{
	"id": "828b5b23-b4b3-4478-af56-6400c6a529ab",
	"created_at": "2026-04-06T00:21:52.936661Z",
	"updated_at": "2026-04-10T13:12:57.444543Z",
	"deleted_at": null,
	"sha1_hash": "8a4ccc119701f810142234300c8360cd92a89346",
	"title": "The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97354,
	"plain_text": "The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest\r\nBy Tom Hegel and Aleksandar Milenkoski\r\nPublished: 2023-10-24 · Archived: 2026-04-05 16:02:54 UTC\r\nSince the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation regarding this war. We will continue to see it abused as a go-to method to sway public perception of events, with no signs of it ending soon.\r\nHowever, outside of social media information abuse and opportunistic hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors. Understanding and closely monitoring all aspects of the quickly evolving conflict within the digital domain is critical, as such targeted attacks will translate into real-world consequences. While we continue to collaborate privately with partners, we also seek to bolster the wider industry knowledge about where to place our efforts.\r\nThis is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely. These actors have potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity. 
While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas to cloak state-sponsored operations.\r\nIn this post, we share recommended and publicly accessible information in an effort to streamline the community’s understanding of relevant actors across historical reports for reference. In addition, we are sharing our perspective on public actor naming overlaps. Please note that each source of public reporting may perform attribution and actor clustering uniquely from its own perspective. Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for their own defense posturing and analysis needs.\r\nHamas-Aligned Clusters\r\nArid Viper\r\nAliases:\r\nAPT-C-23\r\nGrey Karkadann\r\nDesert Falcon\r\nMantis\r\nhttps://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/\r\nPage 1 of 7\n\nDescription:\r\nArid Viper is a threat group conducting cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East. Based primarily on the geopolitical context of its activities, Arid Viper is suspected to operate on behalf of Hamas, with further conclusive information needed to solidify this assessment. For example, the Israel Defense Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which is suspected to be orchestrated by Hamas. This campaign has been separately attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor, such as overlaps in initial infection techniques.\r\nTargeting individuals is a common practice of Arid Viper. 
This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements. Common initial infection vectors include social engineering and phishing attacks using themed lure documents. The latter often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently used technique.\r\nArid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms. Arid Viper’s malware is actively maintained and upgraded to meet the group’s operational requirements. This threat actor has consistently demonstrated innovation by adopting new malware development practices across a range of programming and scripting languages, such as Delphi, Go, Python, and C++.\r\nGaza Cybergang\r\nAliases:\r\nMolerats\r\nTA402\r\nGaza Hackers Team\r\nMoonlight\r\nExtreme Jackal\r\nAluminum Saratoga\r\nJEA/Jerusalem Electronic Army (Low to Medium Confidence)\r\nDescription:\r\nGaza Cybergang is a threat actor that has been active since at least 2012. The group primarily targets entities throughout the Middle East, including Israel and Palestine, with less frequently observed activity in the EU and US. Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society organizations. Our current assessment of Gaza Cybergang indicates a medium to high level of confidence in Hamas affiliation.\r\nThe group has historically used a variety of custom and publicly available tools in its attacks, showing a notable preference for spear phishing as a method of initial access. 
The group has been known to use malicious documents and email attachments to deliver malware and link lures, and it often deploys implants to maintain persistence on compromised systems. Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.\r\nThe overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage. The group seeks to gather intelligence, monitor political developments in the region, and support its cause through cyber activities. The group has been active for many years, and its persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.\r\nHezbollah-Aligned Clusters\r\nPlaid Rain\r\nAliases:\r\nAqua Dev 1\r\nPolonium\r\nDescription:\r\nPlaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations. Plaid Rain is considered to be based in Lebanon; however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Indicators supporting this assessment include observed overlaps in targeting and TTPs. The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies providing plausible deniability to the government of Iran, such as Cobalt Sapling.\r\nFor initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream compromises, and stolen credentials. The group’s arsenal consists of a wide range of well-maintained custom tooling, exemplified by the Creepy malware toolset. 
