{
	"id": "33608e8c-aacc-413a-a948-97c83d846c05",
	"created_at": "2026-04-06T00:08:18.148477Z",
	"updated_at": "2026-04-10T03:38:03.409817Z",
	"deleted_at": null,
	"sha1_hash": "0dccfbb91d70972f4b113a02db4011701d15db2c",
	"title": "Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374460,
	"plain_text": "Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks\r\nBy The Hacker News\r\nPublished: 2022-02-08 · Archived: 2026-04-05 18:05:00 UTC\r\nAn advanced persistent threat (APT) hacking group operating with motives that likely align with Palestine has embarked on a new campaign that takes advantage of a previously undocumented implant called NimbleMamba.\r\nThe intrusions leveraged a sophisticated attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline, enterprise security firm Proofpoint said in a report, attributing the covert operation to a threat actor tracked as Molerats (aka TA402).\r\nNotorious for continuously updating their malware implants and their delivery methods, the APT group was most recently linked to an espionage offensive aimed at human rights activists and journalists in Palestine and Turkey, while a previous attack exposed in June 2021 resulted in the deployment of a backdoor called LastConn.\r\nBut the lull in the activities has been offset by the operators actively working to retool their arsenal, resulting in the development of NimbleMamba, which is designed to replace LastConn, which, in turn, is believed to be an upgraded version of another backdoor called SharpStage that was used by the same group as part of its campaigns in December 2020.\r\n\"NimbleMamba uses guardrails to ensure that all infected victims are within TA402's target region,\" the researchers said, adding the malware \"uses the Dropbox API for both command-and-control as well as exfiltration,\" suggesting its use in \"highly targeted intelligence collection campaigns.\"\r\nAlso delivered is a trojan dubbed BrittleBush that establishes communications with a remote server to retrieve Base64-encoded commands to be executed on the infected machines. What's more, the attacks are said to have occurred in tandem with the aforementioned malicious activity targeting Palestine and Turkey.\r\nThe infection sequence mirrors the technique the threat actor has previously used to compromise its targets. The spear-phishing emails, which act as the starting point, contain geofenced links that lead to malware payloads — but only if the recipient is in one of the targeted regions. If the targets live outside of the attack radius, the links redirect the user to a benign news website like Emarat Al Youm.\r\nHowever, more recent variations of the campaign in December 2021 and January 2022 have involved the use of Dropbox URLs and attacker-controlled WordPress sites to deliver malicious RAR files containing NimbleMamba and BrittleBush.\r\nThe development is the latest example of adversaries using cloud services, such as Dropbox, to launch their attacks, and of how quickly sophisticated actors can respond to public disclosures of their intrusion methods by building something potent and effective enough to get past security and detection layers.\r\n\"TA402 continues to be an effective threat actor that demonstrates its persistence with its highly targeted campaigns focused on the Middle East,\" the researchers concluded. \"The [two] campaigns demonstrate Molerats' continued ability to modify their attack chain based on their intelligence targets.\"\r\nSource: https://thehackernews.com/2022/02/palestinian-hackers-using-new.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/02/palestinian-hackers-using-new.html"
	],
	"report_names": [
		"palestinian-hackers-using-new.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dccfbb91d70972f4b113a02db4011701d15db2c.pdf",
		"text": "https://archive.orkl.eu/0dccfbb91d70972f4b113a02db4011701d15db2c.txt",
		"img": "https://archive.orkl.eu/0dccfbb91d70972f4b113a02db4011701d15db2c.jpg"
	}
}