Security researchers have discovered previously unknown “Creepy” malware used by the cyber-espionage group “POLONIUM,” whose members appear to target Israeli firms only.

According to ESET, POLONIUM targets engineering, IT, legal, communications, marketing, and insurance organizations in Israel, using a wide variety of bespoke malware. At the time of writing, the group’s campaigns were still going strong.

The group’s destructive actions were first reported by Microsoft’s Threat Intelligence team in June 2022, when they connected Lebanon-based POLONIUM threat actors with Iran’s Ministry of Intelligence and Security (MOIS).

The POLONIUM toolset

According to ESET, POLONIUM does not use data wipers, ransomware, or other file-damaging malware and engages only in cyberespionage.

The hackers have employed at least seven different bespoke backdoors since September 2021, including four new, undocumented backdoors called “TechnoCreep,” “FlipCreep,” “MegaCreep,” and “PapaCreep.”

The seven backdoors deployed by POLONIUM since September 2021 (ESET)

Some backdoors take advantage of legitimate cloud services, like Mega, OneDrive, and Dropbox, as command and control (C2) servers. Other backdoors connect to external C2 servers using regular TCP connections or obtain commands from files stored on FTP sites.
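One way a defender can hunt for the cloud-service C2 pattern described above is to flag connections to those services from binaries that are not the expected sync clients or browsers. This is an added example, not ESET's or Microsoft's detection logic; the log format, the domain suffix list, the allowlist and every sample row are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Domain suffixes for the three services the article names.
# Assumption: illustrative, not exhaustive; extend from your own proxy data.
CLOUD_SUFFIXES = {
    "dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
    "mega.nz": "Mega", "mega.co.nz": "Mega",
    "onedrive.live.com": "OneDrive", "graph.microsoft.com": "OneDrive",
}
# Assumption: binaries this environment expects to reach those services.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "megasync.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample of process-to-destination telemetry (not real indicators).
SAMPLE_LOG = r"""timestamp,host,process,dest_host
2022-10-01T08:00:01Z,WS-014,C:\Program Files\Microsoft OneDrive\OneDrive.exe,graph.microsoft.com
2022-10-01T08:00:09Z,WS-014,C:\Users\Public\svc_update.exe,content.dropboxapi.com
2022-10-01T08:05:09Z,WS-014,C:\Users\Public\svc_update.exe,content.dropboxapi.com
2022-10-01T08:01:30Z,WS-022,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,g.api.mega.co.nz
2022-10-01T08:02:11Z,WS-031,C:\Program Files\Google\Chrome\Application\chrome.exe,www.dropbox.com
2022-10-01T08:03:40Z,WS-031,C:\Tools\report.exe,dropbox.com.cdn.example
"""

def service_for(dest_host):
    """Return the service name if dest_host is one of its domains or a subdomain."""
    host = dest_host.strip().lower().rstrip(".")
    for suffix, service in CLOUD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None  # look-alikes such as dropbox.com.cdn.example fall through

def unexpected_cloud_clients(log_text):
    """Count connections to cloud storage made by binaries outside the allowlist."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        service = service_for(row["dest_host"])
        if service is None:
            continue
        binary = row["process"].rsplit("\\", 1)[-1].lower()
        if binary not in EXPECTED_CLIENTS:
            hits[(row["host"], binary, service)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, binary, service), n in sorted(unexpected_cloud_clients(SAMPLE_LOG).items()):
        print(f"{host}: {binary} -> {service} ({n} connections)")
```

Matching on the binary name alone is a first-pass filter; a renamed binary would pass it, so in practice the allowlist should also pin the install path or code-signing publisher.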

Logging keystrokes, taking screenshots of the desktop, taking pictures with the webcam, exfiltrating files from the host, installing additional malware, and running commands on the compromised device are just a few of the malicious activities the backdoors are capable of.

PapaCreep, discovered in September 2022, is the first of the backdoors written in C++. Earlier backdoors were written in either PowerShell or C#.

PapaCreep is also modular, dividing the tasks of command execution, C2 communication, file upload, and file download into small components.

The benefits are that the components can operate independently, persist through various scheduled tasks on the compromised system, and make the backdoor more difficult to detect.


There is some redundancy in the toolset, because in addition to the “Creepy” variants POLONIUM uses a variety of open-source tools, either customized or off-the-shelf, for reverse proxying, screenshotting, keylogging, and webcam snapping.

An elusive hacking group

Microsoft previously stated that POLONIUM was exploiting known weaknesses in VPN products to breach networks, but ESET was unable to identify the methods used to initially compromise a network.

Mapping the group’s operations is difficult because the threat actor’s private network infrastructure is concealed behind virtual private servers (VPS) and compromised legitimate websites.

Israel is currently in the crosshairs of POLONIUM, a sophisticated and highly focused threat, but this could change at any time if the group’s objectives or interests shift.