Plaid Rain’s malware supports a broad range of complementary functionalities following the latest trends in the malware landscape. For example, the CreepyDrive malware uses cloud services for command and control, likely in an attempt to evade detection by making malicious traffic look legitimate.\r\nLebanese Cedar\r\nAliases:\r\nVolatile Cedar\r\nDeftTorero\r\nDescription:\r\nLebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, the United States, the United Kingdom, and more. The group was first observed in 2015 and has since received limited security industry attention. Similar to Plaid Rain, we associate Lebanese Cedar with the Lebanese Shiite militant group Hezbollah, as well as potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).\r\nThe most commonly observed initial access methods have centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar. Further use of Meterpreter and the group’s custom Explosive RAT has been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.\r\nRelevant Iranian Clusters\r\nIran hosts a diverse array of state-sponsored threat actors whose activities quickly expand past the specific focus on the Israel-Hamas war. These threat actors exhibit variability in terms of size, capability, and motivation, and they have been responsible for a wide spectrum of cyber operations. While some have clear affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently. 
It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influencing public opinion and concealing attribution of offensive actions. We strongly recommend that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives. The propagation of their claims, viewpoints, and actions aligns with an overarching mission, and endorsing these activities contributes to their success. Overall, the diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward. As we monitor the evolving situation in the Middle East, it is imperative to focus on Iran as a potential origin of both direct cyber offensive actions and proxy operations supported by Iran-linked groups like Hamas and Hezbollah.\r\nShroudedSnooper\r\nAliases:\r\nStorm-0861\r\nScarred Manticore\r\nDescription:\r\nShroudedSnooper has been part of multiple recent intrusions across the Middle East, including in Israel within the past two months, and elsewhere since at least 2020. The most recent observations and activity we can confirm center around intrusions across the telecommunication and government sectors. The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).\r\nOur current understanding of the group is that it operates for intelligence collection and to provide initial access to other MOIS entities. Initial access for ShroudedSnooper has been, and potentially continues to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities. 
As observed in the recent Israeli telecom intrusions, the group has then made use of backdoors mimicking enterprise security software.\r\nCobalt Sapling\r\nAliases:\r\nMoses Staff\r\nAbraham’s Ax\r\nMarigold Sandstorm\r\nDescription:\r\n‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery. Moses Staff and Abraham’s Ax are potentially distinct groups. Since the emergence of Moses Staff in 2021 and of Abraham’s Ax in 2022 proclaiming allegiance with Hezbollah, the groups have continued to separately maintain their online presence. However, they share iconography, content editing, and infrastructure management practices. This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.\r\nMoses Staff has traditionally focused its efforts on business and government organizations primarily within Israel. In contrast, Abraham’s Ax has asserted responsibility for attacks on entities located outside of Israel but with geopolitical relevance to the country. 
For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia, previously conditioned on resolving the Israeli-Palestinian issue.\r\nAlthough the threat intelligence research community has identified custom offensive tooling observed in Moses Staff attacks, such as StrifeWater, PyDCrypt and DCSrv, we do not exclude the possibility of Moses Staff and Abraham’s Ax sharing tooling and operational practices, making accurate clustering challenging at this time. Operations attributed to Moses Staff have involved RATs and ransomware with no indications of financial motivation, but rather disruption, destruction, and concealment of cyber espionage activities.\r\nAPPENDIX: Recommended Public Reporting\r\nArid Viper\r\n02/2015: Operation Arid Viper: Bypassing the Iron Dome – Trend Micro\r\n02/2015: The Desert Falcons targeted attacks – GReAT\r\n2017: Delphi Used To Score Against Palestine – Cisco Talos\r\n04/2021: Taking Action Against Arid Viper – Meta\r\n02/2022: Arid Viper APT targets Palestine with new wave of politically themed phishing attacks, malware – Cisco Talos\r\n03/2022: What is Arid Gopher? – Deep Instinct\r\n04/2022: Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials – Cybereason\r\n04/2023: Mantis: New Tooling Used in Attacks Against Palestinian Targets – Symantec\r\n10/2023: Arid Viper Disguising Mobile Spyware as Updates for Non-Malicious Android Applications\r\nGaza Cybergang\r\n11/2012: Systematic cyber attacks against Israeli and Palestinian targets going on for a year – Norman\r\n08/2013: Operation Molerats: Middle East Cyber Attacks Using Poison Ivy – FireEye\r\n06/2014: Molerats, Here for Spring! 
