{
	"id": "c0499048-1609-420a-8715-dd7e541cd852",
	"created_at": "2026-04-06T00:22:17.492871Z",
	"updated_at": "2026-04-10T03:38:03.392498Z",
	"deleted_at": null,
	"sha1_hash": "e75e2d78cfc4870431912c982e67218f35fa1429",
	"title": "New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1666196,
	"plain_text": "New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 18:35:48 UTC\r\nResearch by: Cybereason Nocturnus Team\r\nBackground\r\nSince December 2019, the Cybereason Nocturnus team has been investigating a campaign targeting Palestinian individuals and entities in the Middle East, mostly within the Palestinian territories. This campaign uses social engineering and decoy documents related to geopolitical affairs and relations between the Palestinian government, and references Egypt, Hezbollah, and Iran.\r\nPart one of this research investigates the Spark campaign, where attackers use social engineering to infect victims, mainly from the Palestinian territories, with the Spark backdoor. For more information about part one, click here.\r\nDuring the attacks, victims are infected with a previously undocumented backdoor, dubbed Pierogi by Cybereason. This backdoor allows attackers to spy on targeted victims. Cybereason suspects that the backdoor may have been obtained in underground communities rather than home-grown, as the evidence found in the code of the backdoor suggests it may have been developed by Ukrainian-speaking hackers.\r\nThe tactics, techniques, and procedures (TTPs), content, and theme of the decoy documents, as well as the victimology observed in the campaign, resemble previous attacks that have targeted Palestinians. 
In particular, these campaigns appear to be related to attacks carried out by a group called MoleRATs (aka Gaza Cyber Gang, Moonlight), an Arabic-speaking, politically motivated group that has been operating in the Middle East since 2012.\r\nKey Points\r\nCyber Espionage with a New Malware: The Cybereason Nocturnus team has discovered recent, targeted attacks in the Middle East that deliver the Pierogi backdoor for politically-driven cyber espionage.\r\nTargeting Palestinians: The campaign seems to target Palestinian individuals and entities, likely related to the Palestinian government.\r\nUsing Geopolitically-charged Lure Content: The attackers use specially crafted lure content to trick their targets into opening malicious files that infect the victim’s machine with the Pierogi backdoor. The decoy content of the malicious files revolves around various political affairs in the Middle East, specifically the tension between Hamas and other entities in the region.\r\nPerpetrated by an Arabic-speaking APT, MoleRATs: The modus operandi of the attackers as well as the social engineering decoy content seem aligned with previous attacks carried out by an Arabic-speaking APT group called MoleRATs (aka Gaza Cybergang). 
This group has been operating in the Middle East since 2012.\r\nFor a synopsis of this research, check out the Molerats \u0026 Pierogis Threat Alert.\r\nTable of Contents\r\nInfection Vector via Social Engineering\r\nDecoy Content\r\nInfection Vector: Analysis of the Malicious Word Document\r\nAnalysis of the Pierogi Backdoor\r\nPersistence Mechanism\r\nC2 Communication by the Pierogi Backdoor\r\nRecent Infrastructure\r\nConclusion\r\nMITRE ATT\u0026CK Breakdown\r\nIndicators of Compromise\r\nhttps://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor\r\nPage 1 of 13\n\nInfection Vector via Social Engineering\r\nSimilar to previous attacks, this campaign starts with social engineering. In one instance, it lures victims to open an email\r\nattachment. In others, it persuades victims to download a report about a recent political affair pertaining to the Middle East\r\nand specifically to Palestinian matters. In most cases, the downloaded file is either an executable that masquerades as a\r\nMicrosoft Word document or a weaponized Microsoft Word document. 
