Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa – Check Point Research

Check Point Research uncovered a targeted espionage operation in North Africa leveraging a new modular backdoor named Stealth Soldier, active against Libyan entities with links to a broader Eye on the Nile campaign. The malware exfiltrates data, records screens and microphones, logs keystrokes, and harvests browser data through a multi-stage, phishing-driven infrastructure that uses varied C2 domains and versions. #StealthSoldier #EyeOnTheNile #Libya #PowerShell #HackBrowserData

Keypoints

  • Stealth Soldier is an undocumented, custom backdoor focused on surveillance (keystrokes, screenshots, microphone capture, browser data).
  • Campaign appears to rely on multi-stage downloaders with a loader, watchdog, and payload, evolving from Version 6 (Oct 2022) to Version 9 (Feb 2023).
  • Phishing infrastructure impersonates Libyan government domains, supporting spear-phishing campaigns against Libyan targets; overlaps exist with the Eye on the Nile campaign.
  • Execution chain starts with a downloader, downloads 6 files, and uses PowerPlus (pwls.dll) to run PowerShell and establish persistence.
  • Payload collects system info, drives, and keylogger data, then exfiltrates via a C2 channel using XOR-encoded packets to 94.156.33.228.
  • Modules/plugins include Screen Capture (sc.exe), Keylogger, and Browser Credentials (BrCr); strings are hidden with multiple XOR keys.
  • Persistence is achieved via Scheduled Tasks and Registry Run keys; version differences include different Run key names and watchdog behavior.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Phishing campaigns targeting Libyan organizations with domains masquerading as Libyan government sites. Quote: “phishing campaigns against government entities” and “some of the domains masquerade as sites belonging to the Libyan Foreign Affairs Ministry.”
  • [T1105] Ingress Tool Transfer – The downloader downloads additional modules from the C&C server. Quote: “The downloader downloads and opens a decoy empty PDF file. It then downloads the loader from filecloud[.]store/sensaxcv/msupdate_enc.txt…”
  • [T1059.001] PowerShell – pwls.dll executes PowerShell code as part of the loader and payload. Quote: “This module is written in .NET and executes PowerShell code.”
  • [T1053.005] Scheduled Task – The watchdog persists via scheduled tasks. Quote: “Persistent using Schedule Task and the Registry Run key.”
  • [T1547.001] Registry Run Keys/Startup Folder – Registry Run key persistence used alongside scheduled tasks. Quote: “Persistent using Schedule Task and the Registry Run key.”
  • [T1113] Screen Capture – Screen capture plugin sc.exe downloaded from C&C. Quote: “The screen capture plugin is called sc.exe and is downloaded from the C&C server.”
  • [T1056.001] Keylogging – Keystroke capture via keylogger module. Quote: “KeyLogger Task Started Successfully” and “Runs kl.exe (downloads it from C&C)”
  • [T1555.003] Credentials from Web Browsers – Browser credential theft via BrCr and HackBrowserData project. Quote: “The real plugin is the open-source project https://github.com/moonD4rk/HackBrowserData, which is an open-source utility to decrypt browser data from the most popular browsers.”
  • [T1027] Obfuscated/Compressed Files and Information – XOR-based encryption of strings and payloads. Quote: “the encryption is XORed with 2 hardcoded strings” and “strings used as XOR keys masquerade as legitimate strings.”
  • [T1071.001] Web Protocols – C2 communications over HTTP POST. Quote: “POST /Server/Request HTTP/1.1 … The malware sends the string ‘Request for new tasks’ to the C&C…”

Indicators of Compromise

  • [Domain] Phishing/infrastructure domains – filestoragehub[.]live, customjvupdate[.]live, filecloud[.]store, and 2 more domains
  • [IP] C2/phishing infrastructure IPs – 185.125.230.216, 185.125.230.116, and 4 more IPs
  • [Hash] Malware file hashes – 2cad816abfe4d816cf5ecd81fb23773b6cfa1e85b466d5e5a48112862ceb3efb, 05db5e180281338a95e43a211f9791bd53235fca1d07c00eda0be7fdc3f6a9bc, and 2 more hashes
  • [File name] Infected filenames – هام وعاجل.exe, برقية 401.exe, and 2 more filenames
  • [Domain] Additional phishing domains with similar naming patterns (mail/notify/verify/web/log/live) – 50+ domains observed
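The network indicators above (C2 IPs and domains, the `POST /Server/Request` task-polling endpoint, the “Request for new tasks” body string, and the loader download path) can be turned directly into a log-scanning rule. The following Python is an added example, not code from the Check Point report: it parses a constructed proxy log format (space-separated `key=value` fields, which is an assumption made for this example) and flags lines matching the indicators listed on this page. Only indicator values that appear above are used; the sample log lines are constructed.

```python
# Added example (not from the Check Point report): scan proxy log lines for
# the Stealth Soldier network indicators summarised on this page.
import re
from typing import Dict, List, Tuple

# Indicators as listed on the page (defanged domains refanged).
C2_IPS = {"94.156.33.228", "185.125.230.216", "185.125.230.116"}
C2_DOMAINS = {"filestoragehub.live", "customjvupdate.live", "filecloud.store"}
C2_URI_PATH = "/Server/Request"             # task-polling endpoint quoted on the page
C2_POLL_STRING = "Request for new tasks"    # POST body string quoted on the page
LOADER_PATH = "/sensaxcv/msupdate_enc.txt"  # loader download path quoted on the page

# Assumed log layout (constructed for this example): key=value fields separated
# by spaces, with the request body in double quotes.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value proxy log line into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator names a parsed event matches (empty if clean)."""
    reasons: List[str] = []
    host = event.get("host", "").lower()
    uri = event.get("uri", "")
    if host in C2_IPS:
        reasons.append("c2-ip")
    # Match the listed domains and any subdomain of them.
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("c2-domain")
    if event.get("method") == "POST" and uri.startswith(C2_URI_PATH):
        reasons.append("c2-uri-path")
    if C2_POLL_STRING in event.get("body", ""):
        reasons.append("c2-task-poll")
    if uri.endswith(LOADER_PATH):
        reasons.append("loader-download")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan log lines; return (1-based line number, matched indicators) for each hit."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        reasons = classify(parse_line(line))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log: two benign requests and three that match indicators.
SAMPLE_LOG = [
    'ts=2023-06-01T10:00:00Z src=10.0.0.5 method=GET host=example.com uri=/index.html',
    'ts=2023-06-01T10:00:05Z src=10.0.0.5 method=POST host=94.156.33.228 uri=/Server/Request body="Request for new tasks"',
    'ts=2023-06-01T10:00:09Z src=10.0.0.5 method=GET host=filecloud.store uri=/sensaxcv/msupdate_enc.txt',
    'ts=2023-06-01T10:01:00Z src=10.0.0.7 method=POST host=updates.example.net uri=/api/v1/sync body="ping"',
    'ts=2023-06-01T10:02:00Z src=10.0.0.9 method=GET host=cdn.filestoragehub.live uri=/drop/doc.pdf',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The rule is deliberately layered: an IP or domain hit alone is a medium-confidence signal (infrastructure can be reassigned), while the `/Server/Request` path combined with the task-poll body string matches the protocol behaviour itself and is worth alerting on even from an unlisted host.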

Read more: https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/