{
	"id": "58a82d51-1f2f-48fa-96d0-56faa0bad726",
	"created_at": "2026-04-06T01:31:35.930698Z",
	"updated_at": "2026-04-10T03:38:09.735424Z",
	"deleted_at": null,
	"sha1_hash": "28b374422af7cc6d63e39db98ca74f69aacd7ed1",
	"title": "New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2248080,
	"plain_text": "New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The\r\nSpark Campaign\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-06 00:24:41 UTC\r\nResearch by: Cybereason Nocturnus Team\r\nBackground\r\nOver the last several months, the Cybereason Nocturnus team has been tracking recent espionage campaigns targeting the\r\nMiddle East. These campaigns are specifically directed at entities and individuals in the Palestinian territories. This\r\ninvestigation shows multiple similarities to previous attacks attributed to a group called MoleRATs (aka The Gaza\r\nCybergang), an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.\r\nIn our analysis, we distinguish between two separate campaigns happening simultaneously. These campaigns differ in tools,\r\nserver infrastructure, and nuances in decoy content and intended targets.\r\n1. The Spark Campaign: This campaign uses social engineering to infect victims, mainly from the Palestinian\r\nterritories, with the Spark backdoor. This backdoor first emerged in January 2019 and has been continuously active\r\nsince then. The campaign’s lure content revolves around recent geopolitical events, especially the Israeli-Palestinian\r\nconflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian\r\nmovements.\r\n2. The Pierogi Campaign: This campaign uses social engineering attacks to infect victims with a new, undocumented\r\nbackdoor dubbed Pierogi. This backdoor first emerged in December 2019, and was discovered by Cybereason. In\r\nthis campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by\r\nMoleRATs involving the Micropsia and Kasperagent malware.\r\nIn part one of this research, we analyze the Spark campaign. 
This campaign is named after a rare backdoor used by the\r\nMoleRATs Group, dubbed Spark by Cybereason and previously reported by 360’s blog.\r\nFor a detailed report on the Pierogi campaign, please see part 2 of this research.\r\nThe creators of the Spark backdoor use several techniques to evade detection and stay under the radar. They pack the\r\nmalware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are\r\nArabic speaking. This minimizes the risk of detection and of infecting unwanted victims.\r\nKey Points\r\nCyber Espionage in the Middle East: The Cybereason Nocturnus team has discovered several recent, targeted\r\nattacks in the Middle East. These attacks deliver the Spark and Pierogi backdoors for politically-driven cyber\r\nespionage operations.\r\nTargeting Palestinians: The campaigns seem to target Palestinian individuals and entities, likely related to the\r\nPalestinian government.\r\nPolitically-motivated APT: Cybereason suspects that the objective of the threat actor is to obtain sensitive\r\ninformation from the victims and leverage it for political purposes.\r\nLured Into Deploying a Backdoor: The attackers use specially crafted lure content to trick targets into opening\r\nmalicious files that infect the victim’s machine with a backdoor. The lure content in the malicious files relates to\r\npolitical affairs in the Middle East, with specific references to the Israeli-Palestinian conflict, tension between Hamas\r\nand Fatah, and other political entities in the region.\r\nPerpetrated by an Arabic-Speaking APT Group: The modus operandi of the attackers, in conjunction with the\r\nsocial engineering tactics and decoy content, seems aligned with previous attacks carried out by the Arabic-speaking\r\nAPT group MoleRATs (aka Gaza Cybergang). 
