A Potent Malware Backdoor Emerges, Targeting Global Governmental Entities

Image: Matthew Job Estacio (unsplash)

Researchers from ESET have uncovered a sophisticated backdoor targeting governmental bodies, primarily in the Middle East.

The newly identified backdoor, named Deadglyph, is attributed to the Stealth Falcon APT group. The group, reportedly based in the United Arab Emirates (UAE), is also tracked by researchers as Project Raven or FruityArmor. BleepingComputer notes that the group's interests lie largely in surveilling political activists, journalists and similar individuals.

Diving into the specifics, ESET's team highlights that Deadglyph is modular: it downloads additional modules from its command-and-control (C2) server, depending on what information the operators want to extract from the compromised system. The modules can call both native Windows APIs and a set of custom Executor APIs exposed by the backdoor, which gives the operators a range of capabilities, among them loading executables, token impersonation, encryption and hashing.

ESET's analysis focuses on three modules: a process creator, an information collector and a file reader. The information collector, for example, reports back to the operators details of the victim's operating system, network adapters, installed software and drivers, among other things. ESET estimates that up to 14 such modules may exist.

Little has been disclosed about the targets, but the backdoor was confirmed on a device belonging to a government-linked entity. Historically, Stealth Falcon, active since around 2012, has mostly targeted political activists and journalists rather than government officials.

Back in 2019, ESET examined one of Stealth Falcon's campaigns and found that, although its targets were few, they were geographically diverse, spanning the UAE, Saudi Arabia, Thailand and the Netherlands. In the Netherlands, the group targeted a diplomatic mission of a Middle Eastern country.

Details of the initial access methods used by the group remain scarce. For now, IT and security teams are advised to hunt for the published indicators of compromise.
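As an added example (not code from this page, from ESET, or from any published report), the following Python script shows the simplest form of that hunt: sweeping a directory tree and flagging every file whose SHA-256 matches a list of IoC hashes. The page does not reproduce ESET's indicators, so the IoC list and the sample files below are constructed for the demonstration; in practice you would paste the vendor's published hashes into the same one-hash-per-line format.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_iocs(text: str) -> set[str]:
    """Parse an IoC list: one SHA-256 hex digest per line, '#' starts a comment.

    Digests are normalised to lower case and validated, so a typo in the list
    fails loudly instead of silently never matching anything.
    """
    iocs: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 64 or not set(line) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        iocs.add(line)
    return iocs


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Walk `root` and return (path, digest) for every file whose hash is in `iocs`."""
    hits: list[tuple[Path, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable file (common for a running implant's own
                # binary); in production, log it rather than skipping silently.
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo() -> list[str]:
    """Constructed end-to-end run: two sample files, one of which is in the IoC list.

    Returns the base names of the matched files so the result can be checked.
    """
    bad_bytes = b"constructed sample standing in for a malicious module"
    good_bytes = b"constructed benign file"
    # Constructed IoC list in the same one-hash-per-line format a vendor feed
    # would use, with mixed case and a comment to exercise the parser.
    ioc_text = (
        "# constructed IoC list, not ESET's indicators\n"
        f"{hashlib.sha256(bad_bytes).hexdigest().upper()}\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "sample_bad.bin").write_bytes(bad_bytes)
        (root / "sample_good.bin").write_bytes(good_bytes)
        hits = sweep(root, load_iocs(ioc_text))
    return sorted(path.name for path, _digest in hits)


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact samples the vendor analysed; a modular backdoor that fetches fresh modules from its C2 server will not share hashes across victims, so treat a clean sweep as absence of known samples, not absence of compromise, and pair it with the file-path, registry and network indicators from the same report.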