
G1028 APT-C-23

APT-C-23 is a threat group that has been active since at least 2014.[5] APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.[4]

Item | Value
ID | G1028
Associated Names | Mantis, Arid Viper, Desert Falcon, Grey Karkadann, Big Bang APT, Two-tailed Scorpion
Version | 1.0
Created | 26 March 2024
Last Modified | 17 November 2024

Associated Group Descriptions

Name | Description (references)
Mantis | [5][2]
Arid Viper | [4][2][1]
Desert Falcon | [4][2][1]
Grey Karkadann | [2]
Big Bang APT | [3]
Two-tailed Scorpion | [4]

Techniques Used

Domain | ID | Name | Use
mobile | T1655 | Masquerading | -
mobile | T1655.001 | Match Legitimate Name or Location | APT-C-23 has masqueraded malware as legitimate applications.[4][6][7]
mobile | T1660 | Phishing | APT-C-23 sends malicious links to victims to download the masqueraded application.[7][6]
mobile | T1422 | System Network Configuration Discovery | APT-C-23 can collect the victim's phone number, device information, IMSI, etc.[6]

Software

ID | Name | References | Techniques (sub-technique:parent technique where applicable)
S0505 | Desert Scorpion | - | Archive Collected Data; Audio Capture; Data from Local System; Download New Code at Runtime; File and Directory Discovery; Suppress Application Icon:Hide Artifacts; File Deletion:Indicator Removal on Host; Location Tracking; Out of Band Data; SMS Messages:Protected User Data; Contact List:Protected User Data; SMS Control; Software Discovery; Stored Application Data; Code Signing Policy Modification:Subvert Trust Controls; System Information Discovery; Video Capture
S0577 | FrozenCell | - | Archive Collected Data; Audio Capture; Data from Local System; Download New Code at Runtime; File and Directory Discovery; Location Tracking; Match Legitimate Name or Location:Masquerading; SMS Messages:Protected User Data; Stored Application Data; System Information Discovery; System Network Configuration Discovery
S0339 | Micropsia | - | Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Audio Capture; Automated Collection; Shortcut Modification:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; Ingress Tool Transfer; Keylogging:Input Capture; Encrypted/Encoded File:Obfuscated Files or Information; Screen Capture; Security Software Discovery:Software Discovery; System Information Discovery; System Owner/User Discovery; Windows Management Instrumentation
S1126 | Phenakite | [2][1] | Audio Capture; Data from Local System; Exploitation for Privilege Escalation; Ingress Tool Transfer; Input Capture; Match Legitimate Name or Location:Masquerading; SMS Messages:Protected User Data; Contact List:Protected User Data; System Information Discovery; Video Capture
S1195 | SpyC23 | [4][1][6][7] | Access Notifications; Web Protocols:Application Layer Protocol; Audio Capture; Call Control; Data from Local System; Broadcast Receivers:Event Triggered Execution; User Evasion:Hide Artifacts; Suppress Application Icon:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Location Tracking; Match Legitimate Name or Location:Masquerading; Obfuscated Files or Information; Out of Band Data; Contact List:Protected User Data; Call Log:Protected User Data; SMS Messages:Protected User Data; Screen Capture; SMS Control; Video Capture; Virtualization/Sandbox Evasion

References