2 malware families

NilePhish

Also known asNilePhish

NilePhish is an attacker group identified by Amnesty International in connection with phishing attacks targeting Egyptian human rights defenders, media, and civil society organization staff. Amnesty reported on these operations in March 2019. In September 2019, Amnesty linked NilePhish to a campaign distributing a FinSpy Windows dropper via a fake Adobe Flash Player update site, flash.browserupdate[.]download. Additional NilePhish-linked delivery mechanisms included malicious macro-enabled Word documents and a .NET downloader, clean.downloader.exe. Amnesty tied this infrastructure to NilePhish through shared developer artifacts, including the username "shenno," related phishing domains, and overlapping hosting patterns. Amnesty observed the group using Offshore Servers for much of its phishing infrastructure since 2018, and Check Point independently confirmed links among NilePhish, Offshore Servers infrastructure, and the operator nickname "shenno" in October 2019. In February 2020, the subdomain files.browserupdate[.]download acted as a reverse proxy to Cobalt Strike infrastructure. Amnesty noted it did not confirm how NilePhish obtained FinSpy. The content does not attribute NilePhish to a specific nation state, but its activity is described in the context of targeting Egyptian civil society.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Commercial & Professional Services
Media & Entertainment

Where they target

Geographies tied to known operations.

🇪🇬 Egypt

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics10 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.005

Visual Basic

T1204

User Execution

T1204.002

Malicious File

TA0005

Stealth

1 technique

T1620

Reflective Code Loading

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1090

Proxy

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Cobalt StrikeCobalt Strike is a commercial penetration testing suite, that is sold for legitimate security audits of organizations. Since 2016, Cobalt Strike has been identified as being abused by many attack groups... An obfuscated VBS script located at https://files.browserupdate[.]download/a downloads a Cobalt Strike payload from the same server on port 443 and launches it.1Apr 3, 2026

FinFisherFinSpy is a commercial spyware suite produced by the Munich-based company FinFisher Gmbh... FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio and video, from the computer or mobile devices it is silently installed on.1Apr 3, 2026

IOCS

Observables

15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

15 IOCsView more in app

Domains

7 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com

ip.v4

3 total

•••••••••••••••••••••••••••

uri

3 total

•••••••••••••••••••••••••••

hash.sha256

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

amnesty internationalNews

Sep 25, 2020

German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed - Amnesty International

Phishing and spyware delivery campaigns targeting Egyptian civil society, human rights defenders, media, and NGOs; linked here to fake Adobe Flash update lures delivering FinSpy and later testing Cobalt Strike infrastructure.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables15

Domains, IPs, and hashes tied to this actor, refreshed continuously.