{
	"id": "d619ea1c-c6d0-4f15-81b7-8bcfb3246798",
	"created_at": "2026-04-12T02:21:22.317568Z",
	"updated_at": "2026-04-12T02:22:41.460644Z",
	"deleted_at": null,
	"sha1_hash": "a6f2de3335c347ad8946641c360ef9d88408023f",
	"title": "Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131875,
	"plain_text": "Hamas-affiliated Threat Actor WIRTE Continues its Middle East\r\nOperations and Moves to Disruptive Activity\r\nBy samanthar@checkpoint.com\r\nPublished: 2024-11-12 · Archived: 2026-04-12 02:06:01 UTC\r\nKey findings:\r\nCheck Point Research has been tracking ongoing activity of WIRTE threat actor, previously associated\r\nwith the Hamas-affiliated group Gaza Cybergang, despite the ongoing war in the region.\r\nThe conflict has not disrupted the WIRTE’s activity, and they continue to leverage recent events in the\r\nregion in their espionage operations, likely targeting entities in the Palestinian Authority, Jordan, Iraq,\r\nEgypt, and Saudi Arabia.\r\nOur research indicates that WIRTE group has expanded beyond espionage to conduct disruptive attacks.\r\nWe have identified clear links between the custom malware used by the group and SameCoin, a wiper\r\nmalware targeting Israeli entities in two waves in February and October 2024.\r\nWhile WIRTE’s tools have evolved since the group emerged, key aspects of their operations remain\r\nconsistent: domain naming conventions, communication via HTML tags, responses limited to specific user\r\nagents, and redirection to legitimate websites.\r\nIntroduction\r\nWIRTE is a Middle Eastern Advanced Persistent Threat (APT) group active since at least 2018. The group is\r\nprimarily known for engaging in politically motivated cyber-espionage, focusing on intelligence gathering likely\r\nlinked to regional geopolitical conflicts. WIRTE is believed to be a subgroup connected to Gaza Cybergang, a\r\ncluster affiliated with Hamas.\r\nSince late 2023, Check Point Research has been monitoring a campaign conducted by the WIRTE group that\r\ntargets entities in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, and Saudi Arabia. 
This\r\ncampaign utilizes custom loaders like IronWind, first disclosed in November 2023 as part of a TA402 operation.\r\nIn addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel.\r\nUnique code overlaps reveal ties between the group’s custom malware and SameCoin, a custom wiper deployed\r\nin two waves in February and October 2024.\r\nUnlike other Hamas-associated threats, such as SysJoker, this cluster’s activity has persisted throughout the war\r\nin Gaza. On one hand, the group’s ongoing activity strengthens its affiliation with Hamas; on the other hand, it\r\ncomplicates the geographical attribution of this activity specifically to Gaza.\r\nIn this publication, Check Point Research reveals the activities of WIRTE in 2024, provides a technical analysis of\r\nits campaigns, and connects the group’s activities to previous activity of the group.\r\nhttps://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/\r\nPage 1 of 17\n\nWIRTE – Espionage Campaigns\r\nAs tensions continue in the Middle East, multiple threat actors have exploited the conflict to create deceptive lures\r\nin recent months. Among them, one prominent group is WIRTE, which is believed to have ties to Hamas. WIRTE\r\nremains highly active throughout the war, carrying out attacks across the region. The group’s activities were\r\nfirst documented in 2019 by Lab52, with further analysis released in 2021. In 2023, Proofpoint researchers\r\nidentified a campaign associated with a threat actor they refer to as TA402. The campaign utilized IronWind, a\r\nloader that enables communication with command and control (C2) servers and executes malicious code hidden\r\nwithin HTML elements. 
Since then, we have observed multiple campaigns leveraging IronWind.\r\nCheck Point Research’s analysis suggests that this tool is primarily deployed by the WIRTE group, which\r\nProofpoint identifies as a subgroup of TA402.\r\nSeptember 2024 campaign – Havoc delivery\r\nIn September, we identified a new infection chain that began with a PDF file showing an error and containing an\r\nembedded URL  https://theshortner[.]com/fxT1j , which mimics a URL shortener service.\r\nFigure 1 – Lure PDF (SHA-256:b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785).\r\nThis link redirected users to a RAR archive named  RAR 1178 - 2لبنان في الحرب تطورات - بريوت  (translated from\r\nArabic:  RAR 1178 - Beirut - Developments of the War in Lebanon 2 ). The archive contained three files\r\nintended to employ DLL-Sideloading:\r\nPinEnrollmentBroker.exe, a legitimate executable that has been renamed to match the name of the\r\narchive.\r\nA PDF lure.\r\npropsys.dll, which serves as the first stage of the infection process.\r\nFigure 2 – Havoc Infection Chain.\r\nFigure 3 – Contents of the malicious archive.\r\nUpon executing the legitimate executable file, the propsys.dll is side loaded. The execution is divided into two\r\nthreads:\r\n1. The first thread searches for a file named “Document,” appends a PDF extension to the found file, and then\r\nopens it using the command line. All strings in this process are XOR encrypted with the key  01-01-1900 .\r\n2. 
