ETDA ThaiCERT
Report
Search
Home > List all groups > Stealth Falcon, FruityArmor

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Stealth Falcon, FruityArmor

NamesStealth Falcon (Citizen Lab)
FruityArmor (Kaspersky)
Project Raven (Reuters)
CountryUAE UAE
MotivationInformation theft and espionage
First seen2012
Description(Citizen Lab) This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organization called “The Right to Fight” contacted Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel. Donaghy has written critically of the United Arab Emirates (UAE) government in the past, and had recently published a series of articles based on leaked emails involving members of the UAE government.

Circumstantial evidence suggests a link between Stealth Falcon and the UAE government. We traced digital artifacts used in this campaign to links sent from an activist’s Twitter account in December 2012, a period when it appears to have been under government control. We also identified other bait content employed by this threat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims. Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, “UAE” in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity.
ObservedSectors: Civil society groups and Emirati journalists, activists and dissidents.
Countries: Netherlands, Saudi Arabia, Thailand, UAE, UK.
Tools usedStealthFalcon and 0-day exploits.
Operations performed2014Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy — dissidents, rival leaders and journalists.
<https://www.reuters.com/investigates/special-report/usa-spying-raven/>
Oct 2016Windows zero-day exploit used in targeted attacks by FruityArmor APT
<https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/>
Oct 2018Zero-day exploit (CVE-2018-8453) used in targeted attacks
<https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/>
Oct 2018Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)
<https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/>
Sep 2019ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East.
<https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/>
Information<https://citizenlab.ca/2016/05/stealth-falcon/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0038/>

Last change to this card: 22 April 2020

Download this actor card in PDF or JSON format

Previous: Sphinx
Next: Stone Panda, APT 10, menuPass

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key