KasperAgent
KasperAgent is a custom malware family publicly reported in 2017 in targeted attacks in the Middle East. It was documented by Palo Alto Networks Unit 42 in reporting on attacks using KASPERAGENT and MICROPSIA, and ThreatConnect linked a KasperAgent campaign to the Arid Viper threat actor. Broader reporting places Arid Viper, also known as Desert Falcon and APT-C-23, in long-running cyber-espionage operations focused largely on Israeli and Palestinian targets. The source reporting summarized here does not include high-confidence technical details on KasperAgent's internal capabilities, persistence mechanisms, or command-and-control behavior. What that reporting does support with high confidence is that KasperAgent was part of Arid Viper's custom malware toolkit, used in targeted regional campaigns in the Middle East alongside other malware families such as Micropsia.
Groups observed using it
2 distinct threat actors attributed by public researchers.
In 2017, Palo Alto Networks Unit 42 reported on two malware families: KasperAgent and Micropsia, and today we still see variants of Micropsia in use.
"...to creating custom developed ones such as KASPERAGENT and MICROPSIA."
Recent activity
4 sources tracked across advisories, community write-ups, and news.
KasperAgent is a named malware family/tool used in targeted attacks in the Middle East and associated in the content with Arid Viper activity.
Custom-developed backdoor/tool referenced as part of Molerats' historical toolset.
Windows malware family previously reported alongside Micropsia in Arid Viper operations.