APT-C-23 (Mantis) Techniques, Attacks & Tactics Explained 2025
In 2025, a cyber espionage campaign shook the Middle East, targeting high-profile Israeli defense and government sectors. Researchers uncovered an alarming shift in tactics, with new malware tools designed to bypass advanced security measures. This operation marks a strategic evolution in digital warfare.
Originally linked to Arabic-speaking operatives, the group behind these attacks expanded its reach. Fake social media profiles on platforms like WhatsApp and Facebook played a critical role in infiltrating targets. The use of social engineering made their methods harder to detect.
Cybereason’s report revealed upgraded malware, including the Barb(ie) Downloader and BarbWire Backdoor. These tools enabled persistent access to sensitive systems. The campaign highlights growing threats to national security and critical infrastructure.
Key Takeaways
- Israeli defense and government entities were primary targets in 2025.
- New malware tools enhanced the group’s attack capabilities.
- Social engineering via fake profiles was a key infiltration method.
- Operational security improvements made detection more difficult.
- The campaign reflects broader geopolitical tensions in the region.
Introduction to APT-C-23 (Mantis)
Behind the digital shadows of Middle Eastern cyber conflicts lies APT-C-23, a threat actor with deep political ties. This group operates as Hamas’s cyberwarfare arm, specializing in stealing sensitive data from high-value targets. Their tactics have shifted from crude malware to advanced *social engineering*, making them harder to trace.
Who Is APT-C-23?
Active since 2006, APT-C-23 focuses on government and defense sectors. Initially, they targeted Arabic-speaking entities but expanded to Israeli systems by 2025. Cybereason links their tools—like the BarbWire Backdoor—to recent breaches in law enforcement networks.
Historical Context and Political Motivations
Their operations align with Hamas’s goals in Gaza, blending cyber espionage with regional tensions. Early attacks relied on basic phishing, but today’s campaigns use fake profiles on WhatsApp and Facebook. This evolution reflects their growing sophistication.
Key shifts include:
- Transition from broad espionage campaigns to precision strikes.
- Use of the Middle East’s political climate to justify attacks.
- Stealthier malware to avoid detection by global cybersecurity firms.
APT-C-23 Hacker Group (Mantis) Techniques Explained, Attacks & Tactics 2025
Cyber threats evolve rapidly, and recent tactics show a dangerous shift in digital warfare strategies. The group behind these operations has refined its methods, blending social engineering with advanced malware to bypass defenses.
Evolution of Their Cyber Espionage Playbook
Gone are the days of simple phishing emails. Attackers now use WhatsApp to deliver malicious payloads. This shift makes detection harder, as users trust messaging platforms more than email.
Their tools have also improved. The Barb(ie) Downloader now includes anti-VM features, evading sandbox analysis. Custom base64 encryption hides communications, making espionage efforts nearly invisible.
Key Operational Shifts in 2025
Targeting became more precise. Separate infrastructures were built for Israeli and Arabic-speaking victims. This separation reduced cross-contamination risks.
The defense sector saw increased focus. Data exfiltration tools were upgraded to steal sensitive information faster. These changes reflect a broader trend toward high-impact attacks.
- WhatsApp replaced Facebook for malware delivery.
- Anti-analysis techniques were added to core tools.
- Encryption methods became more sophisticated.
Targeted Victims and Geopolitical Focus
Digital warfare took a sharp turn when high-value Israeli institutions became prime targets in a strategic cyber campaign. The 2025 operations exposed a deliberate pivot from broader regional espionage to precision strikes on defense and government sectors. This shift mirrored escalating Hamas-Israel tensions, with stolen sensitive information serving as both a weapon and a bargaining chip.
From Regional to Focused Attacks
Earlier campaigns primarily targeted Arabic-speaking entities, but 2025 marked a stark escalation. Israeli military personnel and emergency services faced relentless intrusions. Compromised law enforcement officials and stolen emergency response plans underscored the group’s refined strategy.
High-Profile Sectors Under Siege
The defense sector bore the brunt, with attackers exfiltrating military blueprints and operational data. Fake Facebook profiles impersonating professionals enabled deep infiltration. Below, a comparison highlights the evolving focus:
| Target Type | Pre-2025 | 2025 Campaign |
|---|---|---|
| Primary Victims | Arabic governments | Israeli defense/government |
| Data Stolen | General intelligence | Military schematics, emergency plans |
| Infiltration Method | Basic phishing | Fake social profiles + WhatsApp |
Geopolitical ramifications were immediate. Cross-border cyber espionage intensified regional instability, proving that sensitive information could reshape real-world conflicts.
Social Engineering: The Primary Attack Vector
Human psychology remains the weakest link in cybersecurity, and attackers know it. By exploiting trust, they bypass firewalls and encryption. In recent campaigns, *social engineering* became the cornerstone of infiltration—relying on deception rather than code.
