Cyber Threat Report: 'Starry Addax targets human rights defenders in North Africa with new malware'

This blog post from researchers at Cisco Talos describes a new threat actor 'Starry Addax'. Starry Addax have been observered conducting a campaign which uses spear-phishing emails to target human rights activists in Morocco and Western Sahara, and leads to either the malware download or credential harvesting. The Android malware used is referred to as "FlexStarling" by the researchers. FlexStarling pretends to be the Sahara Press Service app, serving Spanish content to appear legitimate while stealing information from devices. The infrastructure and malware are custom-made for stealth, aiming to remain undetected on the device for a long time, with a focus on high-value individuals. FlexStarling requests extensive permissions and uses a Firebase-based C2 server to execute commands, indicating sophisticated evasion techniques and data extraction capabilities. The blog post includes TTPs observed in the campaign as well as a timeline and indicators of compromise.