The second thread reads the long list of embedded IP addresses and decodes them by calling\r\nthe  RtlIpv4StringToAddressA  API, which converts an IP-formatted string to a byte array and\r\nconcatenates the decoded bytes to create the next-stage payload.\r\nFigure 4 – IP addresses that are converted into bytes of the payload.\r\nThe next-stage payload delivered by propsys.dll is Havoc Demon, the agent of an open-source framework\r\nconfigured to communicate with the domain  master-dental[.]com . Havoc is an open-source post-exploitation\r\nframework designed for advanced cyber operations. Havoc allows attackers to maintain persistent access to\r\ncompromised systems, facilitating various malicious activities such as data exfiltration, lateral movement, and\r\nremote control.\r\nEarlier 2024 activity – IronWind loader\r\nSince October 2023, multiple observed cases use the IronWind loader as the infection vector. The infection chain\r\nstarts with a RAR archive which includes three files: a legitimate executable setup_wm.exe renamed to  لقاء\r\nؤساء األركان لالتفاق على هيكل األمن اإلقليمي\r\nلر الوطنيون الممثلون.exe (National Representatives of Chiefs of Staff Meet\r\nto Agree on Regional Security Architecture), a lure PDF and version.dll, which serves as the first stage of the\r\ninfection process.\r\nFigure 5 – RAR archive.\r\nThe malware execution starts by saving the lure document as a PDF file and opening it via CMD (Command\r\nPrompt). 
It then sends an HTTP request containing the victim’s Office version, OS version, computer name,\r\nusername, and list of programs to  requestinspector.com  to inform the attackers about a new victim.\r\nFigure 6 – Translated lure, allegedly written by Egypt Representative in Ramallah about PA budget\r\nNext, the malware decrypts the next-stage payload, propsys.dll, using Base64 decoding and an XOR operation\r\nwith the key “53.” The primary function of this payload (internally named stagerx64) is to send HTTP requests\r\nwith a hardcoded user agent to the C2 and scan for the encrypted payload embedded within HTML tags.\r\nFigure 7 – Base64 encoded payload embedded between HTML tags.\r\nThe only final stage artifact we identified is donut shellcode loading a .NET DLL named exit-DN4-core.dll. The\r\nsole function of this DLL is to terminate the executing process, likely as a cleanup tactic pushed to infected\r\nmachines that the actors chose not to exploit.\r\nFigure 8 – exit-DN4-core.dll.\r\nSameCoin and WIRTE – Disruptive Operations\r\nIn October 2024, a malicious email campaign was sent from the legitimate email address of an\r\nIsraeli ESET reseller, targeting multiple Israeli organizations, including hospitals and municipalities. The email\r\ncontained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier\r\nthis year. 
In addition to minor changes in the malware, the newer version introduces a unique encryption function\r\nthat has only been seen in WIRTE malware.\r\nESET Reseller SameCoin Wiper\r\nThe email warns of an alleged attack and prompts recipients to click on the link which directs victims to a ZIP file\r\nnamed  ESETUnleashed_081024.zip , which contains 4 legitimate DLLs and a malicious file  Setup.exe .\r\nFigure 9 – Malicious email delivering the wiper\r\nWhen launched,  Setup.exe  tries to connect to the Israel Home Front Command site  oref.org.il . It then uses\r\nthe first bytes of the response as its XOR key. This website is accessible only from inside Israel; by using the\r\nresponse, the malware additionally verifies that the target is indeed Israeli.\r\nFigure 10 – Wiper Infection Chains.\r\nThe malware then drops and decrypts the next files to be executed:\r\nimage.jpg  – A wallpaper.\r\nFigure 11 – Translated wallpaper mentioning Al-Qassam Brigades, the military wing of Hamas.\r\nvideo.mp4  – Hamas propaganda video showing graphic attacks from October 7.\r\nMicrosoftEdge.exe  – A wiper component.\r\ncsrs.exe  – An Infector component implementing two functions:\r\nInfectOutlook: Sends  Setup.exe  as an attachment to other addresses in the same organization.\r\nInfectAD: Copies the wiper file to remote machines within the same Active Directory and\r\nschedules it for execution using a Scheduled Task.\r\nThe wiper begins by listing all system files outside specified protected directories (e.g., Program Files, Windows,\r\nand Users). 