This group has been operating in the Middle East since 2012.\r\nFor a synopsis of this research, check out the Molerats \u0026 Pierogis Threat Alert.\r\nTable of Contents\r\nBackground\r\nKey Points\r\nSuspected Threat Actor Description\r\nInfection Vector: Social Engineering using Targeted Content\r\nExample 1: Social Engineering using a PDF Document\r\nBackdoor Installation: AutoIt Dropper\r\nExample 2: Dropper with a Decoy Document\r\nhttps://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one\r\nPage 1 of 13\n\nSpark Backdoor Analysis\r\nEnigma Packer\r\nChecking for Security Products\r\nChecking for the Arabic Language\r\nC2 Communication\r\nConclusion\r\nIndicators of Compromise\r\nMITRE ATT\u0026CK Breakdown\r\nPart 2: The Discovery of the New, Mysterious Pierogi Backdoor\r\nSuspected Threat Actor Description\r\nThese attacks show significant similarities to previously documented attacks attributed to the Arabic-speaking threat actor\r\ncommonly referred to as the MoleRATs group (aka The Gaza Cybergang, Moonlight, DustySky, Gaza Hacker Team). This\r\ngroup, which has been tracked by various security teams, is believed to comprise three subgroups:\r\n1. Gaza Cybergang Group 1, also dubbed MoleRATs: MoleRATs has been active since at least 2012. This Arabic-speaking group uses spear phishing attacks to infect target machines in the Middle East and North Africa with various\r\nRemote Access Trojans (RATs). As MoleRATs most prominently targets the Palestinian territories, its spear phishing\r\nattacks often use attached malicious documents on topical Palestinian Authority-related issues to lure their victims.\r\nThe group uses a mix of tools and malware, some developed by the group and others that are more generic tools.\r\n2. Gaza Cybergang Group 2, also dubbed Desert Falcons, APT-C-23, Arid Viper. 
This second group is an Arabic-speaking group that mainly targets the Middle East and North Africa, with a few targets in European and Asian\r\ncountries as well. The group is known for their advanced attacks that leverage custom-built Windows malware\r\n(Kasperagent, Micropsia) as well as Android malware (Vamp, GnatSpy).\r\n3. Gaza Cybergang Group 3: This group is believed to be behind Operation Parliament. It is considered to be the most\r\nadvanced group of the three, and is focused on high-profile targets in the Middle East, North America, Europe and\r\nAsia. The group is reported to have previously attacked government institutions, parliaments, senates, diplomatic\r\nfunctions, and even Olympic and other sports bodies.\r\nA Note on Attribution\r\nIt is important to remember there are many threat actors operating in the Middle East, and often there are overlaps in TTPs,\r\ntools, motivation, and victimology. There have been cases in the past where a threat actor attempted to mimic another to\r\nthwart attribution efforts, and as such, attribution should rarely be taken as is, but instead with a grain of salt and critical\r\nthinking.\r\nInfection Vector - Social Engineering using Targeted Content\r\nThemes of the Content Used to Lure Targets\r\nIn this attack, the targets are lured to open a document or a link attached to an email. There have been cases in the past\r\nwhere victims also downloaded malicious content from fake news websites. The names of the files and their content play a\r\nmajor part in luring victims to open them, as they usually relate to current topics pertaining to Hamas, the Palestinian\r\nNational Authority, or other recent events in the Middle East. The lure documents analyzed by Cybereason in this attack\r\nconcentrate on the following themes:\r\nThe Conflict between Hamas and Fatah: The historical rivalry between the Hamas and Fatah has resulted in many\r\nopen battles between the two entities. 
Since 2006, Hamas has controlled the Gaza Strip and Fatah has controlled the\r\nWest Bank.\r\nMatters pertaining to the Israeli-Palestinian Conflict: Some of the documents in this campaign reference different\r\naspects of the Israeli-Palestinian conflict, and the efforts for ceasefire and peace processes between the Israelis and\r\nthe Palestinians, including the latest peace plan made by President Donald Trump and Senior Advisor to the President\r\nof the United States Jared Kushner.\r\nVigilance Following Soleimani’s Assassination: One of the lure documents mentions sources in Lebanon that report\r\na state of alert and vigilance amongst Iranian, Syrian, and Lebanese militias following Soleimani’s assassination.\r\nTensions Between Hamas and the Egyptian Government: Egypt plays a major role as a mediator in the Israeli-Palestinian conflict and has brokered several ceasefire deals and other negotiations in the past. Changes to Egypt’s\r\ninternal political climate are known to have affected Egyptian government relations with Hamas over the years. 
