stealth-falcon

Stealth Falcon’s Zero-Day Offensive, OilRig’s Supply Chain Escalation, and the Evolving Middle Eastern APT Landscape

Stealth Falcon, OilRig, Molerats, and Dark Caracal represent the most active and sophisticated Middle Eastern APT groups, each aligned with state or political interests and employing advanced tactics for espionage, surveillance, and disruption. Stealth Falcon’s exploitation of CVE-2025-33053..

Wes

Wes

20 min read
Stealth Falcon’s Zero-Day Offensive, OilRig’s Supply Chain Escalation, and the Evolving Middle Eastern APT Landscape
When your SOC-dad steps out for coffee and the hoodie-falcon spots a giant red button labeled ‘ZERO-DAY’… what could possibly go wrong?

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get questions like this:

  1. what do you know about Stealth Falcon ?
  2. Are there known overlaps or connections between Stealth Falcon and other regional or global threat actors in terms of infrastructure or TTPs?

Does it take a chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

Suggested Pivot

Given Stealth Falcon’s recent exploitation of CVE-2025-33053, what are the detailed characteristics of the exploit chain, including delivery mechanisms (e.g., spear-phishing with .url/.lnk files, WebDAV abuse), and how have their TTPs evolved over the past 12 months? Prioritizing this will help technical teams develop targeted detection and mitigation strategies against the most current and sophisticated attack vectors.

TL;DR

Key Points

    • Stealth Falcon is actively exploiting Microsoft zero-day CVE-2025-33053 in targeted spear-phishing campaigns against defense organizations in Turkey and the Middle East.
    • Immediate patching and advanced monitoring for WebDAV and LOLBin activity are critical for defense and government sectors.
    • OilRig (APT34) is expanding supply chain and destructive ransomware operations, leveraging a diverse malware arsenal and long-term persistence techniques.
    • Organizations must enhance credential security, monitor for PowerShell and credential dumping, and implement rigorous supply chain risk management.
    • Molerats and affiliates (APT-C-23/Arid Viper) continue targeted espionage against Israeli and Palestinian entities using geopolitical lures and RATs.
    • Regular spear-phishing simulations and endpoint detection focused on RAT activity are recommended.
    • Dark Caracal persists in fileless malware and phishing campaigns aligned with Lebanese intelligence objectives.
    • Deploy EDR solutions with behavioral analytics to detect fileless and stealthy malware.
    • Overlaps in TTPs, infrastructure, and malware among these APTs suggest possible indirect collaboration or competition, complicating attribution and defense.
    • Enhanced regional and international threat intelligence sharing is essential for timely detection and coordinated response.

Executive Summary

Stealth Falcon, OilRig, Molerats, and Dark Caracal represent the most active and sophisticated Middle Eastern APT groups, each aligned with state or political interests and employing advanced tactics for espionage, surveillance, and disruption. Stealth Falcon’s recent exploitation of CVE-2025-33053 via spear-phishing and multi-stage loaders (Horus Loader/Agent) underscores the urgency of rapid patching and advanced detection, especially in defense and government sectors. OilRig’s evolution toward supply chain compromise, destructive malware, and persistent credential theft (using tools like Mimikatz, LaZagne, and LIONTAIL) highlights the need for robust credential monitoring and supply chain security.

Molerats and affiliates maintain persistent espionage against Israeli and Palestinian targets, leveraging RATs and geopolitical lures, while Dark Caracal continues fileless malware campaigns targeting government and private sectors. The groups’ shared use of spear-phishing, PowerShell, credential dumping, and evasion techniques (code virtualization, LOLBins, fileless malware) demands a multi-layered defense: advanced EDR, user training, and continuous threat intelligence sharing.

Strategically, these APTs exacerbate regional tensions, complicate diplomatic relations, and threaten critical infrastructure. The forecast anticipates further zero-day exploitation, supply chain targeting, and operational shifts driven by geopolitical developments. Technical teams should prioritize patch management, behavioral analytics, and collaborative intelligence frameworks to mitigate these evolving threats.

