New Stealth Falcon Backdoor Discovered

ESET security researchers have discovered a new backdoor associated with the United Arab Emirates (UAE)-linked Stealth Falcon threat actor

Active since 2012, the group is known for targeting journalists, activists and dissidents, and has been linked to Project Raven, an initiative allegedly employing former NSA operatives.

Some technical information on Stealth Falcon has been public for several years, including the analysis of a PowerShell-based backdoor dropped via a malicious document.

ESET now says it discovered a previously unreported executable backdoor that has been used in a small number of attacks in the UAE, Saudi Arabia, Thailand, and the Netherlands. Dubbed Win32/StealthFalcon, it shares similarities with the previously analyzed PowerShell script, linking both to the same actor.

Win32/StealthFalcon, ESET says, appears to have been created in 2015 to provide attackers with a means of controlling infected systems remotely.

The malware uses a rather unusual command and control (C&C) communication channel, namely the standard Windows component Background Intelligent Transfer Service (BITS), which was designed to transfer large amounts of data without taking up too much network bandwidth.

Commonly used by updaters, messengers, and other background programs, BITS is exposed through a COM interface, which makes its abuse harder to detect; its transfers were designed to be unobtrusive and are likely permitted by host-based firewalls.
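A defender-side hunt that follows from the BITS description above, added here as an example and not taken from ESET's report: enumerate the BITS jobs on a host and flag any whose remote URL points at a host outside an allowlist, or that carries a notification command line. The allowlist entries are constructed placeholders, and `Get-BitsTransfer -AllUsers` assumes an elevated PowerShell session.

```powershell
# Added example (not from the ESET report): hunt for BITS jobs that could serve
# as a C&C or download channel. -AllUsers needs an elevated PowerShell session.
Import-Module BitsTransfer

# Constructed allowlist of hosts this environment expects BITS to talk to.
# Replace with the hosts your updaters and software actually use.
$AllowedHosts = @(
    'download.windowsupdate.com',
    'update.microsoft.com'
)

function Find-SuspiciousBitsJobs {
    param([string[]]$Allowed = $AllowedHosts)

    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction Stop) {
        $reasons = @()

        # Any remote file whose host is not on the allowlist deserves a look.
        $remoteHosts = @($job.FileList | ForEach-Object {
            ([System.Uri]$_.RemoteName).Host
        } | Sort-Object -Unique)
        $unknown = @($remoteHosts | Where-Object { $Allowed -notcontains $_ })
        if ($unknown.Count -gt 0) {
            $reasons += "remote host(s): $($unknown -join ', ')"
        }

        # A notification command line makes BITS run a program when the job
        # finishes; legitimate updaters rarely need this.
        if ($job.NotifyCmdLine) {
            $reasons += "notify cmdline: $($job.NotifyCmdLine)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousBitsJobs | Format-Table -AutoSize
```

Hits are a starting point for triage, not a verdict: compare the job owner and creation time against the scheduled tasks and software inventory on the host before acting.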

Delivered as a DLL, the backdoor schedules itself as a task that runs at user login and provides attackers with a set of basic capabilities, including data collection, data exfiltration, application execution, and self-removal. Data prepared for exfiltration is stored encrypted.

The malware also appears to include a detection-evasion trick: a function referencing more than 300 imports is executed before any malicious payload is started, although none of those imports is actually used. Instead, the function simply returns and the payload runs.

The newly discovered backdoor shares the same C&C server with the PowerShell-based backdoor previously attributed to the Stealth Falcon group, namely windowsearchcache[.]com.

Additionally, ESET observed significant similarities in code between the two, despite the fact that they are written in different languages. Both use hardcoded identifiers to prefix all network communication from the compromised host.

“We discovered and analyzed a backdoor with an uncommon technique for C&C communication – using Windows BITS – and some advanced techniques to hinder detection and analysis, and to ensure persistence and complicate forensic analysis. Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group,” ESET concludes. 

Related: “Stealth Falcon” Threat Group Targets UAE Dissidents

Related: Attacks Use Windows BITS Notifications to Download Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
