{
	"id": "e23b6eda-6556-4569-92aa-98314027456f",
	"created_at": "2026-04-06T00:12:26.329191Z",
	"updated_at": "2026-04-10T03:38:03.258382Z",
	"deleted_at": null,
	"sha1_hash": "2a0e8294813fffcf3f62860c2d879d0c4775ed4b",
	"title": "Molerats APT: New Malware and Techniques in Middle East Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245828,
	"plain_text": "Molerats APT: New Malware and Techniques in Middle East\r\nEspionage Campaign\r\nBy Cybereason Team\r\nArchived: 2026-04-05 21:25:46 UTC\r\nSecurity researchers observed a politically motivated APT called “Molerats” using three new malware variants to\r\nconduct espionage in the Middle East.\r\nOverview of the Campaign\r\nOn December 9, Cybereason published a report revealing that it had uncovered a new attack campaign\r\nlaunched by Molerats. This operation was consistent with previous attacks launched by the APT in that it used political\r\nevents in the Middle East as lures.\r\nIn particular, the campaign focused on the ongoing normalization process between Israel and its Arab neighbors.\r\nOne of the phishing documents, a PDF file titled “MBS-Israel,” exploited that development by referencing the\r\npeace talks between Israeli Prime Minister Benjamin Netanyahu and His Royal Highness Mohammed bin Salman,\r\nSaudi Crown Prince.\r\nThe PDF document instructed the recipient to download password-protected archives that claimed to contain the\r\ncontents of those peace talks.\r\nAt the time of discovery, Molerats was using Dropbox and Google Drive to host those password-protected\r\narchives at:\r\nhttps://www.cybereason.com/blog/molerats-apt-new-malware-and-techniques-in-middle-east-espionage-campaign\r\nPage 1 of 4\n\nhttps://www.dropbox[dot]com/s/r81t6y7yr8w2ymc/MOM.zip?dl=1\r\nand\r\nhttps://drive.google[dot]com/uc?export=download\u0026id=1NnMlUPwkxK4_wAJwrqxqBAfdKCPDxyeh\r\nBoth archives contained several executables whose names referenced the talks.\r\nMalware Variant #1: SharpStage Backdoor\r\nOne of those executables, “Details Crown Prince held 'secret meeting' with Israeli PM.Nov.23.20.MoM.exe,” was\r\nresponsible for infecting the victim’s computer with SharpStage.\r\nThe first of the three new malware variants detected by Cybereason Nocturnus, SharpStage is a .NET malware\r\nwith backdoor capabilities.
\r\nCybereason’s researchers identified three variants of the SharpStage threat. Those three versions carried\r\ncompilation timestamps between October 4 and November 29, 2020. They also shared similar functionality in\r\nterms of code modularity, obfuscation and persistence.\r\nUpon successful installation, SharpStage enables the attackers to capture snapshots of a victim’s screen, download\r\nand execute additional files, and specifically check for the presence of the Arabic language on the infected machine to avoid\r\nexecuting on computers outside of its intended targeting.\r\nThe backdoor also came equipped with a Dropbox API client. This feature enabled SharpStage to communicate with\r\nDropbox using an access token in order to download files and exfiltrate stolen data.\r\nSharpStage had a detection rate of 1/70 on VirusTotal at the time of discovery.\r\nMalware Variant #2: DropBook Backdoor\r\nThe second executable, “Talking points for meeting.exe,” infected the machine with a sample of the DropBook\r\nbackdoor.\r\nSimilar to SharpStage, DropBook executed on a machine only if the infected machine had the Arabic\r\nlanguage configured. But this malware also came with another precondition: the machine needed to have WinRAR installed, presumably so that\r\na later stage of the attack would work.\r\nDropBook also mimicked SharpStage by using Dropbox for file uploads and downloads. The threat didn’t stop\r\nthere with its abuse of legitimate services, however. It also used posts on Facebook and the note-taking application\r\nSimplenote to receive a Dropbox token as well as command-and-control (C2) instructions from the attackers.\r\nAssaf Dahan, Sr.
Director, Head of Threat Research, explained how this technique helped the attackers to evade\r\ndetection:\r\nMolerats created fake Facebook accounts specifically for this campaign; those accounts are effectively being\r\nused by the group for command-and-control purposes by sending instructions to the malware using Facebook\r\nposts. This is a clever way of hiding in plain sight, abusing the trust given to a legitimate platform such as\r\nFacebook. This helps the group to remain under the radar.\r\nBy using Facebook and Simplenote as communication channels, the attackers could proceed to drop additional\r\nthreats onto the infected computer. Those secondary malware strains included the Quasar RAT and SharpStage.\r\nMalware Variant #3: MoleNet Downloader\r\nDropBook also served as a vehicle through which the attackers could install the MoleNet Downloader, a tool which\r\nhas been in active development since at least 2019.\r\nHeavily obfuscated and written in .NET, the MoleNet Downloader enabled the attackers to profile the OS of the\r\ninfected machine and submit the resulting information to the C2. The malware also came with the ability to\r\ndownload additional payloads from the C2 and to establish persistence using PowerShell.\r\nSimilar Techniques to Come\r\nAfter analyzing the attack campaign, Cybereason Nocturnus reported the abuses it had documented to Google,\r\nFacebook, Dropbox and Simplenote. Some of those vendors responded to the security team and informed them\r\nthat they were launching an investigation to determine what had happened. Others had not yet responded at the\r\ntime of this writing.\r\nOverall, Dahan feels that this new campaign helps to indicate the general direction in which Molerats as an APT is\r\nmoving:\r\nWe see constant changes and developments and an increased level of sophistication.
The group invests time and\r\nresources to try to keep the activity under the radar and evade detection. They are doing a good job with evading\r\nautomatic sandbox analysis by checking for Arabic language settings. Otherwise, the malware won’t run. We\r\nestimate that the abuse of legitimate cloud platforms and social media will only increase, as attackers see the value\r\nin blending in and hiding in plain sight.\r\nMore information about some of Molerats’ earlier attack activity is available here and here. Open the chatbot on\r\nthe lower right-hand side of this blog to download your copy of the Indicators of Compromise, which include C2\r\ndomains, IP addresses, SHA-1 hashes of Docx files, and Msi files.\r\nSource: https://www.cybereason.com/blog/molerats-apt-new-malware-and-techniques-in-middle-east-espionage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/molerats-apt-new-malware-and-techniques-in-middle-east-espionage-campaign"
	],
	"report_names": [
		"molerats-apt-new-malware-and-techniques-in-middle-east-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a0e8294813fffcf3f62860c2d879d0c4775ed4b.pdf",
		"text": "https://archive.orkl.eu/2a0e8294813fffcf3f62860c2d879d0c4775ed4b.txt",
		"img": "https://archive.orkl.eu/2a0e8294813fffcf3f62860c2d879d0c4775ed4b.jpg"
	}
}