Connect with us

Hi, what are you looking for?



UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor

UAE-linked APT group Stealth Falcon has used the new Deadglyph backdoor in an attack targeting a governmental entity in the Middle East.

The advanced persistent threat (APT) actor Stealth Falcon has been observed deploying a new backdoor on the systems of a governmental entity in the Middle East, for espionage purposes, ESET reports.

The new backdoor, which ESET has named Deadglyph, consists of a native x64 binary that functions as an executor, and a .NET assembly that functions as an orchestrator.

The malware is delivered on the system in the form of a DLL that abuses Windows Management Instrumentation (WMI) event subscription for persistence, and which functions as a registry shellcode loader.

Once executed, the DLL loads, decrypts, and executes encrypted shellcode stored in the Windows registry, which leads to decrypting and running the executor component of Deadglyph.

The component is responsible for loading configurations and initializing the .NET runtime, and loading embedded .NET code (the orchestrator).

Deadglyph’s .NET component establishes command-and-control (C&C) communication and executes commands. It uses a timer and a network module to communicate with the C&C server periodically, at random intervals, to prevent detectable patterns.

The C&C server sends commands to the backdoor’s components in the form of tasks. The orchestrator can be tasked to modify network and timer modules’ configurations, while the executor tasks are meant to manage the backdoor and run additional modules.

ESET estimates that the executor can fetch up to fourteen different modules that function as backdoor commands, and which are served as DLLs with one unnamed export.

Advertisement. Scroll to continue reading.

At execution, the modules are provided with an API resolution function that can resolve Windows APIs and custom Executor APIs – ESET has identified 39 functions related to Executor APIs, including for file operations, encryption and hashing, compression, PE loading, utility, and access token impersonation.

One of the modules is responsible for collecting information about the operating system, network adapters, installed applications, drivers, services, drives, processes, users, security software, and environment variables.

While investigating Deadglyph, ESET discovered a CPL file signed with an expired certificate that was uploaded to VirusTotal from Qatar, which functioned as a multistage shellcode downloader, and which shared code similarities with Stealth Falcon’s backdoor.

Active since at least 2012 and believed to be linked to the United Arab Emirates (UAE) government, Stealth Falcon is known for the targeting of journalists, activists, and dissidents.

Based on similar targeting and attacks, Amnesty International in 2019 concluded that Stealth Falcon is the same group as Project Raven, an initiative allegedly composed of former NSA operatives.

Related: New Stealth Falcon Backdoor Discovered

Related: “Stealth Falcon” Threat Group Targets UAE Dissidents

Related: UAE Denies Developing Popular Mideast App as Spy Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.