APT-C-23, also known as AridViper and Desert Falcon, is active in the region, targeting different sectors with malicious documents. The group was discovered around March 2017, with the Middle East emerging as its main target. The group has previously faked an Android app to deploy Android/SpyC23, mainly for spying: it reads notifications from messaging apps, records calls and records the screen, and it adds new stealth features such as dismissing notifications from built-in Android security apps.
A new sample also appears to be used by APT-C-23. Once it is executed, a document containing information about EgyptAir is shown to confuse the victim, while a RAT is executed in the background to provide remote control.