A recently emerged custom backdoor called Stealth Soldier has been deployed as part of a series of highly targeted spying attacks in North Africa.
According to a technical report by cybersecurity company Check Point, the Stealth Soldier malware is an undocumented backdoor primarily designed for surveillance. Its functionalities include exfiltrating files, recording screens and microphone input, logging keystrokes, and stealing browser information.
The ongoing operation uses command-and-control (C&C) servers that mimic websites associated with the Libyan Ministry of Foreign Affairs. The earliest traces of the campaign date back to October 2022.
The attacks begin with potential targets downloading fake downloader binaries, delivered through social engineering, which act as the channel for retrieving the Stealth Soldier backdoor. At the same time, a decoy empty PDF file is displayed to deceive the victims.
The custom modular implant, believed to be used sparingly, enables surveillance capabilities by collecting directory listings and browser credentials, recording keystrokes and microphone audio, capturing screenshots, uploading files, and executing PowerShell commands. Check Point stated, “The malware utilizes various types of commands, some of which are plugins downloaded from the C&C server, while others are modules within the malware itself.” The existence of three versions of Stealth Soldier indicates that the operators are actively maintaining it.
Although some components are no longer accessible, it is reported that the screen capture and browser credential-stealing plugins have been influenced by open-source projects available on GitHub. Additionally, the infrastructure used by Stealth Soldier overlaps with the infrastructure linked to a previous phishing campaign called Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019.
This development indicates the possible return of the threat actor behind that earlier campaign, and suggests that the group is focused on surveillance activities targeting Egyptian and Libyan entities.
Given the modular nature of the malware and its use of multiple infection stages, Check Point expects the attackers to continue evolving their tactics and techniques and to deploy new versions of the malware in the near future.