{
	"id": "cde108a3-c88b-4568-abeb-a8c98f23c4b8",
	"created_at": "2026-04-06T00:13:06.495279Z",
	"updated_at": "2026-04-10T13:12:18.79486Z",
	"deleted_at": null,
	"sha1_hash": "3816c046dc3492252cc07d6a4d3f02c1f05fb0a5",
	"title": "Gaza Cybergang - updated activity in 2017:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1034049,
	"plain_text": "Gaza Cybergang - updated activity in 2017:\r\nBy Mohamad Amin Hasbini\r\nPublished: 2017-10-30 · Archived: 2026-04-05 16:18:37 UTC\r\n1. Summary information\r\nThe Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively\r\ntargeting the MENA (Middle East North Africa) region. The Gaza cybergang’s attacks have never slowed down and its\r\ntypical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.\r\nOne of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA\r\nregion, infiltrating systems and pilfering data, apparently for more than a year.\r\nAnother interesting finding is the use of the recently discovered CVE 2017-0199 vulnerability, and Microsoft Access files\r\ninto which the download scripts were embedded to reduce the likelihood of their detection. Traces of mobile malware that\r\nstarted to appear from late April 2017, are also being investigated.\r\nRecent targets for the group seem to be varied in nature; the attackers do not appear to be choosing targets selectively, but\r\nrather seeking different kinds of MENA intelligence.\r\nSome of the interesting new updates about the Gaza cybergang:\r\nGaza cybergang attackers have continued their interest in government entities in MENA\r\nNew targets identified include oil and gas in MENA\r\nNew tools and techniques include\r\nAbuse of the CVE 2017-0199 vulnerability\r\nUsage of macros inside Microsoft Access files, enabling lower detection rates\r\nPossible Android mobile malware being used by attackers\r\nPrevious published research:\r\nhttps://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/\r\nKaspersky Lab products and services successfully detect and block Gaza cybergang attacks, detection names 
below:\r\nHEUR:Exploit.MSOffice.Generic\r\nHEUR:Trojan.Win32.Cometer.gen\r\nHEUR:Trojan.Win32.Generic\r\nTrojan-Downloader.Win32.Downeks\r\nTrojan-Spy.MSIL.Downeks\r\nWin32.Bublik\r\nWin32.Agentb\r\nMore information about Gaza cybergang is available to customers of the Kaspersky Intelligence Reporting Service. Contact:\r\nintelreports@kaspersky.com\r\n2. Technical details\r\nPreviously, Gaza cybergang attacks were surprisingly successful in using simple and common tools to achieve their goals.\r\nThey relied on a variety of Remote Access Trojans (RATs) to perform their activities, including Downeks, Qasar,\r\nCobaltstrike…\r\nAs recently as June 2017, however, the attackers started using the CVE 2017-0199 vulnerability which enables direct code\r\nexecution from a Microsoft office document on non-patched victim systems (Cobaltstrike payload in this case). Another\r\nfinding is a possible Android Trojan that the attackers positioned on one of their command servers in April 2017.\r\nIn most cases, malware is sent by email as a compressed attachment or download links. Starting from March 2017, we have\r\nobserved downloaders or Microsoft office documents with embedded macros being sent to victims. When opened, the\r\ndownloader would contact a URL or IP address to retrieve the actual payload. Once successfully executed, the malware\r\ngrants full access to the attackers, providing them with the ability to collect files, keystrokes and screenshots from victims’\r\ndevices. If the initial downloaded malware was detected by the victim, the downloader would attempt to retrieve other\r\nmalware files to the victim’s device, in the hope that one of those files would work.\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 1 of 12\n\nThe full list of indicators of compromise (IOCs) can be found in Appendix I. The list of the most interesting lure content,\r\nmalware files and related droppers, and command servers can be found in Appendix II.\r\n3. 
