{
	"id": "b486f154-07a7-41b5-8b19-7649790629e9",
	"created_at": "2026-04-06T00:12:29.882136Z",
	"updated_at": "2026-04-10T03:38:03.478235Z",
	"deleted_at": null,
	"sha1_hash": "85fd3c90c1e6689979e048592c363a2a8c2361ea",
	"title": "New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 328162,
	"plain_text": "New Malware Arsenal Abusing Cloud Platforms in Middle East\r\nEspionage Campaign\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 12:05:10 UTC\r\nThe Cybereason Nocturnus Team has identified an active espionage campaign employing three previously\r\nunidentified malware variants that use Facebook, Dropbox, Google Docs and Simplenote for command \u0026 control\r\nand the exfiltration of data from targets across the Middle East. The full report can be downloaded here (ungated)\r\nand the Indicators of Compromise can be downloaded using the link in the header at the top of this blog.\r\nIn February 2020, Cybereason researchers reported the discovery of the Spark and Pierogi backdoors that were\r\nassessed to be part of targeted attacks against Palestinian officials. The attacks were attributed to Molerats (aka\r\nThe Gaza Cybergang), an Arabic-speaking, politically-motivated APT group that has operated in the Middle East\r\nsince 2012.\r\nThe Cybereason Nocturnus Team has continued tracking the group, and in recent months detected a new campaign\r\nleveraging two previously unidentified backdoors dubbed SharpStage and DropBook, as well as a downloader dubbed\r\nMoleNet.\r\nThis latest campaign leverages phishing documents that include various themes related to current Middle Eastern\r\nevents, including a reportedly clandestine meeting between His Royal Highness Mohammed bin Salman, Crown\r\nPrince of Saudi Arabia, the U.S. Secretary of State Mike Pompeo and Israeli PM Benjamin Netanyahu.\r\nhttps://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign\r\nPage 1 of 4\n\nContent of the MBS-Israel.pdf document\r\nKey Research Findings:\r\nNew Espionage Tools Developed by Molerats: Cybereason identified two new backdoors dubbed SharpStage\r\nand DropBook, as well as the MoleNet downloader, all of which give the attackers the ability to execute\r\narbitrary code and collect sensitive data for exfiltration from infected computers.\r\nAbuse of Facebook, Google Docs, Dropbox and Simplenote Platforms: The newly discovered DropBook\r\nbackdoor used fake Facebook accounts or Simplenote for command and control (C2), and both SharpStage and\r\nDropBook abuse a Dropbox client in order to exfiltrate stolen data as well as for storing their espionage tools.\r\nPolitical Phishing Themes: Themes used to lure the victims included Israeli-Saudi relations, Hamas elections,\r\nPalestinian politicians as well as other regional events including a secretive meeting between His Royal Highness\r\nMohammed bin Salman, Crown Prince of Saudi Arabia, the U.S. Secretary of State and the Israeli Prime Minister.\r\nConnections to Previous Middle Eastern Campaigns: The newly discovered backdoors have been observed\r\nbeing used in conjunction with the Spark backdoor previously attributed to Molerats. The attackers also used the\r\nnew espionage tools to download additional payloads including the infamous open-source Quasar RAT that was\r\nused previously by Molerats.\r\nTargeting Across the Middle East: The operation was primarily observed targeting the Palestinian Territories,\r\nUAE, Egypt as well as Turkey. Given the nature of the phishing content, Cybereason assesses that the campaign\r\noperators seek to target high-ranking political figures and government officials in the Middle East.\r\nMolerats’ latest campaign Infection Chain\r\nThe full report, titled Molerats in the Cloud: New Malware Arsenal Abuses Cloud Platforms in Middle East\r\nEspionage Campaign, is available for download here. Open the chatbot on the lower right-hand side of this blog\r\nto download your copy of the Indicators of Compromise, which includes C2 Domains, IP addresses, Docx file\r\nSHA-1 hashes, and Msi files.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing\r\nnew attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
	],
	"report_names": [
		"new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85fd3c90c1e6689979e048592c363a2a8c2361ea.pdf",
		"text": "https://archive.orkl.eu/85fd3c90c1e6689979e048592c363a2a8c2361ea.txt",
		"img": "https://archive.orkl.eu/85fd3c90c1e6689979e048592c363a2a8c2361ea.jpg"
	}
}