{ "id": "9348f29a-29d2-452e-be69-e590481bd2bd", "created_at": "2026-04-06T00:08:49.997094Z", "updated_at": "2026-04-10T13:12:34.472872Z", "deleted_at": null, "sha1_hash": "ffd6e63827e156aa1cc6020365a7972a66eb1f19", "title": "Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4663235, "plain_text": "Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli\r\nOfficials\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:10:39 UTC\r\nOver the last several years, the Cybereason Nocturnus Team has been tracking different APT groups operating in the Middle\r\nEast region, including two main sub-groups of the Hamas cyberwarfare division: Molerats and APT-C-23. Both groups are\r\nArabic-speaking and politically-motivated that operate on behalf of Hamas, the Palestinian Islamic-fundamentalist\r\nmovement and a terrorist organization that has controlled the Gaza strip since 2006.\r\nWhile most of the previously reported APT-C-23 campaigns seemed to target Arabic-speaking individuals in the Middle\r\nEast, Cybereason recently discovered a new elaborate campaign targeting Israeli individuals, among them, a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations.\r\nThe campaign operators use sophisticated social engineering techniques, ultimately aimed to deliver previously\r\nundocumented backdoors for Windows and Android devices. The goal behind the attack was to extract sensitive information\r\nfrom the victims devices for espionage purposes. \r\nOur investigation reveals that APT-C-23 has effectively upgraded its malware arsenal with new tools, dubbed Barb(ie)\r\nDownloader and BarbWire Backdoor, which are equipped with enhanced stealth and a focus on operational security. The\r\nnew campaign that targets Israeli individuals seems to have a dedicated infrastructure that is almost completely separated\r\nfrom the known APT-C-23 infrastructure which is assessed to be more focused on Arabic-speaking targets. \r\nKey Findings\r\nNew Espionage Campaign Targeting Israelis: Cybereason discovered a new and elaborate campaign that targets\r\nIsraeli individuals and officials. The campaign is characterized as an espionage campaign aiming to steal sensitive\r\ninformation from PCs and mobile devices belonging to a chosen target group of Israeli individuals working for law\r\nenforcement, military and emergency services.\r\nAttribution to APT-C-23: Based on our investigation and previous knowledge of the group, Cybereason assesses\r\nwith moderate-high confidence that the group behind the new campaign is APT-C-23, an Arabic-speaking, politically\r\nmotivated group believed to be operating on behalf of Hamas. \r\nSocial Engineering as Primary Infection Vector: The attackers used fake Facebook profiles to trick specific\r\nindividuals into downloading trojanized direct message applications for Android and PC, which granted them access\r\nto the victims’ devices. \r\nUpgraded Malware Arsenal: The new campaign consists of two previously undocumented malware, dubbed\r\nBarb(ie) Downloader and BarbWire Backdoor, both of which use an enhanced stealth mechanism to remain\r\nundetected. In addition, Cybereason observed an upgraded version of an Android implant dubbed VolatileVenom. \r\nAPT-C-23 Stepping Up Their Game: Until recently, the group has been using known tools which served them for\r\nyears, and were known for their relatively unsophisticated tools and techniques. The analysis of this recent campaign\r\nshows that the group has revamped their toolset and playbook. \r\nLuring the Victims: A Wolf in a Beauty’s Clothing \r\nTo get to their targets, APT-C-23 has set up a network of fake Facebook profiles that are highly maintained and constantly\r\ninteracting with many Israeli citizens. The social engineering tactic used in this campaign relies mostly on classic catfishing,\r\nusing fake identities of attractive young women to engage with mostly male individuals to gain their trust.  \r\nThese fake accounts have operated for months, and seem relatively authentic to the unsuspecting user. The operators seem to\r\nhave invested considerable effort in “tending” these profiles, expanding their social network by joining popular Israeli\r\ngroups, writing posts in Hebrew, and adding friends of the potential victims as friends:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 1 of 16\n\nFake Facebook account operated by APT-C-23\r\nIn order to give the profiles an even more authentic appearance, the group uses the accounts to “like” various Facebook\r\ngroups and pages that are well known to Israelis, such as Israelis news pages, Israeli politicians’ accounts and corporate\r\npages:\r\nLiked profiles showed on the above mentioned Facebook page\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 2 of 16\n\nOver time, the operators of the fake profiles were able to become “friends” with a broad spectrum of Israeli citizens, among\r\nthem some high-profile targets that work for sensitive organizations including defense, law enforcement, emergency services\r\nand other government-related organizations: \r\nSome Facebook accounts that interacted with the fake account and their workplace\r\nAnother example of a fake profile used by APT-C-23 in this campaign, is the following: \r\nFake Facebook account operated by APT-C-23\r\nFrom Chat to Infection\r\nAfter gaining the victim’s trust, the operator of the fake account suggests migrating the conversation from Facebook over to\r\nWhatsApp. By doing so, the operator quickly obtains the target's mobile number. In many cases, the content of the chat\r\nrevolves around sexual themes, and the operators often suggest to the victims that they should use a “safer” and more\r\n“discrete” means of communication, suggesting a designated app for Android. \r\nIn addition, they also entice the victims to open a .rar file containing a video that supposedly contains explicit sexual\r\ncontent. However, when the users open the video they are infected with malware. \r\nThe following diagram captures the flow of the infection: \r\nThe VolatileVenom Malware: A supposedly “secure” and “confidential” Android messaging application.\r\nThe Barb(ie) Downloader: A link to a site “hxxps://media-storage[.]site/09vy09JC053w15ik21Sw04” downloads a\r\n.rar file that contains a private video and the BarbWire Backdoor payload:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 3 of 16\n\nGraph that describes the initial infection chain of the campaign\r\nStage One: Barb(ie) Downloader\r\nBarb(ie) is a downloader component used by APT-C-23 to install the BarbWire backdoor. As mentioned above, in the\r\ninfection phase the downloader is delivered alongside a video in a .rar file. The video is meant to distract the victim from the\r\ninfection process that is happening in the background. \r\nThe downloader sample analyzed in this section is named “Windows Notifications.exe”. When first executed, Barb(ie)\r\ndecrypts strings using a custom base64 algorithm that is also used in the BarbWire backdoor. Those decrypted strings are\r\ndifferent Virtual Machine vendor names, WMI queries, command and control (C2), file and folders names which are used in\r\ndifferent phases of the execution.\r\nOne way the malware uses those strings is in performing multiple checks, such as anti-vm and anti-analysis checks, in order\r\nto determine that “the coast is clear.” If the check fails, a custom pop-up message is displayed to the user and the malware\r\nterminates itself:\r\nCustom pop-up displayed to user\r\nbefore terminating process: “Unable to start program 'http:/localhost:60721/”\r\nIf the malware finds the target machine to be clean and it doesn’t detect any sandboxing or other analysis being performed\r\non the targeted device, the malware will continue its execution and collect information about the machine, including\r\nusername, computer name, date and time, running processes and OS version.\r\nLater, the malware will attempt to create a connection to the embedded C2 server: fausto-barb[.]website. When creating the\r\nconnection, the malware sends information about the victim machine that is composed of the data collected. In addition, it\r\nsends other information to the C2, like the OS version, downloader name and compilation month (“windowsNotification” +\r\n“092021”) as well as information on any installed Antivirus software running:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 4 of 16\n\nC2 server for Barb(ie) downloader\r\nData sent back to the C2 over http\r\nBarb(ie) will attempt to download the payload by using the following URI: “/api/sofy/pony”:\r\nURI structure for Barb(ie) downloader\r\nIn addition, the downloader creates a file named “adbloker.dat” that stores the encrypted C2, copies itself to programdata\r\nand sets persistence via two scheduled tasks: “01” and “02”.