Threat Actor

DarkMatter / Project Raven

darkmatter_uae_project_raven · uae_commercial_cyber_mercenary · active since 2008

DarkMatter / Project Raven (canonical corporate naming "DarkMatter Group", UAE-headquartered in Abu Dhabi; Reuters Bing+Schectman 2019 canonical operation naming "Project Raven"; original 2008 program naming "DREAD", Development Research Exploitation and Analysis Department, per Richard A. Clarke / Good Harbor Consulting; signature Citizen Lab UAE-aligned adjacent cluster naming "Stealth Falcon") is a UAE state-aligned cyber-mercenary contractor serving the UAE National Electronic Security Authority (NESA, UAE's NSA equivalent established late 2011 with US assistance) and operationally serving Mohamed bin Zayed Al Nahyan's court strategic priorities. It is the first non-Israeli cyber-mercenary cluster in this curated corpus, operationally distinct from the sibling Israeli cyber-mercenary clusters (NSO Group + Candiru + Intellexa + Paragon Solutions, all curated separately) through non-Israeli corporate origin + signature former-US-NSA-operator workforce composition rather than Israeli Unit 8200 alumni.

Signature operational tradecraft is the acquired Karma iOS zero-click iMessage 0-day (cluster-defining commercial-sourced exploit acquired in 2016 from an external vendor, allegedly Denver-based Accuvant, for $1.6M; capable of remotely exploiting iPhones anywhere in the world without user interaction given only an Apple ID, email address or phone number; neutralized by an Apple iOS update in mid-2017) plus the Karma 2 successor exploit per US DOJ September 2021 court filings.

Reuters Bing+Schectman January 30, 2019 canonical disclosure "Inside the UAE's Secret Hacking Team of American Mercenaries", based on interviews with 9 former Raven operatives plus review of thousands of pages of project documents, established the operational phases: DREAD 2008 (Richard A. Clarke); NESA establishment late 2011; CyberPoint US contractor era 2008-2016 (Baltimore-based, Karl Gumtow founder); DarkMatter UAE transition 2016 (American contractors given the choice to transfer or quit, ~75% transferred including Lori Stroud); Karma acquisition 2016; Karma 2 successor 2017-2019; US persons targeting expansion 2019; Lori Stroud whistleblower disclosure.

Documented Karma victim list includes Emir of Qatar Sheikh Tamim bin Hamad Al Thani (Project Raven codename "Crybaby"), his brother Sheikh Hamad bin Khalifa Al Thani (codename "AngryFather"), Prime Minister of Lebanon Saad Hariri (the UAE associated him with supporting Hezbollah), Ahmed Mansoor's wife Nadia (codename "Purple Egret"; Ahmed was "Egret", operationally significant for the UAE-NSO Pegasus overlap as Ahmed Mansoor was the first publicly documented Pegasus victim per Citizen Lab August 2016), British journalist Rori Donaghy (codename "Gyro"), Yemeni Nobel Laureate Tawakkol Karman (Arab Spring leader) and hundreds of others in Qatar, Yemen, Kuwait, Oman, Serbia, Lebanon, Iran, Turkey, Europe and the US (US persons being the signature controversial expansion implicating American staff in unlawful behavior).

Signature DarkMatter Certificate Authority capability attempt, operationally neutralized by Mozilla Firefox + Google Chrome CA root revocations in 2019 following the Reuters disclosure.

Signature operational hub "the Villa" in the Khalifa City suburb of Abu Dhabi.

US Department of Justice deferred prosecution agreement September 14, 2021 of Marc Baier + Ryan Adams + Daniel Gericke ($1.68M payment + relinquished security clearances + CNE employment restrictions + ITAR compliance restrictions) + US State Department arms export debar August 26, 2022 three-year ITAR prohibition.

Gericke subsequently served as ExpressVPN CIO (Kape Technologies British-Israeli subsidiary) prompting Edward Snowden customer warning; adjacent Stealth Falcon Citizen Lab canonical UAE-aligned cluster tracking operationally adjacent to DarkMatter corporate identity.