If a file’s name doesn’t contain “desktop.ini” or “conf.conf,” it is overwritten with random bytes.\r\nThe complete analysis of the malware components was published by other researchers.\r\nCode overlaps with IronWind loader\r\nThe XOR function used in the above wiper component ( MicrosoftEdge.exe ) is unique. It can only be found in a\r\nnewer IronWind loader variant ( propsys.dll ). The IronWind variant uses the key  msasn1.dll , and the wiper\r\nuses the key  Saturday, October 07, 2023, 6:29:00 AM :\r\nFigure 12 – Comparison of the encryption function in the IronWind sample and MicrosoftEdge.exe wiper.\r\nThis function implementation suggests that the same actor developed both tools and that they were possibly compiled in the\r\nsame environment.\r\nINCD SameCoin Wiper\r\nThis ESET wiper is a newer version of a previously reported SameCoin wiper, which was deployed on February\r\n24 in a malicious campaign impersonating the Israeli National Cyber Directorate (INCD). SameCoin is a multi-platform wiper with Android and Windows versions, and in both cases, it impersonated an INCD security update.\r\nThe Windows variant starts by checking if the system language is configured to Hebrew, and if so, it drops four\r\nadditional files:\r\nVideo.mp4 – Pro-Hamas propaganda video.\r\nMicrosoft Connection Agent.jpg – Hamas wallpaper.\r\nMicrosoft System Manager.exe – A Wiper component.\r\nWindows Defender Agent.exe – A Tasks Spreader: A component that tries to copy the loader to other\r\nmachines in the network and executes tasks using remote schedule tasks.\r\nThe Android variant deployed as  INCD-SecurityUpdate-FEB24.apk  displays the same propaganda video as the\r\nWindows version. 
The wiper’s functionality lies within the native library  libexampleone.so . It starts by listing\r\nthe files to be deleted, filling them with zeros, and then deleting them from the file system.\r\nFigure 13 – Android Wiper main function.\r\nInfrastructure\r\nC2 Redirects\r\nEach malware sample we observed is configured with a unique user agent string. If this specific user agent is\r\ndetected, the C2 server responds, otherwise, the C2 redirects the request to a legitimate website. Among the\r\nredirection chains we identified are:\r\nsaudiday[.]org  —\u003e  saudi.org\r\njordansons[.]com  —-\u003e  jordantimes.com\r\negyptican[.]com  —\u003e  dailynewsegypt.com\r\ninclusive-economy[.]com  —\u003e  inclusiveeconomy.us\r\nhealthcarb[.]com  —\u003e  healthline.com\r\nPhishing activity\r\nSome domains observed in the infrastructure were set up with phishing pages designed to mimic the Docdroid\r\nfile-uploading service.\r\nFigure 14 -WIRTE phishing page\r\nThese legitimate-looking websites contain specific URLs designed for phishing. 
When a victim accesses certain\r\nURLs, they are directed to phishing content or legitimate documents, possibly depending on the victim’s IP\r\naddress.\r\nFigure 15 – https://suppertools[.]com/s/?uid=181b9056-7420-4cde-8523-5c609aface73\r\nFigure 16 – https://healthscratches[.]com/s/?uid=06d32218-178c-49d77-b3cf-59df77c93469.\r\nWIRTE Attribution\r\nWe assess that WIRTE is likely connected to Hamas, based on the messaging observed in disruptive attacks, its\r\nconsistent targeting of the Palestinian Authority (PA), and historical ties to groups associated with Hamas.\r\nThe most recent version of the SameCoin wiper alters the victim’s background to display an image bearing the\r\nname of Hamas’s military wing, the Al-Qassam Brigades. While this could be a potential false flag operation, we\r\nhave not observed similar mentions in wiper attacks linked to other actors, including prominent Iranian groups.\r\nThe group’s victims align strongly with Hamas’s interests, focusing on Palestinian issues and frequently targeting\r\nthe Palestinian Authority, Hamas’s rival in the Palestinian political sphere.\r\nHistorically, WIRTE has been associated with the Molerats and the Gaza Cyber Gang, both of which have\r\npreviously been connected to Hamas. This association was first identified by Kaspersky and further supported by\r\nreports from Proofpoint. 
