Micropsia
Micropsia is a Windows malware family, including Delphi-based variants, developed and operated by the Arid Viper threat actor (also tracked as Desert Falcon or APT-C-23) since at least 2017. Public reporting ties it to repeated cyber-espionage campaigns against Palestinian individuals, activists, and organizations, and broader reporting links Arid Viper activity to Palestinian entities and related regional targets. Delivery in the documented campaigns relied on politically themed Arabic-language phishing and decoy documents, and reporting notes continued development of multiple Micropsia variants, including Primewire, Fgref, Sears, Rahman, Pierogi, PyMicropsia, and Glasswire.
Documented Micropsia capabilities include persistence via a shortcut placed in the logged-in user’s Startup folder, host profiling, collection of the victim username and computer information, and discovery of installed antivirus and firewall products via WMI, including queries to the SecurityCenter2 namespace. It can create a command-line shell using cmd.exe, execute arbitrary commands, download files, poll for commands, and terminate processes. Collection functions described in the reporting include keylogging, screenshot capture every 90 seconds via the Gdi32.BitBlt API, microphone recording, and recursive archiving of files matching predefined extensions using a RAR tool or WinRAR in preparation for exfiltration. Cisco Talos reported that collected host data and other outputs were base64-encoded and sent to command-and-control infrastructure via HTTP POST form variables, with screenshots or command output sent in a form variable named mugnaq. Reported campaign infrastructure included hostnames such as deangelomcnay[.]news, juliansturgill[.]info, earlahenry[.]com, nicholasuhl[.]website, cooperron[.]me, dorothymambrose[.]live, and ruthgreenrtg[.]live.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
2023-12-14 ⋅ SentinelOne ⋅ Gaza Cybergang | Unified Front Targeting Hamas Opposition ⋅ Micropsia
2022-02-02 ⋅ Cisco ⋅ Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware ⋅ Micropsia
Tools… “NimbleMamba, BrittleBush, LastConn, Micropsia”
"...to creating custom developed ones such as KASPERAGENT and MICROPSIA."
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware
This actor uses their Delphi-based Micropsia implant to target Palestinian individuals and organizations, using politically themed file names and decoy documents... It is highly likely that the threat actor has continued to use the email vector to deliver their lures and implants.
Many of the associated C2 domain names, such as bruce-ess[.]com and wayne-lashley[.]com, reference public figures, which aligns with the known domain naming conventions of the group.
Execution
5 techniques
Gather installed AV information from the endpoint via "winmgmts:\\localhost\root\SecurityCenter2" using query "SELECT * FROM AntiVirusProduct".
Allow an attacker to run arbitrary commands
The commands follow the format: ;<cmd_code>;<base64_encoded_supporting_data>; ... The above example would run the ipconfig command on the endpoint... 'cmd' Execute the command specified and send output to C2.
In all cases the successful installation of these tools did not require any exploits. This suggests that Arid Viper operators continue to heavily rely on social engineering to distribute their malware.
Android malware was typically hosted on convincing looking attacker-controlled phishing sites.
Persistence
2 techniques
...some of the samples had the capability to also establish persistence via the Windows registry (Microsoft\Windows\CurrentVersion\Run).
Privilege Escalation
2 techniques
...some of the samples had the capability to also establish persistence via the Windows registry (Microsoft\Windows\CurrentVersion\Run).
Stealth
2 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Facebook found recent variants pretending to be popular Android applications for dating, networking, and regional banking in the Middle East.
Credential Access
2 techniques
Most samples are found to have a combination of the following features: ... Install a keylogger
Most samples are found to have a combination of the following features: ... Extract and upload stored credentials
Discovery
4 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The sequence of actions followed for gathering system information from the endpoint are as follows: Generate a pc ID... Gather the Computername and username... Get OS information specifically the installed product name... Get the current implant's command line and record it.
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Gather installed AV information from the endpoint via "winmgmts:\\localhost\root\SecurityCenter2" using query "SELECT * FROM AntiVirusProduct". From the AV information obtained, record the DisplayName.
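The antivirus-discovery step quoted above leaves a distinctive host-side trace: a WMI query against the root\SecurityCenter2 namespace for the AntiVirusProduct class. The following is an added example (not Micropsia's code, not a vendor rule, and not part of the original page) that triages a stream of WMI activity events for that pattern, rating a query from a user-writable path higher than one from a system binary and skipping an allow-list of known-good images. The event schema (image, user, namespace, query), the allow-list entry, and the host names and paths in the sample events are all constructed assumptions rather than any logging product's native format.

```python
"""Host-side triage for the antivirus-discovery step quoted above: a WMI query against
root\\SecurityCenter2 for the AntiVirusProduct class.  Example code added for illustration;
the event schema (image, user, namespace, query) is a constructed simplification and not
any logging product's native format."""
import json
import re
from typing import Iterable, List, Optional

# Namespace and class named in the reporting; match case-insensitively and accept both
# path spellings (winmgmts:\\localhost\root\SecurityCenter2 and root/SecurityCenter2).
SC2_NAMESPACE_RE = re.compile(r"root[\\/]+securitycenter2\b", re.IGNORECASE)
AV_CLASS_RE = re.compile(r"\bAntiVirusProduct\b", re.IGNORECASE)

# A WMI client living in a user-writable location is the interesting case: an implant
# dropped by a phishing lure runs from here, signed system tooling does not.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)

# Hypothetical allow-list: fill from your own baseline of processes that query
# SecurityCenter2 legitimately (e.g. an endpoint-management agent). Placeholder entry.
KNOWN_GOOD_IMAGES = {r"c:\program files\example-agent\agent.exe"}


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event is a SecurityCenter2/AntiVirusProduct query
    from a process not on the allow-list, else None."""
    if not (SC2_NAMESPACE_RE.search(event.get("namespace", ""))
            and AV_CLASS_RE.search(event.get("query", ""))):
        return None
    image = event.get("image", "")
    if image.lower() in KNOWN_GOOD_IMAGES:
        return None
    severity = "high" if USER_WRITABLE_RE.search(image) else "medium"
    return {
        "time": event.get("time"),
        "host": event.get("host"),
        "user": event.get("user"),
        "image": image,
        "severity": severity,
        "reason": "WMI AntiVirusProduct enumeration via root\\SecurityCenter2",
    }


def triage_events(lines: Iterable[str]) -> List[dict]:
    """Run classify_event over newline-delimited JSON events, skipping malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (host names, users and paths are invented).
SAMPLE_EVENTS = [
    json.dumps({"time": "2024-01-01T09:00:00Z", "host": "WS-01", "user": "CORP\\alice",
                "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe",
                "namespace": "winmgmts:\\\\localhost\\root\\SecurityCenter2",
                "query": "SELECT * FROM AntiVirusProduct"}),
    json.dumps({"time": "2024-01-01T09:05:00Z", "host": "WS-02", "user": "CORP\\helpdesk",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "namespace": "root/SecurityCenter2",
                "query": "SELECT * FROM AntiVirusProduct"}),
    json.dumps({"time": "2024-01-01T09:06:00Z", "host": "WS-02", "user": "CORP\\helpdesk",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "namespace": "root\\cimv2",
                "query": "SELECT Caption FROM Win32_OperatingSystem"}),
    json.dumps({"time": "2024-01-01T09:07:00Z", "host": "WS-03", "user": "SYSTEM",
                "image": "C:\\Program Files\\Example-Agent\\agent.exe",
                "namespace": "root\\SecurityCenter2",
                "query": "SELECT displayName FROM AntiVirusProduct"}),
    "{not json",
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["image"])
```

The query itself is not malicious: help-desk PowerShell and endpoint agents ask SecurityCenter2 the same question, which is why the rule scores on the issuing process rather than firing on the namespace alone. Tune the allow-list from your own baseline before deploying anything like this.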
Collection
4 techniques
Retrieve photos from the camera roll ... Retrieve contacts ... Retrieve text messages ... Search for and return the path of files with a doc or PDF extension
Most samples are found to have a combination of the following features: ... Install a keylogger
The analyzed Arid Viper Android malware contained the following functionality: • Take screenshots or record video
Search for files of specific types and add them to RAR archives for exfiltration
Command and Control
5 techniques
Use Base64 to obfuscate command and control communications
Some Primewire samples utilize “multipart/form-data” for command and control check-ins... other samples combine the C2 parameters into a single “application/x-www-form-urlencoded” POST body.
The data is then sent to the implant's C2 server via an HTTP POST request, which is fairly standard in Micropsia implants.
"df" Download file from a specified remote location into a local path specified by the C2.
All this data gathered from the system is individually base64-encoded and assigned to HTTP form query variables... mugnaq = base64 encoded screenshot or command output.
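The C2 encoding described in this section and in the family summary above (every form variable individually base64-encoded, screenshots or command output in a variable named mugnaq, tasking in the form `;<cmd_code>;<base64_encoded_supporting_data>;` as quoted under Execution) is simple enough to triage directly from captured POST bodies. The following is an added example, not Micropsia's code, not a Talos or vendor tool, and not part of the original page: it decodes each field of a urlencoded body, labels it as text (command output), binary (a screenshot, for instance) or not base64 at all, assigns a verdict, and splits a tasking line into its code and argument. Only the field name mugnaq and the command code cmd with argument ipconfig come from the reporting; the field names pcid and os, the host name, user and address in the sample check-in are constructed assumptions. multipart/form-data bodies, which the reporting also mentions, are not handled here.

```python
"""Triage for HTTP POST bodies shaped like the Micropsia check-ins described in the
reporting: every form variable base64-encoded, screenshot or command output in a
variable named "mugnaq", and tasking in the form ;<cmd_code>;<base64_data>;.
Example code added for illustration; it is not Micropsia's code and not a vendor tool.
Only application/x-www-form-urlencoded bodies are handled here, not multipart/form-data."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# The only form-variable name the reporting gives verbatim.
KNOWN_MICROPSIA_FIELDS = {"mugnaq"}

# Tasking format quoted in the reporting: ;<cmd_code>;<base64_encoded_supporting_data>;
TASK_RE = re.compile(r"^;(?P<code>[A-Za-z0-9_]+);(?P<data>[A-Za-z0-9+/=]*);$")


def b64_decode_lenient(value: str) -> Optional[bytes]:
    """Decode base64 the way captured traffic needs it: restore '+' that form decoding
    turned into a space, add missing padding, and return None for non-base64 input."""
    s = value.strip().replace(" ", "+")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(blob: bytes) -> bool:
    """True for UTF-8 text made of printable characters and whitespace."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch.isspace() for ch in text)


def classify_field(raw: str) -> dict:
    """Decode one form value and label it text (command output), binary (e.g. a
    screenshot) or not-base64."""
    blob = b64_decode_lenient(raw)
    if blob is None:
        return {"kind": "not-base64", "text": None, "size": len(raw)}
    if looks_like_text(blob):
        return {"kind": "text", "text": blob.decode("utf-8"), "size": len(blob)}
    return {"kind": "binary", "text": None, "size": len(blob)}


def triage_post(body: str) -> dict:
    """Decode every field of a urlencoded POST body and assign a verdict: a known
    Micropsia field name wins outright; a body whose every field is base64 is worth
    a look; anything else is left alone."""
    fields = {name: classify_field(values[0])
              for name, values in parse_qs(body, keep_blank_values=True).items()}
    known = sorted(name for name in fields if name in KNOWN_MICROPSIA_FIELDS)
    all_base64 = bool(fields) and all(f["kind"] != "not-base64" for f in fields.values())
    if known:
        verdict = "micropsia-like"
    elif all_base64:
        verdict = "suspicious-base64-form"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "known_fields": known, "fields": fields}


def parse_task(line: str) -> Optional[dict]:
    """Split a ;<cmd_code>;<base64>; tasking line into its code and decoded argument."""
    match = TASK_RE.match(line.strip())
    if not match:
        return None
    blob = b64_decode_lenient(match.group("data"))
    if blob is None:
        return None
    return {"code": match.group("code"), "argument": blob.decode("utf-8", errors="replace")}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed samples. "pcid" and "os" are hypothetical field names; only "mugnaq"
# comes from the reporting. Host name, user and address are invented.
SAMPLE_CHECKIN = urlencode({
    "pcid": _b64("DESKTOP-EXAMPLE\\alice"),
    "os": _b64("Windows 10 Pro"),
    "mugnaq": _b64("Windows IP Configuration\n\n   IPv4 Address. . . : 192.0.2.10\n"),
})
SAMPLE_BENIGN = "user=alice&q=hello%21"          # plain web form: '!' is not base64
SAMPLE_TASK = ";cmd;aXBjb25maWc=;"               # 'cmd' with argument "ipconfig"

if __name__ == "__main__":
    for body in (SAMPLE_CHECKIN, SAMPLE_BENIGN):
        result = triage_post(body)
        print(result["verdict"], result["known_fields"])
    print(parse_task(SAMPLE_TASK))
```

The "all fields base64" heuristic is deliberately weak on its own; short values such as "test" decode as valid base64 by accident, so in practice it should be combined with the destination (the reported domains) or with the known field name before it is allowed to page anyone.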
Exfiltration
1 technique
...uploading any files present before recursively uploading any files in subdirectories.
IOCs tracked for this family
66 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom backdoor used by Mantis that can take screenshots, keylog, and archive files for exfiltration, while also serving to run secondary payloads.
A staple Gaza Cybergang malware family with Delphi- and Python-based variants used against Palestinian entities. It deploys decoy documents focused on Palestinian cultural and political matters and is part of the group's long-running espionage toolkit.
Micropsia is a recurring malware family associated with Arid Viper/APT-C-23 campaigns targeting Palestinian and Israeli victims through phishing and espionage operations.
A Delphi-based implant used by Arid Viper for espionage against Palestinian individuals and organizations. It deploys decoy documents, establishes persistence via Startup-folder shortcut creation, gathers host and antivirus information, communicates with C2 over HTTP POST, captures screenshots, executes commands, downloads files, and exfiltrates command output.