Skip to content

S0505 Desert Scorpion

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.1

Item Value
ID S0505
Associated Names
Version 1.1
Created 11 September 2020
Last Modified 19 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1532 Archive Collected Data Desert Scorpion can encrypt exfiltrated data.1
mobile T1429 Audio Capture Desert Scorpion can record audio from phone calls and the device microphone.1
mobile T1533 Data from Local System Desert Scorpion can collect attacker-specified files, including files located on external storage.1
mobile T1407 Download New Code at Runtime Desert Scorpion has been distributed in multiple stages.1
mobile T1420 File and Directory Discovery Desert Scorpion can list files stored on external storage.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Desert Scorpion can hide its icon.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.1
mobile T1430 Location Tracking Desert Scorpion can track the device’s location.1
mobile T1644 Out of Band Data Desert Scorpion can be controlled using SMS messages.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List Desert Scorpion can collect the device’s contact list.1
mobile T1636.004 SMS Messages Desert Scorpion can retrieve SMS messages.1
mobile T1582 SMS Control Desert Scorpion can send SMS messages.1
mobile T1418 Software Discovery Desert Scorpion can obtain a list of installed applications.1
mobile T1409 Stored Application Data Desert Scorpion can collect account information stored on the device.1
mobile T1632 Subvert Trust Controls -
mobile T1632.001 Code Signing Policy Modification If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.1
mobile T1426 System Information Discovery Desert Scorpion can collect device metadata and can check if the device is rooted.1
mobile T1512 Video Capture Desert Scorpion can record videos.1