\r\nMalicious file named “Reports on major developments__347678363764”, uploaded to VirusTotal from the Palestinian territories.\r\nBackdoor Dropper File Name SHA-256\r\nتقرير حول أهم المستجدات_347678363764.exe (Translation: Report on major developments_347678363764.exe) 4e77963ba7f70d6777a77c158fab61024f384877d78282d31ba7bbac\r\nEntelaqa_hamas_32_1412_847403867_rar.exe (Translation: Hamas_32nd_Anniversary__32_1412_847403867_rar.exe) 094e318d14493a9f56d56b44b30fd396af8b296119ff5b82aca01db9a\r\nfinal_meeting_9659836_299283789235_rar.exe 050a45680d5f344034be13d4fc3a7e389ceb096bd01c36c680d8e7a7\r\nEmployee-entitlements-2020.doc b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e\r\nCongratulations_Jan-7_78348966_pdf.exe 4be7b1c2d862348ee00bcd36d7a6543f1ebb7d81f9c48f5dd05e19d6\r\nDecoy Content\r\nAs soon as the victim double-clicks on the dropper, they are presented with the decoy document. The document lowers the victim’s suspicions by distracting them with a real document while the dropper installs the backdoor. However, some of the documents also play an additional role in the attack. While some are more neutral, quoting from newspapers and the media, others seem to report fake news to spread misinformation that serves a political agenda. With regards to decoy content themes, this campaign resembles previous campaigns reported in blogs by Vectra, Unit 42, and Talos. The contents of the decoy documents seem to include:\r\nPotentially fake documents that appear to be issued by the Palestinian government.\r\nMeeting minutes of different Palestinian organizations.\r\nNews about Hamas and the Palestinian National Authority.\r\nPotentially fake, leaked Hamas documents.  
\r\nCriticism of and embarrassing content about Hamas.\r\nDecoy Document Name - Document Description - SHA-256\r\nAPA adopted resolution Unlimited support for Palestinian people.docx - Describes a resolution by the Asian Parliamentary Assembly (APA) held in Antalya, announcing unlimited support for the Palestinian people. SHA-256: 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c\r\njalsa.rar - Contains the above mentioned document, as well as photos of the assemblies and political cartoons criticizing Hamas. SHA-256: 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b\r\nInternet in government.pdf / Define the Internet in government institutions.pdf - Announcement about a new regulation regarding internet usage in Palestinian government institutions. The announcement states that porn, gambling and entertainment sites will be blocked. SHA-256: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8\r\nCongratulations_Jan-7.pdf - Letter allegedly from the Barcelona branch of the Federation of Independent Palestinian Communities and Organizations and Events in the Diaspora. SHA-256: 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc\r\nThe letter commemorates the 73rd anniversary of the Syrian Army, and expresses the Palestinian support of Bashar Al-Asad. 
The letter ends with “Death to Israel” and “Humiliation and shame to the tyrant America”.\r\nDaily_Report.docx - Daily summary of news concerning different Palestinian government related issues. SHA-256: d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428\r\nDirectory of Government Services.pdf - A screenshot from a website of the Palestinian government, showing a directory of the different ministries. SHA-256: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8\r\nMeeting Agenda.pdf - Corrupted file. SHA-256: f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427\r\nimgonline-com-ua-dexifEEdWuIbNSv7G.jpg - Potentially leaked Hamas document detailing Hamas 32nd anniversary expenses in different regions in the Palestinian Territories. SHA-256: 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb\r\nAsala.mp3 - An .mp3 file of a song by the famous Syrian singer Asala Nasri (song name: Fen Habibi, translation: “where is my loved one?”). SHA-256: 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964\r\nSelect screenshots from the above decoy content:\r\nExcerpt of the decoy documents presented to the victims.\r\nPotentially leaked Hamas document detailing expenses for Hamas 32nd anniversary celebrations.\r\nIn addition to the documents, the content includes a number of political cartoons that criticize Hamas’ relations with Iran and Hamas’ standing as a resistance movement.\r\n“#Iran Movement” - depicting the co-founder of Hamas, Mahmoud Al-Zahar and Ali Khamenei, the Supreme leader of Iran.   
