{
	"id": "f7945f75-7b07-4840-a26e-ea79e8005356",
	"created_at": "2026-04-06T00:11:48.962549Z",
	"updated_at": "2026-04-10T03:38:03.304845Z",
	"deleted_at": null,
	"sha1_hash": "fc75d1fee6ac386c68cac7c6656890c96c2078af",
	"title": "Operation Parliament, who is doing what?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1259139,
	"plain_text": "Operation Parliament, who is doing what?\r\nBy GReAT\r\nPublished: 2018-04-12 · Archived: 2026-04-05 13:31:00 UTC\r\nSummary\r\nKaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks\r\nappear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly\r\nespionage – they involve gaining access to top legislative, executive and judicial bodies around the world.\r\n1. The attackers have targeted a large number of organizations globally since early 2017, with the main\r\nfocus on the Middle East and North Africa (MENA), especially Palestine. High-profile organizations have\r\nalso been targeted in other regions. The number of attacks has decreased since the beginning of 2018.\r\n2. The attacks were initially discovered while investigating a phishing attack that targeted political figures\r\nin the MENA region. At first the attacks looked to be the work of the low-sophistication Gaza Cybergang\r\n(decoys, file names), but further analysis painted a very different picture.\r\n3. Targets include high-profile entities such as parliaments, senates, top state offices and officials, political\r\nscience scholars, military and intelligence agencies, ministries, media outlets, research centers, election\r\ncommissions, Olympic organizations, large trading companies, and other unknown entities.\r\n4. The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to\r\nexecute any scripts/commands and receive the result via HTTP requests.\r\n5. Kaspersky Lab users and Threat Management and Defense clients are protected from the attacks.\r\nCisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe\r\nmay be connected.\r\nVictimology and Statistics\r\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat\r\nactor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely\r\nhave access to additional tools when needed and appear to have access to an elaborate database of contacts in\r\nsensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim\r\nsystems range from personal desktop or laptop systems to large servers with domain controller roles or similar.\r\nThe nature of the targeted ministries varied, including those responsible for telecommunications, health, energy,\r\njustice, finance and so on.\r\nVictims have been spotted in the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar,\r\nLebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the USA, the UK, Germany, Israel,\r\nAfghanistan, Serbia, Russia, Oman, Kuwait, South Korea and Denmark.\r\nVictim organization type Number of victim organizations\r\nUnknown 91\r\nSenates/Parliaments 7\r\nPrime Ministerial Offices 3\r\nMilitary/Intelligence Agencies 5\r\nOther Gov./Ministerial/Diplomatic Offices 20\r\nFinancial/Banking Institutions 5\r\nMedia Outlets 2\r\nOlympic/Sports Bodies 2\r\nResearch Centers/Scholars 2\r\nElection Commissions 1\r\nDistribution/Logistics 1\r\nThe number of victims/victim organizations probably doesn’t represent the full scope of the attacks – only a\r\nportion.\r\nAttack description and attribution\r\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The\r\nattackers have taken great care to stay under the radar, imitating another attack group in the region. They have\r\nbeen particularly careful to verify victim devices before proceeding with the infection, safeguarding their\r\ncommand and control servers. The targeting seems to have slowed down since the beginning of 2018, probably\r\nwinding down when the desired data or access was obtained. The targeting of specific victims is unlike previously\r\nseen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\r\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated\r\ntask that requires solid evidence, especially in complex regions such as the Middle East.\r\nSee the following for more information and examples of false flags being used in cyberattacks:\r\nWave your false flags! …or the Nightmares and Nuances of a Self-Aware Attribution Space\r\nOlympicDestroyer is here to trick the industry\r\nMalware description\r\nThe malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with\r\npreviously known malware. All the strings and settings were encrypted and obfuscated. Functionality was\r\nidentified that enables HTTP communication with the C\u0026C server and invokes “processcreate” based on\r\nparameters received as a response.\r\nThe configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C\u0026C server is also\r\nencrypted using 3DES and Base64. Different keys are used for local and network encryption.\r\nThe malware starts communicating with the C\u0026C server by sending basic information about the infected machine.\r\nThe C\u0026C server then replies with the encrypted serialized configuration.\r\nThe malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute\r\nscripts/commands and receive the results via HTTP requests.\r\nSample of the C\u0026C response with encrypted commands and configurations\r\nExamples of attack decoys\r\nTranslation: Contacts list of media personnel\r\nTranslation: Relations between UAE and Jordan, and the impact caused by the non-boycott of Qatar\r\nTranslation: Military retirement statement 2017 June\r\nTranslation: The new Hamas structure for Gaza strip 2017\r\nTranslation: Clarification report (on Gaza employee salaries)\r\nWhat should high-profile organizations do?\r\nHigh-profile organizations should have elevated levels of cybersecurity. Attacks against them are inevitable and\r\nare unlikely to ever cease. These organizations need to pay particular attention to their security, implementing\r\nadditional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence\r\ncapabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and\r\ninsider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for\r\nprotecting organizations in the current threat landscape.\r\nThe victims of Operation Parliament need to re-evaluate their approach to cybersecurity.\r\nAdditional information\r\nFor more information about the attacks and the indicators of compromise, please contact:\r\nintelreports@kaspersky.com\r\nAlternatively, please visit: https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting\r\nTo find more information about cybersecurity awareness training for enterprise or government staff, go to\r\nKaspersky Security Awareness.\r\nSource: https://securelist.com/operation-parliament-who-is-doing-what/85237/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
	],
	"report_names": [
		"85237"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc75d1fee6ac386c68cac7c6656890c96c2078af.pdf",
		"text": "https://archive.orkl.eu/fc75d1fee6ac386c68cac7c6656890c96c2078af.txt",
		"img": "https://archive.orkl.eu/fc75d1fee6ac386c68cac7c6656890c96c2078af.jpg"
	}
}