{
	"id": "845c9c43-48b3-4ae8-b24f-40d4e8497061",
	"created_at": "2026-04-06T00:21:17.434693Z",
	"updated_at": "2026-04-10T03:38:03.403294Z",
	"deleted_at": null,
	"sha1_hash": "adca4d7ca7cb7877452b0d645908e5321bc2ba23",
	"title": "The Big Bang - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44826,
	"plain_text": "The Big Bang - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:36:44 UTC\n APT group: The Big Bang\nNames The Big Bang (Check Point)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2017\nDescription\n(Talos) Talos continuously monitors malicious email campaigns. We identified one specific\nspear phishing campaign launched against targets within Palestine, and specifically against\nPalestinian law enforcement agencies. This campaign started in April 2017, using a spear\nphishing campaign to deliver the MICROPSIA payload in order to remotely control infected\nsystems. Although this technique is not new, it remains an effective technique for attackers.\nThe malware itself was developed in Delphi; in this article, we describe the features and the\nnetwork communication to the command and control server used by the attackers. The threat\nactor has chosen to reference TV show characters and include German language words within\nthe attack. Most significantly, the attacker appears to have used genuine documents stolen\nfrom Palestinian sources as well as a controversial music video as part of the attack.\n(Check Point) While the APT has gone through significant upgrades over the past year, the\nconductors of these campaigns maintained evident fingerprints, both in the delivery methods\nand malware development conventions. 
These unique traces assisted us in correlating the\ncurrent wave to past attacks, and may also have some resemblance to attacks related to the\nMolerats, Extreme Jackal, Gaza Cybergang APT group.\nObserved\nSectors: Law enforcement and others.\nCountries: Palestine and Middle East.\nTools used Micropsia.\nInformation\nLast change to this card: 15 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=28f87cac-ce5e-4c5a-be4c-e0db7a70faef\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=28f87cac-ce5e-4c5a-be4c-e0db7a70faef\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=28f87cac-ce5e-4c5a-be4c-e0db7a70faef\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=28f87cac-ce5e-4c5a-be4c-e0db7a70faef"
	],
	"report_names": [
		"showcard.cgi?u=28f87cac-ce5e-4c5a-be4c-e0db7a70faef"
	],
	"threat_actors": [
		{
			"id": "9198aefa-3da6-4605-bb52-923df20a7fce",
			"created_at": "2023-01-06T13:46:38.766848Z",
			"updated_at": "2026-04-10T02:00:03.093153Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "MISPGALAXY:The Big Bang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7d9b02d-d294-422b-adf7-4b3adfac9d9a",
			"created_at": "2022-10-25T16:07:23.392241Z",
			"updated_at": "2026-04-10T02:00:04.577887Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "ETDA:The Big Bang",
			"tools": [
				"Micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adca4d7ca7cb7877452b0d645908e5321bc2ba23.pdf",
		"text": "https://archive.orkl.eu/adca4d7ca7cb7877452b0d645908e5321bc2ba23.txt",
		"img": "https://archive.orkl.eu/adca4d7ca7cb7877452b0d645908e5321bc2ba23.jpg"
	}
}