{
	"id": "2c459a63-55b5-46da-85d5-981df304c3f2",
	"created_at": "2026-04-06T00:17:14.310109Z",
	"updated_at": "2026-04-10T03:38:03.263949Z",
	"deleted_at": null,
	"sha1_hash": "9051204c61a640cd5d23908716a93edc88d2b9ec",
	"title": "Hackers Hide Malware C2 Communication By Faking News Site Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1592107,
	"plain_text": "Hackers Hide Malware C2 Communication By Faking News Site Traffic\r\nBy Ionut Ilascu\r\nPublished: 2020-03-18 · Archived: 2026-04-05 23:20:36 UTC\r\nA cyber-espionage group active since at least 2012 used a legitimate tool to shield its backdoor from analysis and avoid detection. In the same effort, the hackers also used a fake host header named after a well-known news site.\r\nThe backdoor is referred to by the names Spark and EnigmaSpark and was deployed in a recent phishing campaign that appears to have been the work of the MoleRATs group, the low-budget division of the Gaza Cybergang. This is the actor responsible for operation SneakyPastes, detailed by Kaspersky, which relied on malware hosted on free sharing services like GitHub and Pastebin.\r\nThere are strong indications that the group has used this backdoor since March 2017, deploying dozens of variants that contacted at least 15 command and control domains.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-hide-malware-c2-communication-by-faking-news-site-traffic/\r\nPage 1 of 4\r\nResearchers from multiple cyber security companies tracked the campaigns from this threat actor and analyzed the malware, tactics, and infrastructure used in the attacks.\r\nEvasion tactics\r\nThe threat actor tried to hide signs of compromise using the Enigma Protector software - a legitimate tool for “protecting executable files from illegal copying, hacking, modification, and analysis.”\r\nBased on the targets observed and the theme of the documents used as lures, this looks like a politically motivated attack aimed at Arabic speakers interested in Palestine’s potential acceptance of the peace plan.\r\n“Adversaries using EnigmaSpark likely relied on recipients’ significant interest in regional events or anticipated fear prompted by the spoofed content, illustrating how adversaries may exploit ongoing geopolitical events to enable malicious cyber activity” - IBM X-Force Incident Response and Intelligence Services (IRIS)\r\nThe infection chain leading to the installation of the EnigmaSpark backdoor started with the delivery of a malicious Microsoft Word document. The file is written in Arabic and prompts the recipient to enable editing to view the content.\r\nThe researchers found that the document fetches from a Google Drive link a malicious Word template embedded with a macro that delivers the final payload, ‘runawy.exe.’\r\nTo protect the operation, the hackers added some defenses, such as protecting the macro with a password and applying a base64 encoding scheme to the backdoor, which was also stored on Google Drive.\r\nAdditionally, the malware binary was packed with Enigma Protector, which adds some resistance to hacking and cracking attempts.\r\nAnother precaution from the hackers is the use of a fake host header in the HTTP POST request that delivers victim system info to the command and control (C2) server, which was ‘nysura[.]com.’ However, the header shows ‘cnet[.]com’ as the destination.\r\nCommon denominator\r\nAn X-Force (IRIS) investigation revealed that the attacker used this technique with other binaries. After unpacking ‘runawy.exe,’ they noticed that the resulting file was the same as ‘blaster.exe,’ a binary delivered by an executable packed with Themida, another legitimate tool that adds protection against inspecting or modifying a compiled application.\r\nMultiple files were discovered because they had in common the unique string “S4.4P” and the cryptographic certificate signer “tg1678A4”: Wordeditor.exe, Blaster.exe (the unpacked version of runawy.exe and soundcloud.exe), HelpPane.exe, and taskmanager.exe.\r\nIn the case of Blaster, the same trick with the fake host header was used as in the case of ‘runawy,’ but the real destination server was different (‘webtutorialz[.]com’).\r\nPrevious research\r\nThe ‘runawy.exe’ binary file, its C2 server, and the unique string have been previously documented by researchers at other cyber security companies.\r\nCybereason’s Nocturnus team on February 12 published a technical analysis of the Spark backdoor, detailing the capabilities of the malware:\r\nCollect information about the victim host\r\nEncrypt collected data and send it to the attackers over the HTTP protocol\r\nDownload other payloads\r\nLog keystrokes\r\nRecord audio using the system’s built-in microphone\r\nExecute commands on the infected machine\r\nAt the beginning of the month, Palo Alto Networks detailed the same Enigma-packed runawy payload, which was delivered with the help of a Word document on October 31 and November 2, 2019.\r\nThe Spark backdoor was initially documented by researchers at the Beijing-based cyber security company Qi An Xin, with an English version of the research published on February 14, 2019.\r\nResearchers from all these companies attribute the Spark backdoor to the MoleRATs group, known for using malware available on hacker forums. However, the group also develops custom tools, such as Spark.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-hide-malware-c2-communication-by-faking-news-site-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-hide-malware-c2-communication-by-faking-news-site-traffic/"
	],
	"report_names": [
		"hackers-hide-malware-c2-communication-by-faking-news-site-traffic"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal",
				"Gaza Cybergang",
				"Molerats",
				"Operation DustySky",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9051204c61a640cd5d23908716a93edc88d2b9ec.pdf",
		"text": "https://archive.orkl.eu/9051204c61a640cd5d23908716a93edc88d2b9ec.txt",
		"img": "https://archive.orkl.eu/9051204c61a640cd5d23908716a93edc88d2b9ec.jpg"
	}
}