Arid Viper

Threat Actor Profile Updated a month ago
Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyber espionage group that has been active since at least 2013 and primarily targets countries in the Middle East. The group's physical location remains unknown, but it is associated with Palestinian interests and is believed to be linked to Hamas, based on the quality of its malware and the sophistication of its social engineering. The group was first reported by Meta Threat Investigators in 2020 and has since been linked to numerous attacks, including an espionage campaign against Android devices using the SpyC23 malware, which began in October.

Arid Viper has demonstrated an ability to adapt and evolve its techniques over time. A notable example was discussed in the VB2023 paper "Reinventing the steal: Arid Viper now with a Rusty flavour," which detailed the group's use of a unique malicious JavaScript file named myScript.js to distribute the AridSpy malware. This method had previously been linked to Arid Viper by 360 Beacon Labs and the FOFA network search engine. Researchers have also found a striking resemblance between Arid Viper's mobile malware and a legitimate dating application called Skipped, indicating a deliberate approach to disguising malicious apps as benign ones.

Despite extensive research into Arid Viper's activities, several open questions remain, including a possible connection between the threat actor and the Israel-Hamas conflict. The group has shown a propensity for targeting organizations in Palestine and Egypt, consistent with Arid Viper's typical targeting. Additionally, an IP address used by a DPRK-linked threat actor between January and May 2022 had previously been used by Arid Viper/Desert Falcon APT in 2020. This suggests possible collaboration or infrastructure overlap between different threat actors, adding a further layer of complexity to the understanding of this group's operations and motivations.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following overlapping names and profiles may also be worth reviewing.

Desert Falcons (3 votes): Desert Falcons, also known as APT-C-23, Arid Viper, or Two-tailed Scorpion, is a threat actor group associated with cyber espionage activities that have been ongoing since at least 2013. This group has targeted countries in the Middle East and has shown links to the Gaza Cybergang Group2, which is k

Desert Falcon (2 votes): Desert Falcon, also known as TAG-63, AridViper, or APT-C-23, is a threat actor believed to operate under the guidance of the Hamas terrorist organization. This group has been identified through infrastructure analysis associated with a website, revealing a cluster of domains that mimic their unique
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:

APT, Android, Malware, Spyware, Beacon, Facebook, ESET, Telegram, Cisco, iOS, Windows, Hamas, Talos
Associated Malware
No associations to display
Associated Threat Actors
Mantis (type: Unspecified, 1 vote): Mantis is a recognized threat actor, known for its sophisticated cyber operations. This group has been linked to several high-profile attacks and campaigns, including one that was tracked by Recorded Future as TAG-63, also known as APT-C-23. Mantis has shown connections to other notable threat group

Molerats (type: Unspecified, 1 vote): Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint's TA402 designation. Among 16 Adv
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Arid Viper threat actor was drawn from the document corpus below. This display is limited to 20 results.

Source | Created | Title
DARKReading | a month ago | Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine
ESET | a month ago | How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe
ESET | a month ago | Arid Viper poisons Android apps with AridSpy
InfoSecurity-magazine | a month ago | Arid Viper Hackers Spy in Egypt and Palestine Using Android Spyware
CERT-EU | 4 months ago | 12 Months of Fighting Cybercrime & Defending Enterprises | #cybercrime | #infosec | National Cyber Security Consulting
Checkpoint | 5 months ago | 19th February – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
InfoSecurity-magazine | 9 months ago | Arid Viper Campaign Targets Arabic-Speaking Users
CERT-EU | 9 months ago | Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors
CERT-EU | 9 months ago | The open source software question, market concentration in AI
CERT-EU | 9 months ago | Hamas-linked app offers window into cyber infrastructure, possible links to Iran
CERT-EU | 8 months ago | Shadowy hacking group targeting Israel shows outsized capabilities
CERT-EU | 9 months ago | You'd be surprised to know what devices are still using Windows CE
CERT-EU | 9 months ago | Arid Viper disguising mobile spyware as updates for non-malicious Android applications
CERT-EU | 10 months ago | Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU | 9 months ago | Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App
CERT-EU | 9 months ago | Arid Viper | APT's Nest of SpyC23 Malware Continues to Target Android Devices
CERT-EU | a year ago | Arid Viper Using Upgraded Malware In Middle East Cyberattacks | IT Security News