Gaza Cybergang

Threat Actor Profile Updated 3 months ago
The Gaza Cybergang, a threat actor suspected to be affiliated with the Palestinian militant group Hamas, has been involved in various cyber espionage campaigns targeting both Palestinian and Israeli entities since 2012. The group is known for its use of sophisticated malware, including variants of SysJoker and Pierogi++, and leverages phishing attacks and social media engagements to distribute these malicious files. While the group's volume of activity hasn't increased significantly since the onset of the Gaza conflict in October, it continues to innovate and maintain its malware to enhance capabilities and evade detection.

Gaza Cybergang is divided into multiple subgroups, including Group 1 (Molerats), Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Group 3 (responsible for Operation Parliament). Each subgroup utilizes different tools and tactics; for instance, the WIRTE subgroup, which we suspect is part of the Gaza Cybergang, uses interpreted language malware such as VBS and PowerShell scripts, adding flexibility to update their toolset and avoid static detection controls. However, the exact roles and separation of activities among these groups remain unclear within the cybersecurity community.

Recent analysis reveals links between the Gaza Cybergang and several past targeted attacks. For example, new variants of SysJoker were found to have ties to Operation Electric Powder, a series of attacks on Israeli organizations from 2016 to 2017. Additionally, researchers found connections between the latest attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company, despite the significant time gap between the operations. This suggests that the Gaza Cybergang maintains persistent threats over extended periods.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Molerats | 5 | Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint’s TA402 designation. Among 16 Adv
Operation Electric Powder | 2 | Operation Electric Powder is a threat actor operation that was actively involved in targeted attacks against Israeli organizations between 2016-2017. This operation, as previously reported by ClearSky, has been linked to the threat actor known as Gaza Cybergang, also referred to as Molerats. The cyb
Desert Falcons | 1 | Desert Falcons, also known as APT-C-23, Arid Viper, or Two-tailed Scorpion, is a threat actor group associated with cyber espionage activities that have been ongoing since at least 2013. This group has targeted countries in the Middle East and has shown links to the Gaza Cybergang Group2, which is k
Operation Parliament | 1 | Operation Parliament is a highly sophisticated cyber threat campaign orchestrated by the Gaza Cybergang Group3, a threat actor known for executing actions with malicious intent. This group, which could consist of individuals, private companies, or government entities, has previously conducted operat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rust
Operation El...
Backdoor
Apt
Hamas
Israel
Phishing
Associated Malware
ID | Type | Votes | Profile Description
SysJoker | has used | 4 | SysJoker is a sophisticated piece of malware, short for malicious software, which has been designed with the intent to exploit and damage computer systems. It infiltrates systems without the user's knowledge through suspicious downloads, emails, or websites. Once it has gained access, SysJoker can d
Associated Threat Actors
ID | Type | Votes | Profile Description
WIRTE | is related to | 1 | WIRTE, identified as a threat actor by cybersecurity researchers, is suspected to be part of a larger network of malicious entities including Molerats, Gaza Cybergang, and Frankenstein. The cybersecurity industry has recognized that WIRTE overlaps with these other groups, although the specific relat
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gaza Cybergang Threat Actor was read from the documents corpus below.
Source | Created At | Title
DARKReading | 7 months ago | Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets
DARKReading | 8 months ago | Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
CERT-EU | 8 months ago | Novel SysJoker variant leveraged by Hamas-linked threat operation
CERT-EU | 8 months ago | Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
DARKReading | 8 months ago | Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
InfoSecurity-magazine | 8 months ago | SysJoker Malware: Hamas-Related Threat Expands With Rust Variant
Securityaffairs | 8 months ago | Hamas-linked APT uses Rust-based SysJoker backdoor against Israel
Checkpoint | 8 months ago | Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker - Check Point Research
MITRE | a year ago | Gaza Cybergang Group1, operation SneakyPastes
MITRE | a year ago | Public report on attacks in Middle East we attribute to WIRTE APT