Summary of recent campaigns\r\nBelow can be found the list of recent findings related to Gaza cybergang operations:\r\nCommand and control\r\nserver\r\nHash\r\nFirst\r\nseen\r\nFile name/Social engineering lure\r\nupgrade.newshelpyou[.]com 552796e71f7ff304f91b39f5da46499b\r\n25-\r\n07-\r\n2017\r\nnvStView.exe\r\n6fba58b9f9496cc52e78379de9f7f24e\r\n23-\r\n03-\r\n2017\r\n??? ????.exe\r\n(Translation: Special photos)\r\neb521caebcf03df561443194c37911a5\r\n03-\r\n04-\r\n2017\r\n??? ????.exe\r\n(Translation: Special photos)\r\nmoreoffer[.]life 66f144be4d4ef9c83bea528a4cd3baf3\r\n27-\r\n05-\r\n2017\r\n????? ????? ??? ?????? ???????? ?? ?????? ????? ???????.exe\r\n(Translation: A statement by the Emir of Qatar accusing the UA\r\nnews agency)\r\n3ff60c100b67697163291690e0c2c2b7\r\n11-\r\n05-\r\n2017\r\nMOM.InstallProxy.exe\r\nb7390bc8c8a9a71a69ce4cc0c928153b\r\n05-\r\n04-\r\n2017\r\n???? ??? ??????? ???? ????? ????????\r\n(Translation: Learn about the woman wearing niqab which offe\r\nf43188accfb6923d62fe265d6d9c0940\r\n21-\r\n03-\r\n2017\r\nGcc-Ksa-uae.exe\r\n056d83c1c1b5f905d18b3c5d58ff5342\r\n16-\r\n03-\r\n2017\r\n?????? ????? ?????? ????? ???????.exe\r\n(Translation: Correspondence regarding the meeting of Heads o\r\n138.68.242[.]68 87a67371770fda4c2650564cbb00934d\r\n20-\r\n06-\r\n2017\r\nhamas.doc\r\n???? ????? ???? ????? ??? ????????.doc (Translation: the points\r\nbetween Hamas and the reformist Fateh movement)\r\n???? ?????? ?????? ??? ??????.doc (Translation: minutes of the\r\n???? ?? ???? ???????? ??? ???????? 
???????.doc (Translation: A\r\nor full salary for employees next Tuesday?)\r\nlol.mynetav[.]org 4f3b1a2088e473c7d2373849deb4536f\r\n20-\r\n06-\r\n2017\r\nNotepad.exe\r\nattachment.scr\r\nhttps://drive.google.com/uc?\r\nexport=download\u0026id=0B1NUTMCAOKBTdVQzTXlUNHBm\r\nsignup.updatesforme[.]club 7d3426d8eb70e4486e803afb3eeac14f\r\n04-\r\n05-\r\n2017\r\nPalestinian Retirement Authority Ramallah.exe\r\n0ee4757ab9040a95e035a667457e4bc6\r\n27-\r\n04-\r\n2017\r\n27-4-2017 Fateh Gaza plo.exe\r\nping.topsite[.]life b68fcf8feb35a00362758fc0f92f7c2e\r\n19-\r\n03-\r\n2017\r\nDownloaded by Macro in MDB files:\r\nhttp://download.data-server.cloudns[.]club/indexer.exe\r\n7bef124131ffc2ef3db349b980e52847 13-\r\n03-\r\n???? ??????? ???? -???? ???? ?????? ??????? .exe\r\n(Translation: Brother Ismail Haniyeh – Deputy Head of the Poli\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 2 of 12\n\n2017\r\nd87c872869023911494305ef4acbd966\r\n19-\r\n03-\r\n2017\r\nDownloaded by Macro in MDB files: http://download.data-server.cloudns[.]club/wordindexer.exe\r\na3de096598e3c9c8f3ab194edc4caa76\r\n12-\r\n04-\r\n2017\r\nviewimages.exe\r\nc078743eac33df15af2d9a4f24159500\r\n28-\r\n03-\r\n2017\r\nviewimages.exe\r\n70d03e34cadb0f1e1bc6f4bf8486e4e8\r\n30-\r\n03-\r\n2017\r\ndownload-file.duckdns[.]org/send/Egyptian_agreement_with_President_M\r\n67f48fd24bae3e63b29edccc524f4096\r\n17-\r\n04-\r\n2017\r\nhttp://alasra-paper.duckdns[.]org/send/?????_???_?????? ??????\r\n_???.rar\r\n(Message from President Abu Mazen to Hamas in Gaza Strip)\r\n7b536c348a21c309605fa2cd2860a41d\r\n17-\r\n04-\r\n2017\r\nhttp://alasra-paper.duckdns[.]org/send/????_??????_???????_??\r\n(Translation: captives paper submitted to stop the strike)\r\nalasra-paper.duckdns[.]org Mobile malware N/A\r\n23-\r\n04-\r\n2017\r\nPossible Android malware. 
