“Stealth Falcon” Threat Group Targets UAE Dissidents

An advanced persistent threat (APT) group believed to be linked to the government of the United Arab Emirates (UAE) has been observed targeting journalists, activists and dissidents.

A report published by the Citizen Lab research group shows that the threat actor, dubbed Stealth Falcon, has been around since at least 2012. In the operations analyzed by researchers, the attackers leveraged Twitter, spear phishing emails, a malicious URL shortening service, and spyware.

The UAE is known for its poor human rights record and there is evidence that the government launched malware attacks in the past against dissidents using products provided by the Italian spyware maker Hacking Team.

One of the Stealth Falcon attacks investigated by Citizen Lab was aimed at Rori Donaghy, a British journalist and founder of the Emirates Center for Human Rights. Donaghy was contacted in November 2015 via email by an entity called “The Right to Fight” with a proposal to participate in a human rights panel.

The journalist became suspicious and forwarded the email to Citizen Lab, but the researchers advised him to communicate with the attacker to see where it would lead. The first email sent to Donaghy contained a shortened link pointing to the website of Al Jazeera, while a second email contained a macro-enabled document designed to deliver a custom-built backdoor that gave attackers complete control over the infected computer.

The emails sent by Stealth Falcon informed the journalist that they added “macro enabled security” to protect the content of the attachment. An analysis of the spyware used to target Donaghy revealed a network of 67 active command and control (C&C) servers, which suggests that the spyware has been used in multiple attacks.

A detailed analysis of the URL shortening website revealed that while the site appeared to be a public service, its operators could create links that allowed them to profile users’ systems, most likely in an effort to determine if they are plagued by exploitable vulnerabilities. The service not only checked for the presence of antivirus products, but it also attempted to deanonymize Tor users via an outdated technique.

Researchers also identified links being sent out in an Instagram attack, and the service was also leveraged to lure users to a fake file sharing website and various fake forums.

Further analysis of Donaghy’s email account revealed that the journalist had been previously contacted in 2013 by an individual who claimed to be a UK journalist named Andrew Dwight. Researchers discovered that a Twitter account associated with this persona had also reached out to three UAE dissidents. They also determined that Stealth Falcon had used the social media platform to contact two dozen Twitter profiles, including ones belonging to individuals who were arrested or convicted by the UAE government for their online activities.

Another clue that allowed researchers to link Stealth Falcon’s activities to the UAE government is a Twitter account that shared a link associated with the threat actor while it was under the government’s control.

While the evidence linking Stealth Falcon to the UAE government is circumstantial, Citizen Lab pointed out that there is nothing to suggest that the group’s attacks have criminal or financial motivation. Furthermore, the attacker’s targets, resources and tactics are consistent with those of a state-sponsored actor.

“Stealth Falcon’s technical approach may not be cutting edge, but the operators are neither unsophisticated or ineffective. Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets,” Citizen Lab said in its report. “Stealth Falcon’s campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
