{
	"id": "e091dfab-bbbe-4b61-89dc-7f68d4d44673",
	"created_at": "2026-04-06T00:22:11.067305Z",
	"updated_at": "2026-04-10T03:38:03.411235Z",
	"deleted_at": null,
	"sha1_hash": "67273766b923ab786de32ff9554c634f1574ebe4",
	"title": "Operation Electric Powder - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46323,
	"plain_text": "Operation Electric Powder - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:20:43 UTC\r\nHome \u003e List all groups \u003e Operation Electric Powder\r\n APT group: Operation Electric Powder\r\nNames Operation Electric Powder (ClearSky)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(ClearSky) From April 2016 until at least February 2017, attackers have been spreading\r\nmalware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based\r\nwebsites. Various artifacts indicate that the main target of this campaign is IEC – Israel\r\nElectric Company. These include domains, file names, Java package names, and Facebook\r\nactivity. We dubbed this campaign “Operation Electric Powder”.\r\nIsrael Electric Company (also known as Israel Electric Corporation) “is the largest supplier of\r\nelectrical power in Israel. The IEC builds, maintains, and operates power generation stations,\r\nsub-stations, as well as transmission and distribution networks. The company is the sole\r\nintegrated electric utility in the State of Israel. Its installed generating capacity represents about\r\n75% of the total electricity production capacity in the country.”\r\nIt is notable that the operational level and the technological sophistication of the attackers are\r\nnot high. Also, they are having a hard time preparing decoy documents and websites in Hebrew\r\nand English. Therefore, in most cases a vigilant target should be able to notice the attack and\r\navoid infection. 
We do not have any indication that the attacks succeeded in infecting IEC-related\r\ncomputers or stealing information.\r\nCurrently we do not know who is behind Operation Electric Powder or what its objectives are.\r\nAlso see WildCard.\r\nThis actor is reported as potentially linked to the threat actor known as Molerats, Extreme\r\nJackal, Gaza Cybergang, but no strong evidence has been found.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=34997eb0-9e4f-4a2f-8a2b-dccc60fdc098\r\nPage 1 of 2\n\nObserved\nSectors: Energy.\nCountries: Israel.\nTools used SysJoker.\nInformation Last change to this card: 30 November 2023\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=34997eb0-9e4f-4a2f-8a2b-dccc60fdc098\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=34997eb0-9e4f-4a2f-8a2b-dccc60fdc098\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=34997eb0-9e4f-4a2f-8a2b-dccc60fdc098"
	],
	"report_names": [
		"showcard.cgi?u=34997eb0-9e4f-4a2f-8a2b-dccc60fdc098"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cd402658-d63c-40bc-b6ce-bb3d742904c5",
			"created_at": "2023-12-01T02:02:33.960041Z",
			"updated_at": "2026-04-10T02:00:04.804676Z",
			"deleted_at": null,
			"main_name": "Operation Electric Powder",
			"aliases": [],
			"source_name": "ETDA:Operation Electric Powder",
			"tools": [
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67273766b923ab786de32ff9554c634f1574ebe4.pdf",
		"text": "https://archive.orkl.eu/67273766b923ab786de32ff9554c634f1574ebe4.txt",
		"img": "https://archive.orkl.eu/67273766b923ab786de32ff9554c634f1574ebe4.jpg"
	}
}