{ "id": "12aa5d22-a9a2-421b-8f79-22b856b5eeb1", "created_at": "2026-04-06T00:17:41.634809Z", "updated_at": "2026-04-10T03:38:03.377108Z", "deleted_at": null, "sha1_hash": "7472f70d2b87ffa0c65832d3cd64eae9d677c113", "title": "LevelBlue - Open Threat Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 237858, "plain_text": "LevelBlue - Open Threat Exchange\r\nBy Tr1sa111\r\nArchived: 2026-04-05 17:48:16 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nPage 1 of 5\n\n258 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nPage 2 of 5\n\n181 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nPage 3 of 5\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nPage 4 of 5\n\n17 Subscribers\r\nAuthor Url\r\nDowneks and Quasar RAT Used in Recent Targeted Attacks Against Governments\r\nFileHash-SHA256: 101 | Domain: 14 | Hostname: 20\r\nDustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets\r\ngovernment interests in the region. The initial infection vector in this attack is not clear, but it results in installing\r\nthe “Downeks” downloader, which in turn infects the victim computer with the “Quasar” RAT. Downeks uses\r\nthird party websites to determine the external IP of the victim machine, possibly to determine victim location with\r\nGeoIP. It also drops decoy documents in an attempt to camouflage the attack. Quasar is a .NET Framework-based\r\nopen-source RAT. The attackers invested significant effort in attempting to hide the tool by changing the source\r\ncode of the RAT and the RAT server, and by using an obfuscator and packer.\r\n373,953 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Downeks\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://otx.alienvault.com/browse/pulses?q=tag:Downeks" ], "report_names": [ "pulses?q=tag:Downeks" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434661, "ts_updated_at": 1775792283, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7472f70d2b87ffa0c65832d3cd64eae9d677c113.pdf", "text": "https://archive.orkl.eu/7472f70d2b87ffa0c65832d3cd64eae9d677c113.txt", "img": "https://archive.orkl.eu/7472f70d2b87ffa0c65832d3cd64eae9d677c113.jpg" } }