Gaza Cybergang

Threat Actor Profile Updated 25 days ago
The Gaza Cybergang, a threat actor suspected to be affiliated with the Palestinian militant group Hamas, has been involved in various cyber espionage campaigns targeting both Palestinian and Israeli entities since 2012. The group is known for its use of sophisticated malware, including variants of SysJoker and Pierogi++, and leverages phishing attacks and social media engagements to distribute these malicious files. While the group's volume of activity hasn't increased significantly since the onset of the Gaza conflict in October, it continues to innovate and maintain its malware to enhance capabilities and evade detection.

Gaza Cybergang is divided into multiple subgroups, including Group 1 (Molerats), Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Group 3 (responsible for Operation Parliament). Each subgroup utilizes different tools and tactics; for instance, the WIRTE subgroup, which we suspect is part of the Gaza Cybergang, uses interpreted language malware such as VBS and PowerShell scripts, adding flexibility to update their toolset and avoid static detection controls. However, the exact roles and separation of activities among these groups remain unclear within the cybersecurity community.

Recent analysis reveals links between the Gaza Cybergang and several past targeted attacks. For example, new variants of SysJoker were found to have ties to Operation Electric Powder, a series of attacks on Israeli organizations from 2016 to 2017. Additionally, researchers found connections between the latest attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company, despite the significant time gap between the operations. This suggests that the Gaza Cybergang maintains persistent threats over extended periods.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Molerats | 5 | Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint’s TA402 designation. Among 16 Adv |
| Operation Electric Powder | 2 | Operation Electric Powder is a threat actor operation that was actively involved in targeted attacks against Israeli organizations between 2016-2017. This operation, as previously reported by ClearSky, has been linked to the threat actor known as Gaza Cybergang, also referred to as Molerats. The cyb |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rust
Operation El...
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Sysjoker | has used | 4 | SysJoker is a malicious software (malware) that has recently come to the forefront of cybersecurity concerns. Developed using the Rust programming language, this backdoor malware is known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, ema |
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gaza Cybergang Threat Actor was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| MITRE | a year ago | Public report on attacks in Middle East we attribute to WIRTE APT |
| DARKReading | 5 months ago | Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets |
| Securityaffairs | 6 months ago | Hamas-linked APT uses Rust-based SysJoker backdoor against Israel |
| Checkpoint | 6 months ago | Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker - Check Point Research |
| InfoSecurity-magazine | 6 months ago | SysJoker Malware: Hamas-Related Threat Expands With Rust Variant |
| DARKReading | 6 months ago | Hamas-Linked APT Wields New SysJoker Backdoor Against Israel |
| CERT-EU | 6 months ago | Novel SysJoker variant leveraged by Hamas-linked threat operation |
| CERT-EU | 6 months ago | Hamas-Linked APT Wields New SysJoker Backdoor Against Israel |
| MITRE | a year ago | Gaza Cybergang Group1, operation SneakyPastes |