{
	"id": "9e225db2-b276-472d-b3ca-e8ecb425d220",
	"created_at": "2026-04-06T00:06:11.987109Z",
	"updated_at": "2026-04-10T03:35:21.448835Z",
	"deleted_at": null,
	"sha1_hash": "96b8d77d433e35c974d6c5a71f183e8ea212f03a",
	"title": "2023 Recap - Cyber Activity in the Gaza Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2968212,
	"plain_text": "2023 Recap - Cyber Activity in the Gaza Conflict\r\nBy The Hivemind\r\nArchived: 2026-04-02 12:16:20 UTC\r\nExecutive Summary\r\nWhile tension in the Gaza region has existed for years, the all-out war that ignited\r\nin October 2023 brought with it a variety of cyber activity targeting both sides of\r\nthe conflict. In this report, PolySwarm provides the highlights of cyber activity\r\nassociated with the Gaza conflict in 2023.\r\nKey Takeaways\r\nThe Gaza conflict has created a large-scale cyber battleground. \r\nThe majority of the cyber activity observed surrounding the Gaza conflict appears to be perpetrated by\r\nhacktivists rather than nation-state threat actors.\r\nThere are an estimated 48 anti-Israel and 10 pro-Israel hacktivist groups involved in related cyber activity. \r\nSamples of the Rust variant of SysJoker, a backdoor used by a Hamas-linked threat actor, are featured in\r\nthe IOCs section.  \r\nBackground\r\nhttps://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict\r\nPage 1 of 5\n\nWhile tension in the Gaza region has existed for years, the all-out war that ignited in October 2023 brought with it\r\na variety of cyber activity. It is interesting to note that the majority of the cyber activity observed surrounding the\r\nGaza conflict appears to be perpetrated by hacktivists rather than nation-state threat actors. 
There are an estimated\r\n48 anti-Israel and 10 pro-Israel hacktivist groups involved in some sort of cyber activity or influence operations\r\nactivity surrounding the conflict.\r\nGeneral hacktivist shenanigans have included DDoS attacks, website defacements, both real and unsubstantiated\r\nclaims of breaches and leaks, targeting of individuals on social media and communications apps, and doxxing.\r\nIn addition to cyberattacks, a myriad of threat actors on both sides of the conflict have allegedly been using social\r\nmedia and communications apps to spread disinformation, including false reports of cyber attacks and false\r\nreports of real-world events.\r\nIn this report, PolySwarm provides the highlights of cyber activity associated with the Gaza conflict in 2023. The\r\nnumerous cyberattacks affecting the region prior to October 2023, thereby pre-dating the kinetic conflict, are not\r\nincluded in this report.\r\nHighlights\r\nBiBi-Linux\r\nIn October, a pro-Hamas hacktivist group was observed using BiBi-Linux to target entities in Israel.  The attacks\r\nwere targeted, with sabotage and data destruction as the motive. BiBi-Linux is an x64 ELF executable. While the\r\nmalware fakes file encryption, reminiscent of ransomware, it does not otherwise attempt to disguise its true\r\npurpose. It does not drop a ransom note, exfiltrate files, or use reversible encryption algorithms. It also does not\r\nestablish communication with a remote C2, indicating no data was exfiltrated. Espionage does not seem to be part\r\nof the threat actor’s intent. BiBi-Linux allows threat actors to target specific folders and can wipe an operating\r\nsystem if run with root permissions. It corrupts files by overwriting them with useless data, damaging both the\r\ndata and the operating system. BiBi-Linux uses multiple threads and a queue system, increasing speed.\r\nBiBi-Windows\r\nA Windows variant of the BiBi wiper was also discovered. 
It is thought to be created by the same group\r\nresponsible for the BiBi-Linux wiper. If compile dates were not timestomped, BiBi-Windows was compiled in\r\nOctober. It is capable of corrupting all files except those with .exe, .dll, and .sys extensions. It also deletes system\r\nshadow copies to prevent file recovery. BiBi-Windows runs 12 threads with eight processor cores for a fast and\r\neffective means of destruction.\r\nESET dubbed the responsible threat actor group BiBiGun, although few industry researchers have attempted to\r\nlink the activity to a particular known threat actor. Security Joe identified TTP overlaps with Moses Staff but did\r\nnot definitively attribute the activity to the group. Moses Staff is thought to be of Iran nexus.\r\nCyberToufan\r\nCyberToufan, an anti-Israel hacktivist group, hacked an Israeli storage company known as Signature-it, which\r\ncontains state archives and data from around 40 other Israeli websites. The group leaked databases stolen from the\r\nNature and Parks Authority and the Academic College of Tel Aviv and threatened to leak the data of an Israeli\r\nmedical device company. The group stated political ideology as the motivation for the attacks.\r\nAnonGhost\r\nPro-Palestine hacktivist group AnonGhost was observed using a malicious clone of the RedAlert Android app to\r\ntarget users in Israel. The genuine RedAlert app allows users to receive alerts about incoming airstrikes,\r\npotentially saving lives. At the time of the original reporting, over 5000 rockets had been launched into Israel\r\nsince October 7th, and the app was widely used. AnonGhost reportedly used the malicious clone of RedAlert to\r\ncollect sensitive user data from victim devices.\r\nAnonymous Sudan\r\nAnonymous Sudan claimed a DDoS attack against the genuine version of the above-mentioned RedAlert app in\r\nOctober. 
