{
	"id": "c10f6c35-d411-4d9f-a161-eb96b0402fa5",
	"created_at": "2026-04-06T00:08:53.875894Z",
	"updated_at": "2026-04-10T03:38:03.363819Z",
	"deleted_at": null,
	"sha1_hash": "d384aa7f642429a1dc4a773685aa291cb486104a",
	"title": "Gaza cybergang, where’s your IR team?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2660942,
	"plain_text": "Gaza cybergang, where’s your IR team?\r\nBy Mohamad Amin Hasbini\r\nPublished: 2015-09-28 · Archived: 2026-04-05 15:17:39 UTC\r\nSummary information:\r\nGaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, targeting mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.\r\nOne interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.\r\nIT people are known for having more access and permissions inside their organizations than other employees, mainly because they need to manage and operate the infrastructure. This is why getting access to their devices could be worth a lot more than for a normal user.\r\nIR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network.\r\nThe main infection modules used by this group are pretty common RATs: XtremeRAT and PoisonIvy.\r\nSome more interesting facts about Gaza cybergang:\r\nAttackers take an interest in government entities, especially embassies, where security measures and IT operations might not be well established and reliable\r\nUse of special file names, content and domain names (e.g. gov.uae.kim) has helped the group perform better social engineering to infect targets\r\nIncreasing interest in targeting IT and IR people, which is clear from most of the recent malware file names used\r\nOther operation names:\r\nDownExecute\r\nMoleRATs\r\nKaspersky Lab products and services successfully detect and block attacks by the Gaza cybergang.\r\nPolitical file names targeting Arabic countries\r\nFile name: بوادر خلاف جديد بين الامارات والسعودية.exe\r\nTranslation: Indications of disagreement between Saudi Arabia and UAE.exe\r\nhttps://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/\r\nPage 1 of 8\n\nFile name: “Wikileaks documents on Sheikh ******* *** *****.exe”\r\nFile name: صور فاضحـــــة جدا لبعض العسكريين والقضاة والمستشارين المصريين.exe\r\nTranslation: Scandalous pictures of Egyptian militants, judges and consultants\r\nFile name: Abaas-Majed.zip -\u003e الرئيس الفلسطيني محمود عباس يشتم ماجد فرج.exe\r\nTranslation: President Mahmoud Abbas cursing Majed Faraj.exe\r\nFile name: “مكالمة مسربة بين القائد العام للقوات المسلحة المصرية صدقي صبحي.exe”\r\nTranslation: Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe\r\nFile name: tasreb.rar\r\nIT and IR Malware File Names\r\nVCSExpress.exe Hex.exe\r\nMicrosoft Log.exe IMP.exe\r\nWin.exe Corss.exe\r\nWinRAR.exe AVR.exe\r\nccleaner.exe codeblocks.exe\r\nHelpPane.exe Hex_Workshop_Hex_Editor-o.exe\r\nHelp.exe Decoded.exe\r\nvmplayer.exe Decrypted.exe\r\nprocexp.exe crashreporter.exe\r\nRE.exe WindowsUpdate.exe\r\nPE.exe AVP.exe\r\nPE-Explorr.exe Kaspersky.exe\r\nhworks32.exe Kaspersky Password Manager.exe\r\nOther malware file names\r\nabc.exe\r\nNews.exe\r\nSky.exe\r\nSkyC.exe\r\nSkype.exe\r\nSkypo.exe\r\nوصية وصور الوالد أتمنى الدعاء له بالرحمة والمغفرة.exe\r\nSecret_Report.exe\r\nMilitary Police less military sexual offenses, drug offenses more.exe\r\nPhishing\r\nhttp://google.com.*****/new/index.php?Email=FL1-08-2015@gmail.com\r\nhttp://google.com.*****/new/g.htm?Email=sharq-2014-12-31@gmail.com\r\nhttp://google.com.*****/new/index.php?Email=2014-12-04@gmail.com\r\nhttp://googlecom*****/new/index.php?Email=yemen-22-01-2015@hotmail.com\r\nIP addresses and domain names used in the attacks\r\nDomains\r\nuae.kim natco1.no-ip.net\r\ngov.uae.kim natco3.no-ip.net\r\nup.uae.kim natco5.no-ip.net\r\nuptime.uae.kim nazer.zapto.org\r\ngoogle.