It was recently reported that Ismail Haniyeh, the head of Hamas’ Political Bureau, had a falling-out with the Egyptian\r\ngovernment over his visit to Tehran to participate in General Qasem Soleimani’s funeral, following Soleimani’s\r\nassassination.\r\nSpark backdoor dropper named “Abu-Mazen and Kushner’s meeting” uploaded to VirusTotal from the Palestinian\r\nterritories.\r\nFiles observed in the Spark campaign (file name, translation, SHA-256):\r\nFile: exe.لقاء ابو مازن و كوشنري (Translation: Meeting between Abu-Mazen and Kushner). SHA-256: 01887df1febdf6fdf85e870e8d87f4397a4854ffedeaffd2f8d21310306e50b0\r\nFile: محضر اجتماع قيادةاالجهزة االمنية في غزة من اجل exe.افشال انطالقة فتح (Translation: Minutes of the meeting of the leadership of the security services in Gaza in order to thwart the anniversary of Fatah.exe). SHA-256: 2268101c32989e7cfcb8b2ef47163f741850e7619edf0c0e8f365cfceb1b1e82\r\nFile: Details%20Ceasfire%20with%Israel.zip. SHA-256: 31b08c139b6fc3bdde0734d1b2c609550a03ca97ec941eaf24224bb449e17e26\r\nFile: هنية سيقيم في الخارج و حماس تصعد في pdf.غزة (Translation: Haniyeh will remain abroad and Hamas steps up in Gaza.pdf). SHA-256: 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e\r\nFile: exe.تقرير معلومات فوري (Translation: Urgent Information Report.exe). SHA-256: 6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47\r\nTable that summarizes files observed in the Spark campaign.\r\nIn the Spark campaign, the lure documents and links point to one of two file sharing websites, Egnyte or Dropbox. The\r\ntarget is encouraged to download an archive file in rar or zip format that contains an executable file masquerading as a\r\nMicrosoft Word document. 
\r\nThe following file was downloaded from Dropbox:\r\nMalicious archive hosted on Dropbox.\r\nMalicious archive with a name meant to lure targets.\r\nExample 1: Social Engineering using a PDF Document\r\nOne example of a lure document used in the Spark campaign is a PDF file that is used to deliver the Spark backdoor to the\r\nvictim. The document includes a special report allegedly quoted from the Egyptian newspaper Al-Ahram. This document\r\nreports that Ismail Haniyeh, the political leader of Hamas, had notified the Egyptian government that he will remain abroad\r\nafter his visit to Tehran to take part in Soleimani’s funeral, which sparked tension with the Egyptian authorities.\r\nFile: هنية سيقيم في الخارج و حماس تصعد في غزة.pdf (Translation: Haniyeh will remain abroad and Hamas rises in Gaza.pdf). SHA-256: 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e\r\nThe document was submitted to VirusTotal on 20/01/2020 from the Palestinian territories:\r\nDocument uploaded to VirusTotal on 20/01/2020 from the Palestinian territories.\r\nPhishing document luring the readers to click on a malicious link.\r\nThe target is encouraged to click on the link to read the entire article. However, the document does not link to the Egyptian\r\nnewspaper’s website, but instead to a file sharing website called Egnyte. It prompts the user to download a file that\r\nsupposedly contains the full article.\r\nLink embedded in the PDF document: hxxps://csaasd.egnyte[.]com/dd/h5s7YHzOy5\r\nThe downloaded file is an archive file (.r23) that contains a Windows executable file with the same name as the PDF and\r\nwith a fake Microsoft Word icon. 
