Deadglyph

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Deadglyph is a sophisticated malware, named and detailed by ESET, used in cyberespionage attacks targeted at Middle Eastern governments. The malware is linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as FruityArmor, which has been previously associated with the United Arab Emirates (UAE). Deadglyph consists of a native x64 binary that functions as an executor and a .NET assembly that functions as an orchestrator, presenting a unique architecture that separates it from traditional backdoor malware. The discovery and analysis of Deadglyph were made public on September 25, 2023, revealing its deployment in cyberespionage attacks against a government entity in the Middle East. Unlike typical backdoor malware, Deadglyph does not receive commands from the backdoor binary. Instead, it receives its functions dynamically from a command-and-control (C2) server in the form of modules, enhancing its stealth and adaptability. This novel approach to command and control makes the malware particularly difficult to detect and neutralize. During the investigation of Deadglyph, ESET discovered a Control Panel (CPL) file signed with an expired certificate that was uploaded to VirusTotal from Qatar. This file functioned as a multistage shellcode downloader and shared code similarities with Stealth Falcon’s backdoor, further linking the malware to this APT group. The emergence of Deadglyph underscores the escalating sophistication of cyber threats and the ongoing need for robust cybersecurity measures, particularly within sensitive sectors such as government agencies.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Downloader

Espionage

Eset

Loader

Proxy

State Sponso...

Windows

Shellcode

Net

Apt

Encrypt

Payload

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Stealth Falcon	Unspecified	3	Stealth Falcon, also known as Project Raven or FruityArmor, is a notable threat actor that has been active since at least 2012. This group is known for its cyber espionage activities primarily in the Middle East, targeting political activists, journalists, and dissidents. The group gained significan
Fruityarmor	Unspecified	1	FruityArmor, also known as Stealth Falcon or Project Raven, is a threat actor linked to the United Arab Emirates (UAE) according to MITRE. Active since 2012, this group has been associated with cyberespionage activities targeting political activists, journalists, and dissidents primarily in the Midd
Project Raven	Unspecified	1	Project Raven, also known as Stealth Falcon or FruityArmor, is a threat actor linked to the United Arab Emirates (UAE), identified by cybersecurity researchers as being active since 2012. This group has been associated with state-sponsored cyber-espionage activities, primarily targeting political ac

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Deadglyph Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	10 months ago	Cyber Security Week in Review: September 29, 2023
CERT-EU	10 months ago	DHS: US critical infrastructure facing malicious AI threat
CERT-EU	10 months ago	UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack
CERT-EU	10 months ago	Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
CERT-EU	10 months ago	ESET's cutting-edge threat research at LABScon – Week in security with Tony Anscombe
Securityaffairs	10 months ago	Security Affairs newsletter Round 438 by Pierluigi Paganini
CERT-EU	10 months ago	New ‘Grayling’ APT Targeting Organizations in Taiwan, US
CERT-EU	10 months ago	UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
CERT-EU	10 months ago	UAE-Linked APT Targets Middle East Government With New 'Deadglyph' Backdoor
BankInfoSecurity	10 months ago	Deadglyph Backdoor Targeting Middle Eastern Government
CERT-EU	10 months ago	New Deadglyph backdoor detailed
CERT-EU	10 months ago	Stealth Falcon cyber spies use unusual backdoor in attacks on government entities in the Middle East
CERT-EU	10 months ago	Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
InfoSecurity-magazine	10 months ago	Researchers Spot Novel “Deadglyph” Backdoor
Securityaffairs	10 months ago	Deadglyph, a very sophisticated and unknown backdoor targets the Middle East
CERT-EU	10 months ago	New stealthy and modular Deadglyph malware used in govt attacks
CERT-EU	10 months ago	Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics – GIXtools
CERT-EU	10 months ago	Stealth Falcon preying over Middle Eastern skies with Deadglyph