The C2 domain is hosted through the dynamic DNS provider No-IP and has previously resolved to several different IP addresses within the same address block. That block appears to be operated by Libyan Telecom and Technology, a consumer internet service provider, and the naming of the reverse DNS (PTR) records for those addresses indicates that they are likely part of a pool assigned to DSL subscribers.

The person or group running the campaign is therefore likely located in Libya, either running the C2 on their own infrastructure or on infrastructure they have compromised there. Since the applications are also aimed specifically at Libyan users, this appears to be a regionally targeted surveillance effort.
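The inference in the two paragraphs above (dynamic-DNS hostname, resolution churn confined to one block, PTR names in the style of an access pool, therefore probably a consumer line rather than hosted infrastructure) is the kind of check a triage script can make from a passive-DNS export. The Python below is an added example, not Lookout's tooling or data from the report: the hostname, addresses (RFC 5737 documentation space) and PTR answers are constructed, and the list of No-IP zones is a short partial list used only for suffix matching.

```python
"""Triage of a dynamic-DNS C2 hostname's resolution history.

Added example; not Lookout's tooling. Every record below is constructed
(RFC 5737 documentation addresses, .invalid ISP names); nothing here is
the campaign's real infrastructure.
"""
import ipaddress
import re

# A few well-known No-IP hostname zones (partial list, assumption).
NOIP_ZONES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "sytes.net")

# Keywords ISPs commonly put in PTR names of consumer access pools.
POOL_HINTS = re.compile(
    r"(?<![a-z])(a?dsl|dyn(?:amic)?|pool|ppp|dhcp|cust|cable|dial)(?![a-z])", re.I
)

# Constructed passive-DNS export: "first_seen hostname A-record" per line.
PDNS_EXPORT = """\
2019-03-02 updater-c2.ddns.net 203.0.113.57
2019-03-09 updater-c2.ddns.net 203.0.113.12
2019-03-21 updater-c2.ddns.net 203.0.113.101
2019-04-02 updater-c2.ddns.net 203.0.113.77
"""

# Constructed PTR answers for those addresses; None means no PTR exists.
PTR_ANSWERS = {
    "203.0.113.57": "host-203-0-113-57.dsl.example-isp.invalid",
    "203.0.113.12": "host-203-0-113-12.dsl.example-isp.invalid",
    "203.0.113.101": "host-203-0-113-101.dsl.example-isp.invalid",
    "203.0.113.77": None,
}


def is_dynamic_dns_host(name):
    """True if the hostname sits under one of the listed No-IP zones."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in NOIP_ZONES)


def parse_pdns(text):
    """Parse 'first_seen name ip' lines into (first_seen, name, IPv4Address)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            seen, name, ip = line.split()
            rows.append((seen, name, ipaddress.ip_address(ip)))
    return rows


def covering_prefix(ips):
    """Smallest network containing every address (longest shared prefix)."""
    ips = list(ips)
    for plen in range(32, -1, -1):
        nets = {ipaddress.ip_network(f"{ip}/{plen}", strict=False) for ip in ips}
        if len(nets) == 1:
            return nets.pop()
    raise ValueError("no addresses given")


def ptr_looks_like_pool(ip, ptr):
    """Heuristic: the PTR embeds the address octets (either order) or carries
    an access-pool keyword. Returns None when there is no PTR to judge."""
    if ptr is None:
        return None
    octets = str(ip).split(".")
    fwd = r"(?<!\d)" + r"\D+".join(octets) + r"(?!\d)"
    rev = r"(?<!\d)" + r"\D+".join(reversed(octets)) + r"(?!\d)"
    embeds_ip = re.search(fwd, ptr) or re.search(rev, ptr)
    return bool(embeds_ip or POOL_HINTS.search(ptr))


def assess(pdns_text, ptr_answers):
    """Summarise where a hostname has been hosted and whether that looks like
    a consumer access pool rather than rented server space."""
    rows = parse_pdns(pdns_text)
    names = {r[1] for r in rows}
    ips = sorted({r[2] for r in rows})
    prefix = covering_prefix(ips)
    verdicts = {str(ip): ptr_looks_like_pool(ip, ptr_answers.get(str(ip))) for ip in ips}
    judged = [v for v in verdicts.values() if v is not None]
    pool_share = sum(judged) / len(judged) if judged else 0.0
    return {
        "dynamic_dns": all(is_dynamic_dns_host(n) for n in names),
        "distinct_ips": len(ips),
        "covering_prefix": str(prefix),
        "ptr_verdicts": verdicts,
        "pool_share": pool_share,
        # The report's reading: churn confined to one small block whose PTR
        # names look like an access pool points at a consumer line, not a VPS.
        "consumer_line_likely": len(ips) > 1 and prefix.prefixlen >= 20 and pool_share >= 0.5,
    }


if __name__ == "__main__":
    for key, value in assess(PDNS_EXPORT, PTR_ANSWERS).items():
        print(f"{key}: {value}")
```

Addresses without a PTR are reported as unknown rather than counted either way, and the thresholds (prefix length, share of pool-style names) are judgement calls to tune against the ISPs in your own telemetry; the point is to make the "same block, DSL naming" observation reproducible rather than eyeballed.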

While Lookout researchers have so far seen nothing to indicate that this is a state-sponsored campaign, these commercial surveillanceware families have previously been observed among the tooling used by nation states in the Middle East. Nation states can and do develop their own custom tooling, but they have also been known to use off-the-shelf open-source and commercial tools, and sometimes to take commercial or open-source malware as the starting point for malware of their own.

Notably, the malware used in this campaign can be easily purchased and customized. Lookout researchers have found several connections between the families used in this campaign and believe it is reasonable to assume that the creator of MobiHok is familiar with SpyNote and has used or developed it in the past. In terms of ease of acquisition, SpyNote and MobiHok have fairly cheap licensing costs, and their vendors even offer support to help buyers set up their applications. With sites that offer an easy checkout process and customer support, these commercial surveillanceware vendors make it possible for anyone to acquire, customize and manage their own spy tools.