Fills the 5th cyber-mercenary cell in the curated corpus and is the 1st non-Israeli cyber-mercenary cluster, operationally complementary to sibling clusters through the shared commercial-spyware-vendor business model but operationally distinct through UAE corporate origin + former-US-NSA-operator workforce + Karma external-acquisition exploit model.

uae_commercial_cyber_mercenary · confidence: high · 17 aliases · MITRE ATT&CK G0038
Sigma rules: 200 · YARA rules: 1 · Live IOCs: 0 · CVEs exploited: 0

Profile

DarkMatter / Project Raven (canonical corporate naming "DarkMatter Group", UAE-headquartered in Abu Dhabi; Reuters Bing+Schectman 2019 canonical operation naming "Project Raven"; original 2008 program naming "DREAD", Development Research Exploitation and Analysis Department, per Richard A. Clarke / Good Harbor Consulting; signature Citizen Lab UAE-aligned adjacent cluster naming "Stealth Falcon") is a UAE state-aligned cyber-mercenary contractor serving the UAE National Electronic Security Authority (NESA), UAE's NSA equivalent established late 2011 with US assistance, and operationally serving Mohamed bin Zayed Al Nahyan's court strategic priorities. Operationally distinguished as the first non-Israeli cyber-mercenary cluster in this curated corpus, distinct from sibling Israeli cyber-mercenary clusters (nso_group_pegasus + candiru_sourgum + intellexa_predator + paragon_solutions_graphite, all curated separately) through non-Israeli corporate origin + signature former-US-NSA-operator workforce composition rather than Israeli Unit 8200 alumni.

Operational phases:
(1) DREAD CORPORATE EMERGENCE (2008). Richard A. Clarke / Good Harbor Consulting establishes DREAD as an arm of Mohamed bin Zayed Al Nahyan's court. Original Villa operational hub in Khalifa City, Abu Dhabi.
(2) NESA ESTABLISHMENT (late 2011). US assistance for UAE cyber-security agency creation following Iranian 2010-2011 cyber operations.
(3) CYBERPOINT US CONTRACTOR ERA (2008-2016). Project Raven run by Baltimore-based US cybersecurity firm CyberPoint International (founded by Karl Gumtow). NSA-trained American workforce of 12-20 operatives at peak. Lori Stroud joined 2014 via Marc Baier recruitment.
(4) THE INTERCEPT FIRST EXPOSE (October 24, 2016). Public-record exposure of DarkMatter operations.
(5) DARKMATTER UAE TRANSITION (2016). UAE terminated the CyberPoint contract. DarkMatter (UAE-owned) hired the American contractors who chose to transfer; ~75% transferred, including Lori Stroud.
(6) KARMA ZERO-CLICK ACQUISITION (2016). Karma iOS zero-click iMessage 0-day acquired from an external vendor (allegedly Accuvant, Denver, for $1.6M). Karma deployed against hundreds of targets 2016-2017 including the Emir of Qatar, PM of Lebanon Saad Hariri and Ahmed Mansoor's wife Nadia.
(7) KARMA 2 SUCCESSOR (2017-2019). Per US DOJ September 2021: Baier + Adams + Gericke developed Karma 2 as the successor exploit.
(8) US PERSONS TARGETING + LORI STROUD WHISTLEBLOWER (2019). Project Raven expanded to US persons targeting, operationally implicating American staff in unlawful behavior. Reuters Bing+Schectman canonical disclosure January 30, 2019.
(9) CERTIFICATE AUTHORITY REVOCATION (2019). Mozilla Firefox + Google Chrome revoked the DarkMatter CA root certificate following the Reuters disclosure, operationally neutralizing the strategic HTTPS-interception capability.
(10) US DOJ DEFERRED PROSECUTION (September 14, 2021). Baier + Adams + Gericke pay $1.68M, relinquish security clearances and accept CNE employment restrictions.
(11) US STATE DEPARTMENT ARMS EXPORT DEBAR (August 26, 2022). Three-year arms-export prohibition under ITAR.
(12) CONTINUED OPERATIONS (2020-2026). DarkMatter operations continue per Darknet Diaries + industry tracking despite sanctions waves.

