Pierogi
Pierogi is a Windows malware variant in the Micropsia family used by the threat actor Arid Viper, also known as Desert Falcon and APT-C-23. Public reporting identifies Pierogi as one of multiple Micropsia variants tracked alongside Primewire, Fgref, Sears, Rahman, PyMicropsia, and Glasswire. The most widely used variant was reported by Cybereason in February 2020 under the name “Pierogi.”
Pierogi is associated with Arid Viper’s long-running cyber-espionage operations in the Middle East. Reporting links the broader actor to campaigns targeting primarily Palestinian individuals and organizations, including government officials, Fatah members, student groups, and security forces; other public reporting also connects the group to operations against Israeli targets. Arid Viper relied heavily on social engineering, fake social media personas, phishing, and attacker-controlled infrastructure, including more than 100 websites used for malware hosting, credential theft, and command-and-control. Facebook’s April 2021 report states that the group continued using and developing Micropsia Windows malware variants, including Pierogi.
High-confidence details specific to Pierogi are limited to its identification as a Micropsia-family Windows malware variant used by Arid Viper/APT-C-23 and its mention in public reporting by Cybereason and SentinelOne. The available reporting does not describe distinct technical capabilities, infection chain details, or unique indicators of compromise specific to Pierogi itself.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The most widely used variant we’ve seen was reported on by Cybereason in February 2020, which they called “Pierogi”.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 2 techniques
Privilege Escalation: 2 techniques
Credential Access: 2 techniques
Collection: 3 techniques
Most samples are found to have a combination of the following features: ... Install a keylogger
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure as well as file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Pierogi is listed as a named malware/tool in SentinelOne reporting on Gaza Cybergang activity targeting Hamas opposition.
A widely used Delphi/Free Pascal Micropsia variant deployed by Arid Viper for Windows espionage, supporting standard Micropsia-style check-ins and, in some samples, screenshot uploads.