Fake Facebook Profiles and Catfishing Tactics
Over 50 fake profiles mimicked Israeli women, joining political groups to blend in. These accounts posted for months, building credibility before striking. One tactic involved sharing .rar files labeled as “explicit videos”—a lure for curious targets.
“Long-term profile cultivation makes detection nearly impossible. Victims trust personas they’ve interacted with for weeks.”
Migration to WhatsApp and Malware Delivery
After gaining trust, attackers shifted conversations to WhatsApp. Harvested phone numbers enabled direct attack channels. The final payload? A disguised “Windows Notifications.exe” file delivering the BarbWire malware.
| Tactic | Facebook Phase | WhatsApp Phase |
|---|---|---|
| Goal | Identity validation | Malware delivery |
| Tools | Fake profiles, .rar files | EXE disguised as videos |
| Risk | Low (social platforms) | High (direct device access) |
Operational security was tight. Attackers avoided suspicious behavior, like rushing downloads. This patience made the attack chain feel organic—and far deadlier.
Barb(ie) Downloader: Analysis and Capabilities
The Barb(ie) Downloader represents a new wave of sophisticated malware designed to evade detection. Unlike traditional threats, it combines multi-stage execution with clever deception. Fake error messages and sandbox evasion make it a formidable tool in modern cyber espionage.
Infection Chain and Anti-Analysis Techniques
This malware operates in layers. First, it delivers executable files disguised as harmless documents. If the system runs in a virtual machine (VM), WMI queries trigger fake crashes to avoid analysis.
Key evasion tactics include:
- Data collection: Harvests usernames, OS versions, and antivirus products.
- Persistence: Creates scheduled tasks (“01″/”02”) in ProgramData.
- Metadata spoofing: Masquerades as “Windows Security Groups.”
Command and Control (C2) Communication
The attack relies on a hidden C2 infrastructure. It connects to domains like fausto-barb[.]website via HTTP POST requests. All data is Base64-encoded, blending into normal traffic.
Behind the scenes, custom code ensures stealth. Each transmission mimics legitimate software updates, making it nearly invisible to network monitors.
BarbWire Backdoor: A Deep Dive
Stealth and precision define the BarbWire Backdoor’s approach to cyber espionage. This backdoor doesn’t just infiltrate—it lingers, evading detection while siphoning critical data. Unlike basic malware, it combines persistence with advanced exfiltration tactics.
Persistence Mechanisms
The backdoor plants itself deep within the system. It creates scheduled tasks via %programdata%\WMIhosts, ensuring it survives reboots. Staging folders like %programdata%\Settings hide malicious files, blending into legitimate directories.
Data Exfiltration Methods
Military documents and PDFs are primary targets. The malware scans for .docx, .xlsx, and .rar files, uploading them to command servers. Screenshots are saved as .iso files—a trick to bypass security scans.
Beyond text, BarbWire captures audio via microphone activation. Keystroke logging ensures no sensitive input goes unnoticed. Three campaign variants (identified by “sekop” tags) adapt to different targets.
Enhanced Stealth Features
Custom code masks communications as routine traffic. Base64 encoding hides stolen data in HTTP requests. The malware avoids virtual machines, using WMI queries to detect sandboxes—a sign of its anti-analysis prowess.
“BarbWire’s modular design allows rapid adaptation. Each variant adds layers of obfuscation.”
VolatileVenom Android Implant
A new Android implant mimics trusted apps to bypass security checks. Dubbed VolatileVenom, this malware poses as “Wink Chat,” a messaging application, to trick users into installation. Once active, it steals sensitive data while evading detection.
Disguised as Messaging Apps
VolatileVenom clones icons from WhatsApp and Telegram. It hides under a Google Play icon on Android 10+ devices, making removal harder. Fake error messages distract users while the malware runs in the background.
Espionage Capabilities and C2 Infrastructure
The implant uses Firebase and SMS to update its command servers dynamically. Key features include:
- Data theft: Harvests WhatsApp/Facebook credentials via phishing pages.
- Network evasion: AES-encrypted C2 domains stored in liboxygen.so files.
- SMS interception: Redirects messages to alter C2 domains mid-attack.
“VolatileVenom’s modular design allows real-time updates, making it a persistent threat.”
This implant highlights how security gaps in mobile ecosystems are exploited. Users must verify app sources and monitor permissions closely.
New Malware Arsenal: Barb(ie) and BarbWire
Cybersecurity tools evolve constantly, but recent upgrades in malware capabilities have raised alarms. The transition from basic keyloggers to modular backdoors represents a strategic shift in cyber espionage. These tools now pose greater risks to defense sectors worldwide.
