{
	"id": "4c52da83-7bc8-4ab9-a676-f5060e46bb5b",
	"created_at": "2026-04-06T00:07:55.85488Z",
	"updated_at": "2026-04-10T03:33:54.737465Z",
	"deleted_at": null,
	"sha1_hash": "2eb5209479c499db090911af31a4756962be6580",
	"title": "Dissecting 'Operation Ababil' - an OSINT Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 709446,
	"plain_text": "Dissecting 'Operation Ababil' - an OSINT Analysis\r\nPublished: 2012-09-28 · Archived: 2026-04-05 15:12:45 UTC\r\nProvoked by a questionable online video posted on YouTube, Muslims from around the world united in an\r\napparent opt-in botnet crowdsourcing campaign aiming to launch a DDoS (distributed denial of service) attack against\r\nYouTube for keeping the video online, and against several major U.S. banks and financial institutions.\r\nDubbed \"Operation Ababil\", and operated by the Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, the\r\ncampaign appears to have had a limited, but highly visible impact on the targeted web sites. Just like in every other\r\ncrowdsourced opt-in botnet campaign such as the \"Coordinated Russia vs Georgia cyber attack in progress\",\r\nthe \"Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites\", the \"Electronic\r\nJihad v3.0 - What Cyber Jihad Isn't\" campaign, and the \"The DDoS Attack Against CNN.com\" campaign,\r\npolitical sentiments over the attribution element seem to have orbited around the notion that it was nation-sponsored by the Iranian government.\r\nWhat's so special about this attack? 
Did the individuals behind it possess sophisticated hacking or coding abilities?\r\nWas it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government?\r\nCan we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have\r\na strong digital fingerprint?\r\nIn this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who was part\r\nof the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups\r\nas possible, and actually claimed responsibility for the attacks once they took place.\r\nThe campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group\r\nannouncing \"Operation Ababil\":\r\nThe original message left is as follows:\r\n\"Operation Ababil, The second week\r\nIn the previous announcements we stated that we will not tolerate insulting\r\nexalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series\r\nof cyber operations against the insulting country's credit and financial centers. Some U.S. officials tried to divert\r\npeople's attention from the subject and claimed that the main aim of the operation was not deal to insults but it\r\nhad other intentions. \r\nThe officials claimed that certain countries have taken these measures to solve their internal problems. We strongly\r\nreject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of\r\nMuslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger\r\nbe deflected and controlled by such deceptive tricks. Insult to a prophet is not acceptable especially when it is the\r\nLast prophet Muhammad (Peace Be upon Him). 
\r\nSo as we promised before, the attack will be continued until the removal of that sacrilegious movie from the\r\nInternet. Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets\r\nare out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while\r\nthe specific organization is under attack. We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. \r\nWe repeat again the attacks will continue for sure till the removal of that sacrilegious movie. We invite all\r\ncyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will\r\nbe large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.\r\nTuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com\r\nWednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com\r\nThursday 9/27/2012 : attack to PNC site, www.pnc.com\r\nWeekends: planning for the next week' attacks.\r\nMrt. Izz ad-Din al-Qassam Cyber Fighters\"\r\nPeriodically, the group also released update notes for the campaigns currently taking place:\r\nThe original message published is as follows:\r\n\"Operation Ababil\" started over BoA :http://pastebin.com/mCHia4W5 http://pastebin.com/wMma9zyG In the\r\nsecond step we attacked the largest bank of the united states, the \"chase\" bank. 
