A new threat actor, identified as Starry Addax, has emerged, targeting human rights activists in Morocco and Western Sahara through sophisticated phishing attacks. Utilizing infrastructure such as ondroid[.]site and ondroid[.]store, the hackers deploy deceptive tactics to trick victims into installing malicious Android apps or divulging their credentials on fake login pages. While the specific websites targeted by credential harvesting attacks remain undisclosed, the threat actor is known to impersonate popular social media platforms and email services.
Starry Addax’s operations, believed to have commenced in January 2024, involve spear-phishing emails urging recipients to install deceptive mobile apps or access relevant content related to the region. Upon interaction, victims are either served malicious Android applications, such as the FlexStarling malware, or redirected to counterfeit login pages designed to steal their credentials. The malware exhibits advanced capabilities, including the ability to fetch commands from a Firebase-based command-and-control server, indicating a strategic focus on remaining undetected for prolonged periods.
The emergence of Starry Addax highlights a concerning trend in cyber espionage targeting high-value individuals, with the threat actor demonstrating a significant level of sophistication in its operations. By building custom-made malware and infrastructure tailored to its objectives, Starry Addax poses a formidable challenge to human rights activists in North Africa. As cybersecurity experts continue to monitor the situation, vigilance and proactive security measures are essential to mitigate the risks posed by such targeted attacks.