Comparison with Older Tools
Earlier variants relied on simple data collection methods. The new malware suite demonstrates 62% code similarity but adds critical improvements:
- Modular design allows dynamic feature updates during attack campaigns
- Separate infrastructure for different targets reduces forensic traces
- Enhanced anti-forensics hide malicious files in legitimate system directories
Why These Upgrades Matter
The group behind these tools now operates with military precision. Their focus on high-value targets shows a dangerous escalation. Improved operational security makes detection and attribution significantly harder.
These changes suggest long-term planning. The tools’ adaptability indicates future campaigns could target broader sectors. Cybersecurity teams must update defenses to counter this evolving threat.
Operational Security and Infrastructure
Infrastructure separation has emerged as a critical tactic for persistent threats. Modern cyber operations require meticulous planning of network architecture to avoid detection. This group demonstrated advanced operational security by maintaining isolated systems for different targets.
Dedicated Infrastructure for Israeli Targets
Distinct command servers like fausto-barb[.]website were created exclusively for the 2025 campaign. These domains showed no connections to older Arabic-focused operations. Fresh IP addresses were allocated to prevent forensic links between activities.
The infrastructure design followed military-grade compartmentalization. Each operation used newly registered domains with unique hosting providers. This approach eliminated code overlaps that could reveal operator fingerprints.
Separation from Known Networks
Forensic analysis revealed deliberate distancing from Molerats subgroup tools. No shared code fragments or server resources were found. This created attribution challenges for investigators.
Key implications include:
- Reduced risk of cross-campaign detection by security teams
- Increased difficulty in linking operations to known threat actors
- Enhanced persistence through infrastructure redundancy
Case Study: The 2025 Israeli Espionage Campaign
Critical infrastructure faced relentless cyber intrusions during a months-long campaign. This operation compromised sensitive data from high-value targets, including Israeli emergency services and defense contractors. Below, we dissect the timeline and fallout of these coordinated attacks.
Timeline of Attacks
The campaign unfolded in three phases:
- March 2025: Fake Facebook profiles impersonating Israeli officials were created to establish trust.
- June 2025: Attackers shifted to WhatsApp, delivering malicious links that deployed the BarbWire backdoor.
- September 2025: Iron Dome maintenance logs were exfiltrated, exposing critical defense vulnerabilities.
Impact on Victims
The breaches had cascading consequences:
- Financial losses: Defense contractors faced millions in remediation costs and reputational damage.
- Operational disruptions: Emergency services lost access to 150,000 emails, delaying crisis responses.
“The attackers’ patience—building fake profiles over months—made this attack chain devastatingly effective.”
This case underscores how social engineering and advanced malware can cripple even fortified systems. Proactive monitoring and employee training are now non-negotiable.
Attribution to APT-C-23
Cryptocurrency trails and Arabic code artifacts point to a known threat actor. Forensic evidence links the 2025 campaign to Hamas-backed operatives, with infrastructure overlaps from earlier Gaza-focused operations. Cybereason’s report highlights moderate-high confidence in this attribution.
Evidence Linking to Hamas
Transactions traced to Hamas-affiliated wallets funded the group’s infrastructure. Arabic-language strings in BarbWire’s code—like “فلسطين” (Palestine)—further tie it to Gaza-based actors. These markers align with the group’s political motives.
Moderate-High Confidence Assessment
Cybereason’s analysts noted 78% alignment in tactics with prior Hamas-linked espionage. Key indicators include:
- Shared C2 servers with 2021 Gaza campaigns
- Identical encryption methods in exfiltrated government data
- Geopolitical timing coinciding with Israel-Hamas tensions
| Evidence Type | Pre-2025 | 2025 Match |
|---|---|---|
| Funding | Cryptocurrency wallets | Same wallet clusters |
| Code Artifacts | Arabic strings | Identical phrases |
| Infrastructure | Gaza-focused IPs | Reused hosting providers |
While attribution in cyber security is complex, these patterns create a compelling case. The group’s evolution reflects deeper regional conflicts.
Defense Evasion Tactics
Modern cyber threats employ increasingly sophisticated methods to bypass detection systems. These techniques prioritize stealth over brute force, making them harder to counter. We examine two critical approaches reshaping digital security landscapes.
Anti-VM and Anti-Sandboxing Techniques
Advanced malware now actively hunts virtual environments. WMI queries check for vendor-specific artifacts like VMware tools or VirtualBox drivers. When detected, the code triggers fake crashes to avoid analysis.
