{
	"id": "cf67cc78-b01d-4bbe-a0dd-670bf935b66b",
	"created_at": "2026-04-06T00:21:56.507686Z",
	"updated_at": "2026-04-10T03:38:10.015236Z",
	"deleted_at": null,
	"sha1_hash": "0753cdcfa70bed2b0bd0aa2d32bfc6eafa778a1d",
	"title": "Gaza Cybergang | Unified Front Targeting Hamas Opposition",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2529812,
	"plain_text": "Gaza Cybergang | Unified Front Targeting Hamas Opposition\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-12-14 · Archived: 2026-04-05 12:57:35 UTC\r\nExecutive Summary\r\nOverlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that\r\nthe Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of\r\ninternal and/or external malware supply lines.\r\nGaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in\r\n2022 and seen throughout 2023.\r\nRecent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed\r\nsignificant changes in dynamics since the start of the Israel-Hamas war.\r\nSentinelLABS’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically\r\nconsidered a distinct cluster with loose relations to the Gaza Cybergang.\r\nOverview\r\nActive since at least 2012, Gaza Cybergang is a suspected Hamas-aligned cluster whose operations are primarily\r\ntargeting Palestinian entities and Israel, focusing on intelligence collection and espionage. Being a threat actor of\r\ninterest in the context of the Israel-Hamas war, we track Gaza Cybergang as a group composed of several adjacent\r\nsub-groups observed to share victims, TTPs, and use related malware strains since 2018. 
These include Gaza\r\nCybergang Group 1 (Molerats),  Gaza Cybergang Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Gaza\r\nCybergang Group 3 (the group behind Operation Parliament).\r\nThe goal of this post is twofold:\r\nTo highlight relations between recent and historical operations, providing a new common context\r\nconnecting the Gaza Cybergang sub-groups.\r\nTo provide recent findings and previously unreported IOCs, which add to the accumulated knowledge of\r\nthe group and support further collective tracking of Gaza Cybergang activities.\r\nIn the midst of Gaza Cybergang activity spanning from late 2022 until late 2023, we observed that the group\r\nintroduced a new backdoor to their malware arsenal used in targeting primarily Palestinian entities. We track this\r\nbackdoor as Pierogi++. We assess that Pierogi++ is based on an older malware strain named Pierogi, first\r\nobserved in 2019. We also observed consistent targeting of Palestinian entities in this time period using the\r\ngroup’s staple Micropsia family malware and Pierogi++.\r\nThis targeting is typical for Gaza Cybergang. These activities are likely aligned with the tensions between the\r\nHamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the\r\nhttps://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/\r\nPage 1 of 13\n\nIsrael–Hamas war. At the time of writing, our visibility into Gaza Cybergang’s activities after the onset of the\r\nconflict does not point to significant changes in their intensity or characteristics.\r\nOur analysis of recent and historical malware used in Gaza Cybergang operations highlights new relations\r\nbetween activities that have taken place years apart – the Big Bang campaign (2018) and Operation Bearded\r\nBarbie (2022). 
Further, technical indicators we observed, originating from a recently reported activity, reinforce a\r\nsuspected relation between Gaza Cybergang and the lesser-known threat group WIRTE. This group has\r\nhistorically been considered a distinct cluster and was later associated with low confidence with the Gaza Cybergang.\r\nThis demonstrates the intertwined nature of the Gaza Cybergang cluster, which makes accurate delineation between\r\nits constituents, and even between them and other suspected Middle Eastern groups, challenging.\r\nThroughout our analysis of Gaza Cybergang activities spanning from 2018 until the present date, we observed\r\nconsistent malware evolution over relatively long time periods. This ranges from minor changes in the obfuscation\r\ntechniques used, to adopting new development paradigms, and resurfacing old malware strains in the form\r\nof new ones (as Pierogi++ demonstrates). In addition, the observed overlaps in targeting and malware similarities\r\nacross the Gaza Cybergang sub-groups after 2018 suggest that the group has likely been undergoing a\r\nconsolidation process. This possibly includes the formation of an internal malware development and maintenance\r\nhub and/or streamlining supply from external vendors.\r\nMicropsia and Pierogi++ Target Hamas Opposition\r\nThe Gaza Cybergang umbrella has continuously targeted Israeli and Palestinian entities preceding the Israel-Hamas war. We observed additional activities spanning from late 2021 to late 2023 aligned with previous\r\nresearch. Our visibility into these activities, and the theme and language of the lure and decoy documents used,\r\nindicate that they were primarily targeting Palestinian entities. The majority involved malware variants of the\r\nstaple Micropsia family.\r\nAmong the Micropsia family malware, we observed its Delphi and Python-based variants deploying decoy\r\ndocuments written in Arabic and focussing on Palestinian matters, such as the Palestinian cultural heritage and\r\npolitical events. 
