Arid Viper Using Upgraded Malware In Middle East Cyberattacks

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Apr 04, 2023 08:06 am PST

Since September 2022, Palestinian entities have been targeted by Arid Viper, a threat actor observed using updated versions of its malware toolkit. According to Symantec, which monitors the group under the name Mantis, the adversary is taking significant measures to sustain a continual presence on the networks it targets. 

Kaspersky, in a report published in February 2015, suggested that the threat actors are probably native Arabic speakers located in Palestine, Egypt, and Turkey. The group has also been linked in previous public reports to the cyber warfare department of Hamas.

Arid Viper: Who Are They And Their Motives? 

Arid Viper is a hacking group called APT-C-23 and Desert Falcon, which has been conducting operations in the Middle East since at least 2014. However, some third-party reports suggest it may have been active as early as 2011. The group’s targets typically include organizations in Israel and other Middle Eastern countries, with sectors such as government, military, finance, media, education, energy, and think tanks being among those targeted.

The group is known for using spear-phishing emails and fake social media profiles to deceive targets into downloading malware onto their devices. Arid Viper has notably spear-phishing attacks on Palestinian law enforcement, military, educational institutions, and the Israel Security Agency (ISA). Although other vendors have linked the group to Hamas, Symantec cannot definitively attribute it to any Palestinian organization.

The Upgraded Malware Tool 

Mantis, a threat actor also known as Arid Viper, has a range of homemade malware tools at its disposal, including ViperRatFrozenCell (aka VolatileVenom), and Micropsia, which it uses to carry out its campaigns across Windows, Android, and iOS platforms.

In April 2022, high-profile individuals employed in sensitive defense, law enforcement, and emergency services organizations in Israel were targeted with a new Windows backdoor called BarbWire.

The group typically uses spear-phishing emails and fake social credentials to trick targets into downloading malware onto their devices. In its most recent attacks, the group has been observed using updated versions of its Micropsia and Arid Gopher implants to breach targets, steal credentials, and exfiltrate stolen data.

Arid Gopher, a variant of the Micropsia malware, is coded in the Go programming language, which allows the malware to evade detection. It is a variant of the Micropsia malware that Deep Instinct first documented in March 2022. On the other hand, Micropsia can launch secondary payloads and log keystrokes, take screenshots, and save Microsoft Office files within RAR archives for exfiltration using a bespoke Python-based tool.

Deep Instinct said, “Arid Gopher, like its predecessor Micropsia, is an info-stealer malware, whose intent is to establish a foothold, collect sensitive system information, and send it back to a C2 (command-and-control) network,” 

Symantec has evidence showing that Mantis deployed three versions of Micropsia and Arid Gopher on three sets of workstations between December 18, 2022, and January 12, 2023, to maintain access. Arid Gopher has undergone regular updates and complete code rewrites, with the group aggressively mutating the logic between variants to evade detection.

Symantec’s report concludes that Mantis is a determined adversary that puts time and effort into maximizing its chances of success. The group frequently rewrites its malware and compartmentalizes its attacks against single organizations into multiple strands to reduce the chances of being detected.

The Economic Impact Of Arid Viper’s Cyber Attacks In The Middle East

The economic impact of cyber attacks by the Arid Viper hacking group in the Middle East cannot be overstated. The group’s use of upgraded malware and sophisticated techniques has resulted in the loss of millions of dollars for companies and governments alike. The sheer scale of the damage caused by these attacks has left many wondering about the future of the region’s economy.

The energy sector, in particular, has been hit hard by Arid Viper’s cyber attacks. The group has been known to target oil and gas companies, stealing intellectual property and sensitive data related to the industry. This has resulted in disruptions to production, decreased investor confidence, and a decline in revenues for these companies.

Arid Viper has also targeted the financial sector, with banks and other financial institutions falling victim to their attacks. These institutions have lost significant money due to data breaches and theft of sensitive customer information.

The economic impact of Arid Viper’s cyber attacks goes beyond the immediate financial losses. The loss of customer trust and confidence can be difficult to regain, leading to decreased investment and revenue for affected organizations. The reputational damage caused by these attacks can be long-lasting, involving companies and governments for years.

The Role Of Cybersecurity

Advanced malware like Arid Gopher by hacking groups like Arid Viper highlights the importance of cybersecurity in today’s digital world. Organizations and governments must protect their networks and sensitive information from cyber-attacks.

This includes implementing robust security measures like firewalls, antivirus software, and intrusion detection systems. It also requires training employees to recognize and report suspicious activity and conducting regular security audits to identify potential vulnerabilities.

Cybersecurity experts have also stressed the importance of international cooperation in combating cyber threats. Cyber attacks are a global problem and require a coordinated response from governments and organizations worldwide.


The use of upgraded malware by the Arid Viper hacking group in recent cyber attacks in the Middle East is a cause for concern. The Arid Gopher is more sophisticated and difficult to detect than previous tools and could enable the group to carry out more devastating attacks in the future. Governments and businesses in the region must protect their networks and sensitive information, including implementing strong passwords, using multi-factor authentication, and regularly updating antivirus software. Cyber attacks are a global problem and require a coordinated response from governments and organizations worldwide. At the same time, international cooperation is needed to combat cyber threats. We can only defend against cyber attacks and protect our digital infrastructure effectively by working together.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x