APT-C-23, also known as AridViper and Desert Falcon, is active in the region, targeting different sectors with malicious documents. The group was discovered around March 2017, and its main targets have been in the Middle East. The group has previously faked an Android app to deploy Android/SpyC23.A, used mainly for spying: reading notifications from messaging apps, call recording and screen recording, along with new stealth features such as dismissing notifications from built-in Android security apps.
A new sample appears to be used by APT-C-23. Once executed, it displays a document containing information about EgyptAir to distract the victim while a RAT is executed in the background to provide remote control.