\r\nInterestingly, another Barb(ie) sample that was analyzed with a different name (“Windows Security.exe”) copies itself to\r\nappdata as well, but renames the executable to “Windows Notifications.exe” and sets the same persistence:\r\nTwo scheduled tasks created by Barb(ie) downloader for persistence\r\nExecution of the Barb(ie) downloader as shown in the Cybereason XDR Platform\r\nLooking at the metadata of Windows Notifications.exe, it appears that the author of the malware chooses a unique company\r\nname and product name that do not exist as part of Windows: “Windows Security Groups” as the company name, and\r\n“Windows Essential” as product name:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 5 of 16\n\nMetadata of the Barb(ie) downloader as shown in the Cybereason XDR Platform\r\nOnce a successful connection has been established with the C2, Barb(ie) will download the payload, the BarbWire backdoor.\r\nBarbWire Backdoor\r\nBackground and Capabilities\r\nThe backdoor component of APT-C-23’s operation is a very capable piece of malware, and it is obvious that a lot of effort\r\nwas put into hiding its capabilities using a custom base64 algorithm. Its main goal is to fully compromise the victim\r\nmachine, gaining access to their most sensitive data. The backdoor’s main capabilities include:\r\nPersistence\r\nOS Reconnaissance \r\nData encryption\r\nKeylogging\r\nScreen capturing\r\nAudio recording\r\nDownload additional malware\r\nLocal/external drives and directory enumeration\r\nSteal specific file types and exfiltrate data\r\nVariants\r\nAccording to the timeline of this operation, there are at least three different variants of the BarbWire backdoor. In addition to\r\nthe compilation timestamp, there is the “sekop” flag that is used as an identifier for a currently running campaign. It is worth\r\nmentioning that the variant that was allegedly compiled in December 2021, still carries the Sep 2021 identifier, perhaps\r\nmeaning that the Sep 2021 campaign was still ongoing for at least two months:\r\nMD5 Hash Variant\r\nCompilation\r\ntimestamp\r\n“sekop” Similarity\r\nff1c877db4d0b6a37f4ba5d7b4bd4b3b980eddef\r\nEarly\r\nvariant\r\n2021-07-04\r\n07:39:15 UTC\r\n-\r\n62% with\r\ncampaign\r\nvariant\r\nad9d280a97ee3a52314c84a6ec82ef25a005467d\r\nAnalyzed\r\nCampaign\r\n2021-07-07\r\n11:02:11 UTC\r\n\"\u0026sekop=072021_\"\r\n90% with\r\nnew variant\r\n4dcdb7095da34b3cef73ad721d27002c5f65f47b\r\nNew\r\nvariant\r\n2021-12-28\r\n11:17:12 UTC\r\n“\u0026sekop=092021_”\r\n59% with\r\nearly\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 6 of 16\n\nInitial Execution and Victim Host Profiling\r\nThe BarbWire persistence techniques include the creation of a scheduled task and also the implementation of a known\r\nProcess protection technique:\r\nProcess protection implementation\r\nThe malware handles two execution scenarios; If it is being executed from a location that is other than %programdata%, the\r\nmalware copies itself to %programdata%\\WMIhosts and creates a scheduled task:\r\nThe operative path of the BarbWire Backdoor\r\nThe scheduled task created by the malware\r\nAccording to a second execution scenario, where the file already operates from %appdata%, the malware starts collecting\r\nuser information and gathering OS information including:\r\nPC name\r\nUsername\r\nProcess architecture\r\nWindows version\r\nInstalled AV products using WMI\r\nWMI query to check installed AV products\r\nIn order to hide the malware’s most sensitive strings, which can disclose its capabilities and communication patterns, it uses\r\na custom-built base64 algorithm.\r\nAfter successful C2 decryption, the BarbWire backdoor initiates a connectivity check using Google’s domain, and then\r\nconnects with the C2:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 7 of 16\n\nConnectivity check code snippet\r\nIt is worth noting that the URIs are in the same format as in the Barb(ie) downloader analyzed above, and other related files\r\npivoted in this research:\r\nOne of the generated URLs with the same pattern as the downloader\r\nOnce the initial information is gathered on the victim’s OS and the connectivity check is completed, the BarbWire Backdoor\r\nfinally initiates the connection with the C2 through a POST request:\r\nInitial POST packet with information on the victim’s machine\r\nThe data that is sent in the POST request includes:\r\nParameter Data\r\nname A double layer encoded victim’s OS information\r\nsov Installed AV name\r\nsekop Campaign identifier and malware filename\r\npos The victim’s OS and architecture\r\nData Collection and Exfiltration\r\nThe BarbWire backdoor can steal a wide range of file types, depending on the instructions it receives from its operators. It\r\nspecifically looks for certain file extensions such as PDF files, Office documents, archives, videos, and images.