APT-C-23
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 21 attack patterns (MITRE), 8 malware, 3 countries, 51 indicators
Aliases
Mantis, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, Two-tailed Scorpion, Arid Viper
Description
Marking (TLP)
TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 1 Malware · 3 Observables · 1 APT
Attack patterns (MITRE) (21)
- T1192 · uses
- T1566 Phishing · uses · MITRE
- T1114.002 Remote Email Collection · uses · MITRE
- Phishing · uses
- T1055.001 Dynamic-link Library Injection · uses · MITRE
- T1036 Masquerading · uses · MITRE
- T1007 System Service Discovery · uses · MITRE
- T1113 Screen Capture · uses · MITRE
- T1204 User Execution · uses · MITRE
- T1049 System Network Connections Discovery · uses · MITRE
- T1010 Application Window Discovery · uses · MITRE
- T1422 · MITRE
Malware (8)
- Desert Scorpion · uses · Family · The MITRE Corporation · Confidence 100
  [Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor [APT-C-23](https://attack.mitre.org/groups/G1028).(Citation:…
  First seen 01/01/1970 · Last seen 16/11/5138
- SpyC23 · uses · Family · The MITRE Corporation · Confidence 100
  [SpyC23](https://attack.mitre.org/software/S1195) is a mobile malware that has been used by [APT-C-23](https://attack.mitre.org/groups/G1028) since at least 2017. [SpyC23](https://attack.mitre.org/software/S1195) has been observed primarily targeting Android devices in the Middle East.(Citation: welivesecurity_apt-c-23)…
  First seen 01/01/1970 · Last seen 16/11/5138
- AridSpy · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- Phenakite · uses · Family · The MITRE Corporation · Confidence 100
  [Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to…
  First seen 01/01/1970 · Last seen 16/11/5138
- Micropsia · uses · Family · The MITRE Corporation · Confidence 100
  [Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)
  First seen 01/01/1970 · Last seen 16/11/5138
- FrozenCell · uses · Family · The MITRE Corporation · Confidence 100
  [FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell) There are multiple close variants of…
  First seen 01/01/1970 · Last seen 16/11/5138
- QuasarRAT · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
- RedAlert.apk · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138
Countries (3)
- Egypt · targets
- Israel · targets
- Palestine · targets
Indicators (51)