A powerful new malware backdoor is targeting governments across the world

Stealth Falcon is back with brand-new modular malware.


Cybersecurity researchers from ESET have discovered a new, sophisticated piece of malware targeting government organizations in the Middle East.

The malware is dubbed Deadglyph, and apparently is the work of the Stealth Falcon APT, a state-sponsored threat actor allegedly from the United Arab Emirates (UAE). This group is also known among some researchers as Project Raven, or FruityArmor, BleepingComputer reports, and targets political activists, journalists, dissidents, and similar individuals.

In its technical writeup, ESET's researchers explained that Deadglyph is a modular piece of malware, capable of receiving additional modules from its command and control (C2) server depending on what the operators want from the target endpoint. The modules can call both the Windows API and a custom Executor API, which gives the threat actors at least a dozen functions to work with, including loading executable files, token impersonation, encryption, and hashing.

Multiple modules


ESET analyzed three modules: a process creator, an information collector, and a file reader. The collector, for example, can tell the threat actors which operating system the victim is using, which network adapters the endpoint has, which software and drivers it has installed, and more. The researchers believe up to 14 modules are available.

There is no word on potential targets, other than that the malware was found on a device belonging to a government organization. Earlier reports, however, describe Stealth Falcon as a decade-old threat actor (in operation since at least 2012) that targets political activists and journalists, not government employees.

In 2019, ESET analyzed one of Stealth Falcon's campaigns, concluding that the targets, although small in number, were scattered around the world: in the UAE, Saudi Arabia, Thailand, and the Netherlands. In the latter, though, the group targeted a diplomatic mission of a Middle Eastern country.

At the moment there is no information on how the attackers managed to infiltrate the target devices, so there is no initial-access vector to block. For now, IT teams can only hunt for the indicators of compromise that ESET has published alongside its writeup.
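One way a defender would operationalize a published IOC list like ESET's is a hash sweep: parse the list, hash every file under a tree, and report matches. The script below is an added example, not ESET's or TechRadar's code. The IOC values in it are constructed placeholders (one is the hash of a constructed sample payload, the other an all-zero dummy), not real Deadglyph indicators; in use, the contents of SAMPLE_IOC_TEXT would be replaced by the hashes ESET published.

```python
"""Sweep a directory tree for files whose SHA-256 appears in an IOC list.

Added example, not code from ESET or the article. Every hash below is a
CONSTRUCTED placeholder; substitute the real published indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "malicious" content so the demo has something to match.
_SAMPLE_PAYLOAD = b"constructed sample payload standing in for a malicious DLL"

# Constructed stand-in for a published IOC file: one SHA-256 per line,
# '#' comments and blank lines ignored, hex case irrelevant.
SAMPLE_IOC_TEXT = f"""
# Deadglyph-style IOC list (CONSTRUCTED placeholder values, not real IOCs)
{hashlib.sha256(_SAMPLE_PAYLOAD).hexdigest().upper()}   # stage loader (placeholder)
0000000000000000000000000000000000000000000000000000000000000000  # placeholder
"""


def parse_ioc_list(text: str) -> set[str]:
    """Return the set of lowercase SHA-256 hex digests in an IOC file."""
    iocs: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            # A malformed entry would silently never match, so reject it loudly.
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        iocs.add(line)
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Walk root and return (path, digest) for each file whose hash is an IOC."""
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo() -> list[tuple[Path, str]]:
    """Build a constructed sample tree, scan it, and return matches relative to root."""
    iocs = parse_ioc_list(SAMPLE_IOC_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        (root / "sub").mkdir()
        (root / "sub" / "loader.dll").write_bytes(_SAMPLE_PAYLOAD)  # constructed hit
        return [(p.relative_to(root), d) for p, d in scan_tree(root, iocs)]


if __name__ == "__main__":
    for path, digest in demo():
        print(f"IOC match: {path} sha256={digest}")
```

Hash matching only catches the exact samples ESET saw; a recompiled module will not match, so a sweep like this is a floor, not a ceiling, for detection.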


Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