Research & Attribution

Historical Context

Stealth Falcon is a UAE-linked advanced persistent threat (APT) group active since at least 2012, targeting Emirati journalists, activists, dissidents, and government and defense sectors in the Middle East and Africa. The group is known for sophisticated tactics, including spear-phishing, zero-day exploits, and custom malware such as the Horus Agent built on the Mythic C2 framework. Recent campaigns have leveraged a Microsoft zero-day vulnerability (CVE-2025-33053) to target high-profile defense organizations in Turkey and other Middle Eastern countries.

OilRig (APT34) is an Iranian state-sponsored cyber espionage group active since at least 2014. It targets government, energy, telecommunications, finance, and critical infrastructure sectors primarily in the Middle East but also globally. OilRig is known for spear-phishing, supply chain attacks, and a diverse malware arsenal including BONDUPDATER, Helminth, ISMAgent, and LIONTAIL. The group has conducted destructive ransomware and wiper attacks, notably against Albania in 2022.

Molerats is an Arabic-speaking, politically motivated threat group linked to Hamas and Palestinian interests, active since 2012. It targets Israeli and Middle Eastern government, military, media, and NGO sectors using spear-phishing with geopolitical and military-themed lures. Molerats is closely affiliated with APT-C-23 (Arid Viper), sharing infrastructure and malware.

Dark Caracal is attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. It targets government and private organizations across multiple countries, employing phishing and fileless malware techniques aligned with Lebanese intelligence objectives.

Timeline

  • 2012: Stealth Falcon, Molerats, and Dark Caracal begin operations.
  • 2014: OilRig (APT34) emerges as an Iranian state-sponsored group.
  • 2016: Citizen Lab reports on Stealth Falcon targeting UAE dissidents.
  • 2022-2025: Stealth Falcon uses zero-day exploits (CVE-2025-33053) in espionage campaigns targeting government and defense organizations in the Middle East and Africa.
  • 2022: OilRig conducts destructive ransomware attacks against Albania.
  • 2023: OilRig executes long-term intrusions against Middle Eastern government entities using PowerShell backdoors and custom loaders.
  • 2023-2025: Molerats and affiliates maintain cyber espionage campaigns targeting Israeli and Palestinian entities.
  • 2022-2025: Dark Caracal continues phishing and fileless malware campaigns targeting government and private sectors.

Origin

Stealth Falcon is linked to the UAE government, conducting state-sponsored espionage. OilRig is attributed to Iran’s Ministry of Intelligence and Security (MOIS). Molerats is associated with Hamas and Palestinian interests. Dark Caracal is linked to Lebanese state intelligence.

Countries Targeted

  1. United Arab Emirates – Stealth Falcon targets dissidents, journalists, and government sectors.
  2. Turkey – Recent Stealth Falcon campaigns targeted defense organizations.
  3. Israel – Molerats and affiliates focus on government, military, and civil society.
  4. Lebanon – Dark Caracal targets government and private sectors.
  5. Middle Eastern and African countries – Stealth Falcon and OilRig conduct espionage campaigns.

Sectors Targeted

  1. Government – All groups target government entities for intelligence gathering.
  2. Defense and Military – Stealth Falcon, OilRig, and Molerats focus on defense sectors.
  3. Telecommunications – OilRig targets telecom infrastructure.
  4. Media and Activists – Stealth Falcon targets journalists and activists.
  5. Finance and Energy – OilRig targets financial and energy sectors.

Motivation

Stealth Falcon’s motivation is state-sponsored espionage to monitor dissent, gather intelligence on regional adversaries, and protect UAE national security. OilRig aims to advance Iranian geopolitical influence, destabilize rivals, and collect intelligence. Molerats pursues Palestinian political and military objectives aligned with Hamas. Dark Caracal serves Lebanese intelligence goals.

Attack Types

Stealth Falcon uses spear-phishing, zero-day exploits (notably CVE-2025-33053), custom multi-stage loaders (Horus Loader), and implants (Horus Agent), WebDAV abuse, and living-off-the-land binaries (LOLBins). OilRig employs spear-phishing, supply chain attacks, advanced malware families, DNS and HTTP C2 channels, credential dumping, and destructive ransomware/wiper malware. Molerats relies on spear-phishing with geopolitical lures and custom malware. Dark Caracal uses phishing, fileless malware, and social engineering.

