{ "id": "3858c230-63d2-4b30-8a94-8fd3f2f4507a", "created_at": "2026-04-06T00:09:33.460358Z", "updated_at": "2026-04-10T03:38:03.455415Z", "deleted_at": null, "sha1_hash": "a97a984900cb2cfaea2cf7b0f7fc0faa0316cfc6", "title": "Operation Parliament - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55987, "plain_text": "Operation Parliament - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 17:35:09 UTC\r\nHome \u003e List all groups \u003e Operation Parliament\r\n APT group: Operation Parliament\r\nNames Operation Parliament (Kaspersky)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2017\r\nDescription\r\n(Kaspersky) Based on our findings, we believe the attackers represent a previously unknown\r\ngeopolitically motivated threat actor. The campaign started in 2017, with the attackers doing\r\njust enough to achieve their goals. They most likely have access to additional tools when\r\nneeded and appear to have access to an elaborate database of contacts in sensitive\r\norganizations and personnel worldwide, especially of vulnerable and non-trained staff. The\r\nvictim systems range from personal desktop or laptop systems to large servers with domain\r\ncontroller roles or similar. The nature of the targeted ministries varied, including those\r\nresponsible for telecommunications, health, energy, justice, finance and so on.\r\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East\r\nregion. The attackers have taken great care to stay under the radar, imitating another attack\r\ngroup in the region. They have been particularly careful to verify victim devices before\r\nproceeding with the infection, safeguarding their command and control servers. The targeting\r\nseems to have slowed down since the beginning of 2018, probably winding down when the\r\ndesired data or access was obtained. The targeting of specific victims is unlike previously seen\r\nbehavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an\r\nelaborate information-gathering exercise that was carried out before the attacks (physical\r\nand/or digital).\r\nWith deception and false flags increasingly being employed by threat actors, attribution is a\r\nhard and complicated task that requires solid evidence, especially in complex regions such as\r\nthe Middle East.\r\nAn overlap has been found between Operation Parliament and Molerats, Extreme Jackal, Gaza\r\nCybergang.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8fc014f7-042d-4cfe-a5e2-0822b17a7e7b\r\nPage 1 of 2\n\nObserved\nSectors: Defense, Education, Energy, Financial, Government, Healthcare, Media, Research,\nShipping and Logistics, Telecommunications and Sports.\nCountries: Afghanistan, Canada, Chile, Denmark, Djibouti, Egypt, Germany, India, Iran, Iraq,\nIsrael, Jordan, Kuwait, Lebanon, Morocco, Oman, Palestine, Qatar, Russia, Saudi Arabia,\nSerbia, Somalia, South Korea, Syria, UAE, UK, USA.\nTools used Remote CMD/PowerShell terminal.\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8fc014f7-042d-4cfe-a5e2-0822b17a7e7b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8fc014f7-042d-4cfe-a5e2-0822b17a7e7b\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8fc014f7-042d-4cfe-a5e2-0822b17a7e7b" ], "report_names": [ "showcard.cgi?u=8fc014f7-042d-4cfe-a5e2-0822b17a7e7b" ], "threat_actors": [ { "id": "acae6371-5530-498a-8b99-c2f55652ffd5", "created_at": "2022-10-25T16:07:23.980316Z", "updated_at": "2026-04-10T02:00:04.818728Z", "deleted_at": null, "main_name": "Operation Parliament", "aliases": [], "source_name": "ETDA:Operation Parliament", "tools": [ "Remote CMD/PowerShell terminal" ], "source_id": "ETDA", "reports": null }, { "id": "3bda9919-b9cd-451c-89e6-c7674f8c6257", "created_at": "2023-01-06T13:46:38.782181Z", "updated_at": "2026-04-10T02:00:03.097957Z", "deleted_at": null, "main_name": "Operation Parliament", "aliases": [], "source_name": "MISPGALAXY:Operation Parliament", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434173, "ts_updated_at": 1775792283, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a97a984900cb2cfaea2cf7b0f7fc0faa0316cfc6.pdf", "text": "https://archive.orkl.eu/a97a984900cb2cfaea2cf7b0f7fc0faa0316cfc6.txt", "img": "https://archive.orkl.eu/a97a984900cb2cfaea2cf7b0f7fc0faa0316cfc6.jpg" } }