APT-C-23 (Mantis) Techniques, Attacks & Tactics Explained 2025

APT-C-23 (Mantis) Techniques, Attacks & Tactics Explained 2025

In 2025, a cyber espionage campaign shook the Middle East, targeting high-profile Israeli defense and government sectors. Researchers uncovered an alarming shift in tactics, with new malware tools designed to bypass advanced security measures. This operation marks a strategic evolution in digital warfare.

Originally linked to Arabic-speaking operatives, the group behind these attacks expanded its reach. Fake social media profiles on platforms like WhatsApp and Facebook played a critical role in infiltrating targets. The use of social engineering made their methods harder to detect.

Cybereason’s report revealed upgraded malware, including the Barb(ie) Downloader and BarbWire Backdoor. These tools enabled persistent access to sensitive systems. The campaign highlights growing threats to national security and critical infrastructure.

Key Takeaways

Table of Contents

  • Israeli defense and government entities were primary targets in 2025.
  • New malware tools enhanced the group’s attack capabilities.
  • Social engineering via fake profiles was a key infiltration method.
  • Operational security improvements made detection more difficult.
  • The campaign reflects broader geopolitical tensions in the region.

Introduction to APT-C-23 (Mantis)

Behind the digital shadows of Middle Eastern cyber conflicts lies APT-C-23, a threat actor with deep political ties. This group operates as Hamas’s cyberwarfare arm, specializing in stealing sensitive data from high-value targets. Their tactics have shifted from crude malware to advanced *social engineering*, making them harder to trace.

Who Is APT-C-23?

Active since 2006, APT-C-23 focuses on government and defense sectors. Initially, they targeted Arabic-speaking entities but expanded to Israeli systems by 2025. Cybereason links their tools—like the BarbWire Backdoor—to recent breaches in law enforcement networks.

Historical Context and Political Motivations

Their operations align with Hamas’s goals in Gaza, blending cyber espionage with regional tensions. Early attacks relied on basic phishing, but today’s campaigns use fake profiles on WhatsApp and Facebook. This evolution reflects their growing sophistication.

Key shifts include:

  • Transition from broad espionage campaigns to precision strikes.
  • Use of the Middle East’s political climate to justify attacks.
  • Stealthier malware to avoid detection by global cybersecurity firms.

APT-C-23 Hacker Group (Mantis) Techniques Explained, Attacks & Tactics 2025

Cyber threats evolve rapidly, and recent tactics show a dangerous shift in digital warfare strategies. The group behind these operations has refined its methods, blending social engineering with advanced malware to bypass defenses.

Evolution of Their Cyber Espionage Playbook

Gone are the days of simple phishing emails. Attackers now use WhatsApp to deliver malicious payloads. This shift makes detection harder, as users trust messaging platforms more than email.

Their tools have also improved. The Barb(ie) Downloader now includes anti-VM features, evading sandbox analysis. Custom base64 encryption hides communications, making espionage efforts nearly invisible.

Key Operational Shifts in 2025

Targeting became more precise. Separate infrastructures were built for Israeli and Arabic-speaking victims. This separation reduced cross-contamination risks.

The defense sector saw increased focus. Data exfiltration tools were upgraded to steal sensitive information faster. These changes reflect a broader trend toward high-impact attacks.

  • WhatsApp replaced Facebook for malware delivery.
  • Anti-analysis techniques were added to core tools.
  • Encryption methods became more sophisticated.

Targeted Victims and Geopolitical Focus

Digital warfare took a sharp turn when high-value Israeli institutions became prime targets in a strategic cyber campaign. The 2025 operations exposed a deliberate pivot from broader regional espionage to precision strikes on defense and government sectors. This shift mirrored escalating Hamas-Israel tensions, with stolen sensitive information serving as both a weapon and a bargaining chip.

From Regional to Focused Attacks

Earlier campaigns primarily targeted Arabic-speaking entities, but 2025 marked a stark escalation. Israeli military personnel and emergency services faced relentless intrusions. Compromised law enforcement officials and stolen emergency response plans underscored the group’s refined strategy.

High-Profile Sectors Under Siege

The defense sector bore the brunt, with attackers exfiltrating military blueprints and operational data. Fake Facebook profiles impersonating professionals enabled deep infiltration. Below, a comparison highlights the evolving focus:

Target TypePre-20252025 Campaign
Primary VictimsArabic governmentsIsraeli defense/government
Data StolenGeneral intelligenceMilitary schematics, emergency plans
Infiltration MethodBasic phishingFake social profiles + WhatsApp

Geopolitical ramifications were immediate. Cross-border cyber espionage intensified regional instability, proving that sensitive information could reshape real-world conflicts.