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim noredirecto.redirectme.net\r\najaxo.zapto.org nrehcnthrtfmyi.strangled.net\r\nbackjadwer.bounceme.net ns2.negociosdesucesso.info\r\nbackop.mooo.com offeline.webhop.net\r\nbandao.publicvm.com orango.redirectme.net\r\nbypasstesting.servehalflife.com redirectlnk.redirectme.net\r\ncbbnews.tk removalmalware.servecounterstrike.com\r\ncccam.serveblog.net mailchat.zapto.org\r\nchromeupdt.tk mp4.servemp3.com\r\ncnaci8gyolttkgmguzog.ignorelist.com rgoyfuadvkebxhjm.ddns.net\r\ncyber18.no-ip.net rotter2.publicvm.com\r\ndeapka.sytes.net rotter2.sytes.net\r\ndepka.sytes.net safar.selfip.com\r\ndnsfor.dnsfor.me safara.sytes.net\r\ndownload.likescandy.com safari.linkpc.net\r\ndownloadlog.linkpc.net spreng.vizvaz.com\r\ndownloadmyhost.zapto.org store-legal.biz\r\ndownloadskype.cf su.noip.us\r\nduntat.zapto.org tango.zapto.org\r\nfastbingcom.sytes.net test.cable-modem.org\r\nfatihah.zapto.org test.ns01.info\r\ngaonsmom.redirectme.net testcom.strangled.net\r\ngoodday.zapto.org thenewupdate.chickenkiller.com\r\ngooglecombq6xx.ddns.net thenewupdatee.redirectme.net\r\ngq4bp1baxfiblzqk.mrbasic.com tvnew.otzo.com\r\nhaartezenglish.redirectme.net update.ciscofreak.com\r\nhaartezenglish.strangled.net updatee.hopto.org\r\nhelp2014.linkpc.net updatee.serveblog.net\r\nhttpo.sytes.net updato.ns01.info\r\ninternetdownloadr.publicvm.com use.mooo.com\r\njustded.justdied.com wallanews.publicvm.com\r\nkaliob.selfip.org wallanews.sytes.net\r\nkaswer12.strangled.net Wcf6f0nqvjtUP4uN.mooo.com\r\nkolabdown.sytes.net webfile.myq-see.com\r\nksm5sksm5sksm5s.zzux.com webfile.myq-see.com\r\nlastmoon.mooo.com ynet.ignorelist.com\r\nlilian.redirectme.net ynet.sytes.net\r\nlive.isasecret.com\r\nIP addresses\r\n192.52.166.115 131.72.136.28\r\n109.200.23.207 131.72.136.124\r\n66.155.23.36 172.227.95.162\r\n162.220.246.117 162.220.246.117\r\n192.253.246.169 192.99.111.228\r\n192.52.167.125 185.33.168.150\r\n198.105.117.37 185.45.193.4\r\n198.105.122.96 131.72.136.11\r\n131.72.136.171 84.200.17.147\r\nMalware Hashes\r\n302565aec2cd47bb6b62fa398144e0ad f94385be79ed56ef77c961aa6d9eafbf\r\nf6e8e1b239b66632fd77ac5edef7598d a347d25ed2ee07cbfe4baaabc6ff768b\r\n8921bf7c4ff825cb89099ddaa22c8cfd 674dec356cd9d8f24ef0f2ec73aaec88\r\n3bb319214d83dfb8dc1f3c944fb06e3b e20b5b300424fb1ea3c07a31f1279bde\r\n826ab586b412d174b6abb78faa1f3737 42fca7968f6de3904225445312e4e985\r\n5e255a512dd38ffc86a2a4f95c62c13f 3dcb43a83a53a965b40de316c1593bca\r\n058368ede8f3b487768e1beb0070a4b8 e540076f48d7069bacb6d607f2d389d9\r\n62b1e795a10bcd4412483a176df6bc77 699067ce203ab9893943905e5b76f106\r\n39758da17265a07f2370cd04057ea749 11a00d29d583b66bedd8dfe728144850\r\nf54c8a235c5cce30884f07b4a8351ebf d5b63862b8328fb45c3dabdcdf070d0d\r\n9ea2f8acddcd5ac32cfb45d5708b1e1e bc42a09888de8b311f2e9ab0fc966c8c\r\n948d32f3f12b8c7e47a6102ab968f705 c48cba5e50a58dcec3c57c5f7cc3332d\r\n868781bcb4a4dcb1ed493cd353c9e9ab 658f47b30d545498e3895c5aa333ecb1\r\n3c73f34e9119de7789f2c2b9d0ed0440 2b473f1f7c2b2b97f928c1fc497c0650\r\n9dccb01facfbbb69429ef0faf4bc1bda 46cf06848e4d97fb3caa47c17cdd7a9e\r\n4e8cbe3f2cf11d35827194fd016dbd7b 6eb17961e6b06f2472e4518589f66ab9\r\nb4c8ff21441e99f8199b3a8d7e0a61b9 b0f49c2c29d3966125dd322a504799c6\r\n4d0cbb45b47eb95a9d00aba9b0f7daad ca78b173218ad8be863c7e00fec61f2f\r\n18259503e5dfdf9f5c3fc98cdfac6b78 23108c347282ff101a2104bcf54204a8\r\n0b074367862e1b0ae461900c8f8b81b6 76f9443edc9b71b2f2494cff6d4a26a8\r\n89f2213a9a839af098e664aaa671111b\r\nPhishing Hashes\r\n1d18df7ac9184fea0afe26981e57c6a7\r\n57ab5f60198d311226cdc246598729ea\r\nAdditional references\r\nhttp://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf\r\nhttps://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html\r\nhttps://github.com/kbandla/APTnotes/blob/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf\r\nhttp://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html\r\nSource: https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/"
	],
	"report_names": [
		"72283"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d384aa7f642429a1dc4a773685aa291cb486104a.pdf",
		"text": "https://archive.orkl.eu/d384aa7f642429a1dc4a773685aa291cb486104a.txt",
		"img": "https://archive.orkl.eu/d384aa7f642429a1dc4a773685aa291cb486104a.jpg"
	}
}