Stealth Falcon: A Persistent Espionage Threat
- Suspected Origin
- United Arab Emirates (suspected)
- Motivation
- Espionage, Information Theft
- Aliases
- None documented
- Target Sectors
- Government, Defense, Journalists, Activists, Dissidents, Civil Society Groups
- Associated Malware
- Horus Agent, Apollo (customized Mythic implant), Deadglyph, Win32/StealthFalcon, custom keyloggers, passive backdoors, DC Credential Dumper, PowerShell-based backdoors
Overview
Stealth Falcon (G0038), also known by aliases such as FruityArmor and Project Raven, is a highly sophisticated advanced persistent threat (APT) group that has been active since at least 2012. This group is known for conducting targeted cyber espionage operations, primarily focusing on the Middle East and Africa. While not officially confirmed, strong circumstantial evidence suggests a link between Stealth Falcon and the United Arab Emirates (UAE) government. Their operations are characterized by a persistent and evolving approach to intelligence gathering, consistently employing zero-day exploits and custom-built payloads.
The primary motivation behind Stealth Falcon’s activities appears to be information theft and espionage, rather than criminal or financial gain. They typically target high-profile entities within government and defense sectors, with observed victims in countries like Turkey, Qatar, Egypt, and Yemen. Historically, they have also extensively targeted Emirati journalists, human rights activists, and dissidents, as well as broader civil society groups in regions including the UAE, Saudi Arabia, the Netherlands, Thailand, and the UK. This dual targeting strategy, encompassing both state-level and individual adversaries, underscores their broad intelligence collection mandate.
Tactics & Techniques
Stealth Falcon employs a range of sophisticated tactics, techniques, and procedures (TTPs) that demonstrate a high level of operational security and adaptability. A consistent initial access vector is spear-phishing emails, often containing malicious links or attachments. These emails frequently leverage social engineering to entice targets, sometimes even impersonating fictitious organizations.
Recent campaigns, observed as late as March 2025, show a reliance on exploiting zero-day vulnerabilities. Check Point Research (CPR) identified a campaign where Stealth Falcon exploited CVE-2025-33053, a zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV). This exploit allowed for remote code execution through manipulation of the working directory, silently deploying malware from actor-controlled WebDAV servers. They skillfully abuse legitimate Windows tools, known as Living-off-the-Land Binaries (LOLBins), in conjunction with WebDAV to deploy their payloads and evade detection.
The group is also known for using deceptive internet shortcut (.url) files disguised as benign documents, such as PDFs related to military equipment. These files initiate complex infection chains, manipulating Windows file execution search order to execute malicious programs from remote servers. Once inside, they employ customized implants that introduce anti-analysis and anti-detection measures, validating target systems before delivering more advanced payloads.
Their techniques for data collection and command and control (C2) are equally advanced. Stealth Falcon malware communicates with C2 servers via HTTPS and often utilizes Windows Management Instrumentation (WMI) and PowerShell for system information gathering, task scripting, and command execution. They have been observed gathering a wide array of system information, including details about running processes, .NET versions, ARP tables, and registered user information. Password collection is a key objective, with their malware targeting Windows Credential Vault, Outlook, Internet Explorer, Firefox, and Chrome. Exfiltration of collected data typically occurs over existing C2 channels, often encrypted using RC4 with hard-coded keys.
Notable Campaigns
Stealth Falcon’s operational history stretches back to at least 2012, with consistent activity reported over the years.
One of the earliest documented campaigns, analyzed by Citizen Lab in 2016, detailed targeted spyware attacks against Emirati journalists, activists, and dissidents. These attacks often involved spear-phishing emails and malicious URL shortening services. A notable instance involved a UK-based journalist, Rori Donaghy, who received a spyware-laden email purporting to offer a position on a human rights panel.
More recently, in March 2025, Check Point Research uncovered an attempted cyberattack attributed to Stealth Falcon against a major defense organization in Turkey. This campaign leveraged the aforementioned zero-day vulnerability (CVE-2025-33053) to deliver the Horus Agent, a custom-built implant. The use of Star Trek-themed filenames for their .cpl loaders in this period (e.g., “JeanLucPicardbrownie.cpl”) is a distinctive operational quirk.
In 2023, ESET researchers uncovered “Deadglyph,” a sophisticated backdoor used by Stealth Falcon for espionage in the Middle East. This campaign targeted government agencies and high-profile customers in the region, including a sample uploaded from Qatar.
Associated Malware & Tools
Stealth Falcon utilizes a bespoke and evolving set of malware and tools to achieve its objectives. Their toolset is characterized by customization and the integration of open-source frameworks.
- Horus Agent: This is a custom implant built for the Mythic C2 open-source framework, representing an evolution of the group’s previously used Apollo implant. Written in C++, the Horus Agent focuses on essential functions like victim fingerprinting and subsequent payload delivery, demonstrating anti-analysis and anti-detection measures. Its capabilities include system enumeration, file listing, updating configuration, exiting processes, and injecting shellcode.
- Customized Apollo Implant: Between 2022 and 2023, Stealth Falcon deployed customized versions of Apollo, an open-source .NET agent for the Mythic framework. These were often delivered via multi-stage loaders with a .cpl (Control Panel file) extension.
- Deadglyph: Discovered in 2023 by ESET, Deadglyph is a sophisticated backdoor with an unusual architecture. Its full capabilities are delivered through modular components from its C&C, and it incorporates counter-detection mechanisms like continuous process monitoring and randomized network patterns.
- Win32/StealthFalcon: ESET researchers also discovered an executable backdoor they named Win32/StealthFalcon, which showed strong similarities to earlier PowerShell-based backdoors used by the group. This malware notably uses the Background Intelligent Transfer Service (BITS) for C2 communication, a technique that is harder to detect than traditional API-based methods.
- Custom Post-Exploitation Tools: Beyond their primary implants, Stealth Falcon employs various other custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.
Current Status
Stealth Falcon remains an active and highly capable threat actor. Their exploitation of a zero-day vulnerability (CVE-2025-33053) in March 2025, which Check Point Research documented and led to a Microsoft patch in June 2025, clearly indicates ongoing operations and a continued investment in acquiring sophisticated capabilities. They continue to target high-profile government and defense entities in the Middle East and Africa, alongside their historical focus on journalists and dissidents. The evolution of their custom implants, from customized Apollo to the Horus Agent, demonstrates their continuous development and adaptation of their toolset. Defenders, particularly in targeted sectors and regions, should remain vigilant against this persistent and well-resourced threat.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call