Stealth Falcon (also tracked as FruityArmor in some vendor reporting, Project Raven-adjacent, and MITRE ATT&CK G0038) is a suspected United Arab Emirates state-aligned cyber-espionage cluster active since at least 2012 and publicly disclosed by Citizen Lab in May 2016 ("Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents"). The cluster's most operationally consequential foundational evidence is Citizen Lab's detailed documentation of sustained, multi-year spear-phishing against UK-based journalist Rori Donaghy in retaliation for his reporting critical of UAE government practices, alongside parallel targeting of numerous other UAE-critical voices including human-rights activists, lawyers, academics, and opposition political figures. The Citizen Lab investigation established Stealth Falcon as one of the most clearly documented, publicly tracked cases of state-sponsored surveillance of journalists and dissidents by their own home government, and contributed substantially to broader policy attention to UAE state cyber operations.
The cluster operates within the broader UAE state cyber ecosystem documented in Reuters' January 30, 2019 investigative series "Inside the UAE's secret hacking team of American mercenaries", which describes Project Raven, a UAE-state-funded offensive cyber operation run by DarkMatter (an Abu Dhabi-based, UAE-state-affiliated contractor) and staffed in part by former US National Security Agency personnel. The September 14, 2021 US Department of Justice deferred prosecution agreement with three former NSA employees (Marc Baier, Ryan Adams, Daniel Gericke) for providing offensive cyber-operations services to the UAE government on behalf of DarkMatter, requiring USD 1.685 million in penalties and prohibiting future US security-clearance work, represented formal US-government corroboration of the Project Raven UAE state cyber operations. While the DPA did not specifically name Stealth Falcon, the broader ecosystem attribution and Citizen Lab's specific Stealth Falcon evidence combine to make the UAE-state-aligned framing high-confidence by research and investigative-reporting standards.
A defining operational consideration is the unresolved cluster-identity question between Stealth Falcon and FruityArmor. Microsoft Security Response Center and ESET published a series of disclosures across 2016-2018 documenting FruityArmor, a cluster operating with sustained Windows zero-day exploit capability against a small number of Middle Eastern targets, using CVE-2016-4117 (Adobe Flash), CVE-2017-8464 (Windows LNK shortcut), CVE-2018-8453 (Windows Win32k privilege escalation), and CVE-2019-0859 (Windows ALEO privilege escalation). Whether FruityArmor is identical to Stealth Falcon, a closely adjacent sibling cluster within the same UAE state cyber ecosystem, or a separate cluster altogether remains analytically open across vendor reporting.
This record treats FruityArmor as a possible alias or adjacent cluster while acknowledging the unresolved consolidation question. Sustained Windows zero-day capability is uncommon among publicly tracked state-aligned clusters at this tier and would indicate substantial cluster sophistication if the FruityArmor attribution holds. Operationally, Stealth Falcon's signature toolkit centers on the Win32/StealthFalcon Windows backdoor (analyzed in detail by Bitdefender in April 2019) and the substantially more sophisticated Deadglyph implant disclosed by ESET in September 2023.
Deadglyph represents a meaningful escalation in cluster tradecraft sophistication, with extensive anti-analysis tradecraft (deep obfuscation, a custom code-execution flow, a modular plugin architecture, and native registration as a Component Object Model shell extension for persistence). The Deadglyph disclosure demonstrates continued operational tempo through 2023 and continued investment in capability development despite the September 2021 DOJ action on adjacent Project Raven operations. Initial-access tradecraft is predominantly spear-phishing with weaponized Office documents (macros, and exploitation of known CVEs alongside zero-day capability for high-value targets), credential-phishing landing pages mimicking Microsoft, Google, and UAE-specific services, and fake-account social engineering.
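Because the Deadglyph persistence described above relies on registering a COM shell extension, a defender's first hunt is to inventory what shell extensions a host has registered and which DLLs they load. The script below is an added triage example (not ESET's detection logic and not tied to any Deadglyph indicator): it walks the approved shell-extension list, resolves each CLSID to its in-process DLL, and flags unsigned or non-Microsoft binaries and per-user CLSID registrations for review.

```powershell
# Added hunting example: enumerate approved COM shell extensions, resolve each
# CLSID to its InprocServer32 DLL and check the Authenticode signature.
# Run in an elevated PowerShell session on the host being examined.
$Approved   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$ClsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')

function Resolve-ShellExtensionDll {
    param([string]$Clsid)
    # HKCU is checked too: a per-user CLSID registration shadows the machine-wide
    # one and is a classic place for user-level persistence to hide.
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path $key)) { continue }
        $raw = (Get-ItemProperty -Path $key).'(default)'
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        # Bare file names (e.g. shell32.dll) are loaded from System32.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path "$env:SystemRoot\System32" $path
        }
        return [pscustomobject]@{ Path = $path; Hive = $root.Split(':')[0] }
    }
    return $null
}

function Get-ShellExtensionReport {
    (Get-ItemProperty -Path $Approved).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $res    = Resolve-ShellExtensionDll -Clsid $_.Name
            $status = 'NoInprocServer32'
            $signer = $null
            if ($res -and (Test-Path $res.Path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $res.Path
                $status = $sig.Status.ToString()
                $signer = $sig.SignerCertificate.Subject
            } elseif ($res) { $status = 'DllMissing' }
            [pscustomobject]@{
                Clsid       = $_.Name
                Description = $_.Value
                Hive        = if ($res) { $res.Hive } else { $null }
                Dll         = if ($res) { $res.Path } else { $null }
                SigStatus   = $status
                Signer      = $signer
                # Triage aid, not a verdict: legitimate third-party software also
                # registers unsigned or non-Microsoft shell extensions.
                Review      = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft') -or
                              ($res -and $res.Hive -eq 'HKCU')
            }
        }
}

Get-ShellExtensionReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with `Review` set to True are the ones to compare against a known-good baseline or the software inventory; an unexpected DLL in a user-writable path is the case worth escalating.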
The cluster operates with comparatively low-volume target selection: a small number of high-value dissident, journalist, and activist targets rather than broad scattershot campaigns, reflecting the targeted-surveillance mission profile. A handful of operational notes follow.

First, the cluster is ecosystem-adjacent to but operationally distinct from Windshift (separately covered as windshift.yaml; also suspected UAE-state-aligned and Project Raven-adjacent, but with a distinct toolkit anchored on the macOS-targeting Windtail/Windtape implants and a shorter, 2017-onward operational history). The two clusters appear to operate within the same UAE state cyber ecosystem but represent separate operational identities.

Second, the cluster is operationally distinct from Bahamut (already covered as bahamut.yaml; a private mercenary group with multiple suspected state clients, including the UAE). Bahamut's signature fake-news watering-hole infrastructure and Google Play Store Android implant distribution contrast with Stealth Falcon's spear-phishing-and-Windows-implant tradecraft.

Third, UAE state cyber operations encompass both custom-implant clusters (Stealth Falcon, Windshift) and the use of commercial mobile-surveillance products (NSO Pegasus, Intellexa Predator). The two operational streams are distinct but share state sponsorship and target categories.

Fourth, attribution specifically to the UAE state, though dominant in vendor and Citizen Lab reporting and corroborated by the September 2021 DOJ DPA on adjacent Project Raven operations, has not been confirmed by formal state attribution naming Stealth Falcon specifically. Treat the UAE-state-aligned framing as suspected at the cluster level even though the broader Project Raven ecosystem is formally documented.

Fifth, the FruityArmor consolidation question (above) should be treated as analytically open. If FruityArmor and Stealth Falcon are confirmed as the same cluster, the cluster's assessed sophistication tier increases substantially because of the sustained Windows zero-day capability documented under the FruityArmor naming.