G0038: Stealth Falcon
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [1]
Analyst context for executives and security teams
Stealth Falcon matters because ATT&CK associates the group with targeted spyware activity against journalists, activists, and dissidents, and with behaviors that move from host discovery to credential access, data collection, command-and-control, and exfiltration. For leaders, the practical issue is not attribution certainty; it is whether the organization can prove it would notice sensitive-user compromise, credential theft from local stores or browsers, and data leaving over web-like C2 channels.
Executive priority
Prioritize this as a readiness and assurance question for high-risk users, sensitive data, and investigations involving targeted surveillance. Executives should ask whether SOC and IR teams have evidence for endpoint command execution, credential-store access, scheduled task persistence, WMI activity, and outbound web-protocol traffic sufficient to support incident decisions, legal/compliance reporting, and protection of at-risk personnel. The supplied ATT&CK record notes only circumstantial, unconfirmed government linkage, so decisions should focus on observable behaviors rather than attribution claims.
Technical view
The relationship set points defenders toward a Windows-heavy validation path for registry queries, WMI, PowerShell, scheduled tasks, Windows Credential Manager, and browser credential access, while also including cross-platform discovery, local data collection, web-protocol C2, encrypted C2, and exfiltration over the C2 channel. SOC teams should test whether they can correlate discovery commands, process and user enumeration, access to local files or credential stores, persistence via scheduled tasks, and outbound HTTP/S-like communications from the same host or user context.
Likely telemetry
- Endpoint process creation and command-line telemetry for scripting interpreters, PowerShell, discovery utilities, and scheduled task creation or execution
- Windows event data for WMI activity, registry queries, scheduled tasks, and credential-related access where available
- File and object access telemetry for local sensitive files, browser credential stores, password stores, and configuration data
- Network telemetry for outbound web-protocol communications, unusual destinations, session timing, volume, and potential exfiltration over an existing C2 channel
- Authentication and user context telemetry to tie activity to the logged-in user or system owner
Detection direction
- Validate behavior chains rather than single commands: discovery followed by credential-store access, local data staging or collection, and outbound web-protocol traffic is higher value than isolated administrative activity.
- Tune for administrative false positives around WMI, PowerShell, registry access, and scheduled tasks by baselining known management tools and approved admin accounts.
- Confirm visibility into browser and Windows Credential Manager access; these are common blind spots when endpoint logging is limited or privacy controls restrict file access monitoring.
- For web-protocol C2 and encrypted traffic, focus on anomalous host-to-destination relationships, rare user agents or processes initiating connections, and suspicious timing or data transfer patterns rather than relying only on payload inspection.
- Use the ATT&CK relationships to build coverage tests for T1005, T1012, T1016, T1033, T1041, T1047, T1053.005, T1057, T1059, T1059.001, T1071.001, T1082, T1555, T1555.003, T1555.004, and T1573.001.
Mitigation priorities
- Reduce credential exposure by limiting saved credentials in browsers and local password stores where business workflows allow, and by enforcing strong identity controls for high-risk users.
- Harden and monitor scripting and administration surfaces such as PowerShell, WMI, registry tooling, and scheduled tasks without disrupting legitimate operations.
- Apply least privilege so routine users and compromised endpoints have limited access to sensitive local files, configuration data, and credential material.
- Strengthen egress governance and monitoring for web-protocol traffic, especially from endpoints or user groups handling sensitive communications.
- Prepare IR playbooks for targeted spyware scenarios, including rapid endpoint isolation, credential reset decisions, preservation of endpoint and network evidence, and executive/legal notification workflows.
Analyst notes and limits
The ATT&CK object identifies Stealth Falcon as a group associated with targeted spyware attacks since at least 2012 against Emirati journalists, activists, and dissidents. The cited possible UAE government link is explicitly unconfirmed. The strongest defensive value comes from the related techniques, which describe observable behaviors across discovery, execution, persistence, credential access, collection, command-and-control, and exfiltration.
The supplied group object has no official detection text, no group-level platforms or tactics, and only one cited external report. Platform references come from related ATT&CK techniques, not from a group-level platform declaration. Local telemetry, asset roles, user risk, and business data flows are required to determine actual exposure and coverage.
Stealth Falcon
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | Stealth Falcon malware gathers passwords from the Windows Credential Vault.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1059 | Command and Scripting Interpreter | Stealth Falcon malware uses WMI to script data collection and command execution on the victim.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1555 | Credentials from Password Stores | Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1057 | Process Discovery | Stealth Falcon malware gathers a list of running processes.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1016 | System Network Configuration Discovery | Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1012 | Query Registry | Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Stealth Falcon malware communicates with its C2 server via HTTPS.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1033 | System Owner/User Discovery | Stealth Falcon malware gathers the registered user and primary owner name via WMI.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1047 | Windows Management Instrumentation | Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1005 | Data from Local System | Stealth Falcon malware gathers data from the local victim system.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1041 | Exfiltration Over C2 Channel | After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1059.001 | PowerShell Sub-technique | Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.CitationCitizen Lab Stealth Falcon May 2016 |
| Enterprise | T1082 | System Information Discovery | Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.CitationCitizen Lab Stealth Falcon May 2016 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | b4351f018f23… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Citizen Lab Stealth Falcon May 2016
Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
Open source URL -
[2]
Stealth Falcon
(Citation: Citizen Lab Stealth Falcon May 2016)
-
[3]
mitre-attack G0038Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.