Stealth Falcon spyware targeting critics of the UAE, say researchers

Is the UAE using malware to spy on its enemies at home and abroad?

David bisson
David Bisson

Stealth Falcon APT targeting critics of the UAE, say researchers

Researchers believe they have found evidence that suggests the United Arab Emirates (UAE) is developing its own custom spyware to monitor its critics at home and abroad.

The UAE, which Freedom House classified as “not free” in its Freedom in the World report, has a reputation for targeting human rights activists, journalists, and others who are critical of the government.

The country uses a variety of tools to monitor those it deems a threat to the government’s legitimacy. In the digital realm, for instance, the UAE has purchased spyware from companies such as Hacking Team and used it against various targets.

Sign up to our free newsletter.
Security news, advice, and tips.

But that all changed in 2012 when a hacker leaked data revealing several nation-states – including the UAE – had been customers of the spyware firm.

The UAE has not halted its surveillance activities in the aftermath of those leaks.

On the contrary, according to Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, it would appear the country has simply adopted a subtler, more home-grown approach:

“The U.A.E. has gotten much more sophisticated since we first caught them using Hacking Team software in 2012. They’ve clearly upped their game. They’re not on the level of the United States or the Russians, but they’re clearly moving up the chain.”

Rori Donaghy, a UK journalist who writes about Middle Eastern affairs, reached out to Marczak late last year and informed him he had received the following email containing a link shortened by “”:

Screen shot 2016 05 31 at 10.46.07 am

Mr. Marczak and his team at Citizen Lab spent some time researching the email. They ultimately linked it to a malicious Microsoft Office document that claimed it was inviting the recipient to participate in a Middle Eastern human rights panel.

In actuality, after the researchers enabled macros in a test environment, the macro passed Base64-encoded command to Windows PowerShell, which began gathering system information, including data relating to any browsers and/or anti-virus programs in use.

Image16 768x576

Further analysis on the part of Citizen Lab determined that Donaghy was not the only target.

In total, 27 individuals have been targeted by what can only be described as a sophisticated web of fake social media profiles and malicious email documents.

Citizen Lab has published a report on this threat, which it has named “Stealth Falcon.”

The report explains how the threat actor responsible for these ongoing attacks used a variety of techniques, including posing as a journalist, to entice victims critical of the UAE to open malicious documents.

Roadmap 768x672

Researchers queried “” and found over 400 pieces of bait content linked to the threat campaign. 73 percent of those were related to UAE content. Those messages led to the arrest of 6 individuals, two of whom were ultimately convicted by the UAE government.

The Citizen Lab stops short of naming the UAE as those responsible for Stealth Falcon. However, Ron Deibert, Director of the Citizen Lab and Professor of Political Science at the University of Toronto, told that the threat actor helps illuminate how malicious attackers can leverage the Internet for their own nefarious purposes:

“Autocratic regimes like the United Arab Emirates are now routinely finding ways to subvert the tools of social media to accomplish their sinister aims. Careful research of the sort undertaken here can help journalists, activists, and others be on guard for these new threats.”

For more information on Stealth Falcon, please view the full Citizen Lab report.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.