They also reportedly took down the Jerusalem Post website for a brief period of time. More recently, the\r\ngroup has been targeting organizations in Kenya due to the Kenyan government’s support for Israel.\r\nMoroccan Black Cyber Army\r\nMoroccan Black Cyber Army claimed an attack on an Israeli gaming site and purportedly stole sensitive Israeli\r\ndocuments.\r\nMuslim Cyber Army\r\nMuslim Cyber Army, a pro-Palestine hacktivist group, claimed to breach the personal data of Israeli citizens.\r\nAslanNeferler Tim\r\nAslanNeferler Tim, a Turkish hacktivist group, claimed to hack an Israeli weapons manufacturer and the Israeli\r\nAir Force.\r\nGhosts of Palestine\r\nGhosts of Palestine claimed to have hacked an Israeli government site and the Israeli Ministry of Education.\r\nMalek Team\r\nMalek Team, an Iran-linked hacktivist group, claimed to have hacked Israel's Ziv Medical Center and leaked what\r\nreportedly included the medical records of IDF soldiers.\r\nCyberAv3ngers\r\nCyberAv3ngers, another Iran-linked hacktivist group, has made claims of engaging in cyber activity throughout\r\nthe Gaza conflict. One of their most recent claims is that they are actively targeting US facilities that are utilizing\r\nIsraeli-made computer systems. The affected devices are Unitronics Vision Series programmable logic controllers,\r\nwhich are often used by water and wastewater systems as well as by entities in the energy, food and beverage, and\r\nhealthcare verticals. CISA has confirmed that several entities have been breached.\r\nWildCard\r\nA Hamas-linked threat actor group has been observed using a Rust-based variant of SysJoker to target Israeli\r\nentities. SysJoker is a backdoor that was originally written in C++. It is capable of infecting Windows, MacOS,\r\nand Linux systems. The newer variant uses OneDrive for dynamic C2. 
Industry researchers have attributed the\r\nactivity to a group dubbed WildCard.  \r\nOther Activity\r\nThe websites of two relief groups providing aid to the region were victims of DDoS attacks by unnamed\r\nthreat actors. The affected entities included United Hatzalah and Medical Aid for Palestinians. An unknown\r\nthreat actor or scammer also created a website impersonating United Hatzalah in an attempt to obtain\r\ndonations under false pretenses. \r\nOver 100 Israeli websites have been the victim of a DDoS attack or defacement since the conflict began. \r\nMultiple Israeli government and financial entities were reportedly targeted by DDoS attacks or attempted\r\nintrusions in October. \r\nTwo smart billboards in Israel were reportedly hacked to display pro-Hamas messages. The threat actors\r\nresponsible for the hack were not named. \r\nOno Academic College near Tel Aviv was targeted by a hacktivist group claiming to be from Jordan.\r\nEmployee and student records were reportedly stolen. \r\nAn official associated with the Israel National Cyber Directorate stated hackers affiliated with Hezbollah\r\nhad hacked private security cameras in Israel in an attempt to track Israeli troop movements. The official\r\nalso noted that Iranian hackers may play a role in attacks on Israeli assets. \r\nUnknown threat actors reportedly targeted Mekorot, Israel’s national water company. \r\nVarious hacktivist groups have either made threats toward Israel and its allies or have made unsubstantiated\r\nclaims of hacking Israeli entities. 
These groups include but are not limited to Solomon’s Ring, KillNet\r\nPalestine, Team Insane Pakistan, Electronic Quds Force, SS Cyber Team, 1915 Team, Haghjhoyan,\r\nElectronic Tigers Unit, Soldiers of Solomon, DragonForce Malaysia, X7root, Cyb3r Drag0nz Team, Irox\r\nTeam, and Dark Storm Team.\r\nAnalyst Commentary\r\nIt is interesting to note that activity definitively attributed to Arid Viper, a Hamas-linked threat actor group with a\r\nlong history of targeting Israeli military personnel, has not been observed in relation to the Gaza conflict. While\r\nthe group has been actively engaged in other campaigns throughout 2023, none have been officially linked to the\r\ncurrent conflict.\r\nOur analysts assess with a low degree of confidence that Arid Viper likely conducted espionage activities in\r\nsupport of Hamas prior to the beginning of the kinetic conflict, which was said to be calculated. It is likely that\r\nArid Viper is choosing to either lie low during the brunt of the conflict or to continue more stealthy operations,\r\nstrategically using the noise generated by ongoing hacktivist activity as a distraction to help them remain\r\ninconspicuous.\r\nSysJoker (Rust Variant) IOCs\r\nSysJoker’s Rust variant is one of the most recently reported malware families used in the Gaza conflict. 
As such,\r\nwe have chosen to feature SysJoker samples in this report.\r\nhttps://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict\r\nPage 4 of 5\n\nPolySwarm has multiple samples of SysJoker\r\n0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba\r\n67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706\r\n6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95\r\n96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f\r\nD4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72\r\nE076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836\r\nYou can use the following CLI command to search for all SysJoker samples in our portal:\r\n$ polyswarm link list -f SysJoker\r\nDon’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.\r\nContact us at\r\n hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.\r\nSource: https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict\r\nhttps://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict"
	],
	"report_names": [
		"2023-recap-cyber-activity-in-the-gaza-conflict"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1da809aa-9ae8-4641-807c-032ac827711d",
			"created_at": "2023-12-21T02:00:06.081556Z",
			"updated_at": "2026-04-10T02:00:03.499192Z",
			"deleted_at": null,
			"main_name": "BiBiGun",
			"aliases": [],
			"source_name": "MISPGALAXY:BiBiGun",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96b8d77d433e35c974d6c5a71f183e8ea212f03a.pdf",
		"text": "https://archive.orkl.eu/96b8d77d433e35c974d6c5a71f183e8ea212f03a.txt",
		"img": "https://archive.orkl.eu/96b8d77d433e35c974d6c5a71f183e8ea212f03a.jpg"
	}
}