>samit_hota
Back to adversary profiles
G1028HighActive

APT-C-23 (Arid Viper): Persistent Cyber Espionage in the Middle East

Samit Hota·
Suspected Origin
Palestinian territories
Motivation
Espionage
Aliases
Mantis, Arid Viper, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, Two-tailed Scorpion
Target Sectors
Military, Government, Telecommunications, Law Enforcement, Emergency Services, Journalists, Dissidents, Individuals
Associated Malware
AridSpy, GnatSpy, Micropsia, VAMP, FrozenCell, DesertScorpion, Phenakite, Barb(ie) Downloader, BarbWire Backdoor, ReboundRAT, HoneyRAT, RedFox, BadPatch, PyMicropsia, Android/SpyC23.A
#threat-actor#g1028

Overview

APT-C-23, tracked by MITRE ATT&CK as G1028, is a highly persistent and sophisticated threat actor that has been active since at least 2014. Also known by aliases such as Mantis, Arid Viper, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, and Two-tailed Scorpion, this group primarily focuses its operations on the Middle East, with a particular emphasis on Israel and Palestine.

The group is widely believed to be state-sponsored, originating from the Palestinian territories, and has been linked to Hamas-aligned interests. Their primary motivation is cyber espionage, aimed at gathering intelligence and supporting Palestinian national security objectives. APT-C-23 typically targets a range of sectors including military, government, law enforcement, emergency services, telecommunications, and media, as well as high-profile individuals, journalists, and dissidents. They have consistently developed mobile spyware for both Android and iOS devices since at least 2017, demonstrating a long-term commitment to mobile espionage.

Tactics & Techniques

APT-C-23 employs a blend of technical sophistication and psychological manipulation, relying heavily on social engineering to achieve initial access. Spear-phishing emails and malicious links are common delivery mechanisms, often leading targets to download weaponized applications. The group extensively uses fake social media profiles, particularly on platforms like Facebook, to establish trust with targets. These profiles often impersonate attractive young women in “catfishing” schemes to lure victims into engaging and ultimately installing malware.

Their campaigns frequently involve distributing trojanized applications that masquerade as legitimate messaging apps (such as Telegram, Threema, WhatsApp, Signal), dating apps (like “Skipped” and “Skipped Messenger”), job opportunity apps, or even official services like the Palestinian Civil Registry. These malicious apps are typically hosted on attacker-controlled phishing sites or fake Android app stores, rather than official app marketplaces. In some cases, the trojanized applications maintain their legitimate functionality while secretly deploying spyware in the background.

Once installed, the malware often requests a wide array of invasive permissions, using social engineering tricks to convince technically inexperienced users that these permissions are necessary for the app’s purported functionality. To maintain persistence and evade detection, APT-C-23’s malware can hide its icon, disable security notifications from the operating system, and use blank screen overlays to mask malicious activity. More advanced variants demonstrate command-and-control (C2) resilience, capable of switching to different C2 domains if one is taken down. Their malware is designed for comprehensive data exfiltration, including collecting SMS messages, contact lists, call logs (including WhatsApp calls), audio recordings, screen recordings, screenshots, photos/videos, and various file types (e.g., PDF, DOCX, XLSX). They also perform OS reconnaissance, keylogging, and credential theft for popular applications.

Notable Campaigns

APT-C-23 has been linked to several significant campaigns, demonstrating their evolving tactics and persistent focus on regional targets.

One notable campaign, dubbed “Operation Bearded Barbie” in 2022, specifically targeted Israeli individuals, including those working for sensitive defense, law enforcement, and emergency services organizations. This operation prominently featured catfishing tactics through fake Facebook profiles, leading to the deployment of new Windows and Android malware strains: Barb(ie) Downloader and BarbWire Backdoor.

From 2020 through 2023, the group continuously launched campaigns distributing their mobile spyware, often by impersonating popular messaging applications like Telegram, Threema, and WhatsApp, as well as dating apps such as “Skipped.” In these campaigns, malicious links were shared, often masquerading as updates or tutorial videos, leading victims to download the trojanized apps from attacker-controlled domains. Some instances involved a fake Android app store named “DigitalApps” distributing malware disguised as “AndroidUpdate,” “Threema,” and “Telegram.”

Earlier operations include “Operation Arid Viper,” a large-scale intelligence gathering campaign primarily against Israeli organizations, as well as attacks on telecommunications companies and foreign government agencies to steal communications and intelligence data. Recent campaigns tracked since April 2022 and continuing into 2024 involve the distribution of the AridSpy spyware, primarily targeting Arabic-speaking Android users in Palestine and Egypt through weaponized apps mimicking messaging services, job search platforms, and government registry applications.

Associated Malware & Tools

APT-C-23 possesses a diverse and evolving malware arsenal for both mobile and Windows platforms, consistently enhancing their tools for stealth and persistence.

For Android devices, their core spyware family is known as SpyC23, which has several close variants including VAMP, GnatSpy, FrozenCell, and Desert Scorpion. Recent versions are detected as Android/SpyC23.A or Android/SpyC32.A, featuring extended espionage functionality, updated C2 communication, and enhanced stealth features like dismissing notifications from built-in Android security apps. Their latest Android spyware, identified in ongoing campaigns in 2023-2024, is dubbed AridSpy. This is a multistage Trojan that downloads additional payloads from its C2 server and can even use legitimate app servers for data retrieval.

For iOS devices, APT-C-23 has developed custom surveillanceware called Phenakite, observed for the first time in April 2021. Phenakite was trojanized within a fully functional chat application, capable of stealing sensitive user data from iPhones without requiring jailbreaking by tricking users into installing mobile configuration profiles.

On Windows systems, the group uses several malware families, including Micropsia, which has a Python-based variant called PyMicropsia. Micropsia is an info-stealer with capabilities such as keylogging, browser credential theft, and the ability to download and execute additional payloads. Other custom Windows malware includes Barb(ie) Downloader and BarbWire Backdoor, specifically used in operations targeting Israeli individuals, offering persistence, OS reconnaissance, data encryption, keylogging, screen capturing, and audio recording. Other tools include PIVY, KASPERAGENT, and various custom-developed backdoors. Additional attributed mobile malware families include ReboundRAT, HoneyRAT, RedFox, and BadPatch.

Current Status

APT-C-23 remains an active and evolving threat group. Multiple reports from 2023 and 2024 confirm their ongoing operations. Cisco Talos and ESET Research, for instance, have tracked malicious campaigns distributing AridSpy spyware since April 2022, with several of these campaigns still active as of June 2024. These recent activities continue to leverage social engineering and trojanized applications to target individuals in the Middle East, particularly Arabic-speaking Android users in Palestine and Egypt. The group consistently refines its malware, adding new stealth features and improving C2 communication mechanisms to evade detection. This sustained development and deployment of sophisticated, multi-platform spyware underscores APT-C-23’s persistent commitment to cyber espionage in the region.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call