http://alasra-paper.duckdns[.]org/sen\r\nEdition-1.04_ApkHouse.com/Dont-Starve-Pocket-Edition-1.04_ApkHouse.com.apk\r\nhamas-wathaq.duckdns[.]org\r\ncf9d89061917e9f48481db80e674f0e9\r\n16-\r\n04-\r\n2017\r\n????? ???? ???? ??? ?? ??? ???? ????? ??? .exe\r\n(Translation: Documents published for the first time on Hamas\r\nStrip)\r\nmanual.newphoneapp[.]com 86a89693a273d6962825cf1846c3b6ce\r\n02-\r\n02-\r\n2017\r\nSQLiteDatabaseBrowserPortable.exe\r\n3f67231f30fa742138e713085e1279a6\r\n02-\r\n02-\r\n2017\r\nSQLiteDatabaseBrowserPortable.exe\r\nThe above listed files are further described in Appendix 1.\r\n4. New findings\r\nGaza Cybergang attackers have been continuously evolving their skills on different levels, using new methods and\r\ntechniques to deliver malware, in addition to adapting social engineering decoys to regional political and humanitarian\r\nincidents.\r\nIn mid-2017, the attackers were discovered inside an oil and gas organization in the MENA region, infiltrating systems and\r\npilfering data, apparently for more than a year. The malware files that were found had been reported previously:\r\nhttps://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/\r\nWhile traces of Android mobile malware have been spotted, attackers have continuously used the Downeks downloader and\r\nthe Quasar or Cobaltstrike RATs to target Windows devices, enabling them to obtain remote access spying and data\r\nexfiltration abilities. This is now achieved more efficiently using the CVE 2017-0199 vulnerability which enables direct\r\ncode execution abilities from a Microsoft office document on non-patched victim Windows systems. 
The use of Microsoft\r\nAccess database files has also enabled the attackers to maintain low levels of detection, as it’s not an uncommon method to\r\ndeliver malware.\r\nThese developments have helped the attackers continue their operations, targeting a variety of victims and organizations,\r\nsometimes even bypassing defences and persisting for prolonged periods.\r\n4.1. The extended use of humanitarian and political causes in social engineering attacks\r\nAttackers have continuously targeted victims and organizations in government entities/embassies, oil and gas, media/press,\r\nactivists, politicians, and diplomats.\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 3 of 12\n\nThe Gaza cybergang relies increasingly on advanced and up-to-date social engineering techniques with political and\r\nhumanitarian aspects that directly reflect regional incidents. Here is a short list of incidents that were each used multiple\r\ntimes:\r\nPalestinian Government not paying salaries to Gaza employees\r\nPalestinian prisoners’ hunger strike in Israeli jails\r\nThe political crisis in Qatar\r\nRecent targets for the group seem to be varied in nature, the attackers do not appear to be choosing targets selectively, but\r\nrather seeking any type of intelligence.\r\n4.1.1. Example lure\r\nMD5: 66f144be4d4ef9c83bea528a4cd3baf3\r\n????? ????? ??? ?????? ???????? ?? ?????? ????? ???????.exe\r\n(Translation: A statement by the Emir of Qatar accusing the UAE of breaking the news agency)\r\nAttackers have recently used political events related to the Qatar political crisis in the Middle East in targeting their victims.\r\nOriginal filename: Qatar-27-5-2017.rar\r\nExtracts to 66f144be4d4ef9c83bea528a4cd3baf3\r\n????? ????? ??? ?????? ???????? ?? ?????? ????? 
