Arid Viper
Arid Viper is a long-running cyber espionage threat actor also tracked as APT-C-23, Desert Falcon, Desert Falcons, Grey Karkadann, Two-tailed Scorpion, Big Bang APT, Scimitar, TAG-63, Renegade Jackal, Pinstripe Lightning, Niobium, and Mantis. Multiple sources describe it as an Arabic-speaking group active since at least 2013 or 2014 and focused on the Middle East, especially Palestinian- and Israeli-related targets. Some reporting describes the group as Hamas-aligned or Hamas-linked, while Facebook explicitly stated that it could not conclusively confirm that connection from its own evidence.

The group's targeting is centered on individuals and organizations in Palestine, including government officials, members of Fatah, student groups, security forces, activists, and other Palestinian entities. Additional reporting describes targeting of Israeli military personnel, Israeli individuals, and Arabic-speaking Android users, as well as government- or diplomatic-linked targets in the Middle East.

Arid Viper relies heavily on phishing and social engineering. Reported delivery methods include fake Facebook and Instagram personas, phishing pages, politically themed Arabic-language lure documents, SMS messages impersonating emergency alert services, trojanized mobile applications, and links to attacker-controlled APK-hosting sites, including via YouTube tutorial videos. Reporting also notes broad supporting infrastructure, including more than 100 websites used for malware hosting, credential theft, and command-and-control.

The malware and tooling directly associated with Arid Viper span Windows, Android, and iOS. On Windows, the group is linked to the Micropsia malware family and variants including Primewire, Fgref, Sears, Rahman, Pierogi, PyMicropsia, Glasswire, and later Pierogi++. Reported capabilities include persistence via Startup-folder shortcuts, host profiling, screenshot capture, command execution, file download, and HTTP POST-based C2 communications.

On Android, the group has used surveillance malware and RAT-like implants associated with FrozenCell, VAMP, ViperRAT, Desert Scorpion, GnatSpy, and dating-app-themed APKs such as Skipped_Messenger. Reported Android capabilities include collection of phone numbers, IMSI and device information, GPS tracking, SMS and OTP interception, contact theft, account extraction, app inventorying, data exfiltration, deployment of additional malware, and suppression of security notifications on some devices.

On iOS, Facebook reported a custom implant named Phenakite embedded in the trojanized Magic Smile chat app. Phenakite could be installed on non-jailbroken iPhones through malicious configuration profiles and signed apps, then use bundled public jailbreak/exploit code for privilege escalation. Reported capabilities include retrieving photos, contacts, SMS, device metadata, WhatsApp media, and selected files, silent audio recording, taking photos, and redirecting victims to phishing pages for iCloud and Facebook credentials.

Reporting also links Arid Viper to campaigns using politically themed lures related to Palestinian issues, patient reports, freedom of expression, and regional current events, as well as honey-trap-style dating app themes. MITRE ATT&CK notes expanded profiling of APT-C-23 to reflect targeting of both Android and iOS devices. Arid Viper is further placed within the broader Gaza Cybergang ecosystem, with SentinelLABS describing it as Group 2 under that umbrella, alongside overlaps in victims, malware, and infrastructure with Molerats and Operation Parliament-related activity.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Non-Governmental Organizations
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
27 malware families attributed to this actor across reporting.
22 additional families tracked in Mallory.
Observables
210 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Assessed as a likely operator behind a deceptive Android trojanized ‘Red Alert’ app campaign targeting people in Israel, using SMS lures impersonating Israel’s Home Front Command to drive APK installation and steal device data.
Suspected Hamas-aligned cyber-espionage activity targeting Israelis via SMS phishing that impersonates emergency alert services to deliver a trojanized Android app (spyware) capable of extensive device surveillance and credential theft.
Arabic-speaking espionage group focused on government, military, media, financial, research, education, and energy targets, primarily in the Middle East, using spear-phishing and custom backdoors for surveillance and persistence.
Middle East–focused actor (since at least 2015) aligned with pro-Palestinian interests, conducting intelligence collection against government/diplomatic targets using phishing and social engineering.