{ "id": "e4ca9fd6-21f4-4788-8f14-5e2425770fab", "created_at": "2026-04-06T00:17:16.290258Z", "updated_at": "2026-04-10T03:38:03.380455Z", "deleted_at": null, "sha1_hash": "a67fda1804e2f2257028bc2c9a1dcbd712e26c60", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47286, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:36:09 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool LastConn\r\n Tool: LastConn\r\nNames LastConn\r\nCategory Malware\r\nType Backdoor, Info stealer, Downloader\r\nDescription\r\n(Proofpoint) Based on Proofpoint visibility, the campaigns occurred on a weekly basis\r\nthroughout early 2021 before abruptly stopping in March for a two-month hiatus. TA402,\r\nalso known as Molerats and GazaHackerTeam, resumed email threat campaigns in early\r\nJune 2021 with continued use of malware Proofpoint dubbed LastConn. Researchers\r\nassess with high confidence LastConn is an updated version of SharpStage malware first\r\nreported by Cybereason in December 2020.\r\nLastConn malware is specifically targeted at computers with an Arabic language pack\r\ninstalled to ensure it only infects specific targets. It uses Dropbox for all command and\r\ncontrol (C2) capabilities and infrastructure. Proofpoint researchers assess LastConn is\r\nvery actively developed and maintained malware. It features multiple capabilities that\r\nattempt to prevent both automated and manual malware analysis.\r\nInformation\r\n\u003chttps://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/global/pulses?q=tag:LastConn\u003e\r\nLast change to this tool card: 10 August 2021\r\nDownload this tool card in JSON format\r\nAll groups using tool LastConn\r\nChanged Name Country Observed\r\nAPT groups\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8b102e75-19fe-4e04-98f7-4260ce4b4b4e\r\nPage 1 of 2\n\nMolerats, Extreme Jackal, Gaza Cybergang [Gaza] 2012-Jul 2023  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8b102e75-19fe-4e04-98f7-4260ce4b4b4e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8b102e75-19fe-4e04-98f7-4260ce4b4b4e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8b102e75-19fe-4e04-98f7-4260ce4b4b4e" ], "report_names": [ "listgroups.cgi?u=8b102e75-19fe-4e04-98f7-4260ce4b4b4e" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0ad97d64-7970-48ca-83f6-3635c66e315c", "created_at": "2023-11-21T02:00:07.400003Z", "updated_at": "2026-04-10T02:00:03.479189Z", "deleted_at": null, "main_name": "TA402", "aliases": [], "source_name": "MISPGALAXY:TA402", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434636, "ts_updated_at": 1775792283, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a67fda1804e2f2257028bc2c9a1dcbd712e26c60.pdf", "text": "https://archive.orkl.eu/a67fda1804e2f2257028bc2c9a1dcbd712e26c60.txt", "img": "https://archive.orkl.eu/a67fda1804e2f2257028bc2c9a1dcbd712e26c60.jpg" } }