???????.exe\r\nSha256 7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04\r\nC2: moreoffer[.]life\r\nFirst seen: 27 May 2017\r\nTranslation: new details on the hack of the Qatar News Agency\r\n4.2. The use of Microsoft Access files with macros\r\nMicrosoft Access files with macro is another new development by the attacker group. MS Access database-embedded\r\nmacros are proving to have very low detection rates.\r\nMD5: 6d6f34f7cfcb64e44d67638a2f33d619\r\nFilename: GAZA2017.mdb\r\nC1: http://download.data-server.cloudns[.]club/GAZA2017.mdb\r\nDownloads and executes:\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 4 of 12\n\ndata-server.cloudns[.]club/wordindexer.exe\r\ndata-server.cloudns[.]club/indexer.exe\r\nTranslation: database of employees not receiving salaries, click “enable content” to see data\r\nDecrypted code\r\n4.3. Exploitation of the CVE 2017-0199 vulnerability\r\nMD5: 87a67371770fda4c2650564cbb00934d\r\nFirst seen: 20-06-2017\r\nFilenames:\r\ndoc\r\n???? ????? ???? ????? ??? ????????.doc (Translation: the points of agreement between Hamas and the reforment\r\nFateh movement)\r\n???? ?????? ?????? ??? ??????.doc (Translation: minutes of the tonight Fateh meeting)\r\n???? ?? ???? ???????? ??? ???????? ???????.doc (Translation: An advance on salary or full salary for employees next\r\nTuesday?)\r\nThe attacks are a typical exploitation of CVE-2017-0199, starting with an email that distributes a malicious RTF document.\r\nThe vulnerability is in the code that handles Ole2Link embedded objects, which allows Microsoft Office Word to run remote\r\nfiles, downloaded in this case from 138.68.242[.]68. The downloaded payload is Cobaltstrike, which then connects to\r\nlol.mynetav[.]org to receive commands from the attackers. Additional details on the Gaza cybergang’s use of CVE 2017-\r\n0199 with Cobaltstrike, can be found here: http://bobao.360.cn/learning/detail/4193.html\r\n4.4. 
Possible Android mobile malware\r\nTraces of APK files have been seen on one of the attackers’ command centers, starting from 23-04-2017.\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 5 of 12\n\nURL: http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse[.]com/Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk\r\nThe file name (Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk), is an Android application file hiding as a popular\r\ngame. We believe the android Trojan could be related to a previously investigated Android Trojan around the Gaza strip:\r\nhttps://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/\r\n5. Conclusion\r\nThe Gaza Cybergang has demonstrated a large number of attacks and advanced social engineering, in addition to active\r\ndevelopment of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving\r\ntheir toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of\r\nattacks to intensify in the near term, both in terms of quality and quantity.\r\nIn order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following\r\nmeasures:\r\nEducate staff to be able to distinguish spear-phishing emails or a phishing link from legitimate emails and links\r\nUse proven corporate grade security solution in combination with anti-targeted attacks solutions capable of catching\r\nattacks by analyzing network anomalies\r\nProvide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for\r\ntargeted attacks prevention and discovery, such as indicators of compromise and YARA rules\r\nMake sure enterprise grade patch management processes are well established and executed.\r\nMore information about Gaza cybergang is available to customers of Kaspersky Intelligence Reporting Service. 
