Threat Intelligence Tarot
Vol. II · 130
United Arab Emirates
G0038
risk 4/5
The Desert Hawk
Stealth Falcon
Project Raven · FruityArmor
Targets: Emirati journalists · Human rights defenders · Regional dissidents · Foreign policy advisors
Active since ~2012 · Domestic dissident surveillance, Regional opposition tracking
The Desert Hawk circles low over the homes of the noisy. Where journalists and exiles turn to encrypted messengers, this hawk has already perched on their endpoint, reading their messages before encryption is applied.
Tactics & Techniques
T1566.001 Spearphishing Attachment · Initial Access
T1059.001 PowerShell · Execution
T1547.001 Registry Run Keys / Startup Folder · Persistence
T1027 Obfuscated Files or Information · Defense Evasion
T1071.001 Web Protocols · Command and Control
T1041 Exfiltration Over C2 Channel · Exfiltration
Notable Operations
  • Citizen Lab disclosure of dissident targeting (2016)
  • Karma iOS toolset (former US intelligence personnel involvement reported)
  • Windows Update service repurposing for persistence (FruityArmor)
  • Reuters Project Raven investigative reporting (2019)
Defenses
  • Apple Lockdown Mode deployment for high-risk individuals
    Apple Platform Security Guide
  • Mobile device threat hunting (Citizen Lab indicators and Amnesty International's Mobile Verification Toolkit)
    MITRE D3FEND
  • Windows service auditing for unexpected modifications
    CIS Control 8
  • Civil society organizational threat assistance programs
    NIST CSF: ID.RA
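The Registry Run key persistence and PowerShell execution listed under Tactics & Techniques, together with the service-auditing defense above, can be checked against endpoint telemetry. The following is an added example, not code from this card, from MITRE ATT&CK, or from any vendor: a small Python detector run over constructed Sysmon and System-log records (hypothetical SIDs, paths and service names; field names simplified to TargetObject, Details and ImagePath, so a real export would need mapping). It flags Run/RunOnce values that launch PowerShell, decodes any -EncodedCommand payload so the hidden command can be read, and flags service installs whose binary sits outside the directories a stock Windows service normally runs from.

```python
"""Added example (not from the card, MITRE ATT&CK, or any vendor): a small
detector for two persistence signals associated with this profile.

  * Sysmon EventID 13 (registry value set) on a Run/RunOnce key whose data
    launches PowerShell (T1547.001 + T1059.001), with -EncodedCommand decoded.
  * System EventID 7045 / Security 4697 (service installed) whose binary lives
    outside the directories a stock Windows service normally runs from.

Field names are simplified (TargetObject/Details/ImagePath); real log exports
will need mapping. Every sample record below is constructed, not real telemetry."""

import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records; SIDs, paths and service names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "WinSyncSvc",
     "ImagePath": r'"C:\ProgramData\sync\winsync.exe" -k net'},
]

# Matches any hive's ...\CurrentVersion\Run or RunOnce key; group 2 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Substrings that make a PowerShell launch from a Run key worth a human look.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "-nop", "-noprofile", "-ep bypass", "-executionpolicy bypass",
                   "iex", "downloadstring", "frombase64string")
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    technique: str
    subject: str
    reason: str
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (UTF-16LE
    base64), or None if there is none or it does not decode cleanly."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def check_run_key(event: dict) -> Optional[Finding]:
    """Flag a Run/RunOnce value (Sysmon EventID 13) whose data launches PowerShell."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    data = event.get("Details", "")
    if not POWERSHELL_RE.search(data):
        return None
    decoded = decode_encoded_command(data)
    # Look for indicators in both the raw command line and the decoded payload.
    haystack = data.lower() + (" " + decoded.lower() if decoded else "")
    hits = [a for a in SUSPICIOUS_ARGS if a in haystack]
    reason = "PowerShell launched from Run key"
    if hits:
        reason += " (" + ", ".join(hits) + ")"
    return Finding("T1547.001 + T1059.001", m.group(2), reason, decoded)


def check_service(event: dict) -> Optional[Finding]:
    """Flag a service install (System 7045 / Security 4697) whose binary is
    outside the directories a stock Windows service normally runs from."""
    if event.get("EventID") not in (7045, 4697):
        return None
    image = event.get("ImagePath", "").strip().lstrip('"').lower()
    if image.startswith(TRUSTED_SERVICE_DIRS):
        return None
    return Finding("Windows service audit", event.get("ServiceName", "?"),
                   "service binary outside trusted directories: " + image)


def scan(events: List[dict]) -> List[Finding]:
    """Run every check over every record and collect the findings in log order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_service):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.subject}: {f.reason}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

On the constructed records this reports the Updater Run value (PowerShell with -nop, -w hidden and an encoded payload that decodes to the start of an IEX download cradle) and the WinSyncSvc install under C:\ProgramData, while the OneDrive entry and the Spooler service pass. The trusted-directory list is deliberately short; extend it for your own image, and treat a hit as a prompt to pull the binary and its parent process, not as a verdict.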
Reversed: Their Weakness
Hardened mobile-device practices for at-risk journalists and activists, paired with Apple Lockdown Mode and regular review of the configuration profiles installed on their devices, raise the cost of this operator's playbook.

Data sourced from MITRE ATT&CK. For educational purposes.