Security Experts:

Connect with us

Hi, what are you looking for?


Cyber Insurance

Seven ‘Creepy’ Backdoors Used by Lebanese Cyberspy Group in Israel Attacks

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage.

Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information technology, law, marketing, media, and social services entities in Israel.

An active threat that constantly updates its toolset, Polonium has been using seven different backdoors and custom tools slightly modified between attacks, and has been abusing cloud services for command and control (C&C) communications.

“We have seen more than 10 different malicious modules since we started tracking the group, most of them with various versions or with minor changes for a given version,” ESET explains.

The group relies on small modules with limited functionality and even divide the code in their seven backdoors – namely CreepyDrive, CreepySnail, DeepCreep, MegaCreep, FlipCreep, TechnoCreep, and PapaCreep – to hide the full infection chain.

In use since February 2022, CreepyDrive and CreepySnail are PowerShell backdoors that support command execution and which have been detailed by Microsoft in June. The five remaining backdoors in Polonium’s arsenal are previously undocumented.

DeepCreep is a C# backdoor in use since October 2021, which can retrieve commands from text files on Dropbox, can upload and download files to and from the cloud service, and achieves persistence by placing a shortcut file in the Startup folder and by creating a scheduled task.

Polonium Creep backdoors

MegaCreep, which Polonium has been using since April 2022, retrieves commands from text files stored in Mega cloud storage. The backdoor appears to be a newer version of DeepCreep, reusing some of its code.

FlipCreep, a C# backdoor that reads commands from a text file on an FTP server, and TechnoCreep, which relies on TCP sockets for C&C communication, support similar file transfer capabilities as the other malware families and have been in use since September 2021.

Written in C++, PapaCreep is the most recent backdoor in Polonium’s arsenal, first seen in September 2022. Featuring a modular design, it uses different components to read commands from a file, to communicate with the C&C server, to upload files to the C&C, and to download files from the server.

The cyberespionage group uses additional modules on top of these backdoors, including reverse shells and a tunneling module, as well as custom and open source keyloggers.

Related: Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations

Related: New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

Related: New Cyberespionage Group ‘Worok’ Targeting Entities in Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...