In earlier WIRTE campaigns, the threat actor employed various tools, such as VBS and\r\nPowerShell scripts, while the signature techniques remained the same in the attacks discussed in this report:\r\nThe C2 server responds only to specific user agents unique to each sample; otherwise, it redirects to a\r\nlegitimate site.\r\nRetrieval of next-stage payloads embedded within HTML tags.\r\nUtilization of CloudFlare services.\r\nA consistent domain-naming theme focused on health, finance and countries in the region.\r\nVictimology\r\nThe threat actor focused on various entities across the Middle East, mainly targeting the Palestinian Authority and\r\nJordan, based on volumes of samples from those countries and the lures’ content. Additional activity indicators,\r\nincluding file submissions, lures, and domain references, also suggest likely targeting related to Iraq, Saudi\r\nArabia, and Egypt.\r\nSamples in this campaign were uploaded from several major cities in the Middle East, including Ramallah,\r\nBaghdad, and Amman, with the following names:\r\nOriginal Sample Name Sample Name Translation\r\nلقاء الممثلون الوطنيون لر ؤساء األركان\r\nلالتفاق على هيكل األمن اإلقليمي\r\nNational Representatives of Chiefs of Staff Meet to\r\nAgree on Regional Security Architecture\r\nتقرير عن الوضع المالي للسلطة الفلسطينية\r\nReport on the financial situation of the Palestinian\r\nAuthority\r\nسري – موافقة االردن عل اجراء حوار12 \r\nامين مع ايران\r\n12 Secret – Jordan agrees to hold security dialogue with\r\nIran\r\nبريوت – تطورات الحرب في – 1178\r\nلبنان2\r\n1178 – Beirut – Developments of the war in Lebanon 2\r\nAdditionally, the majority of the phishing URLs were initially submitted to VirusTotal from Jordan.\r\nFigure 17 – Phishing URLs submissions\r\nSome of the domains associated with this operation referenced specific countries, which likely hints at targeting of\r\nthose:\r\nsaudiarabianow[.]org\r\nsaudiday[.]org\r\njordanrefugees[.]com\r\nbankjordan[.]com\r\njordansons[.]com\r\negyptican[.]com\r\negyptskytours[.]com\r\negypttourism-online[.]com\r\nOn the disruptive side, the group solely focuses on Israel. The Wiper activity utilized propaganda content and\r\nthemes aimed explicitly at Israeli audiences, with phishing emails targeting Israeli recipients. Additionally, the\r\nWiper activates only if the target country is Israel or the system language is set to Hebrew.\r\nThe distinct techniques and payloads deployed against Israel differ from those employed in other Middle Eastern\r\ncountries, indicating a dual purpose: to cause disruption in Israel and to conduct espionage in other Middle\r\nEastern nations.\r\nConclusion\r\nWe revealed the activities and tools deployed by the longstanding WIRTE APT group over the past year. Despite\r\nongoing conflict in the Middle East, the group has persisted with multiple campaigns, showcasing a versatile\r\ntoolkit that includes Wipers, Backdoors, and Phishing pages used for both espionage and sabotage.\r\nOur investigation also highlights WIRTE’s continued reliance on tactics such as user agent filtering, payload\r\nbuilding with HTML tags, redirection to news sites, and a consistent infrastructure style.\r\nDespite previous analyses lacking definitive conclusions, our evaluation suggests that WIRTE is likely aligned\r\nwith Hamas. This assessment is drawn from a close examination of WIRTE’s operational history, which reveals\r\npatterns that resonate with Hamas’s activities. 
Additionally, WIRTE’s selection of targets, coupled with the nature\r\nof the content it distributes, further reinforces the connection between the conclusion.\r\nProtections:\r\nThreat Emulation:\r\nAPT.Wins.Wirte.ta.A/B/C/D/E/F\r\nHarmony End Point:\r\nransom.win.honey\r\ninfoastealer.win.blackguard.d\r\nSource: https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/"
	],
	"report_names": [
		"hamas-affiliated-threat-actor-expands-to-disruptive-activity"
	],
	"threat_actors": [],
	"ts_created_at": 1775960482,
	"ts_updated_at": 1775960561,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6f2de3335c347ad8946641c360ef9d88408023f.pdf",
		"text": "https://archive.orkl.eu/a6f2de3335c347ad8946641c360ef9d88408023f.txt",
		"img": "https://archive.orkl.eu/a6f2de3335c347ad8946641c360ef9d88408023f.jpg"
	}
}