Signature operational tradecraft
  • Former-US-NSA-operator workforce (cluster-defining): operationally distinct from sibling Israeli cyber-mercenary clusters through American intelligence operator composition rather than Unit 8200 alumni. Reuters January 2019: "surveillance techniques taught by the NSA were central to the UAE's efforts to monitor opponents."
  • Karma iOS zero-click exploit (signature acquired capability): cluster-defining commercial-sourced iMessage 0day acquired from external vendor 2016. Targeting via Apple ID/email/phone-number without user interaction. Apple unknowingly patched mid-2017.
  • Karma 2 successor exploit: per US DOJ September 2021, successor zero-click iOS exploit chain.
  • Operational hub at "the Villa" Khalifa City Abu Dhabi: signature converted-mansion operational facility.
  • NESA UAE NSA-equivalent operational customer relationship: signature operational dependency on UAE state cyber-security agency.
  • DarkMatter Certificate Authority capability attempt (signature): the cluster operationally attempted to become a Certificate Authority for HTTPS-interception capability, a strategically significant infrastructure investment operationally neutralized by Mozilla + Google CA root revocations in 2019.
  • Operationally controversial US persons targeting: signature controversial expansion of Project Raven surveillance to include US persons, operationally implicating American staff in unlawful behavior per US Stored Communications Act + Computer Fraud and Abuse Act.
  • Tiger teams + Connection Systems shell-company response: signature DarkMatter operational response to The Intercept October 2016 exposure, CFO Samer Khalife transferred US citizens to Connection Systems shell.
  • Documented Karma victim list (signature): Emir of Qatar Sheikh Tamim bin Hamad Al Thani (codename "Crybaby") + brother (codename "AngryFather") + Prime Minister Lebanon Saad Hariri + Ahmed Mansoor's wife Nadia (codename "Purple Egret"; Ahmed was "Egret") + British journalist Rori Donaghy (codename "Gyro") + Yemeni Nobel Laureate Tawakkol Karman + hundreds of others in Qatar + Yemen + Kuwait + Oman + Serbia + Lebanon + Iran + Turkey + Europe + US persons.
  • Stealth Falcon adjacent cluster naming: signature Citizen Lab canonical UAE-aligned cluster tracking operationally adjacent to (though distinct from) the DarkMatter corporate identity. The cluster fills the 5th cyber-mercenary cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd) + paragon_solutions_graphite (4th), and is the 1st non-Israeli cyber-mercenary cluster. Operationally complementary to sibling clusters through the shared commercial-spyware-vendor business model and government-client servicing pattern, but operationally distinct through UAE corporate origin + former-US-NSA-operator workforce + Karma external-acquisition exploit model rather than in-house development.

Aliases

17 aliases: darkmatter, dark matter, darkmatter_group, darkmatter group, project_raven, project raven, raven_project, cyberpoint_uae_operation, cyberpoint international uae, dread, development research exploitation and analysis department, stealth_falcon, stealth falcon, fruity armor, darkmatter_uae_project_raven, uae_cyber_mercenary, uae nesa adjacent operations

Notable Campaigns

13 campaigns:
2022 · US State Department Arms Export Debar (August 26, 2022)
2021-Present · Gericke ExpressVPN CIO Employment Controversy (2021-Present)
2021 · US DOJ Deferred Prosecution Agreement (September 14, 2021)
2020-2026 · Continued Operations Through 2020-2026
2019 · US Persons Targeting Expansion + Lori Stroud Whistleblower (2019)
2017-2019 · Karma 2 Successor Exploit Deployment
2016-2019 · DarkMatter Certificate Authority Capability Attempt + Mozilla/Google Revocation (2016-2019)
2016 · Karma iOS Zero-Click Acquisition + Deployment (2016)
2016 · DarkMatter UAE Domestic Company Transition (2016)
2016 · The Intercept First Major DarkMatter Expose (October 24, 2016)
2011 · UAE NESA Establishment with US Assistance (Late 2011)
2008-2016 · CyberPoint US Contractor Era (2008-2016)
2008 · DREAD Corporate Emergence (2008)