\r\nFile: هنية سيقيم في الخارج و حماس تصعد في 23r.غزة (Haniyeh will remain abroad and Hamas steps up in Gaza.r23). SHA-256: e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614\r\nFile: هنية سيقيم في الخارج و حماس تصعد في exe.غزة (Haniyeh will remain abroad and Hamas steps up in Gaza.exe). SHA-256: 7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128\r\nSpark backdoor dropper file masquerading as a Word document using a fake icon.\r\nWhen the victim double-clicks on the executable file, it unpacks and installs the Spark backdoor, as shown in the attack tree\r\nscreenshot below.\r\nInstallation process of the Spark backdoor, as shown in Cybereason’s attack tree.\r\nBackdoor Installation: AutoIt Dropper\r\nThe extracted executable file contains a compiled AutoIt script, which can be seen in the RT_RCDATA section of the file.\r\nAutoIt indications found in the binary resources of the dropper (SHA-256:\r\n7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128).\r\nThe decompiled code shows the decryption routine that unpacks the embedded Spark backdoor.\r\nExcerpt from the decompiled AutoIt script where it is unpacking the Spark backdoor.\r\nOnce the file is unpacked, the backdoor is dropped in two different locations on the infected operating system:\r\nC:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe\r\nC:\\Users\\user\\runawy.exe\r\nIn addition, the AutoIt code also creates the following scheduled task for persistence:\r\nSCHTASKS /Create /f /SC minute /TN runawy /mo 5 /tr C:\\Users\\\u003cUSER\u003e\\runawy.exe\r\nExcerpt from the decompiled AutoIt script where it installs the backdoor and creates persistence.\r\nExample 2: Dropper with a Decoy Document\r\nDuring our investigation, we found the following executable file.\r\nFile name SHA-256\r\nexe.تقرير 
معلومات فوري\r\n(Urgent Information Report.exe)\r\n6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47\r\nThe executable has a Microsoft Word icon to trick victims into believing they are opening a Word document.\r\nSpark backdoor dropper file masquerading as a Word document using a fake icon.\r\nOnce the user double-clicks on the executable file, the dropper drops a Word document in %AppData% and displays the\r\nfollowing decoy document to the victim, while the dropper runs in the background and installs the backdoor.\r\nDecoy document: %appdata%\\info.docx. SHA-256: 2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d\r\nThe decoy document presented to the user is titled “Urgent Information Report” in Arabic.\r\nThe dropper drops the Spark backdoor binary and a shortcut file used to initiate persistence in the following locations.\r\nFile: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Blaster.lnk. SHA-256: 4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842\r\nFile: C:\\Users\\user\\AppData\\Roaming\\Blaster.exe. SHA-256: cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551\r\nCybereason UI: The attack tree displaying the Spark backdoor infection chain.\r\nSpark Backdoor Analysis\r\nThe Spark payload is a custom backdoor likely developed by the MoleRATs group. In addition to known generic malware\r\n(such as njRAT, Poison Ivy, XtremeRAT), the MoleRATs group has been known to develop its own custom tools such as\r\nDustySky, the MoleRAT Loader and Scote. We believe this backdoor is relatively new and seems to have appeared starting\r\nin the beginning of 2019. 
\r\nThe name Spark is derived from the PDB path left in a few of the backdoor binaries:\r\nW:\\Visual Studio 2017\\Spark4.2\\Release\\Spark4.2.pdb\r\nThe Spark backdoor allows the attackers to:\r\nCollect information about the infected machine.\r\nEncrypt the collected data and send it to the attackers over the HTTP protocol.\r\nDownload additional payloads.\r\nLog keystrokes.\r\nRecord audio using the computer’s microphone.\r\nExecute commands on the infected machine.\r\nThe creators of the Spark backdoor use a few techniques that are intended to keep the backdoor under the radar, including:\r\nPacking the payloads with the Enigma packer.\r\nChecking for antivirus and other security products using WMI.\r\nValidating Arabic keyboard and language settings on the infected machine.\r\nEnigma Packer\r\nAll the payloads observed by Cybereason in this campaign were packed by a powerful commercial packer called\r\nEnigma Packer. The MoleRATs group has been known to use this packer in previous attacks.\r\nEnigma packer artifacts in file metadata (SHA-256:\r\nb08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca).\r\nChecking for Security Products\r\nOne common evasive mechanism used by the Spark backdoor is its ability to check for installed security products using\r\nWMI queries (WQL). If certain security products are installed, the backdoor does not carry out its malicious activity.\r\nSELECT * FROM AntiVirusProduct\r\nSELECT * FROM FirewallProduct\r\nChecking for the Arabic Language\r\nAnother evasive mechanism used by the backdoor is how it checks whether an Arabic keyboard and Arabic language\r\nsettings are used on the infected machine. If Arabic keyboard and language settings are not found on the machine, the\r\nbackdoor will not carry out its malicious activity. This check serves two purposes:\r\n1. 
