{
	"id": "0ef00147-e883-4506-911c-2573d253e4fb",
	"created_at": "2026-04-06T00:15:16.967153Z",
	"updated_at": "2026-04-10T03:37:50.14557Z",
	"deleted_at": null,
	"sha1_hash": "64a5fe84d6966af00822ce20d7a458b4e34ce563",
	"title": "ITG05 ops leverage Israel Hamas conflict lures to deliver Headlace malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8391867,
	"plain_text": "ITG05 ops leverage Israel Hamas conflict lures to deliver Headlace\r\nmalware\r\nBy Golo Mühr, Claire Zaboeva, Joe Fasulo\r\nPublished: 2023-12-08 · Archived: 2026-04-05 18:23:16 UTC\r\nClaire Zaboeva\r\nSenior Strategic Cyber Threat Analyst\r\nIBM\r\nAs of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the\r\nongoin Israel-Hgamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly\r\ndiscovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic\r\ndocuments created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from\r\na single specific country can receive the malware, indicating the highly targeted nature of the campaign.\r\nX-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing\r\noverlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard.\r\nThe contents of each lure contain themes relevant to a unique audience interested in research and policy creation.\r\nThe nature of the lures suggests activity is directed at entities with direct influence on the allocation of\r\nhumanitarian aid, primarily those based in Europe. Our discovery includes multiple legitimate documents\r\nassociated with finance, think tanks, educational organizations and government and nongovernment organizations\r\n(NGOs) leveraged as lure materials. 
These files are featured in larger infection chains associated with the delivery of the ITG05-exclusive Headlace backdoor, which is capable of facilitating multiple malicious actions on objectives.\r\nIt is unclear precisely how many entities were impacted by the campaign, but our analysis indicates that organizations in the following countries were targeted: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania. Of note, all but one of the 13 nations featured in the geolocation perimeters for downloading Headlace are United Nations Human Rights Council members.\r\nIt is highly likely that the compromise of any echelon of global foreign policy centers would serve officials’ interests by providing advanced insight into critical dynamics surrounding the International Community’s (IC) approach to competing priorities for security and humanitarian assistance.\r\nKey findings\r\nThis is the first known use of the Israel-Hamas conflict by ITG05 to conduct campaigns delivering the exclusive Headlace backdoor.\r\nhttps://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/\r\nPage 1 of 22\n\nThe campaign leverages documents associated with the United Nations, the Bank of Israel, the United States Congressional Research Service, the European Parliament, a Ukrainian think tank and an Azerbaijan-Belarus Intergovernmental Commission.\r\nX-Force observed the deployment of Headlace and secondary payloads to be specifically targeted toward at least 13 nations.\r\nSome of the uncovered lures are contained in a .RAR archive exploiting the CVE-2023-38831 vulnerability; others use DLL hijacking to run Headlace.\r\nHeadlace is a multi-component malware including a dropper, a VBS launcher and a backdoor that uses MS Edge in headless mode to continuously download secondary payloads, likely to exfiltrate credentials and sensitive 
information.\r\nBackground\r\nIn early September 2023, CERT-UA reported APT28 was attempting to use new malware named Headlace to access a critical energy infrastructure entity in Ukraine. This involved APT28 using the Mockbin and Mocky API websites to stage malicious archives retrieved by JavaScript droppers. In late September 2023, Zscaler published details of a similar campaign targeting the theft of NTLM hashes from victims in Poland, Austria and Belgium by using adult-themed lures and the Mockbin API for data extraction.\r\nIn late 2023, X-Force uncovered eight lure documents created between early August and early December 2023, likely leveraged in phishing campaigns crafted to ultimately distribute ITG05’s Headlace backdoor. X-Force research confirmed the majority of the files are directly derived from publicly available official documents created by the Bank of Israel, the U.S. Congressional Research Service, the United Nations, the European Parliament, the French digital education service Cahier de Prépa and the Ukraine-based Razumkov Centre think tank.\r\nThe remaining lures appear to be internal documents associated with legal amendments to a Turkish manual regarding technical installations, and with interstate agreements facilitated by the Joint Intergovernmental Commission between the Republic of Azerbaijan and the Republic of Belarus on Economic Cooperation. 
Of note, the contents of most of the lure documents feature news, updates or information regarding developments in Ukraine and the Levant.\r\nThe use of official documents as lure material is a departure from previously observed ITG05 activity featuring the delivery of the Headlace backdoor, which used adult-themed material to engender victim engagement. This change in lure content may indicate ITG05’s increased emphasis on a unique target audience whose interests would prompt interaction with material impacting emerging policy creation. State-sponsored cyber capabilities will likely continue to be leveraged to furnish domestic decision-makers with exclusive access to the political resolve and resource priorities of the IC and individual states.\r\nAnalysis: From decoy documents to phishing lures\r\nPreviously, ITG05 operations featuring the Headlace backdoor were preceded by numerous decoy documents featuring adult themes. However, during the past month, X-Force observed a change in tactic: the threat actor now also uses the decoys as lures to trick users into accessing the attachments. The majority of the uncovered lures feature English-language text, except for one Turkish-language and one Russian-language document. The text of each of the decoys contains themes that would likely not appear alarming to a unique audience interested in research and policy creation. The following is a selection of uncovered lure documents used in conjunction with Headlace:\r\nExample lure 1: Letter of invitation to the expert discussion on the Razumkov Centre\r\nThe earliest uncovered lure document, titled “Letter of invitation to the expert discussion on the Razumkov Centre,” dates from early September 2023 and was first reported by Google TAG. 
It leverages a publicly available document uploaded one day before the presentation of the legitimate event hosted by the Razumkov Centre in partnership with the United States Agency for International Development (USAID) under the auspices of the USAID/ENGAGE pact. The invitation presents the findings of the paper “War of Attrition: Comparison of Potentials and Assessment of Prospects” on current results of the conflict in Ukraine, combat potentials and policy approaches for avoiding stalemate. The campaign is directed at Romania-based targets, based on the geolocation check applied to the targeted download.\r\nFig. 1: Lure document “Letter of invitation to the expert discussion on the Razumkov Centre”\r\nNotably, this lure was contained in a .RAR archive exploiting CVE-2023-38831. If opened with a WinRAR version below 6.23, the exploit causes Headlace to execute silently when the user tries to open the benign PDF file.\r\nExample lure 2: SEDE-PV-2023-10-09-1_EN.docx\r\nUploaded in mid-October 2023, the lure document titled “SEDE-PV-2023-10-09-1_EN.docx” features the publicly available Minutes of the 9 October 2023 meeting of the Subcommittee on Security and Defence of the European Parliament. Included in the adopted agenda is the question of “The security situation after the attack by Hamas against Israel, exchange of views with the EU’s Police Mission for the Palestinian Territories (EUPOL COPPS) and the EU’s Border Assistance Mission in Rafah (EUBAM Rafah).”\r\nFig. 
2: Lure document “SEDE-PV-2023-10-09-1_EN.docx”\r\nExample lure 3: war.docx\r\nUploaded in early November 2023, the document titled “war.docx” features an authentic copy of the publicly available Advance Unedited Version of the “Report of the Special Committee to Investigate Israeli Practices Affecting the Human Rights of the Palestinian People and Other Arabs of the Occupied Territories” presented at the seventy-eighth session of the General Assembly of the United Nations. The contents feature policy questions and historical context related to the Levant between September 2022 and September 2023, preceding the surprise October 2023 attacks.\r\nFig. 3: Lure document “war.docx”\r\nExample lure 4: Roadmap.docx\r\nIn mid-November 2023, a 15-page document titled “roadmap” was uploaded by multiple Azerbaijan-based users, featuring what appears to be the internal mark-up version of a proposed “Roadmap on the development of cooperation between the Republic of Belarus and the Republic of Azerbaijan until 2025” associated with the Joint Intergovernmental Commission between the Republic of Azerbaijan and the Republic of Belarus on Economic Cooperation. The document features two lines for signatures of approval by the respective state ministers, followed by a fillable date pre-populated with the year 2023. The document appears to be authentic given the metadata associated with user modifications.\r\nFig. 4: Lure document “Roadmap.docx”\r\nExample lure 5: 2023-12-bois-position-on-accessing-capital-pr.docx\r\nFig. 
5: Lure document “2023-12-bois-position-on-accessing-capital-pr.docx”\r\nIn early December 2023, X-Force uncovered an ITG05 lure leveraging the authentic 5 December 2023 press release published by the Bank of Israel. The document titled 2023-12-bois-position-on-accessing-capital-pr.docx details the “Main Points of the Bank of Israel’s Position Presented to the Knesset Economics Committee Regarding Nonbank Entities Accessing Sources of Capital to Expand their Provision of Loans Due to the War.”\r\nExample lure 6: IN11897.pdf\r\nFig. 6: Lure document “IN11897.pdf”\r\nIn early December 2023, X-Force uncovered the ITG05 lure titled IN11897.pdf, which leverages the 20 November 2023 CRS update on “Russia’s War Against Ukraine: European Union Responses and U.S.-EU Relations.” The publicly available document features key updates informing policymakers regarding the war in Ukraine, distributed by the public policy research institute of the United States Congress.\r\nInfection chain\r\nThe following represents X-Force’s detailed analysis of the multiple infection chains associated with the lures above, ultimately delivering Headlace malware.\r\nFig. 7: Headlace full infection graph\r\nThe diagram above is a high-level depiction of the Headlace infection flow. 
A deep dive into the different components impacting delivery, including the abuse of commercial hosting services, multi-stage malware, exploitation, and command and control, follows in the sections below.\r\nAbusing commercial hosting services\r\nIn September 2023, CERT-UA reported spear phishing emails containing URLs that led recipients to malicious archives hosted on abused, publicly available, commercial infrastructure such as the Mocky and Mockbin APIs and the infinityfreeapp.com hosting service.\r\nIn early campaigns, the threat actors used the Mockbin service to deliver malicious ZIP files containing decoy images, as well as a .CMD file which was identified as Headlace malware.\r\nExample URLs:\r\nhttps://run.mocky[.]io/v3/027fab50-2478-4dd2-962f-bb525b36810d\r\nhttps://mockbin[.]org/bin/229f6d51-f534-466f-b642-e86811631083/\u003cresult_of_whoami\u003e\r\nLater, in late October through November 2023, X-Force observed a second legitimate service, “infinityfreeapp.com”, used to host malicious payloads.\r\nIn the same timeframe, CERT-FR reported malicious activity by APT28 that included the use of the Mocky, Mockbin and infinityfreeapp services in attacks targeting French government systems.\r\nThe threat actor created several subdomains over the course of the campaigns. The phishing URL contains a unique hardcoded URL parameter, “id”. This ID is required to download the lure archive as well as Headlace’s secondary payloads, and likely allows ITG05 to track infections through all stages. Once a victim visits the URL and passes the browser check, the site redirects to its filedwn.php script using the same “id” parameter. This causes the download of a ZIP file, again containing the Headlace payload. 
Instead of the Mocky service, the Headlace backdoor uses the hardcoded id parameter to download the next payload via a URL calling the hosted execdwn.php file.\r\nExample URLs:\r\nhttps://downloadingdoc[.]infinityfreeapp[.]com/?id=61726832-e715-4f79-99e8-1587300c1035\r\nhttps://downloadingdoc[.]infinityfreeapp[.]com/filedwn.php?id=61726832-e715-4f79-99e8-1587300c103\r\nhttps://downloadingdoc[.]infinityfreeapp[.]com/execdwn.php?id=61726832-e715-4f79-99e8-1587300c1035\r\nBrowser checker\r\nBefore payloads are downloaded from the legitimate staging services, a JavaScript-based browser enumeration script verifies the user agent and, in some cases, the geolocation of the victim. Different versions of the script are used up to three times within a single infection. Infections start with the phishing URL, which redirects to the first download site after a first check. There, the second check takes place, which involves a user agent and geolocation check via the “https://ipapi[.]co/json” service (see screenshot below). After a successful lure download, the victim is redirected to www.msn.com.\r\nFig. 8: Browser enumeration script verifying a geolocation in Germany, before dropping an archive payload\r\nAs visible in the screenshot above, the browser script drops one of two different payloads, depending on the result of the location check. Should the request originate from a country other than the one targeted, ITG05 drops a non-weaponized version of the archive. This version contains only the benign lure. 
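The same hardcoded id that lets ITG05 track an infection through its stages also lets a defender rebuild each victim’s chain from web-proxy logs and separate hosts that merely fetched the lure from hosts on which the dropper ran and the backdoor began polling execdwn.php through headless Edge. The Python below is an added example, not code from the X-Force report: the log layout (timestamp, client, user agent and URL separated by pipes), the client addresses and the GUIDs are constructed, the hosts are the defanged ones quoted in the report, and the stage names are this example’s own labels.

```python
# Added example, not code from the X-Force report: pivot on the hardcoded
# id parameter to rebuild each Headlace delivery chain from web-proxy logs.
# The log layout (ts|client|user-agent|url), the client addresses and the
# GUIDs are constructed; hosts are the defanged ones quoted in the report.
import re
from datetime import datetime, timezone
from statistics import median

SAMPLE_PROXY_LOG = '''
2023-11-14T09:00:01Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://downloadingdoc.infinityfreeapp[.]com/?id=11111111-2222-4333-8444-555555555555
2023-11-14T09:00:02Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://ipapi[.]co/json
2023-11-14T09:00:03Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://downloadingdoc.infinityfreeapp[.]com/filedwn.php?id=11111111-2222-4333-8444-555555555555
2023-11-14T09:00:04Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://www.msn.com/
2023-11-14T09:02:10Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0|https://downloadingdoc.infinityfreeapp[.]com/execdwn.php?id=11111111-2222-4333-8444-555555555555
2023-11-14T09:07:10Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0|https://downloadingdoc.infinityfreeapp[.]com/execdwn.php?id=11111111-2222-4333-8444-555555555555
2023-11-14T09:12:10Z|10.20.0.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0|https://downloadingdoc.infinityfreeapp[.]com/execdwn.php?id=11111111-2222-4333-8444-555555555555
2023-11-14T10:30:00Z|10.20.0.9|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://downloadingdoc.infinityfreeapp[.]com/?id=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee
2023-11-14T10:30:01Z|10.20.0.9|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://ipapi[.]co/json
2023-11-14T10:30:02Z|10.20.0.9|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0 Safari/537.36|https://downloadingdoc.infinityfreeapp[.]com/filedwn.php?id=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee
'''

GUID_RE = re.compile(r'[?&]id=([0-9a-fA-F-]{36})')


def parse_line(line):
    # One proxy record: ISO-8601 UTC timestamp, client address, UA, URL.
    ts, client, ua, url = line.split('|', 3)
    ts = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return {'ts': ts, 'client': client, 'ua': ua, 'url': url.replace('[.]', '.')}


def stage_of(url):
    # Map a URL onto the stages the report describes; None means unrelated.
    low = url.lower()
    if 'ipapi.co/json' in low:
        return 'geo_probe'        # browser check looks up the visitor country
    if 'www.msn.com' in low:
        return 'decoy_redirect'   # redirect after the lure download
    if 'filedwn.php' in low:
        return 'lure_download'    # ZIP with the lure (dropper only if gated in)
    if 'execdwn.php' in low:
        return 'backdoor_poll'    # headless Edge fetching the next payload
    if GUID_RE.search(low) and low.split('?', 1)[0].endswith('/'):
        return 'landing'          # phishing URL carrying the hardcoded id
    return None


def reconstruct_chains(log_text):
    # Group stage events by id; id-less steps (ipapi probe, msn redirect)
    # are attributed to the id the same client most recently touched.
    events = [parse_line(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    events.sort(key=lambda e: e['ts'])
    chains, current = {}, {}
    for e in events:
        stage = stage_of(e['url'])
        if stage is None:
            continue
        m = GUID_RE.search(e['url'])
        if m:
            cid = m.group(1).lower()
            current[e['client']] = cid
            chain = chains.setdefault(cid, {'client': e['client'], 'stages': [],
                                            'poll_times': [], 'edge_ua_polls': 0})
        else:
            cid = current.get(e['client'])
            if cid is None:
                continue
            chain = chains[cid]
        chain['stages'].append(stage)
        if stage == 'backdoor_poll':
            chain['poll_times'].append(e['ts'])
            if 'edg' in e['ua'].lower():   # Edge user agents carry an Edg/ token
                chain['edge_ua_polls'] += 1
    return chains


def summarize(log_text):
    # Verdict per id. Proxy logs cannot tell the weaponized ZIP from the benign
    # one served to out-of-country visitors; what separates them is whether
    # execdwn.php polling follows, and at what cadence.
    out = {}
    for cid, c in reconstruct_chains(log_text).items():
        polls = c['poll_times']
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        if polls:
            verdict = 'backdoor_active'
        elif 'lure_download' in c['stages']:
            verdict = 'lure_delivered'
        else:
            verdict = 'landing_only'
        out[cid] = {'client': c['client'], 'stages': c['stages'], 'verdict': verdict,
                    'poll_interval_s': median(gaps) if gaps else None,
                    'edge_ua_polls': c['edge_ua_polls']}
    return out


if __name__ == '__main__':
    for cid, s in summarize(SAMPLE_PROXY_LOG).items():
        print(cid, s['client'], s['verdict'], s['poll_interval_s'], ' > '.join(s['stages']))
```

The verdict is deliberately built on what follows filedwn.php rather than on the download itself: the gate serves either archive from the same URL, so a host that fetched the lure but never polled execdwn.php with an Edge user agent was most likely gated out or never opened the archive, whereas steady polling at a fixed interval is the backdoor loop the report describes. Swap the constructed sample for a real proxy export in the same four-field layout to run it against production data.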
In the campaign shown in Fig. 8, the non-weaponized archive contains a .CMD file that only fakes a Windows update, without installing the malicious Headlace backdoor.\r\nThis campaign was active from late September until the end of November, targeting Kazakhstan, Hungary, Germany, Saudi Arabia, Ukraine and Azerbaijan. Later campaigns using policy-themed lures employed the same technique of dropping only benign lures should any of the checks fail.\r\nAfter the successful execution of the Headlace dropper, the backdoor uses a second download site to stage secondary payloads. These are downloaded in MS Edge headless mode, so the corresponding browser scripts check whether the user agent contains the string “edge”. Often the second download site performs another geolocation check:\r\nFig. 9: Browser enumeration script verifying geolocation in Turkey before dropping a payload disguised as a .CSS file\r\nX-Force observed large numbers of browser enumeration scripts specifically targeting the following countries:\r\nHungary\r\nTürkiye\r\nAustralia\r\nPoland\r\nBelgium\r\nUkraine\r\nGermany\r\nAzerbaijan\r\nSaudi Arabia\r\nKazakhstan\r\nItaly\r\nLatvia\r\nRomania\r\nLater variants of the enumeration and verification scripts are likely implemented server-side with a specific hardcoded ID, which is provided in the first phishing URL and is required as a URL parameter during all later stages.\r\nHeadlace\r\nX-Force observed three possible execution chains implemented by ITG05 for executing the Headlace malware:\r\nExecution via WinRAR vulnerability\r\nIn this chain, a victim is targeted via the CVE-2023-38831 WinRAR vulnerability. 
If the victim has a vulnerable WinRAR application and opens the archive, the lure document is presented while the Headlace dropper is executed in the background.\r\nExecution via DLL hijacking\r\nThe DLL-hijacking chain involves delivering a legitimate Microsoft Calc.exe binary that is susceptible to DLL hijacking. The victim clicks on Calc.exe, which loads a malicious DLL packaged alongside Calc in the malicious archive. The DLL then executes the Headlace CMD dropper file. In order to trick victims into running the executable, Calc.exe is renamed and contains whitespace padding before its extension, which may prevent users from spotting the suspicious .EXE extension.\r\nDirect Execution\r\nIn this chain, the threat actor directs the victim to execute the Headlace CMD dropper directly by disguising it as a Windows update script and reporting fake update status messages in the console.\r\nHeadlace is a new backdoor discovered by CERT-UA in September 2023. It consists of three components: a .CMD dropper, a .VBS launcher and a .BAT backdoor. The initial dropper starts by writing both other components into the %PROGRAMDATA% directory. It then runs the .VBS launcher and, after a short timeout, displays the lure as a decoy and deletes its traces from the directory it was started in.\r\nFig. 10: Headlace dropper script\r\nThe .VBS launcher uses the WScript.Shell object to execute the .BAT file, which acts as a backdoor. At regular intervals, it runs msedge in headless mode to download another payload from a hardcoded URL, execute it and subsequently delete it:\r\nFig. 
11: Headlace backdoor script\r\nDuring the last campaign, X-Force observed a new infection chain leading to Headlace. The malicious ZIP file contains several hidden files and only one visible executable, with a long whitespace-padded filename in order to hide the extension. The binary is a copy of the legitimate calc.exe, which is vulnerable to DLL hijacking. Once executed, it searches the current directory for WindowsCodecs.dll, one of the hidden files, and loads it. The DLL’s main function was overwritten to execute the hidden .CMD file that is the Headlace payload. By using indirect execution, the malicious activity is more difficult to detect.\r\nAnother variant of Headlace disguises itself as a Windows update. When the script is launched, right after dropping and launching its malicious components, Headlace prints fake status messages at regular intervals, imitating an update mechanism to an untrained user.\r\nFig. 12: Headlace dropper faking a Windows update\r\nActions on objective\r\nAccording to observations by CERT-UA, once a foothold has been established on the system, several follow-up payloads are used to capture NTLM credentials or SMB hashes of user accounts and attempt to exfiltrate them via the TOR network. X-Force has observed variants of Nishang’s “Start-CaptureServer.ps1” script, modified to exfiltrate credentials through Mockbin. This activity was also reported by Zscaler as the “Steal-It” campaign. In addition, ITG05 is also known to leverage custom exfiltration tools such as Graphite and CredoMap.\r\nConclusion\r\nX-Force assesses with high confidence that ITG05 will continue to leverage attacks against diplomatic and academic centers to provide the adversary with advanced insight into emergent policy decisions. 
Given recent operations, ITG05 remains adaptable to changes in opportunity within the cyber threat landscape by exploiting public CVEs and leveraging commercially available infrastructure.\r\nRecommendations\r\nX-Force recommends that all individuals and entities engaged in or informing policy creation remain in a heightened state of defensive security and:\r\nStay abreast of newly published exploits likely to be used by APT actors.\r\nHunt for regularly spawned processes containing “msedge --headless=new --disable-gpu”.\r\nHunt for headless MS Edge processes downloading .CSS files.\r\nMonitor for downloaded archives containing .CMD files.\r\nMonitor for DLL hijacking via modified WindowsCodecs.dll files.\r\nMonitor for filenames containing an unusually large number of consecutive whitespaces.\r\nMonitor network traffic for unusual or unsanctioned commercial service use.\r\nMonitor for suspicious use of browsers in headless mode.\r\nInstall and configure endpoint security software.\r\nUpdate relevant network security monitoring rules.\r\nEducate staff on the potential threats to the organization.\r\nIndicators of compromise\r\nIndicator | Type | Context\r\nhttps://mockbin[.]org/bin/902ca47f-644d-4d44-88ec-060fdb7acaa4 | URL | JS Dropper URL\r\nhttps://mockbin[.]org/bin/229f6d51-f534-466f-b642-e86811631083 | URL | JS Dropper URL\r\nhttps://downloadingdoc.infinityfreeapp[.]com/filedwn.php | URL | JS Dropper URL\r\nhttps://document-c.infinityfreeapp[.]com/execdwn.php?id=aec02d48-92f3-45a5-a003-051369b51928 | URL | JS Dropper URL\r\nhttps://downloaddoc.infinityfreeapp[.]com/execdwn.php?id=488354ce-01ce-4d45-b47a-88701d40c52a | URL | JS Dropper URL\r\nhttps://mockbin[.]org/bin/7cc44695-0c31-4620-bed4-2e60adf0a4b6 | URL | JS Dropper URL\r\nhttps://mockbin[.]org/bin/92354a6a-ba1f-4a1a-abea-fba269cabd66 | URL | JS Dropper URL\r\nhttps://downloaddoc.infinityfreeapp[.]com/execdwn.php?id=6a98168f-f14f-4014-8b28-8329b0118936 | URL | JS Dropper URL\r\n68bfa69cdbf947eac31e736b2e54244e829e302ea8dafd65edc6e0f879257a53 | sha256 | archive\r\n0db8cd7f349afe5a85cd3fd798e2cf4dcb7d2cbbdea3c312f2c7108c4347ada4 | sha256 | malicious batch script\r\na706778508af9e507d6d4b509276e9b82ce94f8a2ec913cc2deadba5aaa7d538 | sha256 | malicious batch script\r\ned982645d677c04cb5846251924a12e0e2c9ed16d8fa800a628189faf5009c9f | sha256 | malicious batch script\r\n896ca8488c9d8792bd0197646d857e0c2ae0312bbc6d812c12da45016f019264 | sha256 | malicious batch script\r\n595590fdfa9618b7f7aab5b8795f9336d71c8918f60aa88dce5d4b07c7071a5a | sha256 | malicious batch script\r\n726af8cd2d92691045ebe659d77acf4ae19b7172e383556befb79719fb78d7ce | sha256 | malicious batch script\r\nab5aef93ffe694970374af638b407dbd56ea5a548235973f51cba67cd7baa07e | sha256 | malicious batch script\r\n19e95b32b77d8dfd294c085793cd542d82eddac8e772818fea2826fa02a5cc54 | sha256 | malicious batch script\r\nf5b7a2d9872312e000acbe3dc8153707acecc5ba184f97ad6014327db16549c7 | sha256 | malicious batch script\r\nd281a1fa09e7810a4a9e13750d227f557e54370689fd86216332534bc9214918 | sha256 | malicious batch script\r\na760b01841a120eccc22856af1c9a8e513871366ef329502f42f9648708720ca | sha256 | malicious batch script\r\n103adb71848a31021692f5ba2ef1691eb29f3ded81b86954753f2f2fbeda08a7 | sha256 | malicious batch script\r\n47074a6d033966d07e4587705401533ad6c5fa2b11303c520a37999337d1a1eb | sha256 | malicious DLL\r\n79fe0b155cf5d2b45d28946ad6ba47f7282b468af064c29346dcd1dcd0aec507 | sha256 | malicious DLL\r\n9a798e0b14004e01c5f336aeb471816c11a62af851b1a0f36284078b8cf09847 | sha256 | malicious DLL\r\n290b63be4b81ee8a569cb3298eac089b775acc07c82a2d9ea800de8314c6f342 | sha256 | malicious JavaScript dropper\r\ned56740c66609d2bbd39dc60cf29ee47743344a9a6861bee7c08ccfb27376506 | sha256 | malicious LNK\r\na37140d97600573ace4fc31a9d289adcedb5c9cbfb92059b7184e46b635aaf57 | sha256 | malicious Visual Basic script\r\n9f5846193f545341b0c897947e07bc068712e396fe7c0863d43420bbd633aab1 | sha256 | news_week_6.docx\r\nf983d786f4dc2d1793f6b28907c4035c96b6b5c8765ba12dc4510dab0fceabf5 | sha256 | news_week_6.zip\r\n84638698fdcf2e9e45e7dd560c8d00fb4da6fa32dabaacd31b3538d38755dad4 | sha256 | news_week_6.zip\r\n5b8c240083cba4442fb6bbb092efd430ce998530cc10fd181b3f71845ec190ce | sha256 | news_week_6.zip\r\n16bcd167162e4ded71b8c7e9a2587be821d3a752c71fcbb2ae64cf1088b62fc0 | sha256 | news_week_6.zip\r\n1f4792dadaf346969c5e4870a01629594b6c371de21f8635c95aa6aba24ef24c | sha256 | war.docx\r\n8cc664ff412fc80485d0af61fb0617f818d37776e5a06b799f74fe0179b31768 | sha256 | war.zip\r\n2ac6735e8e0b23b222161690adf172aec668894d170299e9ff2c54a4ec25b1f4 | sha256 | war.zip\r\nd37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90 | sha256 | war.zip\r\n45e44afeb8b890004fd1cb535978d0754ceaa7129082cb72386a80a5532700d1 | sha256 | Zeyilname.zip\r\n22ed5c5cd9c6a351398f1e56efdfb16d52cd33cb4b206237487a03443d3de893 | sha256 | Zeyilname.zip\r\n243bab79863327915c315c188c0589202f64b3500a3fee3e2c9f3d34e8e1f154 | sha256 | Zeyliname.docx\r\n5a58e99a0ecdc461ce11c8253df9ea410076d56abc254628ed5ff4e5622acfde | sha256 | Razumkov Centre pdf\r\ne699a7971a38fe723c690f37ba81187eb8ed78e51846aa86aa89524c325358b4 | sha256 | EU Parliament doc\r\n1cfa9dbc91e3d136cbd42670f5a587963dab5898e7bd68684966d6e07bcb23e2 | sha256 | Roadmap.docx\r\n3cc52ef447578f4ab549f692013d7f2e849aba8cad83a8d63bf1569d874f38fa | sha256 | 2023-12-bois-position-on-accessing-capital-pr.docx\r\na50e32f52c249129655a9cb7be28b4efc32244c70f5ed1b4c4925b1b8f41199e | sha256 | IN11897.pdf\r\nSource: https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
	],
	"report_names": [
		"itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64a5fe84d6966af00822ce20d7a458b4e34ce563.pdf",
		"text": "https://archive.orkl.eu/64a5fe84d6966af00822ce20d7a458b4e34ce563.txt",
		"img": "https://archive.orkl.eu/64a5fe84d6966af00822ce20d7a458b4e34ce563.jpg"
	}
}