Home/ Threat Actors/ Stealth Falcon

🌐Stealth Falcon

🌐 Stealth Falcon is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 16 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0038) ↗

14Use cases

0Articles

16Techniques

0IOCs

About this actor (MITRE)

[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

Known aliases

Stealth Falcon

Top techniques

T1005 · Data from Local System T1012 · Query Registry T1016 · System Network Configuration Discovery

All other tracked techniques

T1033 · System Owner/User Discovery T1041 · Exfiltration Over C2 Channel T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1071.001 · Web Protocols T1082 · System Information Discovery T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1555.004 · Windows Credential Manager T1573.001 · Symmetric Cryptography

Detection use cases (14)

Stealth Falcon BITS-job C2 / exfiltration via PowerShell or bitsadmin.exe AI · profile SΣ Stealth Falcon scheduled-task PowerShell collecting Windows Vault & browser credential stores AI · profile S 1Password item exfiltration attempt MITRE match 1Password vault export attempted MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match