It minimizes the risk of overexposure by specifically targeting Arabic speakers.\r\n2. It can thwart detection by automated analysis engines and sandbox solutions.\r\nEnumerating installed keyboards on the infected machine.\r\nObtaining locale information from the infected machine.\r\nComparing the results of the language checks with the word Arabic.\r\nUsing a Hidden Window\r\nAfter unpacking itself, the Spark backdoor creates a hidden window where most of the malicious activity is handled.\r\nCreation of the hidden window, using the value 0 for the ShowWindow function to hide the window.\r\nThis behavior can be detected using a tool called WinLister, which enumerates hidden windows. The name of the window is\r\nSpark4.2.\r\nC2 Communication\r\nThe Spark backdoor communicates with the C2 servers over the HTTP protocol. The data is first encrypted and then\r\nencoded with Base64. In this instance, the backdoor posts the data to the domain nysura[.]com (for more domains, please\r\nsee the IOC section of this research).\r\nIt is interesting to see that the HTTP POST Host header refers to a legitimate domain, cnet.com; however, in actuality, the\r\ndata is sent to nysura[.]com, as can be seen in the traffic screenshot below.\r\nThe Spark backdoor sends data to the C2 server.\r\nThe data sent to the C2 follows a structured pattern that uses a predefined keywords array, where each keyword is mapped to\r\na certain subroutine. The keywords are comprised of the names of individuals. They are mostly Western names, but there\r\nwere some Arabic names in a few of the samples. 
\r\nKeywords comprised of names used by the backdoor.\r\nPrior to sending the data to the server, the data is encrypted and staged in an array like this:\r\n[27089,28618,9833,4170,25722,19977,2369,21426,3435,7442,30146,21719,16140,16280,16688,22550,19867,194,3298]\r\nThe data is then encoded with Base64:\r\n\"WzI3MDg5LDI4NjE4LDk4MzMsNDE3MCwyNTcyMiwxOTk3NywyMzY5LDIxNDI2LDM0MzUsNzQ0MiwzMDE0NiwyMTcxOSwxNjE0MCwxNjI4MCwx\r\nThe Base64-encoded data is inserted into the following JSON object, which contains the individual names.\r\nJSON object containing the Base64-encoded data.\r\nLastly, the entire JSON object is encoded with Base64 and undergoes another stage of encryption, and is then sent to the server:\r\nZjRTc1dTTU9nVW5FaXM3bGgvbU90MTlVMHFkb1c5SFFuRXhhSVR5YytIQkZremk3bk5wY21BUEZRYitJenA1cnlJY1lxREJJZ1RrL0N4UzZWcVVQM0p\r\nUsing names as keywords is an identical technique to that of the data structure logic previously documented by 360’s blog\r\npost. This post discusses an earlier variant of the backdoor attributed to the MoleRATs group. Using other individuals’ names\r\nfor C2 communication has also been done by the two other Gaza Cybergang groups:\r\nGaza Cybergang Group 2 with the Micropsia backdoor: In this instance, the C2 communication implemented by\r\nthe Micropsia backdoor also used specific names for different C2 commands.\r\nGaza Cybergang Group 3 in Operation Parliament: In this instance, the malware also used people’s names for C2\r\ncommunication to send and receive commands from the server. 
