APT-C-23 is the name assigned to an Advanced Persistent Threat (APT) group. The same group is also known as Two-Tailed Scorpion or Desert Scorpion. The group has been observed carrying out several malicious campaigns against users located in the Middle East, and it uses both Windows and Android tools in its operations.

The activities of the group were first detailed by researchers at Qihoo 360 Technology in March 2017. During the same year, various infosec research teams began identifying different info-stealer Trojan tools that have since been attributed to APT-C-23:

  • Palo Alto Networks described a threat they called VAMP
  • Lookout analyzed a Trojan they named FrozenCell
  • TrendMicro uncovered the GnatSpy threat

In 2018, Lookout detected one of the signature Trojan tools in APT-C-23's arsenal and named it Desert Scorpion. The campaign involving Desert Scorpion is reported to have hit over 100 targets in Palestine. The attackers managed to get their malware onto the official Google Play Store, but relied on numerous social-engineering tactics to lure victims into downloading it. They created a Facebook profile for a fictitious woman and used it to promote links leading to a malicious messaging application called Dardesh. The Desert Scorpion campaign showed one of the procedures characteristic of APT-C-23: the separation of the attack's malicious functionality into several stages. The Dardesh application acted only as a first-stage dropper that delivered the actual second-stage payload.

APT-C-23 resumed its activity at the start of 2020, when it was associated with an attack campaign against Israel Defense Forces (IDF) soldiers. The group did not deviate from its standard operations and once again used messaging applications to deliver info-stealer Trojans. The malicious applications were promoted through specially crafted websites designed to advertise the applications' claimed features and to provide direct download links for the targeted victims.

The latest operation attributed to APT-C-23 involves a vastly improved version of its Trojan, named Android/SpyC23.A by researchers at ESET. The group remains focused on the same region: the tool, posing as a WeMessage application, was detected on devices belonging to users located in Israel. In addition to the usual array of functions expected from a modern info-stealer Trojan, Android/SpyC23.A has been equipped with several new and powerful capabilities. It can initiate calls while hiding its activity behind a black screen displayed on the compromised device. The Trojan is also capable of dismissing notifications from various Android security applications; which applications are targeted depends on the specific model or manufacturer of the infiltrated device. A unique feature of Android/SpyC23.A is its ability to dismiss its own notifications. According to the researchers, such a function could be used to hide error alerts that might appear during the Trojan's background activity.
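The three capabilities just described (placing calls, covering the screen, and dismissing notifications) each map to a distinct Android permission, which gives a defender a cheap triage heuristic for a sideloaded "messaging" APK before it is installed. The script below is an added illustration and is not code from the ESET write-up or from any APT-C-23 tooling. It assumes that, on Android, placing calls requires `android.permission.CALL_PHONE`, drawing a screen over other apps requires `android.permission.SYSTEM_ALERT_WINDOW`, and reading or dismissing other apps' notifications requires a service protected by `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`; the two manifests it parses are constructed for the example, not real samples.

```python
"""Permission-based triage of a decoded AndroidManifest.xml.

Added example (not from the page or from the malware authors). Assumption:
the capabilities described in the text map to the Android permissions listed
in CAPABILITY_PERMISSIONS. Both sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Capability -> permission(s) that capability needs on Android (assumption, see above).
CAPABILITY_PERMISSIONS = {
    "covert_calls": {"android.permission.CALL_PHONE"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "notification_control": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

# Constructed manifest resembling a messaging app that bundles all three capabilities.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a plain chat client that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def extract_permissions(manifest_xml):
    """Return the set of permissions declared or required by the manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR)
        if name:
            found.add(name)
    # A notification listener is not requested via <uses-permission>; it is a
    # <service> guarded by the BIND_NOTIFICATION_LISTENER_SERVICE permission.
    for svc in root.iter("service"):
        perm = svc.get(PERMISSION_ATTR)
        if perm:
            found.add(perm)
    return found


def triage(manifest_xml):
    """Map declared permissions to the capabilities of interest.

    The heuristic flags an app as suspicious when two or more of the
    capabilities co-occur: a chat client rarely needs to both place calls
    silently and read every other app's notifications.
    """
    perms = extract_permissions(manifest_xml)
    matched = {
        cap: sorted(perms & needed)
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }
    return {
        "permissions": sorted(perms),
        "capabilities": matched,
        "suspicious": len(matched) >= 2,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The manifest inside a real APK is binary-encoded; run it through a decoder such as apktool first and feed the resulting XML to `triage`. The heuristic is a triage aid, not a verdict: a legitimate dialer or accessibility tool can hold these permissions, so a hit should trigger closer inspection rather than an automatic block.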

APT-C-23 is a prolific and sophisticated group that constantly evolves its malware tools and employs social-engineering strategies tailored to specific user groups.

