Stealth Falcon spyware used on UAE critics

News by Ali Taherian

Circumstantial evidence suggests a link between the Stealth Falcon spyware campaign and the UAE government.

Citizen Lab researchers have uncovered what they describe as a spyware attack campaign dubbed Stealth Falcon which targets dissidents and activists in the United Arab Emirates (UAE). They believe that there is circumstantial evidence suggesting a link between the targeted spyware attack and the UAE government.

The Toronto-based research lab started to investigate this case when Rori Donaghy, a journalist and founder of the Emirates Center for Human Rights shared a suspicious email he had received in November 2015 with Bill Marczak, a researcher at The Citizen Lab.

The email was a formal request sent by an organisation called "The Right to Fight" asking Donaghy to join a panel of a human rights experts. It also asked his opinion on an article concerning "what more David Cameron can be doing to help aid the Middle East” along with a shortened-link redirecting to a page in an Al Jazeera website whilst invoking a JavaScript code to profile the target's computer simultaneously. 

Bill Marczak and John Scott-Railton wrote in a report published at “We queried the URL shortener with every possible short URL, and identified 402 instances of bait content which we believe were sent by Stealth Falcon, 73 percent of which obviously referenced UAE issues.  Of these URLs, only the one sent to Donaghy definitively contained spyware.  However, we were able to trace the spyware Donaghy received to a network of 67 active command and control (C2) servers, suggesting broader use of the spyware, perhaps by the same or other operators”.

Over the course of the investigation, Donaghy was instructed to contact the organisation and ask for further information. Interestingly, the information he asked for was sent to him through a macro-enabled attachment with an explanation that the organisation added macro enabled security to protect the content of the attachment and asked him to enable the macro for accessing the provided information.

The security solution running on the Donaghy's system identified the attachment as a malicious file and blocked it, therefore, he was instructed to ask the fictitious organisation to send the file via another method. The next email, contained another shortened-link redirecting to a password-protected Microsoft Word file shared on ownCloud, an open source, self-hosted file sync and share app platform.

Upon opening the file, a fake Proofpoint image, a legitimate provider of security solutions for Office 365, is shown to gain target's trust and persuade them to enable the macro. If the target enables the macro, content of the file will be shown as well as stealthily executing codes in the background. The macro passes commands to Windows PowerShell in several stages and as a result gathers system information, enables the operator to have control over the victim's computer, and install additional spyware or perform other activities, according to the report published by the Citizen Lab.

Comprehensive analysis of the Citizen lab shows that Donaghy was not the only target of the Stealth Falcon and “In total, 27 individuals have been targeted by what can only be described as a sophisticated web of fake social media profiles and malicious email documents,” David Bisson, reported in a blog post on

“The attacks appear to have had extremely serious consequences: many dissidents targeted, and presumably entrapped by Stealth Falcon, disappeared into the clutches of UAE authorities and were reportedly tortured,” Ronald Deibert, director of Citizen Lab, wrote in a blog post.

The UAE is classified as a 'not free' country by Freedom house, an independent watchdog organisation dedicated to the expansion of freedom and democracy around the world. The country restricted the use of social media and passed an expansive anti-terrorism law that criminalises criticism of the regime according to the Freedom report in 2015.

This is the second time that the UAE government has been accused of using spyware against activists. It was first highlighted when 400GB of confidential data from the Hacking Team was revealed publicly and indicated several countries' involvement. "Invoices from Hacking Team showed that through 2015, the Emirates were Hacking Team's second-biggest customers, behind only Morocco, and they paid Hacking Team more than US$ 634,500 (£440,000) to deploy spyware on 1,100 people,” wrote Nicole Perlroth, in the New York Times.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews