APT group: Molerats, Extreme Jackal, Gaza Cybergang
Archived: 2026-04-02 11:00:49 UTC

Names: Molerats (FireEye), Extreme Jackal (CrowdStrike), Gaza Cybergang (Kaspersky), Gaza Hackers Team (Kaspersky), TA402 (Proofpoint), Aluminum Saratoga (SecureWorks), ATK 89 (Thales), TAG-CT5 (Recorded Future), G0021 (MITRE)
Country: [Gaza]
Sponsor: Hamas
Motivation: Information theft and espionage
First seen: 2012

Description
(Kaspersky) The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and a
Gaza cybergang's attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, m
One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA regio
year.
An overlap has been found between Molerats and Operation Parliament and there may also be an association with The Big Ba

Observed
Sectors: Aerospace, Defense, Embassies, Energy, Financial, Government, High-Tech, Media, Oil and gas, Telecommunication
Countries: Afghanistan, Algeria, Canada, China, Chile, Denmark, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Le
Palestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, UK, USA, Yemen and the

Tools used: BadPatch, BrittleBush, Downeks, DropBook, DustySky, H-Worm, IronWind, JhoneRAT, KasperAgent, LastConn, Micropsia, Ivy, QuasarRAT, Scote, SharpSploit, SharpStage, Spark, XtremeRAT.

Operations performed

Jan 2012 - Defacement of Israel fire service website
Hackers claiming to be from the Gaza Strip defaced the website of the Israel Fire and Rescue services, postin

Oct 2012 - Operation "Molerats"
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials tem
the use of USB memory sticks.
Security researchers subsequently linked these attacks to a broader, yearlong
and as discovered later, even the U.S. and UK governments.

Summer 2014 - Attacks against Israeli & Palestinian interests
The decoy documents and filenames used in the attacks suggest the intended targets include organizations wi

https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b Page 1 of 3

2014 - Operation "Moonlight"
Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in t
200 samples of malware generated by the group over the last two years. These attacks are themed around Mi
espionage, as opposed to opportunistic or criminal intentions.

May 2015
One interesting new fact about Gaza Cybergang activities is that they are actively sending malware files to IT
also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used

Sep 2015 - Operation "DustySky"
These attacks are targeted, but not spear-phished. I.e., malicious email messages are sent to selected targets r
to each and every target. Dozens of targets may receive the exact same message. The email message and the
on the target audience. Targeted sectors include governmental and diplomatic institutions, including embassi
institutions; journalists; software developers. The attackers have been targeting software developers in gener
management software, and linking to it in an online freelancing marketplace.

Dec 2015
Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe ar

Mid-2017 - New targets, use of MS Access Macros and CVE 2017-0199, and possible mobile espionage
One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in
apparently for more than a year.
Another interesting finding is the use of the recently discovered CVE 2017-0199 vulnerability, and Microsof
reduce the likelihood of their detection.
Traces of mobile malware that started to appear from late April 2017

Sep 2017 - Operation "TopHat"
In recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging popular third-party serv
The attacks we found within the TopHat campaign began in early September 2017. In a few instances, origin

Feb 2019 - New Attack in the Middle East
Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It i
drop and execute a backdoor packed by Enigma Virtual Box. The backdoor program has a built-in keyword l
with C2, distributes control commands to further control the victim's computer device. After investigation, w

Apr 2019 - Operation "SneakyPastes"
The campaign is multistage. It begins with phishing, using letters from one-time addresses and one-time dom
attachments. If the victim executes the attached file (or follows the link), their device receives Stage One ma

Oct 2019
Between October 2019 through the beginning of December 2019, Unit 42 observed multiple instances of phi
(AKA Gaza Hackers Team and Gaza Cybergang) targeting eight organizations in six different countries in th
of which the latter two were quite peculiar.

Dec 2019 - "Pierogi" Campaign
This campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed
discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminisc
and KasperAgent malware.
Mar 2020 - Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations

Jul 2021 - New espionage attack by Molerats APT targeting users in the Middle East

Jul 2023 - TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities

MITRE ATT&CK

Last change to this card: 16 August 2025
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a9903bb-0925-4715-83cf-f058c03a003b