Hackers linked to Hamas have been implicated in five cyberespionage campaigns targeting Palestine and Egypt.
The evidence emerged in new research from ESET, a cybersecurity company based in Slovakia. Analysts at the firm detected five campaigns spreading trojanized apps to Android users. The attacks focus on user data espionage in Palestine and Egypt.
The campaigns deploy multistage Android spyware, which ESET calls “AridSpy.”
To distribute the spyware, the hackers used dedicated websites that impersonate real apps. In Palestine, they primarily harnessed a malicious Palestinian Civil Registry app.
“In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app,” said Lukáš Štefanko, the ESET researcher who discovered AridSpy.
“Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file.”
ESET attributed the campaigns — with “medium confidence” — to the notorious Arid Viper APT group.
Who is Arid Viper?
Arid Viper is also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion. Active since at least 2013, the cyberespionage group is notorious for targeting countries in the Middle East. It’s also known for deploying a vast arsenal of malware for Android, iOS, and Windows platforms.
Cybersecurity vendors have previously linked the group to Hamas. It primarily targets entities in Israel and Palestine, but its reach extends beyond these borders. Analysts have said this hints at a broader geopolitical agenda.
ESET’s new research, however, makes no accusations of political connections. The company has instead focused on the cyberespionage techniques.
These techniques enable the hackers to spy on messaging apps and exfiltrate content from devices. ESET said their campaigns began in 2022. Three of them remain active today.