{
	"id": "295ce0f1-73a0-4759-bb98-06090aeee96a",
	"created_at": "2026-04-06T00:18:28.588056Z",
	"updated_at": "2026-04-10T03:38:03.492261Z",
	"deleted_at": null,
	"sha1_hash": "54651db80cdb7441221f11b1ee164080a6ff6302",
	"title": "Middle East users targeted by Molerats APT | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2684589,
	"plain_text": "Middle East users targeted by Molerats APT | Zscaler Blog\r\nBy Sahil Antil, Sudeep Singh\r\nPublished: 2022-01-20 · Archived: 2026-04-05 18:32:35 UTC\r\nIntroduction\r\nIn December 2021, the ThreatLabz research team identified several macro-based Microsoft Office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VirusTotal (VT). These files contained decoy themes related to the geopolitical conflict between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.\r\nDuring our investigation we discovered that the campaign has been active since July 2021. The attackers switched the distribution method only in December 2021, with minor changes to the .NET backdoor. In this blog, we share a complete technical analysis of the attack chain, the C2 infrastructure, threat attribution, and data exfiltration.\r\nThe targets in this campaign were chosen specifically by the threat actor. They included key members of the banking sector in Palestine, people related to Palestinian political parties, and human rights activists and journalists in Turkey.\r\nThreatLabz observed several similarities in the C2 communication and the .NET payload between this campaign and previous campaigns attributed to the Molerats APT group.\r\nAdditionally, we discovered multiple samples that we suspect are related to the Spark backdoor. We have not included the analysis of these samples in this blog, but they were all configured with the same C2 server, which is listed in the IOCs section.\r\n \r\nThreat attribution\r\nWe have attributed the attack to the Molerats APT group based on the following observations:\r\n1. Use of open-source as well as commercial packers for the backdoor (ConfuserEx, Themida)\r\n2. Targeting the Middle East region\r\n3. Using the Dropbox API for all C2 communication\r\n4. Using RAR files for backdoor delivery as well as in later stages\r\n5. 
Using other legitimate cloud hosting services such as Google Drive to host the payloads\r\n6. Overlap of the SSL certificate thumbprint observed on the current attack infrastructure with domains used by the Molerats APT group in the past\r\n7. Overlap of the passive DNS resolution of a domain observed on the current attack infrastructure with an IP used by the Molerats APT group in the past\r\n \r\nhttps://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east\r\nPage 1 of 22\n\nAttack flow\r\nFigure 1 below illustrates the new attack chain.\r\nFigure 1: Attack chain\r\n \r\nDecoy content\r\nMD5: 46e03f21a95afa321b88e44e7e399ec3\r\nNote: Please refer to the Appendix section for additional decoy contents.\r\n \r\nTechnical analysis\r\nFor the purpose of technical analysis we will use the document with MD5 46e03f21a95afa321b88e44e7e399ec3.\r\n[+] Stage-1: Macro code\r\nThe macro code is not complex or obfuscated. It simply executes a command using cmd.exe which in turn performs the following operations:\r\n1. Executes a PowerShell command to download the Stage-2 payload from the URL “http://45.63.49[.]202/document.html” and drop it at the path “C:\\ProgramData\\document.htm”.\r\n2. Renames document.htm to servicehost.exe\r\n3. 
Executes servicehost.exe\r\nFigure 2 below shows the relevant macro code.\r\nFigure 2: Macro code\r\n[+] Stage-2: servicehost.exe\r\n# Static analysis\r\nBased on static analysis, the binary is .NET-based and is obfuscated using the ConfuserEx packer. It masquerades as a WinRAR application by using the icon and other resources (which also contain static strings) taken from the legitimate WinRAR application.\r\nFigure 3: Binary icon and other static information\r\n# Dynamic analysis\r\nThe main function of the binary is the standard ConfuserEx stub, which is responsible for loading the runtime module \"koi\" that is stored in encrypted form in a byte array. Once the module is loaded, the main function resolves the module's entry point using its metadata token and invokes it with the required parameters.\r\nFigure 4: Code snippet loading the runtime module and invoking its entry point function\r\nOn analysis, the runtime module (\"koi\") is found to be a backdoor. Before the main function of the module is called, code in the module constructor runs and creates a new thread that regularly checks for the presence of a debugger.\r\nFigure 5: Code snippet of the debugger monitoring function\r\nOnce the debugger monitor thread is created, execution reaches the main function of the module, which ultimately leads to the backdoor execution. Within the main function the backdoor performs the following operations:\r\n1. Collects the machine manufacturer and machine model information using WMI; this is used for execution environment checks and is later exfiltrated to the C2 server.\r\n2. 
Checks if it should execute in the current execution environment.\r\n3. Creates a mutex named after the executing binary.\r\n4. Checks if the mutex was created successfully.\r\n5. Determines if it is being executed for the first time using the registry value \"HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}\".\r\n6. If the registry key doesn't exist, the code flow goes through a mouse check function which continues execution only if it detects a change in either of the mouse cursor coordinates. At the end, the mouse check function also creates the same registry key.\r\nFigure 6: Main function of the backdoor\r\n[+] Network communication\r\nFrom the main function the code flow finally reaches the function which starts the network communication. Since the backdoor uses the Dropbox API for all C2 communication and data exfiltration, it first extracts the primary Dropbox account token, which is stored in encoded form within the binary. Figure 7 below describes the format and shows the encoded string that contains the Dropbox account token.\r\nFigure 7: Encoded string\r\nNext, the backdoor collects the following information from the victim machine:\r\n1. Machine IP address: by making a network request to “https://api.ipify.org”\r\n2. UserName: from the environment variable\r\n3. HostName: using the API call Dns.GetHostName()\r\nThe collected information is then processed and stored in a variable named “UserInfo” by performing the following operations:\r\n1. Concatenation (IP+UserName+HostName)\r\n2. Base64 string encode\r\n3. Substitution (substitute “=” with “1”)\r\n4. 
String reverse\r\nNext, the backdoor sends the following network requests in the specified sequence using the Dropbox API and performs the corresponding operations:\r\n1. Create Folder: create a folder inside the root directory, where the folder name is the value of the UserInfo variable.\r\nNote: The created folder acts as a unique identifier for a machine, assuming the machine's IP remains static.\r\n2. Create File: create a file inside the newly created folder, where the file name is the machine IP and the data it stores is the information collected in Step-1 of the main function.\r\n3. List Content: list the content of the victim-specific folder and delete files whose file name length is 15.\r\n4. List Content: list the content of the root directory (which is attacker controlled) and extract the following information:\r\na) File name of any hosted RAR archive\r\nb) File name of any hosted exe (found to be the legitimate RAR command-line utility, used to extract the downloaded RAR archive in case the machine doesn't already have an application that supports RAR archives)\r\nc) File name of any hosted pdf or doc file (used as a decoy document)\r\nd) File name of any file of a non-specific type (based on our analysis it contains the secondary Dropbox account token that is used for file exfiltration from the victim machine)\r\nNote: The extracted information is stored locally and is used wherever required.\r\nFinally, if the backdoor is executing for the first time, it downloads and opens the hosted pdf or doc file and then calls two other functions: the first creates a thread that continuously communicates with the Dropbox account to fetch and execute C2 commands, while the second creates a thread that downloads and executes the RAR archive using the information extracted earlier.\r\n[+] C2 
Commands\r\nThe backdoor creates a file inside the victim-specific folder on Dropbox which is used to fetch C2 commands. The file name is a random string of 15 characters.\r\nThe C2 commands have the following format:\r\n[command code]=[command arguments separated using “^”]\r\nThe backdoor uses command codes instead of plaintext strings to determine the action to be performed. The table below summarizes the supported command codes:\r\n \r\nCommand code | Action performed\r\n1 | Run specified command\r\n2 | Take snapshot and upload\r\n3 | Send list of files from specified directories\r\n4 | Upload files\r\n5 | Download and execute the RAR archive\r\nC2 infrastructure analysis\r\nWhile monitoring the IPs used during the current attack we observed that the domain \"msupdata.com\" started to resolve to the IP 45.63.49[.]202 from 27-12-2021. We found two historical SSL certificates associated with this domain. Pivoting on the SSL certificate with thumbprint \"ec5e468fbf2483cab74d13e5ff6791522fa1081b\" we found domains such as \"sognostudio.com\", \"smartweb9.com\" and others, all of which were attributed to the Molerats APT group during past attacks.\r\nAdditionally, the subdomain “www.msupdata.com” also has a passive DNS resolution to the IP 185.244.39[.]165, which was associated with the Molerats APT group in the past.\r\nNote: We didn't observe any activity related to the domain \"msupdata.com\" or its subdomain “www.msupdata.com” up to the release of this blog.\r\n \r\nPivot on the Dropbox accounts\r\nBased on our analysis, at least five Dropbox accounts are being used by the attacker. 
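The per-victim folder names in these accounts are the UserInfo values derived in the Network communication section above (IP + UserName + HostName, base64-encoded, '=' replaced by '1', then reversed), so anyone reviewing the account listing can reverse them to the victim's public IP, username and hostname. The following Python is an added example written for this page, not code from the original post or from the backdoor: it reproduces the four encoding steps, adds a decoder that handles the ambiguity introduced by the '=' to '1' substitution, and parses the [command code]=[arguments separated by ^] C2 format using the command codes from the table above. The victim values are constructed, and the decoder's padding heuristic is my own assumption, not behaviour described in the post.

```python
import base64

# Constructed sample victim values (not from the original post).
SAMPLE_IP = '203.0.113.42'
SAMPLE_USER = 'jdoe'
SAMPLE_HOST = 'DESKTOP-1'

# Standard base64 alphabet, used to check canonical padding during decoding.
B64_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Command codes and actions as given in the C2 command table of the post.
C2_ACTIONS = {
    1: 'run specified command',
    2: 'take snapshot and upload',
    3: 'send list of files from specified directories',
    4: 'upload files',
    5: 'download and execute the RAR archive',
}


def encode_userinfo(ip, user, host):
    # Reproduces the four UserInfo steps described in the post.
    raw = ip + user + host                                       # 1. concatenate
    b64 = base64.b64encode(raw.encode('utf-8')).decode('ascii')  # 2. base64
    b64 = b64.replace('=', '1')                                  # 3. '=' -> '1'
    return b64[::-1]                                             # 4. reverse


def decode_userinfo(folder_name):
    # Inverse of encode_userinfo (this decoder is my addition; the backdoor only
    # encodes). Step 3 is lossy: a trailing '1' may be real base64 data or a
    # replaced '=' pad. Canonical base64 forces the low 2 bits (one pad) or low
    # 4 bits (two pads) of the last data character to zero, so each padding
    # hypothesis is checked against that rule and against the result being
    # printable text. All surviving interpretations are returned.
    b64 = folder_name[::-1]
    if len(b64) % 4 != 0:
        return []
    candidates = []
    for pad in (0, 1, 2):
        if pad and not b64.endswith('1' * pad):
            continue
        body = b64[:len(b64) - pad]
        if pad:
            last_val = B64_ALPHABET.find(body[-1])
            if last_val < 0 or last_val & ((1 << (2 * pad)) - 1):
                continue
        try:
            text = base64.b64decode(body + '=' * pad, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            candidates.append(text)
    return candidates


def parse_c2_command(line):
    # Parses one line in the documented [code]=[arg^arg^...] format.
    # Returns (code, action, args) or None for malformed or unknown codes.
    code_str, sep, arg_str = line.partition('=')
    if not sep or not code_str.isdigit():
        return None
    code = int(code_str)
    if code not in C2_ACTIONS:
        return None
    args = arg_str.split('^') if arg_str else []
    return code, C2_ACTIONS[code], args


if __name__ == '__main__':
    folder = encode_userinfo(SAMPLE_IP, SAMPLE_USER, SAMPLE_HOST)
    print('Dropbox folder name:', folder)
    print('Decoded candidates :', decode_userinfo(folder))
    print(parse_c2_command('3=C:^D:'))
```

Because the substitution step is lossy, decode_userinfo returns a list: for most folder names it holds exactly one entry, but a name whose base64 form genuinely ends in the character 1 can decode two ways. The IP, username and hostname are also concatenated without a separator, so splitting the decoded string still needs a heuristic such as matching the leading IPv4 address.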
While investigating the Dropbox accounts we found that the attacker used the following information during account registration.\r\nNote: Dropbox has confirmed the takedown of these accounts associated with the Molerats APT group.\r\nAccount 1:\r\nName: Adham gherbawi\r\nCountry: NL (Netherlands)\r\nEmail: adham.gharbawi@gmail[.]com\r\nAccount 2:\r\nName: alwatan voice\r\nCountry: NL (Netherlands)\r\nEmail: alwatanvoiceoffice@gmail[.]com\r\nAccount 3:\r\nName: adham gharbawi\r\nCountry: NL (Netherlands)\r\nEmail: adham.ghar.bawi@gmail[.]com\r\nAccount 4:\r\nName: pal leae\r\nCountry: PS (Palestine)\r\nEmail: palinfoarabic@gmail[.]com\r\nAccount 5:\r\nName: pla inod\r\nCountry: PS (Palestine)\r\nEmail: palinfo.arabic@gmail[.]com\r\nAlso, while analyzing the data exfiltrated to the Dropbox accounts, we found a screenshot of the attacker machine which was likely uploaded while the attacker was testing the malware. We correlated a number of artifacts and patterns in the file names visible in the screenshot with those used during the real attack. Moreover, from the screenshot the attacker appears to be using a simple GUI application to sync with the Dropbox account and display the victims list. 
In the victims list, the user name \"mijda\" is also present, which matches the document creator name “mij daf” found in all the documents we identified during this attack.\r\nFigure 8: Screenshot of the attacker machine\r\nAdditionally, we discovered that the attacker machine was configured with the IP 185.244.39[.]105, which is located in the Netherlands and is associated with the VPS service provider \"SKB Enterprise B.V.\".\r\nInterestingly, this IP (185.244.39[.]105) is also located in the same subnet as the IP 185.244.39[.]165, which was used for C2 communication and domain hosting in the past by the Molerats APT group.\r\n \r\nPivot on Google Drive link\r\nSince the attacker also used Google Drive to host the payload in one of the attack chains, we tried to identify the associated Gmail account. Based on our analysis the attacker used the following information for the Gmail account:\r\nAccount name: Faten Issa\r\nEmail: issafaten584@gmail[.]com\r\n \r\nOld attack chain\r\nAs per our analysis the old attack chain was used from 13th July 2021 (start of the campaign) to 13th December 2021. Figure 9 below illustrates the old attack chain.\r\nFigure 9: Attack chain\r\nThe major difference between the new attack chain and the old attack chain is in the backdoor delivery. We are not certain how these RAR/ZIP files were delivered, but considering past attacks they were likely delivered using phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token. In the old attack chain the backdoor fetched the encoded string containing the primary Dropbox account token from attacker-hosted content on “justpaste.it”. 
Figure 10 below shows the attacker-hosted encoded string that contains the Dropbox account token and also describes the corresponding format.\r\nFigure 10: Attacker-hosted encoded string\r\nZscaler Sandbox Detection\r\n[+] Detection of the macro-based Document\r\n[+] Detection of the macro-based PowerPoint file\r\n[+] Detection of the payload\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the Molerats APT group at various levels:\r\nWin32.Trojan.MoleratsAPT\r\nPDF.Trojan.MoleRatsAPT\r\nMITRE ATT\u0026CK TTP Mapping\r\nID | Technique | Description\r\nT1566.001 | Phishing: Spearphishing Attachment | Uses doc-based attachments with a VBA macro\r\nT1204.002 | User Execution: Malicious File | User opens the document file and enables the VBA macro\r\nT1059.001 | Command and Scripting Interpreter: PowerShell | VBA macro launches PowerShell to download and execute the payload\r\nT1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payload\r\nT1082 | System Information Discovery | Sends processor architecture and computer name\r\nT1083 | File and Directory Discovery | Sends the list of files from specified directories on the victim machine\r\nT1005 | Data from Local System | Uploads files from the victim machine\r\nT1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Data is uploaded to Dropbox via its API\r\nT1113 | Screen Capture | The C2 command code \"2\" corresponds to taking a screenshot and uploading it to the attacker-controlled Dropbox account\r\nIndicators of compromise\r\n[+] Hashes\r\n \r\nMD5 | File Name | Description\r\n46e03f21a95afa321b88e44e7e399ec3 
15-12.doc | Document\r\n5c87b653db4cc731651526f9f0d52dbb | 11-12.docx | Document\r\n105885d14653932ff6b155d0ed64f926 | report2.dotm | Template\r\n601107fc8fef440defd922f00589e2e9 | 4-1.doc | Document\r\n9939bf80b7bc586776e45e848ec41946 | 19-12.pptm | PPT\r\n054e18a1aab1249f06a4f3e661e3f38a | األحرار وفاء صفقة أجندة.pptm | PPT\r\ne72d18b78362e068d0f3afa040df6a4c | wanted persons.ppt | PPT\r\nebc98d9c96065c8f1c0f4ce445bf507b | servicehost.exe | Exe (Confuser packed)\r\nc7271b91d190a730864cd149414e8c43 | su.exe | Exe (Themida packed)\r\n00d7f155f1a9b29be2c872c6cad40026 | servicehost.exe | Exe (Confuser packed)\r\n2dc3ef988adca0ed20650c45735d4160 | cairo hamas office.rar | RAR\r\n3e5ee96f9356e4483479ee4e1574f52a | exe. شروح حركة حماس لفتح مقر دامئ لها في القاهرة | Exe (Confuser packed)\r\nb9ad53066ab218e40d61b299bd2175ba | details.rar | RAR\r\nf054f1ccc2885b45a71a1bcd0dd711be | تفاصيل صادمة لعملية هروب األسرى الستة من سجن exe.جلبوع | Exe (Themida packed)\r\nb7373b976bbdc5356bb89e2cba1540cb | emergency.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | متابعة الحالة الصحية للرئيس الفلسطيين ابو مازن -16 2021-09.exe | Exe (Confuser packed)\r\n8884b0d29a15c1b6244a6a9ae69afa16 | excelservice.rar | RAR\r\n270ee9d4d22ca039539c00565b20d2e7 | idf.rar | RAR\r\n8debf9b41ec41b9ff493d5668edbb922 | Ministry of the Interior statement 26-9-2021.exe | Exe (Themida packed)\r\nd56a4865836961b592bf4a7addf7a414 | images.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | شاهد ما التقطه كامريات المراقبة أحداث التحرش الجنيس exe.ألشهر 100 اعالمي في العالم | Exe (Confuser packed)\r\n59368e712e0ac681060780e9caa672a6 | meeting.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | محضر اجتماع نائبة الرئيس األمريكي ووزير الخارجية exe. االسرائيلي | Exe (Confuser packed)\r\n99fed519715b3de0af954740a2f4d183 | ministry of the interior 23-9-2021.rar | RAR\r\n8debf9b41ec41b9ff493d5668edbb922 | Ministry of the Interior statement 23-9-2021.exe | Exe (Themida packed)\r\nbd14674edb9634daf221606f395b1e1d | moi.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | لقاءها عباس الرئيس طلب على ترد شاكيد أيليت.exe | Exe (Confuser packed)\r\n04d17caf8be87e68c266c34c5bd99f48 | namso.rar | RAR\r\nc7271b91d190a730864cd149414e8c43 | namso.exe | Exe (Themida packed)\r\n217943eb23563fa3fff766c5ec538fa4 | rafah passengers.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | الربي رفح معرب عرب السفر تنسيقات كشف .exe | Exe (Confuser packed)\r\nfef0ec9054b8eff678d3556ec38764a6 | sa.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | وعودات عربية وأمريكية بالتحرك لإلفراج عن معتقلي exe.حماس في السعودية | Exe (Confuser packed)\r\n32cc7dd93598684010f985d1f1cea7fd | shahid.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | شاهد ما التقطه كامريات المراقبة أحداث التحرش الجنيس exe.ألشهر 100 اعالمي في العالم | Exe (Confuser packed)\r\n1dc3711272f8e9a6876a7bccbfd687a8 | sudan details.rar | RAR\r\nf054f1ccc2885b45a71a1bcd0dd711be | قيادي فلسطيين شارك في محاولة االنقالب في السودان.exe | Exe (Themida packed)\r\nda1d640dfcb2cd3e0ab317aa1e89b22a | tawjihiexam.rar | RAR\r\n31d07f99c865ffe1ec14c4afa98208ad | Israel-Hamas Prisoner Exchange Progress.exe | Exe (Confuser packed)\r\nb5e0eb9ca066f5d97752edd78e2d35e7 | المتوقع االجتماع أجندة.rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | أجندة االجتماع المزمع عقده األسبوع القادم - ملفات exe.شائكة تنتظر االجتماع المتوقع | Exe (Confuser packed)\r\nb65d62fcb1e8f7f06017f5f9d65e30e3 | االجتماع مجريات .rar | RAR\r\na52f1574e4ee4483479e9356f96ee5e3 | مجريات االجتماع الثنائي وأهم النقاط اليت تمس األمن exe.القومي المصري | Exe 
(Confuser packed)\r\n933ffc08bcf8152f4b2eeb173b4a1e26 | israelian attacks.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | Israelians Attacks during the years 2020 to 2021.exe | Exe (Confuser packed)\r\n1478906992cb2a8ddd42541654e9f1ac | patient satisfaction survey.zip | ZIP\r\n31d07f99c865ffe1ec14c4afa98208ad | Patient Satisfaction Survey Patient Satisfaction Survey.exe | Exe (Confuser packed)\r\n33b4238e283b4f6100344f9d73fcc9ba | الثانية الجلسة.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | تمر مسارات السنويتفاصيل الجلسة الثانية من مؤ exe.العاشر | Exe (Confuser packed)\r\n1f8178f9d82ac6045b6c7429f363d1c5 | لحماس طالبان رسائل.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | رسائل طالبان لحماس فيما يخص الشأن الرتكي exe.وحساسية الموقف بني كل منهم | Exe (Confuser packed)\r\nc7d19e496bcd81c4d16278a398864d60 | سياسية اتجاهات مجلة.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | والعشرون الخامس العدد سياسية اتجاهات مجلة.exe | Exe (Confuser packed)\r\n1bae258e219c69bb48c46b5a5b7865f4 | مقرتح.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | مقرتح احياء ذكرى أبو علي مصطفى ـ مقرتح احياء ذكرى exe.أبو علي مصطفى | Exe (Confuser packed)\r\n547334e75ed7d4eea2953675b07986b4 | المنظمة تمر مؤ.zip | ZIP\r\n4ae0048f67e878fcedfaff339fab4fe3 | لبنان في المنظمة تمرتمر المنظمة في لبنان - مؤexe.مؤ | Exe (Confuser packed)\r\n[+] Download URLs\r\n \r\nComponent | URL\r\nTemplate | https://drive.google[.]com/uc?export=download\u0026id=1xwb99Q7duf6q7a-7be44pCk3dU9KwXam\r\nExe | http://45.63.49[.]202/document.html\r\nExe | http://23.94.218[.]221/excelservice.html\r\nExe | http://45.63.49[.]202/doc.html\r\nExe | http://45.63.49[.]202/gabha.html\r\n[+] Molerats associated IPs\r\n45.63.49[.]202\r\n23.94.218[.]221\r\n185.244.39[.]165\r\n[+] 
Molerats associated domains\r\nmsupdata[.]com\r\nwww.msupdata[.]com\r\n# Spark backdoor\r\nbundanesia[.]com\r\n[+] File system artifacts\r\n# Dropped binary\r\nC:\\ProgramData\\servicehost.exe\r\n{current_working_directory}\\su.exe\r\nAppendix\r\nMD5: 5c87b653db4cc731651526f9f0d52dbb\r\nMD5: 105885d14653932ff6b155d0ed64f926\r\nMD5: e72d18b78362e068d0f3afa040df6a4c\r\nSource: https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east"
	],
	"report_names": [
		"new-espionage-attack-molerats-apt-targeting-users-middle-east"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54651db80cdb7441221f11b1ee164080a6ff6302.pdf",
		"text": "https://archive.orkl.eu/54651db80cdb7441221f11b1ee164080a6ff6302.txt",
		"img": "https://archive.orkl.eu/54651db80cdb7441221f11b1ee164080a6ff6302.jpg"
	}
}