\r\nSHA-256: 06e92ca2d9c6c17c45ed5b347df1d27cb96747ba3a4585f7c94f0861fc643e94\r\n“Hamas 32 years after its establishment”\r\nTop: “The Speeches (calling for) ‘Resistance’”\r\n“The reality”\r\nSHA-256: 6ccdfa8fcf5e2fc5baeea765e59a10e9f9a5d3d1b2a2f189ff1beee\r\nInfection Vector: Analysis of the Malicious Word Document\r\nWhile the majority of infections in this campaign did not originate from malicious Microsoft Word documents, the Cybereason Nocturnus team found several weaponized Microsoft Word documents with an embedded downloader macro that downloads and installs the backdoor used in this attack.\r\nMalicious Microsoft Word Document uploaded from the Palestinian territories.\r\nDocument Name - Phishing Content - SHA-256\r\nالسرية الذاتية منال.1doc (Translation: CV Manal 1) - Resume of a woman from Abu-Dis, Palestinian Authority. SHA-256: 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f\r\nEmployee-entitlements-2020.doc - A statement of the Ministry of Finance on civil and military employee benefits and salaries, discussing the controversial issue of Palestinian Authority employees that have not been paid, or not paid in full, their salaries. SHA-256: b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80\r\nWhen the victims open the document, they are encouraged to click on Enable Content, which causes the embedded malicious macro code to run.\r\nContents of the weaponized Microsoft Word document.\r\nThe macro code embedded in the document is rather 
simple and is not obfuscated. In fact, it is almost unusual in its unsophistication.\r\nThe macro code does the following:\r\n1. Downloads a Base64 encoded payload from the following URL:\r\nhxxp://linda-callaghan[.]icu/Minkowski/brown.\r\n2. Writes the decoded payload to C:\\ProgramData\\IntegratedOffice.txt.\r\n3. Decodes the Base64 payload and writes the file to C:\\ProgramData\\IntegratedOffice.exe.\r\n4. Runs the executable file and deletes the .txt file.\r\nMalicious macro code found in the phishing document.\r\nAnalysis of the Pierogi Backdoor\r\nPierogi, the backdoor in this attack, appears to be a new backdoor written in Delphi. It enables the attackers to spy on victims using rather basic backdoor capabilities. While it is unknown at this point whether the backdoor was coded by the same members of the group behind the attacks, there are indications that suggest that the malware was authored by Ukrainian-speaking malware developers. The commands used to communicate with the C2 servers and other strings in the binary are written in Ukrainian.\r\nThis is why we chose to name the malware Pierogi, after the popular East European dish. 
\r\nStrings embedded in the backdoor binary that show Ukrainian words.\r\nThe backdoor has the following capabilities:\r\nCollects information about the infected machine.\r\nUploads files to the attackers’ server.\r\nDownloads additional payloads.\r\nTakes screenshots from the infected machine.\r\nExecutes arbitrary commands via the CMD shell.\r\nIn addition to spy features, the backdoor also implements a few checks to ensure it is running in a safe environment. Specifically, it looks for antivirus and other security products.\r\n1. The backdoor queries Windows for installed antivirus software using WMI: SELECT * FROM AntiVirusProduct\r\n2. It looks for specific antivirus and security products installed on the infected machine, such as Kaspersky, eScan, F-Secure and Bitdefender.\r\nStrings of security products found in the backdoor code.\r\nPersistence Mechanism\r\nThe backdoor achieves persistence using a classic startup item autorun technique:\r\n1. A shortcut is added to the startup folder: C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.\r\n2. Once the user logs on to the infected machine, the shortcut launches the backdoor binary from its location in the C:\\ProgramData\\ folder.\r\nThe backdoor persistence shown via the Sysinternals Autoruns tool.\r\nThe GUID generated by the malware is saved in a file called GUID.bin. 
