Arid Viper

Threat Actor Profile Updated 24 days ago
Arid Viper, also known as APT-C-23 or Desert Falcon, is a threat actor associated with Palestinian interests that has conducted cyber espionage throughout the Middle East. According to the paper "Reinventing the steal: Arid Viper now with a Rusty flavour", presented at VB2023, Arid Viper's SpyC23 malware has been used in an extensive espionage campaign targeting Android devices since October. The group has shown an ability to adapt and evolve, using a range of techniques including social engineering and abuse of legitimate platforms. For instance, the group previously relied on fake Facebook and Instagram profiles but has recently switched to a dating app from a German developer (Skipped) to target mainly Arabic-speaking Android users. Its operations are characterised by the deployment of customised mobile malware delivered as Android Package (APK) files. The C2 server IP address 192.169.7[.]197 was used by Arid Viper in 2020 and later, from January to May 2022, by a DPRK-linked threat actor. One notable feature of Arid Viper's operation is the striking resemblance between its mobile malware and the legitimate dating application Skipped. The spyware collects sensitive personal information from targeted devices and disables security notifications, allowing further malware to be installed. The link between Arid Viper and the Israel-Hamas conflict remains a key open question in understanding the group's motivations and potential targets. The low-grade malware quality and elaborate social engineering tactics suggest that Arid Viper may be linked to Hamas. Cybersecurity experts at Cisco Talos have exposed the latest operations of this espionage-driven advanced persistent threat (APT) group, which continues to pose a significant threat because of its persistent and evolving strategies.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile: Desert Falcon (2 votes)
Description: Desert Falcon, also known as TAG-63, AridViper, or APT-C-23, is a threat actor believed to operate under the guidance of the Hamas terrorist organization. This group has been identified through infrastructure analysis associated with a website, revealing a cluster of domains that mimic their unique
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Android
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Arid Viper threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 7 months ago | Arid Viper disguising mobile spyware as updates for non-malicious Android applications
Checkpoint | 3 months ago | 19th February – Threat Intelligence Report - Check Point Research
CERT-EU | 7 months ago | Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App
CERT-EU | 6 months ago | Shadowy hacking group targeting Israel shows outsized capabilities
CERT-EU | 8 months ago | Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU | 2 months ago | 12 Months of Fighting Cybercrime & Defending Enterprises | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 10 months ago | Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
CERT-EU | 7 months ago | Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors
CERT-EU | 7 months ago | Hamas-linked app offers window into cyber infrastructure, possible links to Iran
InfoSecurity-magazine | 7 months ago | Arid Viper Campaign Targets Arabic-Speaking Users
CERT-EU | a year ago | Arid Viper Using Upgraded Malware In Middle East Cyberattacks | IT Security News
CERT-EU | 7 months ago | The open source software question, market concentration in AI
CERT-EU | 7 months ago | You’d be surprised to know what devices are still using Windows CE
CERT-EU | 7 months ago | Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices