Skip to content

North Africa hit by espionage attacks utilizing Stealth Soldier malware

  • by
  • 3 min read

A sophisticated custom backdoor called Stealth Soldier has been identified in a series of highly-targeted espionage attacks in North Africa. The malware is a custom malware implant that enables various surveillance capabilities.

Security firm Check Point described the Stealth Soldier malware as an undocumented backdoor with surveillance capabilities, including file exfiltration, screen and microphone recording, keystroke logging, and browser information theft.

The ongoing operation is characterized by the use of command-and-control (C&C) servers that mimic websites belonging to the Libyan Ministry of Foreign Affairs. Evidence of the campaign dates back to October 2022. with potential targets being tricked into downloading fake downloaded binaries through social engineering attacks. these binaries act as a conduit for retrieving the Stealth Soldier backdoor while simultaneously displaying a decoy empty PDF file.

“The execution flow for all Stealth Soldier versions begins with the execution of the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader is currently unknown, the names suggest they were delivered using social engineering,” Check Point researchers pointed out.

Check Point’s investigation revealed that Stealth Soldier utilises different types of commands, including plugins downloaded from the C&C servers and internal modules within the malware itself. The existence of three different versions of Stealth Soldier suggests ongoing maintenance and active development by its operators.

Stealth Soldier’s infection flow. | Source: Check Point

Interestingly, components of the Stealth Soldier infrastructure overlap with the infrastructure associated with a previous phishing campaign known as Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019. This suggests a possible reappearance of the threat actor, indicating their focus on surveillance and Egyptian and Libyan targets.

Check Point warns that due to the modularity of the malware and the multi-stage infection process, the attackers are likely to continue evolving their tactics and techniques, potentially deploying new versions of Stealth Soldier in the near future.

“Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future,” Check Point said.

In the News: Meta is working on Threads, a Twitter rival


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: [email protected]