Contact:\r\nintelreports@kaspersky.com\r\n6. Appendix 1: malware files description and decoys\r\nIn the following, we list the description of malware files found from March 2017, including decoys used, first dates files\r\nseen, parent files…\r\n6.1. b7390bc8c8a9a71a69ce4cc0c928153b\r\nParent file: 970e6188561d6c5811a8f99075888d5f 5-4-2017.zip\r\nC2: moreoffer[.]life\r\nFirst seen: 5 April 2017\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 6 of 12\n\nTranslation: Get to know the women wearing niqab and talking bad about the kingdom\r\n6.2. f43188accfb6923d62fe265d6d9c0940\r\nFilename: Gcc-Ksa-uae.exe\r\nC2: moreoffer[.]life (185.11.146[.]68)\r\nFirst Seen: 21 March 2017\r\nTranslation: the permanent delegation of the cooperation council for the Arab states of the Gulf (GCC) to the United Nation\r\nand other international organizations, Geneva\r\n6.3. 056d83c1c1b5f905d18b3c5d58ff5342\r\n?????? ????? ?????? ????? ???????.Filename: exe\r\nTranslation: Correspondence regarding the meeting of Heads of Missions (Saudi related)\r\nParent file: fb549e0c2fffd390ee7c4538ff30ac3e\r\nC2: moreoffer[.]life\r\nFirst Seen: 16 March 2017\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 7 of 12\n\nTranslation: The fourth foreign meeting of the Kingdom’s head of missions under the title “message of the embassador”.\r\n6.4. 0ee4757ab9040a95e035a667457e4bc6\r\nFilename: 27-4-2017 Fateh Gaza plo.exe\r\nC2: signup.updatesforme[.]club\r\nFirst seen 27 April 2017\r\nTranslation: Clarification report\r\n6.5. 7bef124131ffc2ef3db349b980e52847\r\n???? ??????? ???? -???? ???? ?????? ??????? .exe\r\n(Translation: Brother Ismail Haniyah – Deputy Head of the Political Bureau)\r\nC2: ping.topsite[.]life\r\nFirst seen: 14 March 2017\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 8 of 12\n\nTranslation: Brother Ismail Haniyah – Deputy Head of the Political Bureau\r\n6.6. 
70d03e34cadb0f1e1bc6f4bf8486e4e8\r\ndownload-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe\r\nC1: download-file.duckdns[.]org\r\nC2: ping.topsite[.]life\r\nFirst seen: 30 March 2017\r\nTranslation: methods to apply the palestinian national agreement pact.\r\n6.7. 67f48fd24bae3e63b29edccc524f4096\r\nC1: http://alasra-paper.duckdns[.]org/send/?????_???_?????? ???????_?????_?? ????_???.rar\r\nC2: ping.topsite[.]life\r\nRAR extracts to: 5d74487ea96301a933209de3d145105d\r\n?????_???_??????? ???????_?????_?? ????_???.exe\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 9 of 12\n\nFirst seen: 17 April 2017\r\nTranslation: a severely threatening message from Abbas’s delegation to Hamas\r\n6.8. 7b536c348a21c309605fa2cd2860a41d\r\nC1: http://alasra-paper.duckdns[.]org/send/????_??????_???????_???_??????? .rar\r\nExtracts to: d973135041fd26afea926e51ce141198, named (RTLO technique):\r\n???? ?????? ??????? ??? ??????? .exe\r\nTranslation: captives paper submitted to stop the strike\r\nC2:ping.topsite[.]life\r\nFirst seen: 17 April 2017\r\nTranslation: The primary demands of the captives in the strike of freedom and dignity\r\n6.9. cf9d89061917e9f48481db80e674f0e9\r\n????? ???? ???? ??? ?? ??? ???? ????? ??? .exe c11516cd8c797f0182d63cdf343d08ed\r\nhttps://securelist.com/gaza-cybergang-updated-2017-activity/82765/\r\nPage 10 of 12\n\nTranslation: Documents published for the first time on Hamas ruling of Gaza Strip\r\nC1: http://hamas-wathaq.duckdns[.]org/send/?????_????_????_???_??_???_????_?????_???.rar\r\nC2:ping.topsite[.]life\r\nFirst seen: 16 April 2017\r\nTranslation: Scandals and facts published for the first time on Hamas’s ruling of Gaza Strip\r\n7. Appendix 2: List of IOCs\r\n7.1. 
Malicious domain names\r\n7.2. IP addresses\r\n7.3. Hashes\r\nSource: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/"
	],
	"report_names": [
		"82765"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3816c046dc3492252cc07d6a4d3f02c1f05fb0a5.pdf",
		"text": "https://archive.orkl.eu/3816c046dc3492252cc07d6a4d3f02c1f05fb0a5.txt",
		"img": "https://archive.orkl.eu/3816c046dc3492252cc07d6a4d3f02c1f05fb0a5.jpg"
	}
}