Notable Recent Campaigns and Technical Details

Stealth Falcon

  • In March 2025, Stealth Falcon exploited a zero-day Windows vulnerability (CVE-2025-33053) to target a major defense organization in Turkey. The attack used a deceptive .url file that triggered malware hosted on a WebDAV server, abusing legitimate Windows tools to execute code silently.
  • The infection chain involved a multi-stage loader called Horus Loader, which uses code virtualization and anti-analysis techniques to evade detection.
  • The final payload was Horus Agent, a custom-built implant for the Mythic C2 framework, designed for stealth, anti-analysis, and selective payload deployment.
  • The group also uses custom post-exploitation tools including a credential dumper that extracts Active Directory credentials from virtual disk copies, a passive backdoor, and a keylogger.
  • Infection vectors include spear-phishing emails with archive attachments containing .url or .lnk files that leverage WebDAV and LOLBins for payload delivery.
  • Domains used in campaigns are often older, legitimate domains repurposed to evade detection.

OilRig (APT34)

  • OilRig has conducted extensive spear-phishing campaigns with tailored lures, including LinkedIn phishing masquerading as trusted entities.
  • The group exploits vulnerabilities such as CVE-2017-11882 (Microsoft Office) and CVE-2019-0604 (Microsoft SharePoint).
  • OilRig uses a diverse malware arsenal including BONDUPDATER, Helminth backdoor, ISMAgent, ISMDoor, LaZagne, Mimikatz, PICKPOCKET credential stealer, and ZeroCleare destructive malware.
  • The group employs DNS tunneling, HTTP communications, scheduled tasks, macros, and PowerShell scripts for persistence and stealth.
  • In 2023, OilRig conducted an eight-month-long intrusion against undisclosed Middle Eastern government entities, deploying PowerShell backdoors and keyloggers, and using the LIONTAIL framework for custom loaders and memory-resident shellcode.
  • OilRig has also been linked to destructive ransomware and wiper attacks, notably against Albania in 2022.

Molerats and Affiliates (APT-C-23 / Arid Viper)

  • Molerats uses spear-phishing with political and military-themed lures targeting Israeli and Palestinian entities.
  • The group deploys a range of malware including BlackShades, BrowserPasswordDump10, DarkComet, SPARK RAT, and Quasar RAT.
  • Affiliates like Arid Viper have targeted Israeli government offices, military organizations, and academic institutions since at least 2012.
  • Recent campaigns include surveillance of Israeli officials and Palestinian political opposition, with infrastructure actively maintained as of late 2023.

Dark Caracal

  • Dark Caracal employs phishing emails with malicious PDF attachments and fileless malware techniques.
  • The group targets government and private organizations across multiple countries, focusing on intelligence gathering aligned with Lebanese state interests.
  • Operations have been ongoing since at least 2012, with continued activity reported through 2024.
  • No confirmed direct links between Stealth Falcon and other regional APT groups exist in open-source reporting.
  • Some overlaps in TTPs, infrastructure reuse, and malware families suggest possible indirect relationships or shared operational methods, especially among Middle Eastern espionage groups.
  • OilRig is linked to subgroups such as Greenbug and has operational overlaps with other Iranian-aligned groups like APT33 and FOX Kitten.
  • Molerats is closely affiliated with APT-C-23 (Arid Viper), sharing infrastructure and malware.
  • Speculative discussions exist about coordination or rivalry among these groups, but concrete evidence remains limited.

