Arid Viper

Threat Actor updated 4 months ago (2024-06-13T16:17:32.022Z)
Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyber espionage group active since at least 2013 that primarily targets countries in the Middle East. Its physical location has not been confirmed, but it operates in support of Palestinian interests and is assessed by several vendors to be linked to Hamas; the quality of its malware and the sophistication of its social engineering point to a well-resourced operation rather than an opportunistic one. The group was first publicly documented in 2015 (Trend Micro's Operation Arid Viper report and Kaspersky's Desert Falcons report), and Meta's threat investigators have since reported on and disrupted its social engineering operations. It has been linked to numerous attacks, including an espionage campaign against Android devices using the SpyC23 malware that began in October.

Arid Viper has repeatedly adapted its tooling. ESET's VB2023 paper "Reinventing the steal: Arid Viper now with a Rusty flavour" documented the group's move to Rust-based tooling, and ESET's later research into the AridSpy Android malware identified a malicious JavaScript file named myScript.js on the sites used to distribute it; the same file had previously been tied to Arid Viper by 360 Beacon Labs and through the FOFA network search engine. Researchers have also found a striking resemblance between one of Arid Viper's mobile malware samples and the legitimate dating application Skipped, a deliberate disguise intended to make the spyware pass as a benign app.

Despite the volume of research into Arid Viper, open questions remain, including the extent of the group's involvement in the Israel-Hamas conflict. Its targets include organizations in Palestine and Egypt. An IP address used by a DPRK-linked threat actor between January and May 2022 had previously been used by Arid Viper/Desert Falcons in 2020. Sequential reuse of an address two years apart is weak evidence on its own, since hosting is routinely recycled, but it raises the possibility of infrastructure sharing or overlap between otherwise distinct actors and adds another layer of complexity to attributing this group's operations.
Description last updated: 2024-06-13T16:16:21.334Z
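The description above rests on a shared-infrastructure observation (one IP address used by Arid Viper in 2020 and by a DPRK-linked actor in 2022). The following is an added example, not code from Cybergeist or from any vendor report, showing how an analyst can test such a claim against a set of indicator sightings: group sightings by indicator, find indicators seen with more than one actor, and measure the gap between uses so that concurrent use (strong evidence of a shared operator) is separated from sequential reuse years apart (weak evidence, since VPS addresses are recycled). All actor names, indicators and dates in the sample data are constructed for illustration and are not real observations.

```python
"""Infrastructure-overlap check over indicator sightings (added example).

The sightings below are constructed to mirror the shape of the claim in
the description; the IPs are documentation ranges and the dates are
illustrative, not taken from any report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    actor: str
    indicator: str  # IP address, domain, hash ...
    first_seen: date
    last_seen: date


# Constructed sample data (hypothetical actors, indicators and dates).
SIGHTINGS = [
    Sighting("Arid Viper", "198.51.100.7", date(2020, 3, 1), date(2020, 9, 30)),
    Sighting("DPRK-linked actor", "198.51.100.7", date(2022, 1, 1), date(2022, 5, 31)),
    Sighting("Arid Viper", "update-portal.test", date(2023, 10, 1), date(2023, 12, 1)),
    Sighting("Arid Viper", "203.0.113.9", date(2023, 1, 1), date(2023, 6, 1)),
    Sighting("DPRK-linked actor", "203.0.113.9", date(2023, 4, 1), date(2023, 8, 1)),
]


def find_overlaps(sightings):
    """Return one record per pair of consecutive uses of an indicator by
    different actors.

    gap_days is the number of days from the end of the earlier use to the
    start of the later one. Zero or negative means the two actors used the
    indicator at the same time ("concurrent"); a large positive gap means
    the indicator was merely reused later ("sequential reuse"), which on
    its own says little about the operators because hosting is recycled.
    """
    by_indicator = defaultdict(list)
    for s in sightings:
        by_indicator[s.indicator].append(s)

    results = []
    for indicator, uses in by_indicator.items():
        if len({u.actor for u in uses}) < 2:
            continue  # only one actor ever seen on this indicator
        uses.sort(key=lambda u: u.first_seen)
        for earlier, later in zip(uses, uses[1:]):
            if earlier.actor == later.actor:
                continue
            gap = (later.first_seen - earlier.last_seen).days
            results.append({
                "indicator": indicator,
                "earlier": earlier.actor,
                "later": later.actor,
                "gap_days": gap,
                "strength": "concurrent" if gap <= 0 else "sequential reuse",
            })
    return results


if __name__ == "__main__":
    for r in find_overlaps(SIGHTINGS):
        print(f"{r['indicator']}: {r['earlier']} -> {r['later']} "
              f"(gap {r['gap_days']} days, {r['strength']})")
```

Run against the constructed sightings, the 198.51.100.7 entry comes out as sequential reuse with a gap of 458 days, while 203.0.113.9 comes out as concurrent use; only the second kind would justify language stronger than "possible overlap" in a profile like this one.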
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description

Desert Falcons (3 votes): Desert Falcons is a possible alias for Arid Viper. Desert Falcons, also known as APT-C-23, Arid Viper, or Two-tailed Scorpion, is a threat actor group associated with cyber espionage activities that have been ongoing since at least 2013. This group has targeted countries in the Middle East and has shown links to the Gaza Cybergang Group2, which is k

Desert Falcon (2 votes): Desert Falcon is a possible alias for Arid Viper. Desert Falcon, also known as TAG-63, AridViper, or APT-C-23, is a threat actor believed to operate under the guidance of the Hamas terrorist organization. This group has been identified through infrastructure analysis associated with a website, revealing a cluster of domains that mimic their unique
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Android
Malware
Spyware
Beacon
Source Document References
Information about the Arid Viper Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)

DARKReading (4 months ago)
ESET (4 months ago)
ESET (4 months ago)
InfoSecurity-magazine (4 months ago)
CERT-EU (7 months ago)
Checkpoint (8 months ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)