Many of the associated C2 domain names, such as bruce-ess[.]com and wayne-lashley[.]com, reference public figures, which aligns with the known domain naming conventions of the group.\r\nTo support further collective tracking of Gaza Cybergang activities, we focus at the end of the report on listing\r\npreviously unreported Micropsia indicators.\r\nDecoy document\r\nAmong the Micropsia activities we identified a backdoor that we assess is based on a malware first reported in\r\n2020 and named Pierogi. This backdoor, which we labeled Pierogi++, is implemented in C++, and we observed its\r\nuse in 2022 and over 2023. The malware is typically delivered through archive files or weaponized Office\r\ndocuments on Palestinian matters, written in English or Arabic.\r\nMalicious documents distributing Pierogi++\r\nThe documents distributing Pierogi++ use macros to deploy the malware, which then typically masquerades as a\r\nWindows artifact, such as a scheduled task or a utility application. 
The malware implementation is embedded\r\neither in the macros or in the documents themselves, often in Base64-encoded form.\r\nOffice macro deploying Pierogi++\r\nPierogi++ executables also masquerade as politically-themed documents, with names such as “The national role\r\nof the revolutionary and national councils in confronting the plans for liquidation and Judaization”, “The\r\nsituation of Palestinian refugees in Syria refugees in Syria”, and “The Ministry of State for Wall and Settlement\r\nAffairs established by the Palestinian government”.\r\nWe assess that Pierogi++ is based on the Pierogi backdoor, whose variants are implemented in Delphi and Pascal.\r\nPierogi and Pierogi++ share similarities in code and functionalities, such as strings, reconnaissance techniques,\r\nand deployment of decoy documents, some also seen in Micropsia malware.\r\nString indicating that no anti-virus solution has been detected: Pierogi++ (Tm9BVg== decodes to\r\nNoAV)\r\nMicropsia\r\nFurther, Pierogi++ samples implement in the same order the same backdoor functionalities as Pierogi: taking\r\nscreenshots, command execution, and downloading attacker-provided files.\r\nWhen handling backdoor commands, some Pierogi++ samples use the strings download and screen, whereas\r\nearlier Pierogi samples have used the Ukrainian strings vydalyty, Zavantazhyty, and Ekspertyza. This\r\nraised suspicions at the time of potential external involvement in Pierogi’s development. 
We have not observed\r\nindicators pointing to such involvement in the Pierogi++ samples we analyzed.\r\nPierogi++ backdoor strings\r\nMost of the Pierogi++ C2 servers are registered at Namecheap and hosted by Stark Industries Solutions LTD,\r\naligning with previous infrastructure management practices of the Gaza Cybergang umbrella. The backdoor uses\r\nthe curl library for exchanging data with the C2 server, a technique that we do not often observe in Gaza\r\nCybergang’s malware arsenal.\r\nUse of the curl library\r\nPierogi++ represents a compelling illustration of the continuous investment in maintenance and innovation of\r\nGaza Cybergang’s malware, likely in an attempt to enhance its capabilities and evade detection based on known\r\nmalware characteristics.\r\nFrom Molerats to Arid Viper And Beyond\r\nFollowing the first report on the Pierogi backdoor in February 2020, late 2020 and 2021 mark the association of\r\nthe backdoor and its infrastructure with Arid Viper. The Micropsia activity linked to Arid Viper, which led to the\r\ndiscovery of the then-new PyMicropsia malware in December 2020, includes Pierogi samples. Further historical\r\nPierogi samples use the escanor[.]live and nicoledotso[.]icu domains for C2 purposes, which have been\r\nassociated with Arid Viper in December 2020 and April 2021. The latest variant of Pierogi is Pierogi++, which we\r\nobserved targeting Palestinian entities in 2022 and over 2023 – this targeting is typical for Arid Viper.\r\nOur investigations into malware used by Gaza Cybergang prior to 2022, which share capabilities, structure, and\r\ninfrastructure with Pierogi, resulted in a multitude of samples implemented in Delphi, Pascal, and C++. 
This\r\nhighlights the frequent adoption of different development paradigms by Gaza Cybergang and aligns with the\r\nobservations by Facebook, which associates these variants with Arid Viper and tracks them using different names\r\nunder the broader Micropsia malware family, such as Glasswire, Primewire, and fgref.\r\nMalware attributions\r\nIn late 2020, victims targeted with Pierogi variants as part of a suspected Arid Viper operation were observed to be\r\nalso infected with the then-new SharpStage and DropBook malware, an overlap assessed to strengthen the ties\r\nbetween the Molerats and Arid Viper Gaza Cybergang sub-groups.\r\nLater, in June 2021, the LastConn malware, which was discovered as part of activities attributed to the TA402\r\ncluster, was assessed with high confidence to be an updated version of SharpStage.\r\nBased on our follow-up investigation into recent 2023 TA402 activity targeting Middle Eastern government\r\nentities, we highlight concrete overlaps in malware used by TA402 and a lesser-known threat actor named\r\nWIRTE. First disclosed in April 2019, WIRTE was initially considered to be a distinct cluster but later associated\r\nwith low confidence to the Gaza Cybergang umbrella (primarily based on the use of decoys on Palestinian\r\nmatters, which are typical for the Gaza Cybergang constituent sub-groups).\r\nWIRTE is known for using a unique custom user agent for C2 communication when staging malware, with the\r\nvalue of the rv field likely being an intrusion identifier. WIRTE’s stagers encapsulate C2 communication\r\nattempts in an infinite loop, separated by sleep periods of randomly generated lengths within defined lower and\r\nupper boundaries. 