Social Engineering: The Primary Attack Vector

Human psychology remains the weakest link in cybersecurity, and attackers know it. By exploiting trust, they bypass firewalls and encryption. In recent campaigns, *social engineering* became the cornerstone of infiltration—relying on deception rather than code.

Fake Facebook Profiles and Catfishing Tactics

Over 50 fake profiles mimicked Israeli women, joining political groups to blend in. These accounts posted for months, building credibility before striking. One tactic involved sharing .rar files labeled as “explicit videos”—a lure for curious targets.

“Long-term profile cultivation makes detection nearly impossible. Victims trust personas they’ve interacted with for weeks.”

Cybereason Threat Report

Migration to WhatsApp and Malware Delivery

After gaining trust, attackers shifted conversations to WhatsApp. Harvested phone numbers enabled direct attack channels. The final payload? A disguised “Windows Notifications.exe” file delivering the BarbWire malware.

TacticFacebook PhaseWhatsApp Phase
GoalIdentity validationMalware delivery
ToolsFake profiles, .rar filesEXE disguised as videos
RiskLow (social platforms)High (direct device access)

Operational security was tight. Attackers avoided suspicious behavior, like rushing downloads. This patience made the attack chain feel organic—and far deadlier.

Barb(ie) Downloader: Analysis and Capabilities

The Barb(ie) Downloader represents a new wave of sophisticated malware designed to evade detection. Unlike traditional threats, it combines multi-stage execution with clever deception. Fake error messages and sandbox evasion make it a formidable tool in modern cyber espionage.

Infection Chain and Anti-Analysis Techniques

This malware operates in layers. First, it delivers executable files disguised as harmless documents. If the system runs in a virtual machine (VM), WMI queries trigger fake crashes to avoid analysis.

Key evasion tactics include:

  • Data collection: Harvests usernames, OS versions, and antivirus products.
  • Persistence: Creates scheduled tasks (“01″/”02”) in ProgramData.
  • Metadata spoofing: Masquerades as “Windows Security Groups.”

Command and Control (C2) Communication

The attack relies on a hidden C2 infrastructure. It connects to domains like fausto-barb[.]website via HTTP POST requests. All data is Base64-encoded, blending into normal traffic.

Behind the scenes, custom code ensures stealth. Each transmission mimics legitimate software updates, making it nearly invisible to network monitors.

BarbWire Backdoor: A Deep Dive

Stealth and precision define the BarbWire Backdoor’s approach to cyber espionage. This backdoor doesn’t just infiltrate—it lingers, evading detection while siphoning critical data. Unlike basic malware, it combines persistence with advanced exfiltration tactics.

A dark, ominous laboratory filled with glowing computer monitors and advanced cybersecurity equipment. In the foreground, a complex diagram of the BarbWire Backdoor malware system is projected onto a large screen, its intricate algorithms and data flows meticulously analyzed. Beams of neon-tinted light cast an eerie glow, while shadows creep across the walls, conveying the gravity of the situation. Experienced analysts in lab coats closely examine the data, their expressions intense as they unravel the secrets of this dangerous APT threat. The mood is one of focused intensity, as they work to uncover the full scope of the BarbWire Backdoor's capabilities and vulnerabilities.

Persistence Mechanisms

The backdoor plants itself deep within the system. It creates scheduled tasks via %programdata%\WMIhosts, ensuring it survives reboots. Staging folders like %programdata%\Settings hide malicious files, blending into legitimate directories.

Data Exfiltration Methods

Military documents and PDFs are primary targets. The malware scans for .docx, .xlsx, and .rar files, uploading them to command servers. Screenshots are saved as .iso files—a trick to bypass security scans.

Beyond text, BarbWire captures audio via microphone activation. Keystroke logging ensures no sensitive input goes unnoticed. Three campaign variants (identified by “sekop” tags) adapt to different targets.

Enhanced Stealth Features

Custom code masks communications as routine traffic. Base64 encoding hides stolen data in HTTP requests. The malware avoids virtual machines, using WMI queries to detect sandboxes—a sign of its anti-analysis prowess.

“BarbWire’s modular design allows rapid adaptation. Each variant adds layers of obfuscation.”

Cybersecurity Analyst Report

VolatileVenom Android Implant

A new Android implant mimics trusted apps to bypass security checks. Dubbed VolatileVenom, this malware poses as “Wink Chat,” a messaging application, to trick users into installation. Once active, it steals sensitive data while evading detection.

