10 malware familiesExploits CVEs in the wild

Stealth Falcon

Also known asDaffodil GustFruity Armorfruityarmorg0038Project RavenStealth Falcon

Stealth Falcon, also tracked here as daffodil_gust and also known as FruityArmor, Fruity Armor, G0038, and Project Raven, is a likely state-sponsored cyberespionage threat actor aligned with UAE interests. Reporting in the provided content describes the group as active since at least 2012 and focused on governments, government-adjacent entities, defense organizations, and dissidents, primarily in the Middle East and surrounding region, including targeting in the UAE, Turkey, Qatar, Egypt, and Yemen. Citizen Lab described Stealth Falcon as a sophisticated and likely state-sponsored group targeting Emirati journalists, activists, and dissidents, with circumstantial evidence aligning its interests with UAE Security Forces. The group has used targeted spyware and spear-phishing operations involving fake Twitter personas, spoofed emails, phony websites, malicious shortened URLs, and macro-enabled documents. In one documented chain, a macro passed a Base64-encoded PowerShell command that gathered system information through WMI and queried the Windows Registry to determine the installed .NET version. Stealth Falcon malware is described as gathering running processes, local system data, and detailed host information via WMI, including system directory, build number, serial number, version, manufacturer, model, and total physical memory. The malware also used PowerShell and WMI for scripted data collection and command execution, communicated with command-and-control over HTTPS, exfiltrated collected data over the existing C2 channel, and established persistence via a scheduled task named "IE Web Cache" executed hourly. Credential theft capabilities described in the content include collection of passwords from Internet Explorer, Firefox, Chrome, Windows Credential Vault, Outlook, and other local sources. The content also describes a 2025 Stealth Falcon campaign against a major Turkish defense company exploiting CVE-2025-33053, a Windows WebDAV zero-day. That operation used a malicious .url file, abused working-directory behavior in legitimate Windows tools to load files from an attacker-controlled WebDAV server, and culminated in deployment of Horus Agent, a custom Mythic implant. Horus Agent is described as an evolution of the group’s customized Apollo implant and uses code virtualization, string encryption, and API hashing for evasion. Additional Stealth Falcon tooling identified in the content includes a domain controller credential dumper that accesses virtual disk copies to bypass file locks, a passive backdoor that listens for shellcode execution requests, and an RC4-encrypted keylogger. The group is also noted for using repurposed legitimate domains, often .net or .com domains purchased through NameCheap, as part of its infrastructure. The provided content further notes that Citizen Lab first encountered NSO infrastructure while investigating Stealth Falcon, and that Pegasus infrastructure overlapped with infrastructure previously fingerprinted as part of Stealth Falcon activity. However, the content distinguishes NSO Group and Pegasus from Stealth Falcon rather than treating them as aliases.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

51 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics75 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

2 techniques

T1589

Gather Victim Identity Information

T1590

Gather Victim Network Information

TA0042

Resource Development

4 techniques

T1583

Acquire Infrastructure

T1583.001

Domains

T1584

Compromise Infrastructure

T1584.008

Network Devices

T1585

Establish Accounts

T1608

Stage Capabilities

TA0001

Initial Access

5 techniques

T1133

External Remote Services

T1189×2

Drive-by Compromise

T1190×2

Exploit Public-Facing Application

T1200

Hardware Additions

T1566×2

Phishing

T1566.001×2

Spearphishing Attachment

T1566.002×5

Spearphishing Link

T1566.003×2

Spearphishing via Service

TA0002

Execution

7 techniques

T1047×3

Windows Management Instrumentation

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1059×5

Command and Scripting Interpreter

T1059.001×7

PowerShell

T1059.005

Visual Basic

T1059.007

JavaScript

T1129×3

Shared Modules

T1203×5

Exploitation for Client Execution

T1204

User Execution

T1204.002

Malicious File

T1574

Hijack Execution Flow

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1133

External Remote Services

TA0004

Privilege Escalation

4 techniques

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1055

Process Injection

T1055.012

Process Hollowing

T1068

Exploitation for Privilege Escalation

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

TA0005

Stealth

5 techniques

T1027×2

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036×3

Masquerading

T1055

Process Injection

T1055.012

Process Hollowing

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1574

Hijack Execution Flow

TA0112

Defense Impairment

1 technique

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

TA0006

Credential Access

5 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1555×2

Credentials from Password Stores

T1555.004

Windows Credential Manager

T1555.005

Password Managers

T1557×2

Adversary-in-the-Middle

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

7 techniques

T1012×3

Query Registry

T1016×2

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1057

Process Discovery

T1082×5

System Information Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1518×2

Software Discovery

TA0009

Collection

4 techniques

T1005×3

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1185

Browser Session Hijacking

T1557×2

Adversary-in-the-Middle

TA0011

Command and Control

2 techniques

T1071×2

Application Layer Protocol

T1071.001×2

Web Protocols

T1090

Proxy

T1090.003

Multi-hop Proxy

TA0010

Exfiltration

2 techniques

T1041×3

Exfiltration Over C2 Channel

T1048

Exfiltration Over Alternative Protocol

ARSENAL

Associated malware families

10 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

LANDFALLA threat actor exploited a zero-day vulnerability in Samsung’s Android image processing library to deploy a previously unknown spyware called 'LandFall' using malicious images sent over WhatsApp.7Mar 18, 2026

Horus AgentThe attack delivered a multi-stage infection chain, culminating in the deployment of “Horus Agent,” a custom-built implant for the Mythic command and control framework... Named after the Egyptian falcon-headed sky god, Horus Agent represents an evolution from the group’s previously used customized Apollo implant.4May 26, 2026

ApolloNamed after the Egyptian falcon-headed sky god, Horus Agent represents an evolution from the group’s previously used customized Apollo implant.2May 26, 2026

Horus Loader"This causes iediagcmd.exe to run the attacker's fake route.exe program from the remote server, which installs a custom multi-stage loader called 'Horus Loader.'"2Mar 18, 2026

ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026

5 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2025-33053WebDAV / Internet Shortcut Files Remote Code Execution in Microsoft WindowsIn the wildEvidence7

The attack leveraged CVE-2025-33053, a remote code execution vulnerability that allows threat actors to manipulate the working directory of legitimate Windows tools to execute malicious files from attacker-controlled WebDAV servers. Microsoft released a security patch for this vulnerability as part of its June Patch Tuesday updates, following a responsible disclosure by Check Point Research.

CVE-2025-21042Samsung libimagecodec.quram.so Out-of-Bounds Write RCEIn the wildEvidence3

"Tracked as CVE-2025-21042, the flaw let hackers embed malware into a DNG image file, possibly texted to the victim through WhatsApp. It appears that device infections didn't require user interaction... constituting what's known as a zero-click attack."

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2016-3393Windows Graphics Component RCE VulnerabilityIn the wildEvidence1

...we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as FruityArmor to mount targeted attacks.

IOCS

Observables

42 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

42 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 22, 2026

Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

splunk researchNews

Apr 20, 2026

Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

splunk researchNews

Apr 13, 2026

Detection: Windows Cobalt Strike PowerShell Loader | Splunk Security Content

Listed as a threat actor associated with use of Cobalt Strike PowerShell loader patterns.

splunk researchNews

Apr 13, 2026

Detection: Windows PowerShell Module File Created | Splunk Security Content

Listed as a threat actor associated with PowerShell module DLL creation / shared modules, PowerShell execution, and hijack execution flow techniques in the detection annotations.

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping51

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal10

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables42

Domains, IPs, and hashes tied to this actor, refreshed continuously.