We observe the same unique user agent format and C2 communication pattern in TA402’s .NET\r\nmalware stagers.\r\nUser agent and C2 communication in 2020 WIRTE malware\r\nUser agent and C2 communication in 2022 TA401 malware\r\nThe involvement of malware artifacts previously seen only in the context of WIRTE indicates a likely relation\r\nbetween the TA402, WIRTE, and Gaza Cybergang clusters. This aligns with the latest TA402 attribution\r\nassessment as a cluster overlapping with Gaza Cybergang and WIRTE.\r\nBack To The Big Bang\r\nOperation Bearded Barbie, revealed in April 2022 and attributed with moderate-high confidence to Arid Viper, is a\r\ncampaign that has been targeting Israeli individuals and officials in the law enforcement, military, and emergency\r\nservices sectors. The operation highlights the BarbWire backdoor as a novel malware in Arid Viper’s arsenal.\r\nA closer look at the implementation of the BarbWire variants observed as part of Operation Bearded Barbie reveals\r\nrelations to a malware strain used as part of the 2018 Big Bang campaign, which was considered an evolution of a\r\n2017 campaign targeting Palestinian individuals and entities. Without making a concrete attribution at the time,\r\nthe campaign was loosely associated with the Gaza Cybergang, noting some links to Arid Viper in particular.\r\nThe Big Bang campaign involves the use of a C++ implant, assessed to be an upgraded version of older Micropsia\r\nvariants. In addition to some similarities in execution flow and structure, we observed that the backdoors used in\r\nthe Big Bang and Bearded Barbie campaigns share unique strings that report the execution status and/or indicate\r\ninternal references to malware modules.\r\nThe BarbWire samples used as part of Operation Bearded Barbie are reported to implement a custom base64\r\nalgorithm (cit.) to obfuscate strings. 
The backdoor does not implement changes to the Base64 encoding algorithm\r\nitself, but modifies Base64 strings by adding an extra character that is removed before decoding. String decoding\r\nof BarbWire strings in this way reveals exact matches between BarbWire and the backdoor observed in the Big\r\nBang campaign.\r\nBackdoor string matches\r\nIn contrast to BarbWire, BigBang backdoor samples obfuscate the same strings present in BarbWire using\r\nBase64-encoding only. The malware authors have likely introduced the Base64 string modification technique in\r\nlater malware development efforts (reflected in Operation Bearded Barbie), as a relatively simple but effective\r\nattempt to evade detection based on known string artifacts.\r\nThis technique also allows for quick changes of the modified Base64 strings by only changing the second\r\ncharacter to keep evading detection over time. For example, both of the strings IZERvZXMgbm90IGV4aXN0Lg and\r\nIHERvZXMgbm90IGV4aXN0Lg Base64-decode to “ Does not exist. ” once the second character is removed.\r\nConclusions\r\nGaza Cybergang operations over 2022 and 2023 reveal a sustained focus on targeting Palestinian entities. The\r\ndiscovery of the Pierogi++ backdoor shows that the group continues to evolve and supplement its staple malware\r\narsenal, including transforming older implementations into new tooling.\r\nThe intertwined nature of its constituent sub-groups sharing TTPs, malware, and victims, indicates that Gaza\r\nCybergang is a unified front against anti-Hamas interests. 
The persistent nature of the Gaza Cybergang threat\r\nunderscores the necessity for sustained vigilance and cooperative measures to address the challenges posed by\r\nthese threat actors.\r\nSentinelLABS continues to monitor Gaza Cybergang activities to further improve the collective knowledge on the\r\ngroup’s dynamics and to supply indicators, which are relevant to security teams defending their organizations and\r\nindividuals at risk of being targeted.\r\nIndicators of Compromise\r\nSHA-1 Hashes\r\nDomains\r\nSource: https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/"
	],
	"report_names": [
		"gaza-cybergang-unified-front-targeting-hamas-opposition"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9198aefa-3da6-4605-bb52-923df20a7fce",
			"created_at": "2023-01-06T13:46:38.766848Z",
			"updated_at": "2026-04-10T02:00:03.093153Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "MISPGALAXY:The Big Bang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7d9b02d-d294-422b-adf7-4b3adfac9d9a",
			"created_at": "2022-10-25T16:07:23.392241Z",
			"updated_at": "2026-04-10T02:00:04.577887Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "ETDA:The Big Bang",
			"tools": [
				"Micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775792290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0753cdcfa70bed2b0bd0aa2d32bfc6eafa778a1d.pdf",
		"text": "https://archive.orkl.eu/0753cdcfa70bed2b0bd0aa2d32bfc6eafa778a1d.txt",
		"img": "https://archive.orkl.eu/0753cdcfa70bed2b0bd0aa2d32bfc6eafa778a1d.jpg"
	}
}