The hacker group Arid Viper has launched a new operation aimed at Palestinian organizations and activists. The advanced persistent threat (APT) gang, which is said to be based in Gaza, a war zone and a source of friction between Israel and Palestine, attacks organizations worldwide but now appears to be focusing on institutions involved in Palestinian politics.
Arid Viper, aka Two-tailed Scorpion, Desert Falcon, or APT C-23, has been in existence since at least 2015. The organization has been accused of carrying out spear-phishing campaigns against Palestinian law enforcement, the military, educational institutions, and the Israel Security Agency (ISA) in the past.
The group has previously used malware for both Windows and Android, with the Android variants distributed over the Internet via fake app stores. Delphi-based malware, however, has featured extensively in prior operations and appears to be Arid Viper’s weapon of choice. On Wednesday, Cisco Talos researchers revealed that the continuing effort targets activists with a Delphi-based Micropsia implant.
“The most recent samples found by Talos lead us to believe this is a campaign linked to the previous campaign we reported on in 2017,” the researchers say, adding that Arid Viper’s major objective is cyberespionage – and targets are chosen by the operators based on the political purpose of “liberation of Palestine.”
The initial attack vector is phishing emails, with content related to the Palestinian political issue and often taken from news organizations. For example, one fake document, released in 2021, was about a Palestinian family reunion, while another was a list of activist queries.
The implant activates when an intended victim opens one of these documents, deploying a variety of Remote Access Trojan (RAT) capabilities. The malware will gather operating system and antivirus data, send it to the operator’s command-and-control (C2) server, steal material from the machine, take screenshots, and conduct further surveillance. A timer embedded in the implant establishes persistence on the target system via the Startup folder.