Stealth Falcon

Threat Actor updated 8 months ago (2024-11-29T13:58:48.203Z)

Download STIX

Preview STIX

Stealth Falcon, also known as Project Raven or FruityArmor, is a notable threat actor that has been active since at least 2012. This group is known for its cyber espionage activities primarily in the Middle East, targeting political activists, journalists, and dissidents. The group gained significant attention in May 2016 when a new Stealth Falcon document was released. Their tactics include using unusual backdoors in their attacks on government entities, with one of the most recent examples being the novel sophisticated Deadglyph malware, as reported by The Hacker News in September 2023. There are two main hypotheses regarding the origins and sponsorship of Stealth Falcon. Hypothesis 1 suggests that Stealth Falcon is state-sponsored, with circumstantial evidence pointing towards a link between the group and the UAE government. This hypothesis is further supported by the group's consistent targeting of figures within the UAE. On the other hand, Hypothesis 2 posits that Stealth Falcon is not state-sponsored. Despite these contrasting views, there seems to be an overlapping pattern of targets and tactics between Stealth Falcon and another group called Project Raven, leading some to suggest that they might be the same entity. The connection between Stealth Falcon and Project Raven was made more explicit by Claudio Guarnieri and Amnesty International. They concluded in 2019 that Stealth Falcon and Project Raven are likely the same group, given their similar targeting and attack strategies. This conclusion was based on the observation that both groups targeted similar individuals and used similar methods, raising suspicions about their common origin. Regardless of the exact nature of their affiliation, it is clear that Stealth Falcon represents a significant and ongoing cyber threat, particularly to those in the Middle East.

Description last updated: 2024-05-04T17:12:30.458Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Fruityarmor is a possible alias for Stealth Falcon. FruityArmor, also known as Stealth Falcon or Project Raven, is a threat actor linked to the United Arab Emirates (UAE), according to MITRE. Active since 2012, this state-sponsored hacking group is known for targeting political activists, journalists, and dissidents in the Middle East. The cybersecur	2
Project Raven is a possible alias for Stealth Falcon. Project Raven, also known as Stealth Falcon or FruityArmor, is a threat actor linked to the United Arab Emirates (UAE), identified by cybersecurity researchers as being active since 2012. This group has been associated with state-sponsored cyber-espionage activities, primarily targeting political ac	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Apt

Espionage

Malware

UAE

Spyware

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Deadglyph Malware is associated with Stealth Falcon. Deadglyph is a sophisticated malware, or malicious software, discovered in September 2023 by ESET researchers. It was identified as a new backdoor used by the FruityArmor threat actor, also known as Stealth Falcon, primarily targeting Middle Eastern governments. The malware consists of a native x64	Unspecified	4

Source Document References

Information about the Stealth Falcon Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	a month ago	16th June – Threat Intelligence Report - Check Point Research
Checkpoint	2 months ago	Stealth Falcon's Exploit of Microsoft Zero Day Vulnerability - Check Point Research
CERT-EU	2 years ago	Cyber Security Week in Review: September 29, 2023
CERT-EU	2 years ago	DHS: US critical infrastructure facing malicious AI threat
CERT-EU	2 years ago	UAE-Linked APT Targets Middle East Government With New 'Deadglyph' Backdoor
CERT-EU	2 years ago	UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
BankInfoSecurity	2 years ago	Deadglyph Backdoor Targeting Middle Eastern Government
CERT-EU	2 years ago	New Deadglyph backdoor detailed
CERT-EU	2 years ago	UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack
CERT-EU	2 years ago	Stealth Falcon cyber spies use unusual backdoor in attacks on government entities in the Middle East
CERT-EU	2 years ago	Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
CERT-EU	2 years ago	Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East
InfoSecurity-magazine	2 years ago	Researchers Spot Novel “Deadglyph” Backdoor
Securityaffairs	2 years ago	Deadglyph, a very sophisticated and unknown backdoor targets the Middle East
Securityaffairs	2 years ago	Security Affairs newsletter Round 438 by Pierluigi Paganini
CERT-EU	2 years ago	New stealthy and modular Deadglyph malware used in govt attacks
CERT-EU	2 years ago	Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics – GIXtools
CERT-EU	2 years ago	ESET's cutting-edge threat research at LABScon – Week in security with Tony Anscombe
CERT-EU	2 years ago	Stealth Falcon preying over Middle Eastern skies with Deadglyph
MITRE	2 years ago	Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents - The Citizen Lab