{ "id": "a64e95e7-fadf-4e9a-a392-8c00b0dfc624", "created_at": "2026-04-06T00:21:32.801373Z", "updated_at": "2026-04-10T13:11:52.232976Z", "deleted_at": null, "sha1_hash": "8a2f1f90762edbafcb8d72348e03408f15d8e961", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48115, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:38:39 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool NimbleMamba\r\n Tool: NimbleMamba\r\nNames NimbleMamba\r\nCategory Malware\r\nType Backdoor, Info stealer, Downloader, Exfiltration\r\nDescription\r\n(Proofpoint) Each variant of TA402’s attack chain led to a RAR file containing one or multiple\r\nmalicious compressed executables. These executables include a TA402 implant Proofpoint\r\ndubbed NimbleMamba and oftentimes an additional trojan Proofpoint named BrittleBush.\r\nNimbleMamba is almost certainly meant to replace LastConn, which Proofpoint reported\r\nabout in June 2021.\r\nNimbleMamba uses guardrails to ensure that all infected victims are within TA402’s target\r\nregion. NimbleMamba uses the Dropbox API for both command and control as well as\r\nexfiltration. The malware also contains multiple capabilities designed to complicate both\r\nautomated and manual analysis.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.nimblemamba\u003e\r\nLast change to this tool card: 27 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool NimbleMamba\r\nChanged Name Country Observed\r\nAPT groups\r\n  Molerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1c33ff97-c5eb-4c51-a72e-31ad07abf8cd\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1c33ff97-c5eb-4c51-a72e-31ad07abf8cd\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1c33ff97-c5eb-4c51-a72e-31ad07abf8cd\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1c33ff97-c5eb-4c51-a72e-31ad07abf8cd" ], "report_names": [ "listgroups.cgi?u=1c33ff97-c5eb-4c51-a72e-31ad07abf8cd" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0ad97d64-7970-48ca-83f6-3635c66e315c", "created_at": "2023-11-21T02:00:07.400003Z", "updated_at": "2026-04-10T02:00:03.479189Z", "deleted_at": null, "main_name": "TA402", "aliases": [], "source_name": "MISPGALAXY:TA402", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434892, "ts_updated_at": 1775826712, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8a2f1f90762edbafcb8d72348e03408f15d8e961.pdf", "text": "https://archive.orkl.eu/8a2f1f90762edbafcb8d72348e03408f15d8e961.txt", "img": "https://archive.orkl.eu/8a2f1f90762edbafcb8d72348e03408f15d8e961.jpg" } }