Attribution & Reporting

Attributed by
Reuters (Christopher Bing + Joel Schectman, canonical January 30, 2019 "Inside the UAE's Secret Hacking Team of American Mercenaries" disclosure); Citizen Lab (Stealth Falcon canonical 2016 + ongoing tracking); The Intercept (October 24, 2016 first major DarkMatter expose); Darknet Diaries Episode 47 "Project Raven" (Jack Rhysider + David + Rori Donaghy); Lori Stroud (Project Raven former NSA analyst + whistleblower, 2019 Reuters source); David (Darknet Diaries Episode 47 source, former Project Raven); US Department of Justice (deferred prosecution agreement September 2021); US Department of State (arms export debar August 2022); US Federal Bureau of Investigation; Mozilla / Firefox (DarkMatter certificate authority root revocation); Google / Chrome (DarkMatter certificate authority root revocation); Microsoft Threat Intelligence Center; Mandiant / Google Threat Intelligence Group; Symantec / Broadcom Threat Hunter Team; CyberScoop; Daniel Wolford (former DarkMatter employee, Ars Technica February 2019 alternative testimony); Simone Margaritelli (security researcher who declined a DarkMatter job offer in 2016 + published blog disclosure)
Key reporting
Reuters (Christopher Bing + Joel Schectman): Inside the UAE's Secret Hacking Team of American Mercenaries (January 30, 2019), canonical Project Raven / DarkMatter disclosure based on interviews with 9 former Raven operatives + review of thousands of pages of project documents
Reuters (Christopher Bing + Joel Schectman): How Mercenaries Hacked iPhones Around the Globe With Karma (January 30, 2019), companion Karma exploit disclosure
The Intercept (Jenna McLaughlin): UAE Surveillance Program, DarkMatter Disclosure (October 24, 2016), first major DarkMatter expose
Darknet Diaries Episode 47 (Jack Rhysider): Project Raven (2019), David + Rori Donaghy + Lori Stroud sourcing
Citizen Lab: Stealth Falcon, Targeted Attacks on Emirati Journalists, Activists, and Dissidents (May 29, 2016), canonical Stealth Falcon cluster disclosure
Citizen Lab (Bill Marczak): Million Dollar Dissident UAE, Ahmed Mansoor case (August 25, 2016), operationally significant for UAE-NSO Pegasus overlap with DarkMatter targeting via wife Nadia
US Department of Justice: Three Former US Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges (September 14, 2021)
US Department of State: Administrative Debarment of Three Former US Intelligence Employees (August 26, 2022)
Microsoft Threat Intelligence Center: UAE adjacent cluster tracking
Mandiant / Google Threat Intelligence Group: Stealth Falcon / UAE-aligned cluster context
Symantec / Broadcom Threat Hunter Team: UAE state-aligned cluster tracking
Daniel Wolford (former DarkMatter employee): Ars Technica February 1, 2019 alternative testimony, disputed Reuters characterization
Simone Margaritelli (security researcher): DarkMatter Job Offer Decline + Blog Disclosure (2016)
Edward Snowden: ExpressVPN / Gericke Customer Warning (2021)
MITRE ATT&CK Group G0038, Stealth Falcon
Malpedia Actor Profile: Stealth Falcon

Operational

State sponsor

United Arab Emirates state-aligned cyber-mercenary firm operationally serving the UAE National Electronic Security Authority (NESA), UAE's equivalent to the US NSA, established late 2011 with US assistance per Wikipedia compilation following 2010-2011 Iranian cyber espionage operations against the UAE. DarkMatter Group operates as a UAE cyber-arms firm with corporate HQ in Abu Dhabi, UAE. Operational origin: Project Raven established 2008 as the Development Research Exploitation and Analysis Department (DREAD) by Richard A. Clarke (former US National Coordinator for Security, Infrastructure Protection, and Counter-terrorism under Bill Clinton and George W. Bush) through his security advisory group Good Harbor Consulting, as an arm of UAE royal Mohamed bin Zayed Al Nahyan's court. Originally based in a converted mansion in the Abu Dhabi Khalifa City suburb nicknamed "the Villa."

Operational evolution (cluster-defining):
(a) CyberPoint US contractor era (2008-2016): Project Raven originally run by US cybersecurity firm CyberPoint International (Baltimore-based, founded by Karl Gumtow). Originally intended for Americans to develop and run the program for 5-10 years until Emirati intelligence officers were skilled enough to take over. By 2013 the American contingent at Raven numbered between a dozen and 20 members at any time, accounting for the majority of the staff. Per Reuters Bing+Schectman 2019 canonical disclosure: "Surveillance techniques taught by the NSA were central to the UAE's efforts to monitor opponents."
(b) DarkMatter UAE-owned transition (2016-2019): In late 2015 the power dynamic at the Villa shifted as the UAE grew more uncomfortable with a core national security program being controlled by foreigners. Emirati defense officials told Gumtow they wanted Project Raven to be run through a domestic company, named DarkMatter. The UAE government terminated the contract with Project Raven and brought in the new contractor DarkMatter, a UAE company owned and operated by UAE citizens. American contractors were given the option to join DarkMatter or quit. About a quarter quit; the rest moved on to DarkMatter, operationally creating a cyber-mercenary entity staffed with former US NSA operators under UAE state control.
(c) Karma iOS zero-click acquisition (2016): Project Raven bought the Karma iOS zero-click exploit from an external commercial vendor in 2016. Karma was able to remotely exploit Apple iPhones anywhere in the world without requiring any interaction on the part of the iPhone's owner, as long as a username was provided (Apple ID, the email address associated with the phone, or the phone number). Reportedly developed and sold by Denver-based Accuvant for $1.6 million per Gizmodo + court filings, though direct attribution remains contested. Karma achieved remote iPhone exploitation through a zero-day vulnerability in the device's iMessage app. Around mid-2017, Apple (unknowingly) patched some of the security vulnerabilities exploited by Karma, reducing the tool's effectiveness.

