{
	"id": "b3cba67b-1f53-4fed-8135-69519c1d8455",
	"created_at": "2026-04-10T03:21:34.254885Z",
	"updated_at": "2026-04-10T03:22:18.003568Z",
	"deleted_at": null,
	"sha1_hash": "7d9d89d612ea6acf9702ba6a01dc1e3b42548755",
	"title": "Hacking group POLONIUM uses ‘Creepy’ malware against Israel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4214606,
	"plain_text": "Hacking group POLONIUM uses ‘Creepy’ malware\r\nagainst Israel\r\nBy Bill Toulas\r\nPublished: 2022-10-11 · Archived: 2026-04-10 02:44:11 UTC\r\nSecurity researchers reveal previously unknown malware used by the cyber espionage hacking group\r\n'POLONIUM,' threat actors who appear to target Israeli organizations exclusively.\r\nAccording to ESET, POLONIUM uses a broad range of custom malware against engineering, IT, law,\r\ncommunications, marketing, and insurance firms in Israel. The group's campaigns are still active at the time of\r\nwriting.\r\nMicrosoft's Threat Intelligence team first documented the group's malicious activities in June 2022, linking\r\nPOLONIUM threat actors in Lebanon with ties to Iran's Ministry of Intelligence and Security (MOIS).\r\nhttps://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/\r\nPage 1 of 4\n\nThe POLONIUM toolset\r\nESET reports that POLONIUM is solely interested in cyberespionage and does not deploy data wipers,\r\nransomware, or other file-damaging tools.\r\nSince September 2021, the hackers have used at least seven variants of custom backdoors, including four new\r\nundocumented backdoors known as 'TechnoCreep,' 'FlipCreep,' 'MegaCreep,' and 'PapaCreep.'\r\nThe seven backdoors deployed by POLONIUM since September 2021 (ESET)\r\nSome backdoors abuse legitimate cloud services, such as OneDrive, Dropbox, and Mega, to act as command and\r\ncontrol (C2) servers. Other backdoors utilize standard TCP connections to remote C2 servers or get commands to\r\nexecute from files hosted on FTP servers.\r\nWhile not all backdoors have the same features, their malicious activity includes the ability to log keystrokes, take\r\nscreenshots of the desktop, take photos with the webcam, exfiltrate files from the host, install additional malware,\r\nand execute commands on the infected device.\r\nThe most recent backdoor, PapaCreep, spotted in September 2022, is the first one written in C++, whereas the hackers\r\nwrote older versions either in PowerShell or C#.\r\nPapaCreep is also modular, breaking its command execution, C2 communication, file upload, and file download\r\nfunctions into small components.\r\nThe advantage is that the components can run independently, persist via separate scheduled tasks on the breached\r\nsystem, and make the backdoor harder to detect.\n\nPapaCreep's encrypted request to C2 (ESET)\r\nBesides the ‘Creepy’ variants, POLONIUM also uses various open source tools, either custom or off-the-shelf, for\r\nreverse proxying, screenshot taking, keylogging, and webcam snapping, so there’s a level of redundancy in the\r\noperations.\r\nAn elusive hacking group\r\nESET could not determine the tactics POLONIUM uses to initially compromise a network, but Microsoft previously\r\nreported that the group was exploiting known VPN product flaws to breach networks.\r\nThe threat actor's private network infrastructure is hidden behind virtual private servers (VPS) and legitimate\r\ncompromised websites, so mapping the group's activities remains difficult.\r\nPOLONIUM is a sophisticated and highly targeted threat whose crosshairs are fixed on Israel right now, but this\r\ncould change at any moment if the group's priorities or interests change.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/"
	],
	"report_names": [
		"hacking-group-polonium-uses-creepy-malware-against-israel"
	],
	"threat_actors": [],
	"ts_created_at": 1775791294,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d9d89d612ea6acf9702ba6a01dc1e3b42548755.pdf",
		"text": "https://archive.orkl.eu/7d9d89d612ea6acf9702ba6a01dc1e3b42548755.txt",
		"img": "https://archive.orkl.eu/7d9d89d612ea6acf9702ba6a01dc1e3b42548755.jpg"
	}
}