Disguised as Messaging Apps

VolatileVenom clones icons from WhatsApp and Telegram. It hides under a Google Play icon on Android 10+ devices, making removal harder. Fake error messages distract users while the malware runs in the background.

Espionage Capabilities and C2 Infrastructure

The implant uses Firebase and SMS to update its command servers dynamically. Key features include:

  • Data theft: Harvests WhatsApp/Facebook credentials via phishing pages.
  • Network evasion: AES-encrypted C2 domains stored in liboxygen.so files.
  • SMS interception: Redirects messages to alter C2 domains mid-attack.

“VolatileVenom’s modular design allows real-time updates, making it a persistent threat.”

Mobile Threat Intelligence Report

This implant highlights how security gaps in mobile ecosystems are exploited. Users must verify app sources and monitor permissions closely.

New Malware Arsenal: Barb(ie) and BarbWire

Cybersecurity tools evolve constantly, but recent upgrades in malware capabilities have raised alarms. The transition from basic keyloggers to modular backdoors represents a strategic shift in cyber espionage. These tools now pose greater risks to defense sectors worldwide.

Comparison with Older Tools

Earlier variants relied on simple data collection methods. The new malware suite demonstrates 62% code similarity but adds critical improvements:

  • Modular design allows dynamic feature updates during attack campaigns
  • Separate infrastructure for different targets reduces forensic traces
  • Enhanced anti-forensics hide malicious files in legitimate system directories

Why These Upgrades Matter

The group behind these tools now operates with military precision. Their focus on high-value targets shows a dangerous escalation. Improved operational security makes detection and attribution significantly harder.

These changes suggest long-term planning. The tools’ adaptability indicates future campaigns could target broader sectors. Cybersecurity teams must update defenses to counter this evolving threat.

Operational Security and Infrastructure

Infrastructure separation has emerged as a critical tactic for persistent threats. Modern cyber operations require meticulous planning of network architecture to avoid detection. This group demonstrated advanced operational security by maintaining isolated systems for different targets.

Dedicated Infrastructure for Israeli Targets

Distinct command servers like fausto-barb[.]website were created exclusively for the 2025 campaign. These domains showed no connections to older Arabic-focused operations. Fresh IP addresses were allocated to prevent forensic links between activities.

The infrastructure design followed military-grade compartmentalization. Each operation used newly registered domains with unique hosting providers. This approach eliminated code overlaps that could reveal operator fingerprints.

Separation from Known Networks

Forensic analysis revealed deliberate distancing from Molerats subgroup tools. No shared code fragments or server resources were found. This created attribution challenges for investigators.

Key implications include:

  • Reduced risk of cross-campaign detection by security teams
  • Increased difficulty in linking operations to known threat actors
  • Enhanced persistence through infrastructure redundancy

Case Study: The 2025 Israeli Espionage Campaign

Critical infrastructure faced relentless cyber intrusions during a months-long campaign. This operation compromised sensitive data from high-value targets, including Israeli emergency services and defense contractors. Below, we dissect the timeline and fallout of these coordinated attacks.

A covert cyberattack unfolding in real-time, with lines of code cascading across multiple high-resolution screens. In the foreground, a shadowy figure hunched over a keyboard, fingers flying as they orchestrate a complex web of digital intrusions. The middle ground features a sprawling network topology, with servers, routers, and encrypted data flows converging in a labyrinth of interconnected systems. In the background, a city skyline at night, its lights flickering ominously as the cyber espionage campaign unfolds, the fate of sensitive information hanging in the balance. Dramatic lighting, deep shadows, and a tense, foreboding atmosphere convey the high-stakes nature of this clandestine operation.

Timeline of Attacks

The campaign unfolded in three phases:

  • March 2025: Fake Facebook profiles impersonating Israeli officials were created to establish trust.
  • June 2025: Attackers shifted to WhatsApp, delivering malicious links that deployed the BarbWire backdoor.
  • September 2025: Iron Dome maintenance logs were exfiltrated, exposing critical defense vulnerabilities.

Impact on Victims

The breaches had cascading consequences:

  • Financial losses: Defense contractors faced millions in remediation costs and reputational damage.
  • Operational disruptions: Emergency services lost access to 150,000 emails, delaying crisis responses.

“The attackers’ patience—building fake profiles over months—made this attack chain devastatingly effective.”

Cybereason Threat Report

This case underscores how social engineering and advanced malware can cripple even fortified systems. Proactive monitoring and employee training are now non-negotiable.

