ESET researchers have uncovered a sophisticated and previously unknown backdoor named “Deadglyph,” which has been utilized by the nation-state actor known as Stealth Falcon for espionage campaigns in the Middle East.
Stealth Falcon has a history of targeting political activists and journalists in the region, with documented attacks dating back to 2012. This revelation sheds light on the group’s advanced cyber capabilities and underscores the ongoing threat to individuals and organizations in the Middle East.
Deadglyph’s distinctive architecture sets it apart from typical malware, with cooperating components that include a native x64 binary and .NET assembly. One of its key features is its dynamic receipt of commands from the command-and-control (C2) server, delivered in the form of additional modules. This flexible approach allows the backdoor to adapt and execute various tasks as directed by the threat actors, enhancing its covert capabilities.
Moreover, Deadglyph employs multiple evasion techniques to avoid detection, and it stands out due to its ability to uninstall itself in certain scenarios to reduce the risk of discovery.
Additionally, ESET researchers discovered a control panel (CPL) file related to the malware, signed with an expired certificate, suggesting a multistage shellcode downloader that further aids in the deployment of Deadglyph. The exact method of delivering the backdoor remains under investigation, highlighting the complex nature of this cyber threat.