Voice-Changing Software Found on APT Attackers' Server

Published: 23/11/2024   Category: security




Security researchers believe the presence of Morph Vox Pro could indicate APT-C-23 has new plans for their phishing campaigns.



The discovery of voice-changing software on the server of APT-C-23 could have implications for the group's future phishing attacks, Cado Security researchers report.
APT-C-23, a group connected to attacks in the Middle East, is known as part of a larger group called Molerats that is mostly located in Palestine, the report states. Molerats usually target political parties in Palestine and the Israeli government, specifically the Israeli Defense Force (IDF). On occasion, the attackers have also been known to target Western governments.
Cado Security calls APT-C-23 a medium-sophistication group and notes it typically relies on social engineering to manipulate victims into downloading malware. In the past, the group has been known to impersonate women to trick their targets into installing malicious applications.
"The reason they're doing this is espionage, and then what they're doing with this data, is mostly trying to track what people are up to and I think help them on the ground a bit," says Cado Security co-founder and CTO Chris Doman.
Researchers found a server belonging to APT-C-23 in early 2020. The server had previously been identified as serving malware in targeted attacks; however, a misconfiguration had since made the attackers' toolset publicly available. By the time they discovered it, the toolkit contained malware used for espionage, tools to identify vulnerable routers, custom tooling to leverage compromised email accounts to send phishing emails, and phishing code for webmail logins.
"It's pretty common to find these servers spun up to serve malware to targets or to receive commands from that malware," he adds. "Interestingly in this case, they left the server open."
Molerats use a number of different malware families, researchers state, but most start with a self-extracting RAR archive. The archives execute MSHTA/VBScript downloaders, which are used to install the H-Worm backdoor, they explain in a blog post.
The server's most interesting tool was a voice-changing application called Morph Vox Pro, which included a serial key and voices pack. Given APT-C-23's previous phishing campaigns, researchers speculate the group is using this tool to produce audio messages that could be used to convince targets to install malware.
In analyzing the server, researchers also learned more about how attackers deliver malware. For example, an application provided guidance on how to bulk-send phishing emails to targets. A separate file contained sample commands to find vulnerable routers with ZoomEye, an Internet scanning service. A support folder held a credential phishing page for Microsoft accounts.