\r\nIn addition to the local drives found on the host, it also looks for external media such as a CD-Rom drive. Searching for such\r\nan old media format, together with the file extensions of interests, could suggest a focus on targets that tend to use more\r\n“physical” formats to transfer and secure data, such as military, law enforcement, and healthcare:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 8 of 16\n\nSearching for a CD-Rom drive presence\r\nBarbWire stores the data it collects from the host on special folders it creates under %programdata%\\Settings where it stores\r\nthe collected data from the machine. Each stolen “type” (i.e. keylogged data,screen capture data etc.) has its own resource\r\n“code name” in the C2, appended to the previously generated user id: \r\nBelow is a table summarizing each folder and its main role:\r\nFolder Name Role\r\nactivationData, backup,\r\nrecoveryFile\r\nStaging data in a RAR archive and exfiltration, download additional payloads, volumes\r\nand documents of interest enumeration\r\nlogFile Audio recording\r\nscanLog Keylogger log file\r\nupdateStatus Screenshots files\r\nFolders created by the BarbWire Backdoor\r\nOnce the data is being staged and exfiltrated, the data is archived in a .rar file and sent to the C2 to a designated URI:\r\nExfiltration of archive data\r\nAs detailed in the beginning of the analysis, the backdoor also has keylogging and screen capturing data-stealing\r\ncapabilities. Both are being stored in an interesting way, applying unrelated extensions to the files containing the stolen data.\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 9 of 16\n\nThis is perhaps another stealth mechanism, or just a way for the attacker to distinguish between the different stolen data\r\ntypes:\r\nStolen keylogging data\r\nA screenshot taken by the malware and saved with an .iso extension\r\nVolatileVenom Android Implant Analysis\r\nVolatileVenom is one of APT-C-23’s arsenal of Android malware. The attackers lure the victims into installing the\r\nVolatileVenom under the pretext that the suggested app is more “secure” and “discrete.” Based on our investigation, it seems\r\nthat VolatileVenom has been operationalized and integrated into the group's arsenal since at least April of 2020, and\r\ndisguises itself using icons and names of chat applications:\r\nAdditional\r\nIcons of VolatileVenom disguised as messaging apps\r\nAn example of a fake messaging app used in this campaign, is an Android app named “Wink Chat”:\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 10 of 16\n\nStart-up screen of the app\r\nAfter the user attempts to sign up for the application, an error message pops up and indicates the app will be uninstalled:\r\nError message after sign-up\r\nHowever, in reality the application keeps running in the background, and if the Android version of the device is lower than\r\n10, the application icon is hidden. If the Android version is higher than Android 10, the application icon is then replaced\r\nwith the icon of Google Play installer. The attackers have the option to change the application icon to Google Chrome or\r\nGoogle Maps as well.\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 11 of 16\n\nCapabilities \r\nVolatileVenom has a rich set of espionage capabilities, which enable attackers to extract a lot of data from their victims.\r\nThe main espionage capabilities are the following: \r\nSteal SMS messages \r\nRead contact list information\r\nUse the device camera to take photos\r\nSteal files with the following extensions: pdf, doc, docs, ppt, pptx, xls, xlsx, txt, text\r\nSteal images with the following extensions: jpg, jpeg, png\r\nRecord audio\r\nUse Phishing to steal credentials to popular apps such as Facebook and Twitter\r\nDiscard system notifications\r\nGet installed applications\r\nRestart Wi-Fi\r\nRecord calls / WhatsApp calls\r\nExtract call logs\r\nDownload files to the infected device \r\nTake screenshots\r\nRead notifications of the following apps: WhatsApp, Facebook, Telegram, Instagram, Skype, IMO, Viber\r\nDiscards any notifications raised by the system\r\nSwitch Case of Espionage Commands from\r\nthe C2\r\nC2 Communication \r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 12 of 16\n\nVolatileVenom uses HTTPS and Firebase Cloud Messaging (FCM) for C2 communication. The application appears to have\r\ntwo methods to retrieve the C2 domain:\r\nFirst the malware decrypts a hard coded encrypted domain which is encrypted and encoded with AES and Base64. The\r\nencrypted domain is retrieved from a .so (shared object) file. The app loads the .so file (named “liboxygen.so” in the\r\nanalyzed sample) , and executes a function (named “do932()” in the analyzed sample) that returns the encrypted domain:\r\nThe malware loads the .so file\r\nThe encrypted hard-coded domain inside the .so file\r\nNext, the encrypted domain is decoded and decrypted. In the analyzed sample, the encrypted domain is\r\n“https://sites.google[.]com/view/linda-lester/lockhart”:\r\nCode snippet of the decryption routine\r\nTo retrieve the final C2 domain, the malware connects to the decrypted domain and reads the title of the website (ex:\r\nFRANCES THOMAS COM) and builds the final C2 domain from that: frances-thomas[.]com:\r\nThe malware builds the final\r\nC2 domain from the title of the decrypted domain \r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 13 of 16\n\nThe second method the malware retrieves the C2 domain is via SMS messages. In case the attackers wish to update the C2\r\ndomain, they may send an SMS message containing a new C2 domain to the infected device. The malware intercepts every\r\nSMS message, and if a message arrives from the attackers, the malware will extract the new C2 domain to be used:\r\nRegex to extract domains from SMS messages\r\nConclusion\r\nIn this report, the Cybereason Nocturnus Team investigated an active espionage campaign that victimizes Israeli citizens,\r\namong them high profile targets, for espionage purposes. The campaign featured a classic social engineering tactic known as\r\ncatfishing, where the group used sexual content in order to lure their victims, mostly Israeli men, into downloading\r\nmalware. \r\nCybereason assesses with moderate-high confidence that APT-C-23, a politically-motivated APT group that operates on\r\nbehalf of Hamas, is behind the campaign detailed in this report. While the APT-C-23 operations against Arab-speaking\r\ntargets (mostly Palestinians) are still taking place, this newly identified campaign specifically targets Israelis and shows\r\nunique characteristics that distinguish it from other campaigns. The attackers use a completely new infrastructure that is\r\ndistinct from the known infrastructure used to target Palestinians and other Arabic-speakers. In addition, all three malware in\r\nuse were also specifically designed to be used against Israeli targets, and were not observed being used against other targets. \r\nThe Cybereason investigation found that some victims were infected with both PC and Android malware dubbed Barb(ie)\r\nDownloader, BarbWire Backdoor, and VolatileVenom. This “tight grip” on their targets attests to how important and\r\nsensitive this campaign was for the threat actors. \r\nLastly, this campaign shows a considerable step-up in APT-C-23 capabilities, with upgraded stealth, more sophisticated\r\nmalware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very\r\nactive and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.\r\nCybereason contacted Facebook and reported the fake accounts.\r\nIndicators of Compromise\r\nLOOKING FOR THE IOCs? CLICK ON THE CHATBOT DISPLAYED IN LOWER-RIGHT OF YOUR SCREEN FOR\r\nACCESS OR CLICK HERE.