that the app will uninstall itself. No uninstall actually happens; the app only hides\r\nits launcher icon.\r\nhttps://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/\r\nPage 1 of 7\n\nFigure 1 – Fake error message\r\nWhile hidden, the application communicates with the same server it was downloaded from, using the MQTT\r\nprotocol.\r\nThe main functionality of this malware is to collect data on the victim, such as phone number, location and SMS\r\nmessages, while also having the capability to extend its own code via a received command. 
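As an added example (not code from the Check Point report, and not code from the malware itself), the following Python triage script checks an unpacked APK for the combination of behaviours described here: a disabled launcher component to hide the icon, a DEX class loader for the code-extension command, an MQTT client for the C\u0026C channel, and the permissions needed for the data collection. It takes the manifest permission list and the classes.dex string table, both of which an analyst has after decoding a sample. The indicator lists, the capability names and the sample inputs are constructed for this example, and the Eclipse Paho package path is an assumption, since the report does not name the MQTT library the malware uses.

```python
# Added example, not Check Point's code: static triage of an unpacked APK for the
# capabilities the report describes. Inputs are the manifest permission list and
# the string table of classes.dex. Indicator lists, capability names and the
# sample inputs are constructed for this example; the Eclipse Paho package path
# is an assumption, the report does not name the MQTT library used.

INDICATORS = {
    # Hiding the launcher icon: the app disables its own launcher activity.
    'icon_hiding': ['setcomponentenabledsetting'],
    # Loading a DEX file fetched at runtime (the code-extension command).
    'dynamic_dex_load': ['dalvik/system/dexclassloader', 'inmemorydexclassloader'],
    # MQTT client for the C2 channel (Paho package path is an assumption).
    'mqtt_c2': ['org/eclipse/paho', 'mqttclient', 'tcp://'],
    # Enumerating installed applications (Figure 5 in the report).
    'app_enumeration': ['getinstalledapplications', 'getinstalledpackages'],
}

# Permissions mapped to the data categories the report lists.
COLLECTION_PERMS = {
    'android.permission.READ_SMS': 'sms',
    'android.permission.RECEIVE_SMS': 'sms',
    'android.permission.ACCESS_FINE_LOCATION': 'location',
    'android.permission.ACCESS_COARSE_LOCATION': 'location',
    'android.permission.READ_PHONE_STATE': 'phone_number',
    'android.permission.READ_CONTACTS': 'contacts',
    'android.permission.READ_EXTERNAL_STORAGE': 'storage',
}


def find_indicators(dex_strings):
    # Map each capability to the dex strings that evidence it (case-insensitive match).
    hits = {}
    for cap, needles in INDICATORS.items():
        evidence = sorted({s for s in dex_strings if any(n in s.lower() for n in needles)})
        if evidence:
            hits[cap] = evidence
    return hits


def collected_data(permissions):
    # Data categories the app is able to collect, judged from declared permissions.
    return sorted({COLLECTION_PERMS[p] for p in permissions if p in COLLECTION_PERMS})


def triage(permissions, dex_strings):
    caps = find_indicators(dex_strings)
    data = collected_data(permissions)
    # Icon hiding combined with a remote channel or runtime code loading, plus
    # broad collection permissions, is the profile of this campaign. Each
    # indicator on its own is common in legitimate apps, so alone it is only
    # flagged for review.
    remote = 'mqtt_c2' in caps or 'dynamic_dex_load' in caps
    if 'icon_hiding' in caps and remote and len(data) >= 2:
        verdict = 'likely-mrat'
    elif caps:
        verdict = 'review'
    else:
        verdict = 'clean'
    return {'verdict': verdict, 'capabilities': caps, 'collects': data}


# Constructed sample modelled on the dating-app lure described in the report.
LURE_PERMS = [
    'android.permission.INTERNET',
    'android.permission.READ_SMS',
    'android.permission.ACCESS_FINE_LOCATION',
    'android.permission.READ_PHONE_STATE',
    'android.permission.READ_EXTERNAL_STORAGE',
]
LURE_DEX_STRINGS = [
    'Lcom/example/dating/MainActivity;',
    'Your device is not supported, the app will be uninstalled',
    'setComponentEnabledSetting',
    'Ldalvik/system/DexClassLoader;',
    'loadClass',
    'Lorg/eclipse/paho/client/mqttv3/MqttClient;',
    'tcp://',
    'getInstalledApplications',
    'content://sms',
]

# Constructed benign app for contrast: uses location, but no hiding or code loading.
BENIGN_PERMS = ['android.permission.INTERNET', 'android.permission.ACCESS_COARSE_LOCATION']
BENIGN_DEX_STRINGS = ['Lcom/example/weather/MainActivity;', 'Ljava/net/HttpURLConnection;']

if __name__ == '__main__':
    for name, perms, strings in (('lure', LURE_PERMS, LURE_DEX_STRINGS),
                                 ('benign', BENIGN_PERMS, BENIGN_DEX_STRINGS)):
        print(name, triage(perms, strings))
```

Run it with python3; the lure sample comes back as likely-mrat with all four capabilities evidenced and sms, location, phone number and storage collection, while the benign app is clean. The verdict deliberately requires the combination rather than any single indicator: disabling a launcher component or loading a DEX at runtime is routine in legitimate apps, and it is the pairing with a hidden-icon trick and broad collection permissions that matches this campaign.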
The command can\r\nprovide the application with a URL to a DEX file, which is then downloaded and executed.\r\nFigure 2 – Code to download an additional DEX file\r\nFigure 3 – Communication with the C\u0026C\r\nFigure 4 – Collecting device information\r\nFigure 5 – Collecting a list of installed applications\r\nFigure 6 – Collecting storage information\r\nFigure 7 – Application hiding demo\r\nAffiliation:\r\nThe tactics, techniques and procedures (TTPs) used in this new wave of attacks are similar to those seen in\r\nprevious APT-C-23 campaigns.\r\nFirst, the threat group develops backdoors for Android devices that are usually disguised as chat applications.\r\nFigure 8 – Promotion websites\r\nSecond, dedicated and specially crafted websites are set up by the threat group to promote those backdoors,\r\nexplain their functionality, and offer a direct link to download them. Those domains, and others that are used for\r\nC\u0026C communications by known APT-C-23 samples, are usually registered through NameCheap, and this was also\r\nthe case with the newly discovered websites.\r\nLastly, malicious samples affiliated with APT-C-23 made references to the names of actors, TV characters and\r\ncelebrities both in their source code and C\u0026C communication. 
Although the new backdoors lacked those\r\nreferences, we were able to see the names of celebrities and known figures such as Jim Morrison, Eliza Doolittle,\r\nGretchen Bleiler and Dolores Huerta in the backdoor’s website, catchansee[.]com.\r\nFigure 9 – References to celebrities in server code\r\nThis campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure\r\nAndroid ecosystem. It requires attention and action from system developers, device manufacturers, app\r\ndevelopers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.\r\nIt is also another example of why organizations and consumers alike should have an advanced mobile threat\r\nprevention solution installed on the device to protect themselves against the possibility of unknowingly installing\r\nmalicious apps, even from trusted app stores.\r\nSource: https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"
	],
	"report_names": [
		"hamas-android-malware-on-idf-soldiers-this-is-how-it-happened"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446630,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f65d3ec4fde46a7c0f6d437b27bf223ce32dc246.pdf",
		"text": "https://archive.orkl.eu/f65d3ec4fde46a7c0f6d437b27bf223ce32dc246.txt",
		"img": "https://archive.orkl.eu/f65d3ec4fde46a7c0f6d437b27bf223ce32dc246.jpg"
	}
}