– FireEye\r\n04/2015: Attacks against Israeli & Palestinian interests – PwC\r\n09/2015: Gaza cybergang, where’s your IR team? – GReAT\r\n01/2016: Operation DustySky – Clearsky\r\n06/2016: Operation DustySky Part 2 – Clearsky\r\n10/2016: Moonlight – Targeted attacks in the Middle East – Vectra\r\n11/2016: MoleRats: there’s more to the naked eye – PwC\r\n01/2017: Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments – Unit 42\r\n10/2017: Gaza Cybergang – updated activity in 2017 – GReAT\r\n01/2018: The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services – Unit 42\r\n04/2018: Operation Parliament, who is doing what? – GReAT\r\n04/2019: The Gaza cybergang and its SneakyPastes campaign – GReAT\r\n05/2019: Israel Defense Force bombing of alleged operations center\r\n11/2019: Report on the attack on the Palestinian government by the APT organization “Pat the Bear” (Translated) – Rising\r\n01/2020: Analysis of Threat Groups Molerats and APT-C-37 – AT&T\r\n02/2020: New Cyber Espionage Campaigns Targeting Palestinians – Part 1: The Spark Campaign – Cybereason\r\n03/2020: Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations – Unit 42\r\n12/2020: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign – Cybereason\r\n12/2020: Molerats APT: New Malware and Techniques in Middle East Espionage Campaign – Cybereason\r\n04/2021: Threat Group Uses Voice Changing Software in Espionage Attempt – Cado\r\n06/2021: New TA402 Mole Rats Malware Targets Governments in the Middle East – Proofpoint\r\n01/2022: New espionage attack by Molerats APT targeting users in the Middle East – Zscaler\r\n02/2022: Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage\r\n10/2022: Analysis of a Management IP Address linked to Molerats APT – Team Cymru\r\nPlaid Rain\r\n06/2022: Exposing POLONIUM activity and infrastructure targeting Israeli organizations – 
Microsoft\r\n10/2022: Polonium Targets Israel With Creepy Malware – ESET\r\n12/2022: Polonium APT Group: Uncovering New Elements – Deep Instinct\r\nLebanese Cedar\r\n03/2015: Volatile Cedar Technical Report – Check Point\r\n03/2015: Sinkholing Volatile Cedar DGA Infrastructure – GReAT\r\n06/2015: New Data: Volatile Cedar Malware Campaign – Check Point\r\n01/2021: “Lebanese Cedar” APT – Global Lebanese Espionage Campaign Leveraging Web Servers – Clearsky\r\n10/2022: DeftTorero: tactics, techniques and procedures of intrusions revealed – Kaspersky\r\nShroudedSnooper\r\n09/2023: New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants – Talos\r\n10/2023: From Albania to the Middle East: The Scarred Manticore Is Listening\r\nCobalt Sapling\r\n11/2021: Uncovering MosesStaff Techniques: Ideology Over Money – Check Point\r\n02/2022: StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations – Cybereason\r\n02/2022: Moses Staff Campaigns Against Israeli Organizations Span Several Months – Fortinet\r\n01/2023: Abraham’s Ax Likely Linked to Moses Staff – Secureworks\r\nSource: https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"
	],
	"report_names": [
		"the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest"
	],
	"threat_actors": [
		{
			"id": "5e034014-1f6e-424d-adfa-49557e655e08",
			"created_at": "2024-02-06T02:00:04.118601Z",
			"updated_at": "2026-04-10T02:00:03.572699Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [
				"Piwiks"
			],
			"source_name": "MISPGALAXY:Karkadann",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8f6bd9b8-e46e-4c3b-9a08-41fee319f273",
			"created_at": "2022-10-25T16:07:23.747959Z",
			"updated_at": "2026-04-10T02:00:04.735963Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [],
			"source_name": "ETDA:Karkadann",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a4ccc119701f810142234300c8360cd92a89346.pdf",
		"text": "https://archive.orkl.eu/8a4ccc119701f810142234300c8360cd92a89346.txt",
		"img": "https://archive.orkl.eu/8a4ccc119701f810142234300c8360cd92a89346.jpg"
	}
}