G1028: APT-C-23
Analyst context for executives and security teams
APT-C-23 is an ATT&CK group entry associated with long-running activity since at least 2014, primarily focused on the Middle East, with reporting that includes Israeli military assets and mobile spyware for Android and iOS. For leaders, the practical issue is not just a named threat group: it is whether mobile devices, personally assigned devices, and Windows endpoints used by sensitive users are included in security monitoring, incident response, and evidence collection.
Executive priority
Prioritize this object where the organization has Middle East exposure, military/government-adjacent operations, high-risk executives, field staff, journalists, activists, or users handling sensitive regional information. The ATT&CK relationships point to both mobile surveillanceware and Windows remote access tooling, so risk owners should ask whether mobile security, phishing resilience, endpoint visibility, and incident response playbooks cover non-traditional endpoints as well as standard corporate laptops.
Technical view
ATT&CK does not provide an official detection section for this group, so defenders should validate coverage through the related software and techniques. Relationship context includes Micropsia on Windows; Desert Scorpion, FrozenCell, and SpyC23 on Android; Phenakite on iOS; and mobile techniques for phishing, matching legitimate names or locations, and system network configuration discovery. SOC and IR teams should confirm they can investigate suspicious mobile app installation, app impersonation, mobile phishing delivery, abnormal device permission use, and Windows remote access tooling without assuming that EDR-only coverage is sufficient.
Likely telemetry
- Mobile device management and mobile threat defense alerts where deployed
- Mobile application inventory, package names, signing metadata, app names, icons, and install sources
- Mobile phishing reports, messaging/email security logs, and user-submitted suspicious content
- Android and iOS device security events available through enterprise management tooling
- Endpoint telemetry from Windows systems, especially remote access tool behavior associated with the Micropsia relationship
Detection direction
- Start with gap assessment: ATT&CK provides no official detection guidance for this group, so coverage must be derived from related software, mobile techniques, and local telemetry.
- Tune for mobile app impersonation patterns, including apps that match or approximate legitimate names, icons, package names, or locations, while accounting for legitimate regional apps and enterprise-approved lookalikes.
- Validate phishing intake and triage for mobile-focused delivery paths, not only corporate email; mobile messaging and user-reported suspicious links may be decisive depending on the environment.
- For Android and iOS, confirm whether the organization can see app inventory changes, risky permissions, suspicious profiles or installs, and device network indicators; many SOCs have limited mobile visibility.
- For Windows, review endpoint detection and investigation procedures for remote access tooling in the context of the Micropsia relationship, without treating the group relationship as proof of local compromise.
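One way to implement the app-impersonation and install-source checks described above over a mobile app inventory export, as an added example that is not part of this page or of any Glexia or MITRE tooling; the known-good catalogue, approved-lookalike list, install-source labels, signer values and inventory rows are all constructed for the example:

```python
import difflib
from dataclasses import dataclass

# Constructed known-good catalogue (hypothetical packages and signer values):
# display name -> (expected package id, expected signing-cert fingerprint)
KNOWN_APPS = {
    "Secure Messenger": ("com.example.securemsg", "sha256:AAAA1111"),
    "Regional News": ("com.example.news", "sha256:BBBB2222"),
}
# Enterprise-approved packages that legitimately reuse or resemble a known name
APPROVED_LOOKALIKES = {"com.corp.securemsg.internal"}
# Install sources the organisation treats as managed (labels are constructed)
MANAGED_SOURCES = {"play_store", "app_store", "mdm"}

@dataclass
class InventoryRow:
    device: str
    name: str
    package: str
    signer: str
    source: str

def _norm(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so lookalikes compare cleanly."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def review_app(row: InventoryRow, threshold: float = 0.85) -> list[str]:
    """Return triage reasons for one inventory row (empty list means clean)."""
    reasons = []
    if row.package not in APPROVED_LOOKALIKES:
        for legit_name, (pkg, signer) in KNOWN_APPS.items():
            sim = difflib.SequenceMatcher(None, _norm(row.name), _norm(legit_name)).ratio()
            if sim < threshold:
                continue  # name is not close enough to this legitimate app
            if row.package != pkg:
                reasons.append(f"name resembles '{legit_name}' but package {row.package} != {pkg}")
            elif row.signer != signer:
                reasons.append(f"package {pkg} signed by unexpected cert {row.signer}")
    if row.source not in MANAGED_SOURCES:
        reasons.append(f"installed from unmanaged source '{row.source}'")
    return reasons

def review_inventory(rows: list[InventoryRow]) -> dict[tuple[str, str], list[str]]:
    """Map (device, package) -> reasons, keeping only rows that need triage."""
    return {(r.device, r.package): review_app(r) for r in rows if review_app(r)}

# Constructed inventory export: one clean, one lookalike sideload, one re-signed, one approved
SAMPLE_ROWS = [
    InventoryRow("dev-01", "Secure Messenger", "com.example.securemsg", "sha256:AAAA1111", "play_store"),
    InventoryRow("dev-02", "Secure Mesenger", "com.unknown.chat", "sha256:CCCC3333", "sideload"),
    InventoryRow("dev-03", "Secure Messenger", "com.example.securemsg", "sha256:DDDD4444", "play_store"),
    InventoryRow("dev-04", "Secure Messenger", "com.corp.securemsg.internal", "sha256:EEEE5555", "mdm"),
]
```

Real MDM or MTD exports will carry different field names; map them onto InventoryRow and replace the constructed catalogue with the organisation's own approved-app list.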
Mitigation priorities
- Identify high-risk user populations and ensure mobile devices used for sensitive work are in scope for security policy, monitoring, and incident response.
- Strengthen mobile phishing prevention and reporting workflows, including user education for targeted social engineering against phones and tablets.
- Enforce managed app installation, app inventory review, and mobile configuration controls where business requirements allow.
- Maintain endpoint controls and monitoring for Windows systems used by the same high-risk users, because the relationship set includes Windows tooling as well as mobile malware.
- Document evidence sources and response procedures for mobile incidents so compliance and incident leadership are not dependent on ad hoc device handling during a crisis.
Analyst notes and limits
Aliases in the ATT&CK object include APT-C-23, Mantis, Arid Viper, Desert Falcon, TAG-63, Grey Karkadann, Big Bang APT, and Two-tailed Scorpion. The most decision-relevant relationship context is the mix of mobile malware across Android and iOS, mobile phishing and masquerading techniques, and one Windows remote access tool relationship. This supports a blended mobile-plus-endpoint readiness review rather than a purely network or EDR-centered view.
The supplied ATT&CK group object has no official detection text, no specified platforms or tactics at the group level, and no supplied procedure-level detail beyond the listed relationships. This take therefore avoids claims about current activity, attribution certainty, customer exposure, or guaranteed detection. Local asset inventory, mobile management coverage, regional exposure, and incident telemetry are required to determine actual risk and control coverage.
APT-C-23
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
- S0339: Micropsia
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 539b64163d03… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] symantec_mantis: Symantec Threat Hunter Team. (2023, April 4). Mantis: New Tooling Used in Attacks Against Palestinian Targets. Retrieved March 4, 2024.
- [2] welivesecurity_apt-c-23: Stefanko, L. (2020, September 30). APT-C-23 group evolves its Android spyware. Retrieved March 4, 2024.
- [3] Arid Viper (alias): (Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)
- [4] Big Bang APT (alias): (Citation: checkpoint_interactive_map_apt-c-23)
- [5] Desert Falcon (alias): (Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)
- [6] Grey Karkadann (alias): (Citation: sentinelone_israel_hamas_war)
- [7] Mantis (alias): (Citation: symantec_mantis)(Citation: sentinelone_israel_hamas_war)
- [8] Two-tailed Scorpion (alias): (Citation: welivesecurity_apt-c-23)
- [9] checkpoint_interactive_map_apt-c-23: Kayal, A. (2018, August 26). Interactive Mapping of APT-C-23. Retrieved March 4, 2024.
- [10] fb_arid_viper: Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.
- [11] mitre-attack: G1028
- [12] sentinelone_israel_hamas_war: Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.