{
	"id": "02b8d83e-c9d1-446c-bc71-108d9fbf9b4d",
	"created_at": "2026-04-06T00:08:21.437701Z",
	"updated_at": "2026-04-10T03:38:03.330036Z",
	"deleted_at": null,
	"sha1_hash": "fe281c5d0e02090e5b8573319e5eb474dd4eb987",
	"title": "Spark (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42244,
	"plain_text": "Spark (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:15:57 UTC\r\nwin.spark (Back to overview)\r\nSpark\r\nActor(s): Molerats\r\nThere is no description at this point.\r\nReferences\r\n2022-01-20 ⋅ Zscaler ⋅ Sahil Antil, Sudeep Singh\r\nNew espionage attack by Molerats APT targeting users in the Middle East\r\nSpark\r\n2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus\r\nNew Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign\r\nDropBook MoleNet Quasar RAT SharpStage Spark\r\n2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team\r\nMOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign\r\nDropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark\r\n2020-03-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Bryan Lee, Robert Falcone\r\nMolerats Delivers Spark Backdoor to Government and Telecommunications Organizations\r\nDowneks JhoneRAT Molerat Loader Spark\r\n2020-02-13 ⋅ Cybereason ⋅ Cybereason Nocturnus\r\nNew Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign\r\nSpark\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.spark\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.spark\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.spark"
	],
	"report_names": [
		"win.spark"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal",
				"Gaza Cybergang",
				"Molerats",
				"Operation DustySky",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe281c5d0e02090e5b8573319e5eb474dd4eb987.pdf",
		"text": "https://archive.orkl.eu/fe281c5d0e02090e5b8573319e5eb474dd4eb987.txt",
		"img": "https://archive.orkl.eu/fe281c5d0e02090e5b8573319e5eb474dd4eb987.jpg"
	}
}