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nExecution Reconnaissance Persistence Defense Evasion\r\nCredential\r\nAccess\r\nDiscovery Collection\r\nCommand\r\nand\r\nControl\r\nExfiltr\r\nCommand-line\r\ninterface\r\nGather Victim\r\nHost\r\nInformation\r\nScheduled\r\nTask/Job:\r\nScheduled\r\nTask\r\nMasquerading\r\nInput\r\nCapture:\r\nKeylogging\r\nSoftware\r\nDiscovery:\r\nSecurity\r\nSoftware\r\nDiscovery\r\nArchive\r\nCollected\r\nData:\r\nArchive via\r\nUtility\r\nWeb\r\nProtocols\r\nExfiltr\r\nOver C\r\nChann\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 14 of 16\n\nScheduled\r\nTask/Job:\r\nScheduled\r\nTask\r\n   \r\nDeobfuscate/Decode\r\nFiles or Information\r\n   \r\nAudio\r\nCapture\r\nData\r\nEncoding:\r\nStandard\r\nEncoding\r\nAutom\r\nExfiltr\r\nUser\r\nExecution\r\n   \r\nIndicator Removal\r\non Host: File\r\nDeletion\r\n   \r\nData from\r\nRemovable\r\nMedia\r\nData\r\nEncoding:\r\nNon-Standard\r\nEncoding\r\n \r\n           \r\nInput\r\nCapture:\r\nKeylogging\r\n   \r\n           \r\nScreen\r\nCapture\r\n   \r\nMITRE ATT\u0026CK BREAKDOWN: MOBILE\r\nInitial\r\nAccess\r\nExecution Persistence\r\nPrivilege\r\nEscalation\r\nDefense\r\nEvasion\r\nCredential\r\nAccess\r\nDiscovery Collection\r\nCommand\r\nand\r\nControl\r\nDeliver\r\nMalicious\r\nApp via\r\nOther\r\nMeans\r\nBroadcast\r\nReceivers\r\nBroadcast\r\nReceivers\r\nDevice\r\nAdministrator\r\nPermissions\r\nMasquerade\r\nas\r\nLegitimate\r\nApplication\r\nAccess\r\nNotifications\r\nApplication\r\nDiscovery\r\nAccess Call\r\nLog\r\nAlternate\r\nNetwork\r\nMediums\r\nMasquerade\r\nas\r\nLegitimate\r\nApplication\r\nScheduled\r\nTask/Job\r\nScheduled\r\nTask/Job\r\n \r\nSuppress\r\nApplication\r\nIcon\r\nInput\r\nPrompt\r\nFile and\r\nDirectory\r\nDiscovery\r\nAccess\r\nContact List\r\nStandard\r\nApplication\r\nLayer\r\nProtocol\r\n \r\nNative\r\nCode\r\n       \r\nSystem\r\nInformation\r\nDiscovery\r\nAccess\r\nNotifications\r\n \r\n             \r\nCapture\r\nAudio\r\n \r\n             \r\nCapture\r\nCamera\r\n \r\n             \r\nCapture\r\nSMS\r\n \r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 15 of 16\n\nMessages\r\n             \r\nData from\r\nLocal\r\nSystem\r\n \r\n             \r\nScreen\r\nCapture\r\n \r\nAbout the Author\r\nCybereason Nocturnus\r\n \r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nAll Posts by Cybereason Nocturnus\r\nSource: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nhttps://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials\r\nPage 16 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" ], "report_names": [ "operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" ], "threat_actors": [ { "id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f", "created_at": "2022-10-25T15:50:23.756782Z", "updated_at": "2026-04-10T02:00:05.324924Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ], "source_name": "MITRE:Molerats", "tools": [ "MoleNet", "DustySky", "DropBook", "SharpStage", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null }, { "id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c", "created_at": "2023-01-06T13:46:38.508262Z", "updated_at": "2026-04-10T02:00:03.006018Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "Gaza Cybergang", "Operation Molerats", "Extreme Jackal", "ALUMINUM SARATOGA", "G0021", "BLACKSTEM", "Gaza Hackers Team", "Gaza cybergang" ], "source_name": "MISPGALAXY:Molerats", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4", "created_at": "2022-10-25T16:07:23.875541Z", "updated_at": "2026-04-10T02:00:04.768142Z", "deleted_at": null, "main_name": "Molerats", "aliases": [ "ATK 89", "Aluminum Saratoga", "Extreme Jackal", "G0021", "Gaza Cybergang", "Gaza Hackers Team", "Molerats", "Operation DustySky", "Operation DustySky Part 2", "Operation Molerats", "Operation Moonlight", "Operation SneakyPastes", "Operation TopHat", "TA402", "TAG-CT5" ], "source_name": "ETDA:Molerats", "tools": [ "BadPatch", "Bladabindi", "BrittleBush", "Chymine", "CinaRAT", "Darkmoon", "Downeks", "DropBook", "DustySky", "ExtRat", "Gen:Trojan.Heur.PT", "H-Worm", "H-Worm RAT", "Houdini", "Houdini RAT", "Hworm", "Iniduoh", "IronWind", "Jenxcus", "JhoneRAT", "Jorik", "KasperAgent", "Kognito", "LastConn", "Micropsia", "MoleNet", "Molerat Loader", "NeD Worm", "NimbleMamba", "Njw0rm", "Pierogi", "Poison Ivy", "Quasar RAT", "QuasarRAT", "SPIVY", "Scote", "SharpSploit", "SharpStage", "WSHRAT", "WelcomeChat", "Xtreme RAT", "XtremeRAT", "Yggdrasil", "dinihou", "dunihi", "njRAT", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434129, "ts_updated_at": 1775826754, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ffd6e63827e156aa1cc6020365a7972a66eb1f19.pdf", "text": "https://archive.orkl.eu/ffd6e63827e156aa1cc6020365a7972a66eb1f19.txt", "img": "https://archive.orkl.eu/ffd6e63827e156aa1cc6020365a7972a66eb1f19.jpg" } }