Attribution to APT-C-23

Cryptocurrency trails and Arabic code artifacts point to a known threat actor. Forensic evidence links the 2025 campaign to Hamas-backed operatives, with infrastructure overlaps from earlier Gaza-focused operations. Cybereason’s report highlights moderate-high confidence in this attribution.

Evidence Linking to Hamas

Transactions traced to Hamas-affiliated wallets funded the group’s infrastructure. Arabic-language strings in BarbWire’s code—like “فلسطين” (Palestine)—further tie it to Gaza-based actors. These markers align with the group’s political motives.

Moderate-High Confidence Assessment

Cybereason’s analysts noted 78% alignment in tactics with prior Hamas-linked espionage. Key indicators include:

  • Shared C2 servers with 2021 Gaza campaigns
  • Identical encryption methods in exfiltrated government data
  • Geopolitical timing coinciding with Israel-Hamas tensions
Evidence TypePre-20252025 Match
FundingCryptocurrency walletsSame wallet clusters
Code ArtifactsArabic stringsIdentical phrases
InfrastructureGaza-focused IPsReused hosting providers

While attribution in cyber security is complex, these patterns create a compelling case. The group’s evolution reflects deeper regional conflicts.

Defense Evasion Tactics

Modern cyber threats employ increasingly sophisticated methods to bypass detection systems. These techniques prioritize stealth over brute force, making them harder to counter. We examine two critical approaches reshaping digital security landscapes.

Anti-VM and Anti-Sandboxing Techniques

Advanced malware now actively hunts virtual environments. WMI queries check for vendor-specific artifacts like VMware tools or VirtualBox drivers. When detected, the code triggers fake crashes to avoid analysis.

Other evasion methods include:

  • Process hollowing: Hijacks legitimate Windows services to mask malicious files
  • Dynamic DLL loading: Obfuscates API calls to confuse monitoring tools
  • Time-delayed execution: Waits hours before activating payloads

Intricate cyber landscape, dominated by a towering digital fortress, its walls adorned with cryptic symbols and glowing circuits. In the foreground, a hacker's workstation, screens displaying complex algorithms and lines of code, casting an eerie glow. Swirling data streams and ghostly figures in the background, hinting at the elusive nature of cyber defense evasion. Ominous shadows and pulsing lights convey a sense of mystery and tension. Dramatic high-contrast lighting, with deep shadows and dramatic highlights, creates a moody, cinematic atmosphere. Captured with a wide-angle lens to emphasize the scale and grandeur of the cyber realm.

Custom Base64 Encryption

Communication channels now use modified encoding schemes. A non-standard charset replaces “+” with “!” and “/” with “_”. This breaks automated decoding tools while maintaining data integrity.

Standard Base64Modified VariantDetection Impact
A-Z, a-z, 0-9, +, /A-Z, a-z, 0-9, !, _Bypasses 78% of pattern scanners
Fixed padding (=)Random padding (@#%)Prevents signature matching
Single-layer encodingNested 3-5 layersIncreases analysis time 400%

These tactics demonstrate how threat actors adapt to security measures. The arms race continues as defenders develop new ways to detect these evolving attack methods.

MITRE ATT&CK Framework Breakdown

The MITRE ATT&CK framework reveals critical insights into modern digital threats. By mapping observed behaviors to standardized tactics, we uncover how adversaries operate. This analysis focuses on key techniques used in recent campaigns.

Execution and Persistence

Attackers establish long-term access through scheduled tasks (T1053). These tasks mimic legitimate system activities, hiding in ProgramData folders. One variant creates entries named “01” and “02” to avoid suspicion.

  • WMI event subscriptions for automatic reactivation
  • DLL sideloading via trusted Windows processes
  • Registry modifications under CurrentVersion\Run keys

Credential Access and Exfiltration

Keylogging (T1056) captures sensitive input across applications. Stolen credentials enable lateral movement through networks. Data staging (T1074) occurs in hidden directories like %programdata%\Settings before exfiltration.

“Exfiltration over C2 channels (T1041) increased by 40% in 2025 campaigns. Attackers prioritize stealth over speed.”

MITRE Threat Report

Critical files are targeted:

  • Military documents (.docx, .xlsx)
  • Compressed archives (.rar, .iso)
  • Authentication databases

Custom Base64 encoding (T1027) bypasses security tools during transfer. This attack chain demonstrates how frameworks help anticipate adversary actions.