MITRE ATT&CK Techniques (Selected Examples)

Stealth Falcon (G0038)

  • Spearphishing Attachment (T1566.001)
  • Spearphishing Link (T1566.002)
  • User Execution (T1204)
  • Exploitation of Remote Services (T1210)
  • Command and Scripting Interpreter: PowerShell (T1059.001)
  • Credential Dumping (T1003)
  • Process Injection (T1055)
  • File and Directory Discovery (T1083)
  • Data from Local System (T1005)
  • Exfiltration Over C2 Channel (T1041)
  • Obfuscated Files or Information (T1027)
  • Scheduled Task/Job (T1053.005)

OilRig (G0049)

  • Spearphishing Attachment (T1566.001)
  • Spearphishing Link (T1566.002)
  • User Execution (T1204)
  • Scheduled Task/Job (T1053.005)
  • Exfiltration Over Alternative Protocol (T1048)
  • Data from Local System (T1005)
  • Credential Dumping (T1003)
  • Command and Scripting Interpreter: PowerShell (T1059.001)
  • Remote Services: Remote Desktop Protocol (T1021.001)
  • Masquerading (T1036)
  • Network Service Scanning (T1046)
  • Supply Chain Compromise (T1195)

Molerats (G0021)

  • Spearphishing Attachment (T1566.001)
  • Command and Scripting Interpreter: PowerShell (T1059.001)
  • Credential Dumping (T1003)
  • Data Staged (T1074)
  • Exfiltration Over C2 Channel (T1041)

Dark Caracal (G0070)

  • Spearphishing Attachment (T1566.001)
  • Phishing (T1566)
  • Fileless Malware (T1055)
  • Command and Scripting Interpreter (T1059)
  • Data from Local System (T1005)
  • Exfiltration Over C2 Channel (T1041)

Breaches Involving This Threat Actor

  • No publicly confirmed major breaches attributed to Stealth Falcon in the past 2-3 years were found in open-source news.
  • Stealth Falcon’s recent campaigns focus on espionage and targeted surveillance rather than disruptive breaches.
  • OilRig has been linked to destructive ransomware and wiper attacks, including a notable campaign against the Albanian government in 2022.
  • Molerats and Dark Caracal primarily conduct espionage and surveillance with no publicly disclosed major breaches.

Strategic Implications

The activities of Stealth Falcon, OilRig, Molerats, and Dark Caracal have significant implications for regional stability, diplomatic relations, and national security in the Middle East and beyond.

  • Regional Stability: These groups contribute to ongoing cyber espionage and influence operations that exacerbate tensions among Middle Eastern states. Stealth Falcon’s targeting of dissidents and regional adversaries supports UAE’s strategic interests but raises concerns about repression and surveillance. OilRig’s operations align with Iran’s efforts to assert regional dominance and destabilize rivals, including through destructive cyberattacks. Molerats and Dark Caracal’s activities reflect the cyber dimension of the Israeli-Palestinian conflict and Lebanese state interests, respectively.

  • Diplomatic Relations: Cyber operations by these groups complicate diplomatic engagements, as states accuse each other of sponsoring or harboring cyber espionage actors. The use of cyber tools for political repression and intelligence gathering undermines trust and fuels geopolitical rivalries. For example, Stealth Falcon’s targeting of activists and journalists has drawn international criticism, while OilRig’s destructive campaigns have heightened tensions with Gulf states and Western allies.

  • National Security Interests: The targeting of government, defense, telecommunications, and critical infrastructure sectors by these groups poses direct threats to national security. The use of zero-day exploits and advanced malware by Stealth Falcon and OilRig demonstrates their capability to penetrate high-value networks, potentially enabling espionage, sabotage, or influence operations. The persistence and sophistication of these actors require robust cybersecurity defenses and intelligence sharing among affected nations.

  • Geopolitical Developments: Recent normalization agreements and shifting alliances in the Middle East may influence the operational focus of these groups. For instance, Stealth Falcon’s campaigns may intensify against perceived adversaries as regional alignments evolve. Similarly, Iran-aligned groups like OilRig may adjust targeting in response to diplomatic pressures or conflicts. The cyber domain remains a critical front in the broader geopolitical contest for influence and security.

  • Recommendations for Decision-Makers: Strategic decision-makers should prioritize enhanced cyber threat intelligence sharing, invest in advanced detection and response capabilities, and engage in diplomatic efforts to establish norms and deterrence mechanisms in cyberspace. Understanding the evolving tactics and motivations of these regional threat actors is essential for mitigating risks and safeguarding national interests.

Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps..

(Subscribers Only)

Read more