Based on the similarity of the naming convention and\r\ndata format, we believe the Spark backdoor could be an evolution of the backdoor mentioned in Operation\r\nParliament, or at least inspired by the malware.\r\nConclusion\r\nThe Spark campaign detailed in this blog demonstrates how the tense geopolitical climate in the Middle East is used by\r\nthreat actors to lure victims and infect them with the Spark backdoor for cyber espionage purposes.\r\nThe names of the files and decoy content seem to be carefully crafted, often referencing controversial and topical political\r\nissues. Cybereason estimates that the files are specifically meant to lure and appeal to victims from the Middle East,\r\nespecially individuals and entities in the Palestinian territories likely related to the Palestinian government or the\r\nFatah movement.\r\nThe techniques, tools, and procedures used in this campaign bear great resemblance to previous attacks attributed to the\r\nMoleRATs Group (aka Gaza Cybergang Group), an Arabic-speaking, politically motivated group that has operated in the\r\nMiddle East since 2012.\r\nOur research demonstrates the efforts made by attackers to reduce the risk of detection of the Spark backdoor by various\r\nsecurity products. The backdoor checks for the existence of antivirus and firewall products before it initiates its malicious\r\nactivity. Importantly, the backdoor simply will not reveal its malicious nature unless an Arabic language keyboard and settings\r\nare found on the infected machine. This shows how the attackers use this backdoor in a surgical way to exclusively attack\r\nspecific targets.\r\nIn addition, analysis of these backdoor delivery methods also highlights a trend by many threat actors where they use\r\nlegitimate storage platforms to deliver the initial stages of the attack. 
By storing malicious content on trusted platforms like\r\nDropbox, attackers reduce the risk of detection by certain security solutions that are gaining popularity, like email filters.\r\nPart 2: The Discovery of the New, Mysterious Pierogi Backdoor\r\nCybereason Detection, Visibility, and Prevention\r\nCybereason prevents and detects the attacks mentioned in this research.\r\nCybereason UI: The attack tree showing the installation of the Spark backdoor.\r\nCybereason’s Next-generation Antivirus can detect and prevent the Spark backdoor.\r\n(SHA-256: 5139a334d5629c598325787fc43a2924d38d3c005bffd93afb7258a4a9a8d8b3)\r\nThe file (pdf.exe) was automatically blocked by NGAV.\r\nCybereason agent blocks the execution of the Spark backdoor.\r\nIndicators of Compromise\r\nClick here to download the MoleRATs IOCs (PDF)\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Spearphishing Attachment, Spearphishing Link\r\nExecution: Command-Line Interface, Scheduled Task, Scripting, User Execution\r\nPersistence: Scheduled Task, Registry Run Keys / Startup Folder, Shortcut Modification\r\nPrivilege Escalation: Bypass User Account Control, Startup Items\r\nDefense Evasion: Bypass User Account Control, Deobfuscate/Decode Files or Information, Disabling Security Tools, File Deletion, Software Packing, Masquerading, Evade Analysis Environment\r\nDiscovery: System Information Discovery, User Discovery, Virtualization/Sandbox Discovery, Security Software Discovery\r\nCollection: Screen Capture, Automated Collection\r\nC\u0026C: Web Service, Data Encoding, Remote File Copy\r\nExfiltration: Data Encrypted
\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one"
	],
	"report_names": [
		"new-cyber-espionage-campaigns-targeting-palestinians-part-one"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439095,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28b374422af7cc6d63e39db98ca74f69aacd7ed1.pdf",
		"text": "https://archive.orkl.eu/28b374422af7cc6d63e39db98ca74f69aacd7ed1.txt",
		"img": "https://archive.orkl.eu/28b374422af7cc6d63e39db98ca74f69aacd7ed1.jpg"
	}
}