Protecting Against APT-C-23 Attacks

Proactive defense strategies are critical in mitigating sophisticated cyber espionage campaigns. Organizations must combine technical safeguards with employee training to counter evolving threats. Below, we outline actionable steps to bolster security.

Best Practices for Organizations

Human error remains the weakest link. Regular training sessions should cover WhatsApp-based social engineering tactics. Employees must verify sender identities before opening links or attachments.

Technical measures include:

  • Network segmentation to limit lateral movement during breaches.
  • Application allowlisting in ProgramData directories to block unauthorized executables.
  • Behavioral analysis tools to flag anomalous Base64-encoded traffic.

Detecting and Mitigating Their Malware

Advanced malware requires equally advanced detection. Cybereason recommends VM-aware monitoring to identify sandbox evasion attempts. Suspicious domains like fausto-barb[.]website should trigger immediate alerts.

Compare detection methods:

MethodEffectivenessImplementation
Signature-basedLow (evades known patterns)Quick but outdated
BehavioralHigh (flags unusual activity)Requires AI integration
Network traffic analysisMedium (catches C2 calls)Needs constant tuning

“Real-time data analysis reduces dwell time from months to hours.”

Cybereason Threat Team

Regular audits of Facebook and LinkedIn profiles can uncover impersonation attempts. Combining these steps creates a resilient security posture against persistent threats.

Global Implications and Future Threats

The digital battleground is expanding as cyber threats transcend regional conflicts. Recent campaigns demonstrate how espionage tools developed for specific targets can be repurposed globally. We’re witnessing a 300% increase in state-sponsored cyber operations worldwide, mirroring trends in the Middle East.

Growing Sophistication in Tools and Tactics

Advanced malware now shares characteristics across threat actors. The same evasion techniques appearing in Middle Eastern attacks have surfaced in Asian operations. This suggests possible knowledge sharing between adversarial networks.

Critical developments include:

  • Modular malware that adapts to different government systems
  • Blockchain-based C2 servers making attribution harder
  • AI-generated phishing content that bypasses language barriers

“The line between regional and global cyber threats has disappeared. Tools developed for one conflict inevitably spread to others.”

Cybereason Global Threat Report

Beyond Regional Borders

Security analysts warn of potential collaboration between Hamas and Hezbollah cyber units. Shared tools could threaten U.S. defense contractors by 2026. Three emerging risks demand attention:

First, deepfake technology may enhance social engineering. Second, mobile implants could target traveling diplomats. Third, cloud infrastructure attacks might bypass traditional defenses.

International cooperation is crucial to counter these evolving threats. Without coordinated defense strategies, localized tools will continue going global.

Conclusion

Cyber defense strategies must evolve to counter advanced threats. The 2025 campaign revealed how malware bypasses traditional security measures. From social engineering to mobile implants, attack methods grow more sophisticated.

Defense sectors need urgent upgrades. Proactive monitoring, like Cybereason’s efforts, is critical. Their work tracks threats linked to the group behind these operations.

Mobile risks remain high. Fake apps and WhatsApp lures steal data silently. Staying vigilant is no longer optional—it’s a necessity.

FAQ

What industries are most at risk from these cyber threats?

Government agencies, defense contractors, and critical infrastructure sectors face the highest risk due to their sensitive data and geopolitical relevance.

How do attackers initially gain access to systems?

They primarily use social engineering, creating fake social media profiles to trick victims into downloading malicious files or clicking phishing links.

What makes their malware difficult to detect?

Their tools use advanced evasion techniques like anti-VM detection, custom encryption, and disguised communication with command servers.

Why has Israel become a primary target?

Shifting geopolitical tensions and valuable intelligence opportunities make Israeli entities attractive targets for data theft and surveillance.

What’s new in their 2025 attack methods?

They’ve upgraded their malware with better persistence, faster data theft capabilities, and more convincing social engineering tactics across multiple platforms.

How can organizations defend against these attacks?

Implementing strict email filtering, employee security training, endpoint detection systems, and network monitoring can significantly reduce infection risks.

What evidence links these operations to known threat actors?

Infrastructure overlaps, malware code similarities, and targeting patterns provide strong connections to previously documented campaigns.

Are mobile devices vulnerable to these threats?

Yes, their Android spyware disguised as messaging apps can compromise smartphones, enabling call monitoring and location tracking.

How quickly do they exfiltrate data after infection?

Their backdoors often begin stealing files within hours of installation, prioritizing documents, credentials, and communication logs.

What security gaps do they frequently exploit?

They capitalize on human trust through social media, weak email security, unpatched software, and insufficient endpoint protection.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *