APT-C-23 / Arid Viper
The primary cyber espionage arm assessed to operate on behalf of Hamas, targeting Israeli military and government personnel alongside Palestinian political opponents. Running two concurrent surveillance tracks — external operations against Israeli targets including IDF soldiers lured via social engineering honeytrap personas, and internal operations monitoring Palestinian dissidents, Fatah rivals, and civil society — Arid Viper has maintained a continuous mobile and desktop espionage capability since at least 2013. Kaspersky described it in 2015 as the first exclusively Arabic APT group. Confirmed active through 2024 and into 2025 with maintained and evolving mobile spyware campaigns.
Overview
Arid Viper was first publicly named in February 2015 by Kaspersky, who described it as the first exclusively Arabic APT group — a designation that acknowledged both its linguistic and operational distinctiveness from other state-sponsored actors in the region. Facebook's security team (now Meta) later attributed the group to Gaza, Palestine, assessing with confidence that it has operated targeted intelligence-gathering operations on behalf of Hamas since at least 2011. Infrastructure overlaps between Arid Viper's Android applications and an al-Qassam Brigades Telegram channel — the military wing of Hamas — were documented by Recorded Future, providing a direct technical link between the group's operations and Hamas's military command structure.
The group is part of the broader Gaza Cybergang ecosystem, functioning as the medium-sophistication component (Group 2) alongside Molerats (Group 1) and the higher-sophistication Operation Parliament group. While assessed by Cisco Talos as "not a technically evolved actor," Arid Viper has demonstrated consistent investment in custom tooling and an ability to iterate its mobile malware families across nearly a decade of documented operations — maintaining at least four distinct Android spyware families (GnatSpy, FrozenCell, ViperRAT, SpyC23/AridSpy) and one iOS implant (Phenakite), alongside a Windows malware lineage anchored by Micropsia and Arid Gopher.
The group's dual-track operational model is its defining strategic characteristic. Track one targets Israeli military and government personnel using social engineering honeytrap personas — fake social media profiles of young women used to build romantic trust with IDF soldiers before delivering Android spyware. Track two targets Palestinian political opponents: Fatah officials, journalists, civil society organizations, and Palestinian Authority figures — making Arid Viper one of the clearest documented cases of a non-state armed group using cyber espionage both for external military intelligence and for internal political repression simultaneously.
Cyber espionage activities by Arid Viper against IDF and Israeli government personnel are assessed as direct enablers for Hamas's on-the-ground military operations. Location data, communication content, and personnel information acquired via mobile spyware on soldiers' devices has potential kinetic implications that extend far beyond conventional intelligence collection. Organizations supporting Israeli defense and security personnel should treat Arid Viper mobile compromise as a force protection issue, not merely a data security incident.
Target Profile
Arid Viper maintains two distinct targeting tracks that operate simultaneously, each with its own tooling, lures, and delivery infrastructure.
- IDF soldiers and Israeli military personnel: The group's primary external intelligence collection target. Fake social media profiles portraying young women are used to establish romantic relationships with soldiers over weeks or months, building trust before sending a link to a trojanized dating or messaging application. Check Point documented a 2020 campaign in which soldiers were targeted via fake Facebook personas, with malicious apps impersonating military-themed utilities and relationship apps.
- Israeli government and law enforcement: High-profile Israeli individuals in defense, law enforcement, and emergency services targeted with Windows backdoors (BarbWire, Micropsia, Arid Gopher). The April 2022 Operation Bearded Barbie campaign introduced BarbWire against this category; Symantec's 2023 Mantis reporting documented updated Micropsia and Arid Gopher variants deployed against the same target set between December 2022 and January 2023.
- Palestinian dissidents and Fatah rivals: Track two targets individuals and organizations perceived as threatening to Hamas's political authority — Fatah officials, Palestinian Authority figures, civil society leaders, journalists, and human rights advocates. Cisco Talos documented Micropsia campaigns with politically themed decoy documents in Arabic targeting Palestinian organizations.
- Palestinian civilians via trojanized civic apps: The Palestinian Civil Registry app was trojanized and distributed via a dedicated fake website, targeting ordinary Palestinian civilians — an unusually broad-based surveillance operation against the general population rather than specific individuals.
- Egyptian targets: ESET's 2024 AridSpy analysis identified Palestinian and Egyptian users as the primary targets of five concurrent mobile espionage campaigns. Egypt also appeared among the countries with the heaviest victim concentration in Kaspersky's 2015 reporting, so it is a persistent secondary target rather than a new expansion beyond the core Israel/Palestine focus.
- Broader Middle East and diaspora communities: Saudi Arabia, Jordan, Turkey, and Palestinian diaspora populations outside the core geographic area have been targeted, consistent with Hamas's interest in monitoring its regional political environment and overseas supporter networks.
Tactics, Techniques & Procedures
Documented TTPs from Kaspersky (2015), Check Point (2020), Facebook/Meta (2021), Cisco Talos (2022), Symantec (2023), SentinelOne (2023), and ESET (2024) reporting.
| mitre id | technique | description |
|---|---|---|
| T1566.003 | Spearphishing via Service | Fake social media personas — primarily young women on Facebook and other platforms — used to build extended romantic trust relationships with IDF soldiers and Israeli government personnel before delivering malicious app links. Profiles are maintained over weeks or months and include plausible social histories. Some accounts were still active years after documented exposure. |
| T1204.002 | User Execution — Malicious File | Mobile delivery relies on social engineering rather than exploits: victims are persuaded to install applications from attacker-controlled websites instead of official app stores, which on Android means allowing installation from unknown sources and then granting the permissions the app requests. Facebook/Meta documented 41+ dedicated phishing sites in 2021. Because no exploit is involved, delivery success depends entirely on the quality of the lure. |
| T1436 | Commonly Used Port | AridSpy's C2 is hosted on Firebase domains, so its traffic blends with legitimate Google cloud service usage and cannot be blocked by destination alone. The multi-stage architecture downloads additional payloads from C2 after installation, letting operators update the payload without reinstalling the trojanized app. |
| T1512 | Video Capture | SpyC23/AridSpy supports camera access for photo and video capture on compromised Android devices. The Android families also record audio, and Micropsia provides audio recording on Windows hosts across multiple documented versions, giving the operators real-time environment monitoring on both platforms. |
| T1430 | Location Tracking | All documented Android spyware families include GPS location tracking. Location data on IDF soldiers is assessed as having direct military intelligence value for Hamas operational planning. The group conditions exfiltration behavior based on whether the device is on mobile data vs. Wi-Fi, reducing detection risk. |
| T1636.002 | Protected User Data — Call Logs | Call logs, contact lists, SMS messages, and messaging app content collected across all Android spyware families. Provides Hamas with communication maps of targeted individuals — identifying contacts, patterns, and organizational relationships beyond what direct surveillance of the individual would reveal. |
| T1406 | Obfuscated Files or Information | Symantec documented Arid Gopher as receiving "aggressive mutation" between variants — complete code rewrites rather than minor modifications — as a deliberate detection evasion mechanism. AridSpy separates functionality across stages (trojanized app → first-stage payload → second-stage payload) to complicate detection and attribution. |
| T1059.003 | Windows Command Shell | Micropsia (Delphi-based Windows RAT) and Arid Gopher (Go-based Windows implant) provide remote command execution alongside file system access, screenshot capture, keylogging, and audio recording on Windows systems. The BarbWire backdoor (2022) extended the Windows capability set for high-profile Israeli targets in defense, law enforcement, and emergency services. |
| T1417 | Input Capture — Keylogging (Mobile) | SpyC23 monitors device activity for "dangerous" application menus — specifically parsing for the English words "apps" or "applications" and the Arabic word for applications — logging when the victim is in sensitive device management screens. This behavioral targeting reduces the volume of logged data while capturing the highest-value operational security events. |
| T1404 | Exploit OS Vulnerability (Mobile) | Phenakite (iOS implant, 2021) incorporated the Osiris jailbreak and Sock Port exploit as a second installation stage, enabling full device access beyond iOS sandbox restrictions on unpatched devices (iOS 10.0 through 12.4). Facebook disrupted this capability by working with Apple to revoke the developer certificates used to sign Phenakite. Arid Viper subsequently attempted to establish its own iOS distribution infrastructure. |
Known Campaigns
Confirmed or highly attributed operations linked to APT-C-23 / Arid Viper across its operational history.
The founding campaign, documented and named by Kaspersky in February 2015 as the first exclusively Arabic APT group. Targeted over 3,000 victims across 50+ countries, with primary concentration in Israel, Palestine, Egypt, Saudi Arabia, and UAE. Used homemade malware and social engineering via fake social media personas. Kaspersky estimated the group numbered approximately 30 attackers. Windows-based malware delivered via spearphishing with politically themed lures. The disclosure represented the first public attribution of a Hamas-affiliated advanced persistent threat operation.
Check Point documented a sustained campaign in which Arid Viper operators created fake female social media personas to build romantic relationships with IDF soldiers over extended periods. Once trust was established, victims were persuaded to install Android applications (GnatSpy, FrozenCell/VolatileVenom) from attacker-controlled sites. The malware provided full device access including GPS location, communications, photos, and audio on soldiers' personal and potentially operational devices. Check Point published a full technical report in February 2020 titled "Hamas Android Malware On IDF Soldiers."
A campaign targeting high-profile Israeli individuals employed in defense, law enforcement, and emergency services organizations, documented in April 2022 under the name Operation Bearded Barbie. Distinguished by the introduction of BarbWire, a novel Windows backdoor, alongside updated Micropsia implants. A follow-on wave against the same target category was reported by Symantec in 2023 (which tracks the group as Mantis): three distinct versions of Micropsia and Arid Gopher were deployed against three separate sets of workstations within a single target organization between December 2022 and January 2023, maintaining redundant access and compartmentalizing the intrusion so that discovery of one implant set would not expose the others.
Cisco Talos documented a sustained multi-year campaign using the Delphi-based Micropsia implant against Palestinian individuals and organizations, using politically themed decoy documents in Arabic. Lures referenced real Palestinian political events — including articles on Palestinian family reunification and development programs — to establish credibility with the intended audience. The campaign confirmed the dual-track model: while Israeli military personnel were targeted via social engineering honeytrap, Palestinian civil society was targeted via politically relevant document lures.
Facebook/Meta's April 2021 technical report documented Arid Viper's iOS implant Phenakite — a two-stage spyware tool capable of jailbreaking vulnerable iPhones using the Osiris jailbreak and Sock Port exploit. Distributed via a trojanized chat app called Magic Smile, hosted on third-party development sites and attacker-controlled infrastructure. Facebook found only 81 devices communicating with the exposed Firebase C2 server, suggesting limited targeted deployment. Disrupted after Meta worked with Apple to revoke Arid Viper's developer certificates, disabling Phenakite distribution via signed apps.
ESET's June 2024 report documented five concurrent AridSpy campaigns targeting Android users across Palestine and Egypt via trojanized messaging apps (NortirChat, LapizaChat, ReblyChat, PariberyChat, RenatChat), a fake Palestinian Civil Registry app, and a fake job opportunity application. Three of the five campaigns were still active at publication. AridSpy evolved into a multi-stage trojan — the initial trojanized app downloads additional payloads from Firebase-hosted C2 servers, allowing payload updates without reinstallation. ESET attributed the campaigns to Arid Viper with medium confidence. SentinelOne's parallel analysis confirmed SpyC23 family continuity dating back to 2017 code.
Tools & Malware
Arid Viper maintains one of the most extensive cross-platform mobile and desktop espionage toolkits attributed to a non-state armed group, with continuous development documented across nearly a decade.
- Micropsia (Windows): The group's primary Windows Delphi-based RAT, used since at least 2017 and maintained through 2023. Capabilities include audio recording, screenshot capture, keylogging, file collection and upload, GPS location (where available), and process enumeration. Politically themed decoy documents extracted and displayed to victims post-infection. Multiple concurrent versions deployed against single targets for redundancy.
- Arid Gopher (Windows): A Go-based Windows implant used alongside Micropsia. Received "aggressive mutations" — complete code rewrites between versions — as a deliberate EDR evasion strategy documented by Symantec. Maintains similar RAT functionality to Micropsia with a different technical implementation.
- BarbWire (Windows): A novel Windows backdoor introduced in the 2022 Bearded Barbie campaign targeting high-profile Israeli targets in defense and law enforcement. Represents a capability expansion beyond the Micropsia/Arid Gopher pair.
- SpyC23 / AridSpy (Android): The current primary Android spyware family, maintained and updated across documented campaigns since at least 2019. Distributed as trojanized versions of legitimate messaging and civic apps. Multi-stage architecture downloads second-stage payloads from Firebase C2. Monitors device for "dangerous" menu access. Conditions exfiltration on network type (mobile vs. Wi-Fi). Shared code elements trace to GnatSpy variants from 2017, confirming continuous development lineage.
- GnatSpy (Android): Earlier Android spyware family with documented use from 2017. Collects call logs, SMS, contacts, location, and device data. Shared upload functionality code with SpyC23 confirms lineage connection.
- FrozenCell / VolatileVenom (Android): Android spyware variant distributed in the IDF soldier honeytrap campaigns. Disguised as legitimate regional applications including dating apps and banking utilities.
- ViperRAT (Android): Earlier Android RAT in the Arid Viper toolkit, with documented use in early mobile campaigns targeting Israeli personnel.
- Phenakite (iOS): The group's only confirmed iOS implant, documented in 2021. Distributed via a trojanized chat app (Magic Smile) requiring social engineering for installation. Two-stage: iOS configuration profile installs the signed app; Osiris jailbreak + Sock Port exploit then provides full device access. Capable of extensive data collection beyond iOS sandbox restrictions. Operations disrupted after Apple revoked developer certificates.
- Trojanized civic and social apps: Palestinian Civil Registry app, fake job opportunity apps, fake messaging apps (NortirChat, LapizaChat, ReblyChat), and fake dating apps (Skipped clone) — all used as delivery vehicles for Android spyware via dedicated phishing distribution websites.
Indicators of Compromise
Behavioral indicators from documented Arid Viper campaigns. Specific infrastructure IOCs from ESET's 2024 AridSpy report and Facebook's 2021 Phenakite report are the most current public sources for technical indicators.
Arid Viper uses Firebase domains for AridSpy C2 — a legitimate Google cloud service. Firebase-based C2 traffic cannot be blocked by destination without disrupting legitimate Firebase usage. Focus detection on the behavioral indicators captured in the TTP table above and on device-level telemetry rather than network-layer blocking. Because the group keeps campaigns running with updated payload versions, previously published hashes should be treated as indicative rather than exhaustive; current infrastructure indicators should be taken from the ESET and Facebook/Meta reports listed under Sources.
Mitigation & Defense
Recommended defensive measures for organizations and individuals in APT-C-23's target profile — primarily Israeli military and government personnel, and Palestinian civil society organizations.
- Enforce mobile device management and app source restrictions: Arid Viper's entire mobile delivery chain depends on users installing apps from outside official app stores. MDM policies that restrict app installation to Google Play and Apple App Store, or to an approved enterprise catalog, eliminate the primary delivery vector. Enable Google Play Protect on all Android devices in the target population.
- Train military and government personnel on honeytrap social engineering: The IDF soldier targeting model — fake romantic personas building trust over weeks before delivering malware — is a well-documented pattern. Security awareness training for military personnel should specifically address unsolicited social media contact from unknown individuals and the risk of installing apps at the suggestion of online contacts not verified through official channels.
- Enforce iOS updates and disable jailbreaking: Phenakite's iOS capability was entirely dependent on unpatched Osiris jailbreak and Sock Port exploit vulnerabilities (iOS 10.0–12.4). Maintaining current iOS versions eliminates this attack surface. Organizations issuing devices to high-risk personnel should enforce automatic iOS updates via MDM.
- Reject iOS configuration profile prompts from untrusted sources: Phenakite's installation required victims to accept an iOS configuration profile from an attacker-controlled website. Users should be explicitly trained that legitimate apps do not require configuration profile installation from websites. iOS profiles should only be accepted from verified enterprise MDM systems.
- Monitor for suspicious permission requests: AridSpy and related families request broad permissions — camera, microphone, contacts, SMS, location — simultaneously. Implement mobile threat defense (MTD) solutions that alert on apps requesting atypical permission combinations relative to their stated function.
- Protect Windows endpoints against Delphi and Go-based implants: Micropsia (Delphi) and Arid Gopher (Go) are the primary Windows threats. Behavioral detection rules for Delphi-compiled executables that drop and open decoy documents, and for Go-compiled executables with obfuscated function names, provide coverage against known variants. Because Arid Gopher is rewritten between variants, rely on behavioral detection rather than hash-based matching.
- Restrict and monitor access to Palestinian Civil Registry and civic apps: The trojanized Palestinian Civil Registry app represents an unusually broad civilian surveillance vector. Organizations supporting Palestinian civil society should explicitly warn staff against installing government or civic apps from unofficial websites, and should verify app authenticity through official Palestinian Authority channels.
- Apply threat-informed hunting for Firebase-based C2: AridSpy C2 over Firebase cannot be blocked without disrupting legitimate usage. Instead, implement behavioral analytics that identify anomalous outbound data patterns — particularly large transfers of contacts, SMS, or call log data to Firebase endpoints — from devices not known to use Firebase-dependent applications legitimately.
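The permission-combination alerting described in the mitigation list above can be approximated without a commercial MTD product by triaging `aapt dump permissions` output against what an app's declared category can plausibly justify. The script below is an added example written for this profile, not code from any of the cited vendors; the package names, the category-to-permission expectations, and the two manifest dumps are constructed for illustration, and the "implant signature" threshold is a heuristic assumption rather than a documented Arid Viper indicator.

```python
"""Triage Android permission requests against the app's claimed purpose.

Input is the text printed by `aapt dump permissions app.apk` (both the
`uses-permission: name='...'` and the older `uses-permission: ...` forms are
accepted). Example data below is constructed, not taken from a real sample.
"""
import re
from typing import Dict, Set, Tuple

# Dangerous permissions mapped to the surveillance capability they enable.
CAPABILITY = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background_location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    # Lets the app install further APKs: a generic loader indicator (assumption).
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload_installer",
}

# Capabilities each app category can reasonably justify (assumed baseline).
EXPECTED: Dict[str, Set[str]] = {
    "messaging": {"contacts", "camera", "microphone", "storage"},
    "civic": {"storage"},
    "jobs": {"storage"},
}

# Capabilities that together read as a surveillance implant whatever the category.
IMPLANT_SIGNATURE = {"sms", "call_log", "background_location", "microphone"}

PERM_LINE = re.compile(r"uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")
PKG_LINE = re.compile(r"^package:\s*([\w.]+)", re.M)


def parse_aapt_permissions(dump: str) -> Tuple[str, Set[str]]:
    """Return (package name, set of requested permission strings)."""
    pkg = PKG_LINE.search(dump)
    return (pkg.group(1) if pkg else "unknown"), set(PERM_LINE.findall(dump))


def triage(dump: str, category: str) -> dict:
    """Score one manifest dump: 'ok', 'review', or 'high'."""
    pkg, perms = parse_aapt_permissions(dump)
    caps = {CAPABILITY[p] for p in perms if p in CAPABILITY}
    unexpected = caps - EXPECTED.get(category, set())
    implant_hits = caps & IMPLANT_SIGNATURE
    if len(implant_hits) >= 3 or "sideload_installer" in unexpected:
        verdict = "high"        # looks like spyware or a multi-stage loader
    elif unexpected:
        verdict = "review"      # more than the category needs; analyst decides
    else:
        verdict = "ok"
    return {
        "package": pkg,
        "capabilities": sorted(caps),
        "unexpected": sorted(unexpected),
        "verdict": verdict,
    }


# Constructed dump of a trojanized "chat" app (hypothetical package name).
TROJANIZED_CHAT = """\
package: com.example.chatapp
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_BACKGROUND_LOCATION'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""

# Constructed dump of a benign chat app requesting only what chat needs.
LEGIT_CHAT = """\
package: com.example.legitchat
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE' maxSdkVersion='32'
"""

if __name__ == "__main__":
    for dump in (TROJANIZED_CHAT, LEGIT_CHAT):
        print(triage(dump, "messaging"))
```

The category baseline is the part to tune: a genuine messaging app can justify camera, microphone and contacts, so those alone are not a signal. SMS, call-log and background-location access bundled with a microphone permission in an app whose only stated purpose is chat is the combination worth an analyst's time, and an installer permission on top of that is consistent with a staged payload.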
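The Firebase hunting guidance above (and the IOC note that Firebase C2 cannot be blocked by destination) reduces to a per-device egress analysis: sum what each device uploads to Firebase data backends, ignore devices known to run Firebase-dependent apps, and flag upload-heavy outliers. The following script is an added example written for this profile, not tooling from any of the cited vendors; the flow-log format, thresholds, device identifiers, Firebase project hostnames and the allowlist are all constructed assumptions. Note that Firebase Cloud Messaging (`fcm.googleapis.com`) is deliberately excluded, since almost every Android app talks to it.

```python
"""Hunt for upload-heavy Firebase egress from devices that should not need it.

Input is a simple per-flow CSV as an egress proxy or NetFlow exporter might
produce (assumed format): ts,device_id,dst_host,bytes_out,bytes_in.
"""
import csv
import io
from collections import defaultdict
from typing import Iterable, List

# Firebase backends where bulk data upload from an implant would land.
# FCM push is omitted on purpose: it is ubiquitous and low-volume.
FIREBASE_DATA_DOMAINS = (
    "firebaseio.com",                 # Realtime Database
    "firebasedatabase.app",           # Realtime Database (regional)
    "firebasestorage.googleapis.com", # Cloud Storage for Firebase
)


def is_firebase_data_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FIREBASE_DATA_DOMAINS)


def hunt(flow_csv: str, known_firebase_devices: Iterable[str],
         min_upload_bytes: int = 512_000, min_upload_ratio: float = 5.0) -> List[dict]:
    """Return devices with large, upload-dominated Firebase traffic.

    Legitimate Firebase-backed apps mostly download (config, chat history);
    an exfiltration stage mostly uploads, so the out/in ratio is the key signal.
    Thresholds are assumptions to tune per environment.
    """
    allow = set(known_firebase_devices)
    out = defaultdict(int)
    inn = defaultdict(int)
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if not is_firebase_data_host(row["dst_host"]):
            continue
        dev = row["device_id"]
        out[dev] += int(row["bytes_out"])
        inn[dev] += int(row["bytes_in"])
        hosts[dev].add(row["dst_host"])

    findings = []
    for dev in out:
        if dev in allow:
            continue
        ratio = out[dev] / max(inn[dev], 1)
        if out[dev] >= min_upload_bytes and ratio >= min_upload_ratio:
            findings.append({
                "device_id": dev,
                "bytes_out": out[dev],
                "upload_ratio": round(ratio, 1),
                "hosts": sorted(hosts[dev]),
            })
    return sorted(findings, key=lambda f: -f["bytes_out"])


# Constructed flow records; hostnames follow the Firebase naming pattern but
# are hypothetical and not indicators from any report.
SAMPLE_FLOWS = """\
ts,device_id,dst_host,bytes_out,bytes_in
2024-06-03T08:01:12Z,dev-a13,proj-demo-default-rtdb.firebaseio.com,734210,9120
2024-06-03T08:03:40Z,dev-a13,firebasestorage.googleapis.com,1845000,2300
2024-06-03T08:05:02Z,dev-b07,firebasestorage.googleapis.com,2000000,5000
2024-06-03T08:06:11Z,dev-c22,proj-demo-default-rtdb.firebaseio.com,12400,40300
2024-06-03T08:07:55Z,dev-d09,fcm.googleapis.com,900000,100
2024-06-03T08:09:20Z,dev-c22,example.com,500000,300
"""

# dev-b07 is a device enrolled with an approved Firebase-backed app (assumed).
KNOWN_FIREBASE_DEVICES = {"dev-b07"}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_FLOWS, KNOWN_FIREBASE_DEVICES):
        print(finding)
```

The allowlist is doing real work here: without an inventory of which managed devices legitimately run Firebase-backed apps, every chat client looks like a candidate. Pair the output with the permission triage of the offending app rather than acting on volume alone.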
Cisco Talos' characterization — "Arid Viper is a prime example of groups that aren't very advanced technologically, however, with specific motivations, are becoming more dangerous as they evolve over time" — remains the most accurate summary of this group's threat trajectory. Each successive campaign has introduced new malware families or updated existing ones. Organizations should not assess this group's future threat based solely on its past technical ceiling.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — APT-C-23 / Arid Viper Group G1028
- Facebook/Meta — Technical Threat Report: Taking Action Against Arid Viper (2021)
- ESET — Arid Viper Poisons Android Apps with AridSpy (2024)
- SentinelOne — Arid Viper: APT's Nest of SpyC23 Malware (2023)
- Cisco Talos — Arid Viper APT Targets Palestine with Micropsia (2022)
- The Hacker News — Arid Viper Using Upgraded Malware (Symantec / Mantis reporting) (2023)
- Check Point Research — Hamas Android Malware On IDF Soldiers (2020)