Stealth Falcon

Threat Actor Profile Updated 2 months ago
Download STIX
Preview STIX
Stealth Falcon, also known as Project Raven or FruityArmor, is a notable threat actor that has been active since at least 2012. This group is known for its cyber espionage activities primarily in the Middle East, targeting political activists, journalists, and dissidents. The group gained significant attention in May 2016 when a new Stealth Falcon document was released. Their tactics include using unusual backdoors in their attacks on government entities, with one of the most recent examples being the novel sophisticated Deadglyph malware, as reported by The Hacker News in September 2023. There are two main hypotheses regarding the origins and sponsorship of Stealth Falcon. Hypothesis 1 suggests that Stealth Falcon is state-sponsored, with circumstantial evidence pointing towards a link between the group and the UAE government. This hypothesis is further supported by the group's consistent targeting of figures within the UAE. On the other hand, Hypothesis 2 posits that Stealth Falcon is not state-sponsored. Despite these contrasting views, there seems to be an overlapping pattern of targets and tactics between Stealth Falcon and another group called Project Raven, leading some to suggest that they might be the same entity. The connection between Stealth Falcon and Project Raven was made more explicit by Claudio Guarnieri and Amnesty International. They concluded in 2019 that Stealth Falcon and Project Raven are likely the same group, given their similar targeting and attack strategies. This conclusion was based on the observation that both groups targeted similar individuals and used similar methods, raising suspicions about their common origin. Regardless of the exact nature of their affiliation, it is clear that Stealth Falcon represents a significant and ongoing cyber threat, particularly to those in the Middle East.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Project Raven
2
Project Raven, also known as Stealth Falcon or FruityArmor, is a threat actor linked to the United Arab Emirates (UAE), identified by cybersecurity researchers as being active since 2012. This group has been associated with state-sponsored cyber-espionage activities, primarily targeting political ac
Fruityarmor
1
FruityArmor, also known as Stealth Falcon or Project Raven, is a threat actor linked to the United Arab Emirates (UAE) according to MITRE. Active since 2012, this group has been associated with cyberespionage activities targeting political activists, journalists, and dissidents primarily in the Midd
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Espionage
Apt
Spyware
UAE
Fraud
Mitre
exploitation
Malware
Eset
Downloader
Exploit
State Sponso...
State Sponso...
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
DeadglyphUnspecified
3
Deadglyph is a sophisticated malware, named and detailed by ESET, used in cyberespionage attacks targeted at Middle Eastern governments. The malware is linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as FruityArmor, which has been previously associated with the United
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
APT28Unspecified
1
APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Stealth Falcon Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
9 months ago
Cyber Security Week in Review: September 29, 2023
CERT-EU
10 months ago
DHS: US critical infrastructure facing malicious AI threat
CERT-EU
10 months ago
UAE-Linked APT Targets Middle East Government With New 'Deadglyph' Backdoor
CERT-EU
10 months ago
UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
BankInfoSecurity
10 months ago
Deadglyph Backdoor Targeting Middle Eastern Government
CERT-EU
10 months ago
New Deadglyph backdoor detailed
CERT-EU
10 months ago
UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack
CERT-EU
10 months ago
Stealth Falcon cyber spies use unusual backdoor in attacks on government entities in the Middle East
CERT-EU
10 months ago
Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
CERT-EU
10 months ago
Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
InfoSecurity-magazine
10 months ago
Researchers Spot Novel “Deadglyph” Backdoor
Securityaffairs
10 months ago
Deadglyph, a very sophisticated and unknown backdoor targets the Middle East
Securityaffairs
10 months ago
Security Affairs newsletter Round 438 by Pierluigi Paganini
CERT-EU
10 months ago
New stealthy and modular Deadglyph malware used in govt attacks
CERT-EU
10 months ago
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics – GIXtools
CERT-EU
10 months ago
ESET's cutting-edge threat research at LABScon – Week in security with Tony Anscombe
CERT-EU
10 months ago
Stealth Falcon preying over Middle Eastern skies with Deadglyph
MITRE
a year ago
Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents - The Citizen Lab