cyberthreat news
07 December 2023

Stealth Soldier is a new custom backdoor targeting North Africa with espionage attacks

According to a report dated June 9, 2023, a new custom Trojan called Stealth Soldier has been deployed as part of a series of highly targeted espionage attacks in North Africa. 

Stealth Soldier is a relatively unknown Trojan whose main purpose is surveillance: file exfiltration, screen and microphone recording, keystroke capture and theft of browser data.

The current attack campaign is characterized by the use of command and control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The first artifacts associated with the campaign date back to October 2022. 

Attacks begin with fake downloader files delivered through social engineering. These downloaders serve as the delivery channel for Stealth Soldier while displaying an empty decoy PDF to the victim.

The Trojan's surveillance capabilities include collecting directory listings and browser credentials, recording keystrokes, recording microphone audio, taking screenshots, downloading files and executing PowerShell commands.

Some of the components are no longer available, but it is said that the screen capture and browser credential stealing plugins were inspired by open source projects available on GitHub. In addition, Stealth Soldier's infrastructure bears similarities to the infrastructure associated with another phishing campaign called Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019.

This campaign could be linked to an espionage operation run by an APT group seeking intelligence on various organizations in the North African region, which remains the scene of intense military and geopolitical confrontations. Many interests are at stake that could lead state-sponsored groups to conduct espionage campaigns on behalf of their sponsor state, in support of its influence or military policies in the region.