Cluster operators say Karma exploits could not be used on iPhones with iOS updated past the 2017 patches.
(d) Karma 2 successor exploit: per US DOJ September 2021 court filings, Marc Baier + Ryan Adams + Daniel Gericke helped develop both Karma and Karma 2, two iOS zero-click exploits used by UAE officials to spy on dissidents, reporters, and government opposition leaders. Karma 2 was a successor zero-click iOS exploit chain operationally distinct from the original Karma.

Operational classification: UAE state-aligned cyber-mercenary contractor operationally distinct from sibling Israeli cyber-mercenary clusters through non-Israeli origin + signature former-US-NSA-operator workforce composition. The NESA-adjacent operational relationship is operationally distinct from the Israeli MoD export-licensing regime of NSO + Candiru. Per The Intercept October 24, 2016 disclosure (first major DarkMatter expose) + Reuters Bing+Schectman January 30, 2019 canonical disclosure "Inside the UAE's Secret Hacking Team of American Mercenaries" + Darknet Diaries Episode 47 "Project Raven" + subsequent industry analysis.

Documented Project Raven / DarkMatter / Karma targets per Wikipedia + Reuters compilation:
(1) Heads of state / royals: Emir of Qatar Sheikh Tamim bin Hamad Al Thani (Project Raven nickname "Crybaby"); his brother Sheikh Hamad bin Khalifa Al Thani (nickname "AngryFather") and several close associates; Prime Minister of Lebanon Saad Hariri (the UAE associated him with supporting Hezbollah).
(2) Activists + journalists: Nadia Mansoor (wife of imprisoned UAE human rights activist Ahmed Mansoor; nickname "Purple Egret"; Ahmed Mansoor's nickname "Egret", operationally significant as Ahmed Mansoor was the first publicly documented Pegasus victim per Citizen Lab August 2016, indicating operational overlap with NSO Group's UAE deployment); British journalist Rori Donaghy (nickname "Gyro"); Yemeni Nobel Laureate Tawakkol Karman (leader in the Arab Spring).
(3) US persons (signature controversial expansion): Project Raven reportedly expanded surveillance to include targeting Americans, operationally implicating American staff in unlawful behavior per the US Stored Communications Act + Computer Fraud and Abuse Act.
(4) Government targets: Qatar government + Yemen government + Kuwait government + Oman government + Serbia government + Lebanon government + Iran government + Turkey government. Hundreds of other targets in Europe and the Middle East.

The cluster fills the 5th cyber-mercenary cell in this curated corpus and is the 1st non-Israeli cyber-mercenary cluster. Operationally adjacent to (but distinct from) sibling Israeli cyber-mercenary clusters through the shared commercial-spyware-vendor business model + government-client servicing pattern, but operationally distinct through non-Israeli corporate origin + UAE-NESA-adjacent operational relationship + signature former-US-NSA-operator workforce.

Motivations
uae_state_aligned_offensive_cyber_capability_development_via_commercial_contractor, nesa_uae_equivalent_nsa_signals_intelligence_capability_development, mohamed_bin_zayed_court_arm_offensive_cyber_operations, former_us_nsa_operator_workforce_offensive_cyber_for_uae_government, dissident_and_critic_surveillance_for_uae_government, qatar_yemen_iran_turkey_geopolitical_adversary_government_targeting, prime_minister_and_head_of_state_targeting_capability, karma_zero_click_ios_exploitation_capability_acquisition_and_deployment, certificate_authority_capability_attempt_for_https_interception, americans_us_persons_unlawful_targeting_per_whistleblower_disclosures

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
Behavioral / log (Sigma): 57/60 · 95%
Analytics (MITRE CAR): 25/60 · 41%
Runtime / container (Falco): 11/60 · 18%
File / malware (YARA): 1/60 · 1%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped.
Other tooling / TTPs (curation, not ATT&CK-mapped): Stealth Falcon UAE-aligned cluster.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin