Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine

The Arid Viper APT group is deploying AridSpy malware with Trojanized messaging applications and second-stage data exfiltration.

Hamas-linked advanced persistent threat (APT) group Arid Viper has been observed using Android spyware AridSpy dating back to 2022. Now, for the first time, researchers have provided a full analysis of the malwares previously mysterious later stages.
It turns out AridSpy is being distributed through Trojanized messaging apps, according to researchers with ESET, which recently released a new report on AridSpy campaigns.
New in these campaigns, AridSpy was turned into a multistage trojan, with additional payloads being downloaded from the command-and-control server by the initial, trojanized app, the report said.
The researchers analyzed five separate AridSpy efforts targeting Android users across Egypt and Palestine, according to the report. AridSpy often lurks in applications with legitimate functions, making it more difficult to detect; in this case, victims in Palestine were targeted with advertisements for a malicious app posing as the Palestinian Civil Registry, ESET said. In Egypt, the first-stage
spyware
was hidden in an app called LapizaChat as well as in scam job opportunity postings. The apps are available for download from third-party sites controlled by the threat actors, rather than Google Play.
Once second-stage data exfiltration begins, the analysis showed the threat group is able to collect a raft of data, including device location, contact list, call logs, text messages, photo thumbnails, clipboard data, notifications, video recording thumbnails, as well as giving the cybercriminals the ability to record audio, take pictures, and more.
Previous analysis revealed AridSpy was used in 2022 to
target the FIFA World Cup held in Qatar
, among other campaigns across the Middle East, the
report
said.
Dedicated sites are still running at least three AridSpy espionage campaigns, ESET warns.
At the time of this publication, three out of the five discovered campaigns are still active; the campaigns used dedicated websites to distribute malicious apps impersonating NortirChat, LapizaChat, and ReblyChat, ... job postings..., and Palestinian Civil Registry apps, the report said.
Arid Viper is likely maintaining and improving the AridSpy code as time goes on, as well.
Naturally, the second-stage payload carries the latest updates and malicious code changes, which can be pushed to other ongoing campaigns, the researchers noted. This information suggests that AridSpy is maintained and might receive updates or functionality changes.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine