Security Experts:

Connect with us

Hi, what are you looking for?



Arabic Threat Group Attacking Thousands of Victims Globally

Dmitry Bestuzhev Presents Research at SAS 2015

Kaspersky Lab security expert Dmitry Bestuzhev presents research on “Desert Falcons” at the Kaspersky Lab Security Analyst Summit on Feb. 17.

Dmitry Bestuzhev Presents Research at SAS 2015

Kaspersky Lab security expert Dmitry Bestuzhev presents research on “Desert Falcons” at the Kaspersky Lab Security Analyst Summit on Feb. 17.

CANCUN, Mexico  – Kaspersky Lab Security Analyst Summit – Threat actors with Arabic roots are targeting multiple high profile organizations and individuals from Middle Eastern countries, according to a new report from Kaspersky Lab.

The attack group, dubbed “Desert Falcons” by the security firm, appears to be the first known Arabic cyber-espionage group to develop and run full-scale cyber-espionage operations, researchers said.

Details of the campaign, which has been active for at least two years, were unveiled at Kaspersky Lab’s Security Analyst Summit in Cancun, Mexico on Tuesday.

According to Kaspersky researchers, the peak of their activity occurred at the beginning of 2015, and so far, the attackers have been able to steal more than one million files from more than 3,000 victims in over 50 countries.

Kaspersky Lab began its investigation of the group in August 2014, and has so far been able to identify a total of more than 100 malware samples used by the group in their attacks.

While the vast majority of targets based in Egypt, Palestine, Israel and Jordan, victims were also found in Qatar, KSA, UAE, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries, Kaspersky said.

Targeted victims include Military and Government organizations, media outlets, research and education institutions, energy and utilities providers, activists and political leaders; physical security companies; and other targets holding geopolitical information.

According to Kaspersky Lab, attackers have primarily used malware-laden spear phishing e-mails, along with social engineering techniques through social networking sites and chat messages to infect victims.

After infecting the system of a victim, the attackers used one of two different Backdoors: the main Desert Falcons’ Trojan or the DHS Backdoor, both which appear to have been developed from scratch and are in continuous development, Kaspersky said.

Malware tools used by the group, were made from scratch and target both Windows PCs and Android-based devices. The tools used have full Backdoor functionality, including the ability to take screenshots, log keystrokes, upload/download files, collect information about all Word and Excel files on a victim’s Hard Disk or connected USB devices, steal passwords stored in the system registry and make audio recordings.

The Android malware appears to be a backdoor capable of stealing mobile calls and SMS logs, the firm said.

“The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data,” said Kaspersky Lab security expert Dmitry Bestuzhev.

“We expect this operation to carry on developing more Trojans and using more advanced techniques. With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks,” he said.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.