Cyberespionage attackers have ditched their PowerShell backdoor in favor of the Windows BITS ‘notification’ feature.

The notorious Stealth Falcon cyberespionage group has adopted a new backdoor using the Windows Background Intelligent Transfer Service (BITS) in its ongoing spyware attacks against journalists, activists and dissidents in the Middle East.

According to researchers at ESET, attackers are exploiting the BITS “notification” feature in Windows. The feature allows attackers to create a re-occurring task to download and install malware, even after the original malware is extracted.

Stealth Falcon was first identified in 2012 as a cyberespionage group targeting political activists and journalists in the Middle East (and in January, Amnesty International said it believed that Stealth Falcon and a similar cyberespionage group named Project Raven were actually the same). In 2016, Citizen Lab outlined some of the group’s tactics and techniques, highlighting Stealth Falcon’s use of booby-trapped Microsoft Word document. If opened, the document delivered a malicious payload.