This file is created in the same folder as the binary of the backdoor (C:\\ProgramData\\GUID.bin).\r\nContents of the GUID.bin file generated by the backdoor.\r\nC2 Communication by the Pierogi Backdoor\r\nThe backdoor has rather basic C2 functionality implemented through a predefined set of URLs:\r\n1. Sending machine information and a heartbeat to the C2:\r\nURL: hxxp://nicoledotson[.]icu/debby/weatherford/Yortysnr\r\nThe information sent to the C2 includes:\r\ncname: computer name, username, and GUID\r\nav: name of the detected antivirus\r\nosversion: version of the operating system\r\naname: the location of the malware on the infected machine\r\nSending basic information about the infected machine.\r\n2. Requesting commands from the C2 server:\r\nURL: hxxp://nicoledotson[.]icu/debby/weatherford/Ekspertyza\r\nEkspertyza means expertise or examination in Ukrainian. There are 3 basic commands coming from the server in the form of MD5 hashes:\r\nMD5 hash Plain text command\r\nDfff0a7fa1a55c8c1a4966c19f6da452 cmd\r\n51a7a76a7dd5d9e4651fe3d4c74d16d6 downloadfile\r\n62c92ba585f74ecdbef4c4498a438984 screenshot\r\nReceiving a command from the server to upload a screenshot of the infected machine’s screen.\r\n3. Uploading data (mainly screenshots) to the C2:\r\nURL: hxxp://nicoledotson[.]icu/debby/weatherford/Zavantazhyty\r\nZavantazhyty means to load or download in Ukrainian. This command is used to upload collected data to the C2 server. 
For example, in some instances the backdoor uploads screenshots taken from an infected machine, as can be seen in the example below.\r\nThe backdoor uploads a screenshot of the infected machine to the C2 server.\r\n4. Removing information:\r\nURL: hxxp://nicoledotso[.]icu/debby/weatherford/Vydalyty\r\nVydalyty means to remove or delete in Ukrainian. The malware can delete various requests based on the command below.\r\nExcerpt from the code that handles deletion requests from the C2 server.\r\nRecent Infrastructure\r\nThe records of the domains and IPs involved in this campaign seem to show that the attackers created new infrastructure specifically for this campaign. The domains were registered in November 2019 and operationalized shortly after, as shown below.\r\nPassiveTotal UI: An activity timeline of the malicious domain Linda-callaghan[.]icu.\r\nAn activity timeline of the malicious domain Nicoledotson[.]icu.\r\nConclusion\r\nIn part two of this research, we examined the Pierogi campaign. Cybereason suspects this campaign targets Palestinian individuals and entities in the Middle East, specifically directed at those in the Palestinian government. The threat actors behind the campaign use social engineering to infect their victims with the Pierogi backdoor for cyber espionage purposes.\r\nThe threat actor behind the attack invested considerable time and effort to lure their victims with specially-crafted documents that target Palestinian individuals and entities in the Middle East. 
In our analysis, we reviewed the TTPs and the decoy content, and pointed out the similarities with previous attacks that have been attributed to MoleRATs, an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.\r\nThe Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims. Based on the Ukrainian language embedded in the backdoor, Cybereason raises the possibility that the backdoor was obtained in underground communities by the threat actors, rather than developed in-house by the group.\r\nIndicators of Compromise\r\nClick here to download the MoleRATs IOCs (PDF)\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Spearphishing Attachment, Spearphishing Link\r\nExecution: Command-Line Interface, Scheduled Task, Scripting, User Execution\r\nPersistence: Scheduled Task, Registry Run Keys / Startup Folder, Shortcut Modification\r\nPrivilege Escalation: Bypass User Account Control, Startup Items\r\nDefense Evasion: Bypass User Account Control, Deobfuscate/Decode Files or Information, Disabling Security Tools, File Deletion, Software Packing, Masquerading, Evade Analysis Environment\r\nDiscovery: System Information Discovery, User Discovery, Virtualization/Sandbox Discovery, Security Software Discovery\r\nCollection: Screen Capture, Automated Collection\r\nC\u0026C: Web Service, Data Encoding, Remote File Copy
\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor"
	],
	"report_names": [
		"new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal",
				"Gaza Cybergang",
				"Molerats",
				"Operation DustySky",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e75e2d78cfc4870431912c982e67218f35fa1429.pdf",
		"text": "https://archive.orkl.eu/e75e2d78cfc4870431912c982e67218f35fa1429.txt",
		"img": "https://archive.orkl.eu/e75e2d78cfc4870431912c982e67218f35fa1429.jpg"
	}
}