{
	"id": "b78b2f3b-ca38-45c0-9b12-30038e48006b",
	"created_at": "2026-04-06T00:15:22.099939Z",
	"updated_at": "2026-04-10T13:12:23.737751Z",
	"deleted_at": null,
	"sha1_hash": "8db43ba7cce0b280bf6a81da28e0dc819bb92001",
	"title": "Hacking group\u0026rsquo;s new malware abuses Google and Facebook services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1723852,
	"plain_text": "Hacking group\u0026rsquo;s new malware abuses Google and Facebook\r\nservices\r\nBy Ionut Ilascu\r\nPublished: 2020-12-14 · Archived: 2026-04-05 15:37:26 UTC\r\nMolerats cyberespionage group has been using in recent spear-phishing campaigns fresh malware that relies on Dropbox,\r\nGoogle Drive, and Facebook for command and control communication and to store stolen data.\r\nThe hackers have been active since at least 2012 and are considered to be the low-budget division of a larger group called\r\nthe Gaza Cybergang.\r\nTwo backdoors and a downloader\r\nThe Molerats threat actor used in recent operations two new backdoors - called SharpStage and DropBook, and one\r\npreviously undocumented malware downloader named MoleNet.\r\nhttps://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nDesigned for cyberespionage, the malware attempts to avoid detection and takedown efforts by using Dropbox and\r\nFacebook services to steal data and receive instructions from the operators. 
Both backdoors implement Dropbox to extract\r\nstolen data.\r\nThe attack starts with an email luring political figures or government officials in the Middle East (Palestinian Territories,\r\nUAE, Egypt, Turkey) to download malicious documents.\r\nOne of the lures in campaigns delivering the new malware was a PDF file referencing the recent talks between Israeli Prime\r\nMinister Benjamin Netanyahu and His Royal Highness Mohammed bin Salman, Saudi Crown Prince.\r\nThe document showed only a summary of the content and instructed the recipient to download password-protected archives\r\nstored in Dropbox or Google Drive for the full information.\r\nTwo of these files were SharpStage and DropBook backdoors, which called a Dropbox storage controlled by the attacker to\r\ndownload other malware. A third one was another backdoor, Spark, also used by Molerats in previous campaigns.\r\nCommands over Facebook\r\nA technical report from Cybereason’s Nocturnus Team [PDF] notes that the Python-based DropBook backdoor\r\ndistinguishes from other tools in Molerats’ arsenal because it receives instructions only through fake accounts on Facebook\r\nand Simplenote, the note-taking app for iOS.\r\nThe hackers control the backdoor through commands published in a post on Facebook. They used the same method to\r\nprovide the token necessary to connect to the Dropbox account. 
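The dead-drop pattern described above (instructions and the Dropbox token fetched from Facebook or Simplenote posts, payloads and stolen data moved through the Dropbox API) is hard to block at the network edge, because the services themselves are legitimate, but it is visible in endpoint telemetry: a browser or the official sync client is expected to talk to these services, while a Python interpreter or an unknown binary is not. The following Python script is an added example written for this page, not code from BleepingComputer, Cybereason or the Molerats toolset. It runs over constructed, fictitious process-to-host telemetry; the log format, host names, process allow-list and paths are assumptions made for the example and are not indicators from the report.

```python
# Added example for this page; not code from BleepingComputer, Cybereason or
# the Molerats toolset. Hunts endpoint telemetry for the DropBook pattern:
# an unexpected process reading instructions from Facebook or Simplenote and
# then talking to the Dropbox API. Hosts, process names and the log format
# below are assumptions for the example, not indicators from the report.
from collections import defaultdict

# Parent domains of the legitimate services the article says DropBook abuses.
# Subdomains such as graph.facebook.com or content.dropboxapi.com match too.
DEAD_DROP_DOMAINS = {
    'facebook.com': 'facebook',
    'simplenote.com': 'simplenote',
    'dropbox.com': 'dropbox',
    'dropboxapi.com': 'dropbox',
}

# Services that deliver commands (and the Dropbox token) versus the one that
# carries payloads and exfiltrated data, per the article.
COMMAND_SERVICES = {'facebook', 'simplenote'}
PAYLOAD_SERVICE = 'dropbox'

# Processes that legitimately talk to these services on a workstation
# (assumed allow-list). A Python interpreter is exactly how a Python backdoor
# such as DropBook would appear, so it is deliberately absent.
EXPECTED_CLIENTS = {'chrome.exe', 'msedge.exe', 'firefox.exe', 'dropbox.exe'}


def service_for(host):
    '''Return the dead-drop service label for a hostname, or None.'''
    host = host.lower().rstrip('.')
    for domain, label in DEAD_DROP_DOMAINS.items():
        if host == domain or host.endswith('.' + domain):
            return label
    return None


def parse_event(line):
    '''Parse one constructed telemetry line: timestamp|endpoint|process|dest_host|path.'''
    ts, endpoint, process, dest, path = line.strip().split('|', 4)
    return {'ts': ts, 'endpoint': endpoint, 'process': process.lower(),
            'dest': dest, 'path': path}


def hunt(lines):
    '''Return one alert per (endpoint, process) pair in which a process outside
    the allow-list contacted a dead-drop service. Severity is high when the
    same process touched both a command source and Dropbox, mirroring the
    token-from-Facebook, payload-from-Dropbox chain described above.'''
    touched = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        svc = service_for(ev['dest'])
        if svc is None or ev['process'] in EXPECTED_CLIENTS:
            continue
        touched[(ev['endpoint'], ev['process'])].add(svc)

    alerts = []
    for (endpoint, process), services in sorted(touched.items()):
        chained = bool(services & COMMAND_SERVICES) and PAYLOAD_SERVICE in services
        alerts.append({
            'endpoint': endpoint,
            'process': process,
            'services': sorted(services),
            'severity': 'high' if chained else 'medium',
        })
    return alerts


# Constructed sample telemetry (fictitious endpoints, processes and paths).
SAMPLE_LOG = '''
2020-12-01T09:00:01|WS-01|chrome.exe|www.facebook.com|/
2020-12-01T09:00:05|WS-01|dropbox.exe|api.dropboxapi.com|/2/files/list_folder
2020-12-01T09:02:10|WS-07|pythonw.exe|www.facebook.com|/posts/
2020-12-01T09:02:12|WS-07|pythonw.exe|app.simplenote.com|/notes/
2020-12-01T09:02:30|WS-07|pythonw.exe|content.dropboxapi.com|/2/files/download
2020-12-01T09:05:00|WS-09|update.exe|www.facebook.com|/posts/
'''

if __name__ == '__main__':
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run it directly to print the alerts; adapt parse_event to the field order of your EDR or proxy export. The severity step mirrors the chain the article describes: a process that reads a command source and then reaches Dropbox is rated higher than one that only touches a command source, and processes on the allow-list are ignored so that normal browsing and the official Dropbox client do not generate noise.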
Simplenote acts as a backup in case the malware cannot retrieve the token from Facebook.\r\nWith commands coming from multiple accounts on legitimate services, taking down the malware’s communication with the attacker becomes a far harder task: removing one account leaves the fallback channel intact.\r\nDropBook’s capabilities include checking installed programs and file names for reconnaissance, executing shell commands received from Facebook or Simplenote, and fetching additional payloads from Dropbox and running them.\r\nThe researchers believe that DropBook is the work of the same developer who made JhoneRAT, a remote access tool written in Python that uses legitimate services (Google Drive, Twitter, ImgBB, and Google Forms) for command and control, to store malicious documents, and to exfiltrate data.\r\nSharpStage and MoleNet\r\nUnlike DropBook, the SharpStage backdoor is written in .NET and depends on a traditional command-and-control (C2) server. Cybereason discovered three variants of this malware, with compilation timestamps between October 4 and November 29, and all appear to be under constant development.\r\nAll variants share similar functionality, including taking screenshots, executing arbitrary commands (via PowerShell, the command line, or WMI), and decompressing data received from the C2 (payloads, a persistence module). SharpStage also includes a Dropbox API client for downloading files and exfiltrating data.\r\nBoth backdoors target Arabic-speaking users: they contain code that checks whether the compromised machine has the Arabic language installed. This way, the attacker avoids systems belonging to irrelevant individuals as well as most sandboxes, Cybereason researchers note.\r\nMoleNet, the third piece of malware that Cybereason discovered, can run WMI commands to profile the operating system, check for debuggers, restart the machine from the command line, upload details about the OS, fetch new payloads, and establish persistence.\r\nAlthough the researchers found it only recently, MoleNet has been under development since at least 2019 and relies on infrastructure in use since at least 2017; even so, it went unnoticed.\r\nEven while saving resources by running its operations on free services, Molerats has shown that it can build new malware for stealthy operations.\r\nCybereason provides comprehensive details about the new tools leveraged by Molerats in recent campaigns, covering the attack chain, infrastructure, and connections with other malware the threat group used in the past.\r\nSource: https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/"
	],
	"report_names": [
		"hacking-group-s-new-malware-abuses-google-and-facebook-services"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8db43ba7cce0b280bf6a81da28e0dc819bb92001.pdf",
		"text": "https://archive.orkl.eu/8db43ba7cce0b280bf6a81da28e0dc819bb92001.txt",
		"img": "https://archive.orkl.eu/8db43ba7cce0b280bf6a81da28e0dc819bb92001.jpg"
	}
}