Threat Actor Profile
High APT
Description

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

Confidence Score
90%
Known Aliases
Stealth Falcon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (16)
T1005 - Data from Local System
Collection
T1071.001 - Web Protocols
Command and Control
T1573.001 - Symmetric Cryptography
Command and Control
T1555 - Credentials from Password Stores
Credential Access
T1555.003 - Credentials from Web Browsers
Credential Access
T1555.004 - Windows Credential Manager
Credential Access
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059 - Command and Scripting Interpreter
Execution
T1059.001 - PowerShell
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
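The execution techniques in the list above (T1047, T1053.005, T1059.001) are the ones where process-creation telemetry gives a defender the most traction. The following is an added example, not the profile's own code and not anything attributed to Stealth Falcon tooling: a small Python detector run over constructed process-creation events (the event shape, hostnames, file names and command lines are assumptions for illustration). It scores each event, tags the ATT&CK IDs it matches, and lets a plain interactive PowerShell launch fall under the threshold, which shows why parent process and command-line flags, not the binary name alone, carry the signal.

```python
"""Added example: score constructed process-creation events against the execution
techniques listed in this profile (T1047, T1053.005, T1059.001). Event shapes,
hostnames, paths and command lines are assumptions for illustration only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image name, lower-case
    image: str     # child image name, lower-case
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    techniques: Tuple[str, ...]   # ATT&CK IDs from the profile's list
    score: int
    reasons: Tuple[str, ...]


# Constructed sample telemetry (not real Stealth Falcon data).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "winword.exe", "WINWORD.EXE /n C:\\Users\\a\\invite.docm"),
    ProcEvent("ws01", "winword.exe", "powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("ws01", "svchost.exe", "schtasks.exe",
              'schtasks.exe /Create /TN Updater /TR "powershell.exe -w hidden -f C:\\ProgramData\\u.ps1" /SC MINUTE /MO 30'),
    ProcEvent("ws02", "wmiprvse.exe", "powershell.exe", 'powershell.exe -nop -c "Get-Process"'),
    ProcEvent("ws03", "explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\b")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
SCHTASK_CREATE_RE = re.compile(r"(?i)schtasks(?:\.exe)?\s.*?/create\b")


def classify(ev: ProcEvent) -> Optional[Finding]:
    """Map one event to ATT&CK IDs and a crude risk score; None if nothing matched."""
    techniques, reasons, score = set(), [], 0
    if ev.image == "powershell.exe":
        techniques.add("T1059.001")
        score += 1
        if ENC_RE.search(ev.cmdline):
            reasons.append("encoded command line")
            score += 2
        if HIDDEN_RE.search(ev.cmdline):
            reasons.append("hidden window")
            score += 1
        if ev.parent in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {ev.parent}")
            score += 3
    if ev.parent == "wmiprvse.exe":
        # T1047: child of the WMI provider host, i.e. launched through WMI
        techniques.add("T1047")
        reasons.append("parent is WMI provider host")
        score += 2
    if SCHTASK_CREATE_RE.search(ev.cmdline):
        # T1053.005: a scheduled task is being registered
        techniques.add("T1053.005")
        score += 2
        if "powershell" in ev.cmdline.lower():
            techniques.add("T1059.001")
            reasons.append("scheduled task action runs PowerShell")
            score += 2
    if not techniques:
        return None
    return Finding(ev.host, ev.image, tuple(sorted(techniques)), score, tuple(reasons))


def detect(events: List[ProcEvent], threshold: int = 3) -> List[Finding]:
    """Return findings at or above the threshold, in event order."""
    out = []
    for ev in events:
        f = classify(ev)
        if f is not None and f.score >= threshold:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} {f.image} score={f.score} {','.join(f.techniques)} :: {'; '.join(f.reasons)}")
```

With the constructed events, the Office-spawned encoded PowerShell, the schtasks registration whose action runs PowerShell, and the WMI-spawned PowerShell are reported; the analyst's inventory script on ws03 scores 1 and is dropped. The weights are arbitrary and would be tuned against a real baseline.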
STIX Data
{
  "aliases": ["Stealth Falcon"],
  "created": "2017-05-31T21:32:06.390Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
  "external_references": [
    {
      "external_id": "G0038",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0038"
    },
    {
      "description": "(Citation: Citizen Lab Stealth Falcon May 2016)",
      "source_name": "Stealth Falcon"
    },
    {
      "description": "Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.",
      "source_name": "Citizen Lab Stealth Falcon May 2016",
      "url": "https://citizenlab.org/2016/05/stealth-falcon/"
    }
  ],
  "id": "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8",
  "modified": "2025-04-25T14:49:04.710Z",
  "name": "Stealth Falcon",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
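The object above is the STIX 2.1 intrusion-set for G0038 as distributed in MITRE's ATT&CK bundle. What follows is an added example, not code from this page or from MITRE: a Python loader that carries the same object as JSON, checks the properties a CTI pipeline should refuse to ingest without (type and id agreement, spec_version, created not later than modified, not revoked or deprecated), and extracts the ATT&CK group ID and the report citation. Nothing about the actor is assumed beyond what the object states; the validation rules are the general STIX 2.1 ones, and the function names are this example's own.

```python
"""Added example (not the page's or MITRE's code): load the STIX 2.1 intrusion-set
object shown in this profile, validate the fields a CTI pipeline keys on, and pull
out the ATT&CK group ID and source citations. STIX_DOC is a copy of the page's
object carried as JSON for this example."""
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

STIX_DOC = r'''
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2017-05-31T21:32:06.390Z",
  "modified": "2025-04-25T14:49:04.710Z",
  "name": "Stealth Falcon",
  "aliases": ["Stealth Falcon"],
  "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
  "external_references": [
    {"source_name": "mitre-attack", "external_id": "G0038", "url": "https://attack.mitre.org/groups/G0038"},
    {"source_name": "Stealth Falcon", "description": "(Citation: Citizen Lab Stealth Falcon May 2016)"},
    {"source_name": "Citizen Lab Stealth Falcon May 2016",
     "description": "Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.",
     "url": "https://citizenlab.org/2016/05/stealth-falcon/"}
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "x_mitre_deprecated": false,
  "x_mitre_version": "1.2"
}
'''

# STIX identifier: <type>--<UUID>
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def load() -> Dict[str, Any]:
    return json.loads(STIX_DOC)


def parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with fractional seconds and a literal Z."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def validate_intrusion_set(obj: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the object passed."""
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append("type must be 'intrusion-set'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    m = ID_RE.match(obj.get("id", ""))
    if not m:
        problems.append("id is not <type>--<uuid>")
    elif m.group(1) != obj.get("type"):
        problems.append("id prefix does not match type")
    for key in ("name", "created", "modified"):
        if key not in obj:
            problems.append(f"missing required property {key}")
    try:
        if parse_ts(obj["modified"]) < parse_ts(obj["created"]):
            problems.append("modified precedes created")
    except (KeyError, ValueError) as exc:
        problems.append(f"bad timestamp: {exc}")
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        problems.append("object is revoked or deprecated; do not act on it")
    return problems


def attack_refs(obj: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(external_id, url) for every mitre-attack reference, i.e. the G-number."""
    return [(r["external_id"], r["url"])
            for r in obj.get("external_references", [])
            if r.get("source_name") == "mitre-attack"]


def citations(obj: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(source_name, url) for references that point at a report, skipping the
    ATT&CK entry itself and alias-only entries that carry no url."""
    return [(r["source_name"], r["url"])
            for r in obj.get("external_references", [])
            if r.get("source_name") != "mitre-attack" and "url" in r]


if __name__ == "__main__":
    obj = load()
    print("problems:", validate_intrusion_set(obj) or "none")
    print("ATT&CK:", attack_refs(obj))
    print("sources:", citations(obj))
```

The second external reference, which names the alias and carries no url, is exactly the kind of entry that trips naive "take the first reference" code; filtering on source_name and the presence of url keeps the G-number and the Citizen Lab report separate.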