These series of attacks will\r\ncontinue until the Erasing of that nasty movie from the Internet. The site \"www.chase.com\" is down and also\r\nOnline banking at \"chaseonline.chase.com\" is being decided to be Offline ! Down with modern infidels.\r\n### Cyber\r\nfighters of Izz ad-din Al qassam ###\"\r\nSecond statement released by the group:\r\nThe original message published is as follows:\r\n\"Dear Muslim youths, Muslims Nations and are noblemen\r\nWhen Arab nations rose against their corrupt regimes\r\n(those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more\r\nsupporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie\r\ninsulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action,\r\nMuslims must do whatever is necessary to stop spreading this movie. \r\nWe will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will\r\nattack to American and Zionist Web bases as much as needed such that they say that they are sorry about that\r\ninsult. We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange\r\nfor the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at\r\n2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.\r\nDown with modern infidels.\"\r\nClearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet-connected\r\nusers who would later on be instructed on how to participate in the DDoS attacks. 
Let's assess the potential of the\r\nDDoS tool that was used in the campaign.\r\nSample screenshot of the DDoS script in Arabic:\r\nInside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:\r\nDetection rate for the DDoS script:\r\nyoutube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997\r\nDetected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924\r\nOriginally, the attack relied on a static recruitment message which included links to the DIY DDoS script located\r\non 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a\r\nuser going under the handle of \"Marzi Mahdavi II\". It's important to point out that these static links were\r\ndistributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.\r\nThanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message\r\nseeking participation in the upcoming attacks.\r\nMarzi Mahdavi II's Facebook account:\r\nSample shared Wall post seeking participation in the upcoming DDoS campaign:\r\nSample blog post enticing users to participate:\r\nMarzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the\r\nongoing recruitment campaigns across multiple Web sites:\r\nSecond blog post enticing users to participate in the DDoS campaign:\r\nThis very latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me\r\nto the conclusion that what we've got here is either that Iran's hacktivist community is lagging 
behind by\r\nyears compared to sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that\r\nIran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into\r\nthinking that it's still in a \"catch up mode\" with the rest of the world when it comes to offensive cyber operations.\r\nDid these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data\r\nfrom the Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the\r\nlow profile DDoS script released by the campaigners.\r\nSample Host-Tracker report for a targeted web site during the campaign:\r\nSecond Host-Tracker report for a targeted web site during the campaign:\r\nThird Host-Tracker report for a targeted web site during the campaign:\r\nFourth Host-Tracker report for a targeted web site during the campaign:\r\nFifth Host-Tracker report for a targeted web site during the campaign: \r\nIs the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and\r\nvirtually irrelevant technical skills? Taking into consideration the previous DDoS campaign launched by Iranian\r\nhacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations,\r\ngiven the centralized nature of the chain of command in this group.\r\nWhat's also worth pointing out is the fact that this is the first public appearance of the group that claims\r\nresponsibility for these attacks. 
Considering this and the lack of a strong digital fingerprint for the group in\r\nquestion, virtually anyone on the Internet can engineer cyber warfare tensions between Iran and the U.S. by\r\nbasically impersonating what's believed to be an Iranian group.\r\nThis post has been reproduced from Dancho Danchev's blog.\r\nSource: http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"
	],
	"report_names": [
		"dissecting-operation-ababil-osint.html"
	],
	"threat_actors": [
		{
			"id": "bb08058c-a744-4129-aa80-10aa34ed8766",
			"created_at": "2022-10-25T16:07:24.474826Z",
			"updated_at": "2026-04-10T02:00:05.003307Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Cyber fighters of Izz Ad-Din Al Qassam",
				"Fraternal Jackal",
				"QCF",
				"Qassam Cyber Fighters"
			],
			"source_name": "ETDA:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d63af7da-1b27-4f7e-a006-e7398c38f436",
			"created_at": "2023-01-06T13:46:38.702633Z",
			"updated_at": "2026-04-10T02:00:03.073096Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Fraternal Jackal"
			],
			"source_name": "MISPGALAXY:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2eb5209479c499db090911af31a4756962be6580.pdf",
		"text": "https://archive.orkl.eu/2eb5209479c499db090911af31a4756962be6580.txt",
		"img": "https://archive.orkl.eu/2eb5209479c499db090911af31a4756962be6580.jpg"
	}
}