New Modular Deadglyph Backdoor Used in a Government Attack | Cyware Hacker News

A novel and sophisticated backdoor malware named Deadglyph was seen used in a cyberespionage campaign targeting a government agency in the Middle East. The malware is attributed to the Stealth Falcon hacking group, which is infamous for targeting activists, journalists, and dissidents.

Deadglyph infection method

  • While the exact delivery method is currently unknown, it is suspected that a malicious x64 executable, possibly a program installer, is used to propagate Deadglyph. 
  • The malicious executable, in turn, downloads a .NET-based component called Orchestrator, which communicates with the C2 server for further malicious commands. 
  • This enables the malware to engage in a series of evasive maneuvers to stay under the radar. 
  • If the backdoor fails to establish communications with the C2 server after a determined period, it triggers a self-removal mechanism to prevent its analysis.


  • Deadglyph is modular in nature, means it allows threat actors to create or modify modules tailored to their needs..
  • ESET believes that the backdoor includes nine to fourteen different modules, however, it could obtain only three: a process creator, an info collector, and a file reader.
  • Besides this, the malware boasts a range of anti-evasion mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns.

Too many malware backdoors lately

  • Recently, the Chinese hacking group Earth Lusca was attributed to a new Linux backdoor, SprySOCKS, that targeted multiple government organizations in several countries. 
  • In another incident, a threat actor employed two new backdoors—HTTPSnoop and PipeSnoop—in a cyberespionage campaign targeting Middle East-based telecommunications organizations. These backdoors masqueraded as popular software products and used extensive anti-detection mechanisms to stay under the radar. 
  • Furthermore, a new Sandman APT group was found using a modular backdoor named LuaDream to target telecom service providers in Europe and Asia. The malware utilizes the LuaJIT platform to propagate on targeted organizations’ systems.


Researchers are yet to uncover the full range of capabilities of Deadglyph malware as the investigation continues. Meanwhile, organizations are advised to leverage the IOCs associated with the malware to protect endpoints or networks vulnerable to attacks.