A Hamas-supported hacking group, dubbed APT-C-23, was found catfishing high-ranking Israeli officials to deploy malware. These targeted officials work in defense, law enforcement, and other government agencies.

The campaign

Researchers from Cybereason named the campaign Operation Bearded Barbie, in which the attackers deploy new custom backdoors for Android and Windows devices with the goal of espionage.
  • The attackers have created various fake Facebook profiles with fabricated identities and stolen or AI-generated images of good-looking women. They engage with the targets via these profiles.
  • The operators of these profiles eventually developed an entire network of friends who are the targeted people working with Israel's police, emergency services, defense forces, or the government.
  • After gaining the trust of the target by engaging them on Facebook for a short time, the attackers suggest users start the conversation on WhatsApp instead of on social media for better privacy.
  • Finally, when the conversation becomes erotic, the attackers again suggest migrating the conversation to a supposedly more private Android IM app, which is actually the VolatileVenom malware.
  • Subsequently, the attackers send a link to a RAR file that supposedly includes explicit content (a video). However, in reality, the file contains a downloader for the BarbWire backdoor.


In the disguise of secure messaging applications, the attackers infect the victims with VolatileVenom Android malware.  For this specific campaign, they used the Wink Chat application.
  • This Android spyware has been in use since April 2020, however, now it has been updated with additional features.
  • It is capable of various malicious tasks, including stealing SMS messages, recording audio, and reading notifications from Whatsapp, Facebook, Instagram, and Skype.


During the catfish attempts, the attackers used the fully-fledged BarbWire backdoor with extensive capabilities such as keylogging, screen capturing, and audio recording. Researchers have found at least three different variants of BarbWire, showing active development of the backdoor.


The APT-C-23 group seems to be evolving with new tools and sophisticated social engineering attempts. Further, the recent attacks on Israeli officials show the group’s aggressive espionage intent. Thus, users should always stay alert wherever an unknown individual makes contact on social media.
Cyware Publisher