UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor

Stealth Falcon is an advanced persistent threat (APT) actor with ties to the United Arab Emirates (UAE). The APT group has previously targeted journalists, activists, and dissidents on behalf of the UAE government.


ESET observed the group using a new backdoor, Deadglyph, against other governments in the Middle East. Deadglyph functions as both an executor and a .NET assembly orchestrator. The malware is delivered as a dynamic link library (DLL), which decrypts and executes shellcode to run Deadglyph's executor component. The executor then loads its configuration and initiates the .NET component, which establishes command-and-control (C&C) communications. Deadglyph uses a timer and a network module to communicate with the C&C server at random intervals, which helps it avoid detection based on pattern recognition. The executor can also run additional modules capable of encryption and hashing, compression, PE loading, and access token impersonation.
