{
	"id": "46ecec94-a15f-45c7-a7d6-182e518355cb",
	"created_at": "2026-04-06T00:10:23.009279Z",
	"updated_at": "2026-04-10T13:12:19.845936Z",
	"deleted_at": null,
	"sha1_hash": "688621d6c1702abcc4d86a842386935422fe9077",
	"title": "Molerats, Extreme Jackal, Gaza Cybergang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88545,
	"plain_text": "Molerats, Extreme Jackal, Gaza Cybergang\r\nArchived: 2026-04-02 11:00:49 UTC\r\nAPT group: Molerats, Extreme Jackal, Gaza Cybergang\r\nNames\r\nMolerats (FireEye)\r\nExtreme Jackal (CrowdStrike)\r\nGaza Cybergang (Kaspersky)\r\nGaza Hackers Team (Kaspersky)\r\nTA402 (Proofpoint)\r\nAluminum Saratoga (SecureWorks)\r\nATK 89 (Thales)\r\nTAG-CT5 (Recorded Future)\r\nG0021 (MITRE)\r\nCountry [Gaza]\r\nSponsor Hamas\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\n(Kaspersky) The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and a\r\nGaza cybergang’s attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, m\r\nOne of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA regio\r\nyear.\r\nAn overlap has been found between Molerats and Operation Parliament and there may also be an association with The Big Ba\r\nObserved\r\nSectors: Aerospace, Defense, Embassies, Energy, Financial, Government, High-Tech, Media, Oil and gas, Telecommunication\r\nCountries: Afghanistan, Algeria, Canada, China, Chile, Denmark, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Le\r\nPalestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, UK, USA, Yemen and the\r\nTools used\r\nBadPatch, BrittleBush, Downeks, DropBook, DustySky, H-Worm, IronWind, JhoneRAT, KasperAgent, LastConn, Micropsia,\r\nIvy, QuasarRAT, Scote, SharpSploit, SharpStage, Spark, XtremeRAT.\r\nOperations performed\r\nJan 2012\r\nDefacement of Israel fire service website\r\nHackers claiming to be from the Gaza Strip defaced the website of the Israel Fire and Rescue services, postin\r\n\u003chttps://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website\u003e\r\nOct 2012\r\nOperation “Molerats”\r\nIn October 2012, malware attacks against Israeli government targets grabbed media attention as officials tem\r\nthe use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong\r\nand as discovered later, even the U.S. and UK governments.\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-\r\nJun 2013\r\nWe observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropp\r\ninfrastructure used by the Molerats attackers.\r\n\u003chttps://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-\r\nApr 2014\r\nBetween 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one m\r\norganizations.\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html\u003e\r\nSummer 2014\r\nAttacks against Israeli \u0026 Palestinian interests\r\nThe decoy documents and filenames used in the attacks suggest the intended targets include organizations wi\r\n\u003chttps://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b\r\nPage 1 of 3\n\n2014\nOperation “Moonlight”\nVectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in t\n200 samples of malware generated by the group over the last two years. These attacks are themed around Mi\nespionage, as opposed to opportunistic or criminal intentions.\nMay 2015\nOne interesting new fact about Gaza Cybergang activities is that they are actively sending malware files to IT\nalso obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used\nSep 2015\nOperation “DustySky”\nThese attacks are targeted, but not spear-phished. I.e., malicious email messages are sent to selected targets r\nto each and every target. Dozens of targets may receive the exact same message. The email message and the\non the target audience. Targeted sectors include governmental and diplomatic institutions, including embassi\ninstitutions; journalists; software developers. The attackers have been targeting software developers in gener\nmanagement software, and linking to it in an online freelancing marketplace.\nDec 2015\nPalo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe ar\nMid-2017\nNew targets, use of MS Access Macros and CVE 2017-0199, and possible mobile espionage\nOne of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in\napparently for more than a year.\nAnother interesting finding is the use of the recently discovered CVE 2017-0199 vulnerability, and Microsof\nreduce the likelihood of their detection. Traces of mobile malware that started to appear from late April 2017\nSep 2017\nOperation “TopHat”\nIn recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging popular third-party serv\nThe attacks we found within the TopHat campaign began in early September 2017. In a few instances, origin\nFeb 2019\nNew Attack in the Middle East\nRecently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It i\ndrop and execute a backdoor packed by Enigma Virtual Box. The backdoor program has a built-in keyword l\nwith C2, distributes control commands to further control the victim’s computer device. After investigation, w\nApr 2019\nOperation “SneakyPastes”\nThe campaign is multistage. It begins with phishing, using letters from one-time addresses and one-time dom\nattachments. If the victim executes the attached file (or follows the link), their device receives Stage One ma\nOct 2019\nBetween October 2019 through the beginning of December 2019, Unit 42 observed multiple instances of phi\n(AKA Gaza Hackers Team and Gaza Cybergang) targeting eight organizations in six different countries in th\nof which the latter two were quite peculiar.\n\nDec 2019\n“Pierogi” Campaign\nThis campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed\ndiscovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminisc\nand KasperAgent malware.\nMar 2020\nMolerats Delivers Spark Backdoor to Government and Telecommunications Organizations\nJul 2021\nNew espionage attack by Molerats APT targeting users in the Middle East\nJul 2023\nTA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b"
	],
	"report_names": [
		"showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/688621d6c1702abcc4d86a842386935422fe9077.pdf",
		"text": "https://archive.orkl.eu/688621d6c1702abcc4d86a842386935422fe9077.txt",
		"img": "https://archive.orkl.eu/688621d6c1702abcc4d86a842386935422fe9077.jpg"
	}
}