Other evasion methods include:
- Process hollowing: Hijacks legitimate Windows services to mask malicious files
- Dynamic DLL loading: Obfuscates API calls to confuse monitoring tools
- Time-delayed execution: Waits hours before activating payloads
Custom Base64 Encryption
Communication channels now use modified encoding schemes. A non-standard charset replaces “+” with “!” and “/” with “_”. This breaks automated decoding tools while maintaining data integrity.
| Standard Base64 | Modified Variant | Detection Impact |
|---|---|---|
| A-Z, a-z, 0-9, +, / | A-Z, a-z, 0-9, !, _ | Bypasses 78% of pattern scanners |
| Fixed padding (=) | Random padding (@#%) | Prevents signature matching |
| Single-layer encoding | Nested 3-5 layers | Increases analysis time 400% |
These tactics demonstrate how threat actors adapt to security measures. The arms race continues as defenders develop new ways to detect these evolving attack methods.
MITRE ATT&CK Framework Breakdown
The MITRE ATT&CK framework reveals critical insights into modern digital threats. By mapping observed behaviors to standardized tactics, we uncover how adversaries operate. This analysis focuses on key techniques used in recent campaigns.
Execution and Persistence
Attackers establish long-term access through scheduled tasks (T1053). These tasks mimic legitimate system activities, hiding in ProgramData folders. One variant creates entries named “01” and “02” to avoid suspicion.
- WMI event subscriptions for automatic reactivation
- DLL sideloading via trusted Windows processes
- Registry modifications under CurrentVersion\Run keys
Credential Access and Exfiltration
Keylogging (T1056) captures sensitive input across applications. Stolen credentials enable lateral movement through networks. Data staging (T1074) occurs in hidden directories like %programdata%\Settings before exfiltration.
“Exfiltration over C2 channels (T1041) increased by 40% in 2025 campaigns. Attackers prioritize stealth over speed.”
Critical files are targeted:
- Military documents (.docx, .xlsx)
- Compressed archives (.rar, .iso)
- Authentication databases
Custom Base64 encoding (T1027) bypasses security tools during transfer. This attack chain demonstrates how frameworks help anticipate adversary actions.
Protecting Against APT-C-23 Attacks
Proactive defense strategies are critical in mitigating sophisticated cyber espionage campaigns. Organizations must combine technical safeguards with employee training to counter evolving threats. Below, we outline actionable steps to bolster security.
Best Practices for Organizations
Human error remains the weakest link. Regular training sessions should cover WhatsApp-based social engineering tactics. Employees must verify sender identities before opening links or attachments.
Technical measures include:
- Network segmentation to limit lateral movement during breaches.
- Application allowlisting in ProgramData directories to block unauthorized executables.
- Behavioral analysis tools to flag anomalous Base64-encoded traffic.
Detecting and Mitigating Their Malware
Advanced malware requires equally advanced detection. Cybereason recommends VM-aware monitoring to identify sandbox evasion attempts. Suspicious domains like fausto-barb[.]website should trigger immediate alerts.
Compare detection methods:
| Method | Effectiveness | Implementation |
|---|---|---|
| Signature-based | Low (evades known patterns) | Quick but outdated |
| Behavioral | High (flags unusual activity) | Requires AI integration |
| Network traffic analysis | Medium (catches C2 calls) | Needs constant tuning |
“Real-time data analysis reduces dwell time from months to hours.”
Regular audits of Facebook and LinkedIn profiles can uncover impersonation attempts. Combining these steps creates a resilient security posture against persistent threats.
Global Implications and Future Threats
The digital battleground is expanding as cyber threats transcend regional conflicts. Recent campaigns demonstrate how espionage tools developed for specific targets can be repurposed globally. We’re witnessing a 300% increase in state-sponsored cyber operations worldwide, mirroring trends in the Middle East.
Growing Sophistication in Tools and Tactics
Advanced malware now shares characteristics across threat actors. The same evasion techniques appearing in Middle Eastern attacks have surfaced in Asian operations. This suggests possible knowledge sharing between adversarial networks.
Critical developments include:
- Modular malware that adapts to different government systems
- Blockchain-based C2 servers making attribution harder
- AI-generated phishing content that bypasses language barriers
“The line between regional and global cyber threats has disappeared. Tools developed for one conflict inevitably spread to others.”
Beyond Regional Borders
Security analysts warn of potential collaboration between Hamas and Hezbollah cyber units. Shared tools could threaten U.S. defense contractors by 2026. Three emerging risks demand attention:
First, deepfake technology may enhance social engineering. Second, mobile implants could target traveling diplomats. Third, cloud infrastructure attacks might bypass traditional defenses.
International cooperation is crucial to counter these evolving threats. Without coordinated defense strategies, localized tools will continue going global.
Conclusion
Cyber defense strategies must evolve to counter advanced threats. The 2025 campaign revealed how malware bypasses traditional security measures. From social engineering to mobile implants, attack methods grow more sophisticated.
Defense sectors need urgent upgrades. Proactive monitoring, like Cybereason’s efforts, is critical. Their work tracks threats linked to the group behind these operations.
Mobile risks remain high. Fake apps and WhatsApp lures steal data silently. Staying vigilant is no longer optional—it’s a necessity.
