{
	"id": "01cec220-63c5-4f7c-878f-0ece6edded00",
	"created_at": "2026-04-06T00:15:24.065333Z",
	"updated_at": "2026-04-12T02:21:12.879605Z",
	"deleted_at": null,
	"sha1_hash": "1e0539ed5ce294df94ca5011020277177bfc59bc",
	"title": "NimbleMamba (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30432,
	"plain_text": "NimbleMamba (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:58:57 UTC\r\nNimbleMamba\r\nActor(s): Molerats\r\nNimbleMamba is a new implant used by the TA402/Molerats group as a replacement for LastConn. It uses guardrails to\r\nensure that victims are within the threat actor's target region. It is written in C# and delivered as an obfuscated .NET\r\nexecutable. One obfuscator seen in use is SmartAssembly.\r\nReferences\r\nYara Rules\r\n[TLP:WHITE] win_nimblemamba_w0 (20220209 | Detects .NET written NimbleMamba malware used\r\nby TA402/Molerats)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba"
	],
	"report_names": [
		"win.nimblemamba"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-12T02:00:04.450366Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-12T02:00:03.535831Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-12T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang",
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-12T02:00:03.563069Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-12T02:00:04.730247Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775960472,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e0539ed5ce294df94ca5011020277177bfc59bc.pdf",
		"text": "https://archive.orkl.eu/1e0539ed5ce294df94ca5011020277177bfc59bc.txt",
		"img": "https://archive.orkl.eu/1e0539ed5ce294df94ca5011020277177bfc59bc.jpg"
	}
}