Molerats

Threat Actor updated 19 hours ago (2024-11-20T18:17:02.906Z)

Download STIX

Preview STIX

Molerats, also known as the Gaza Cybergang Group1, is a threat actor group historically associated with Hamas. The group has been tracked for over a decade under various names including Frankenstein and WIRTE, among others. Molerats, along with five other groups including APT 35 and Moses Staff, are linked to Iran, while two other groups have ties to China. The group primarily targets organizations in Saudi Arabia, the United Arab Emirates, and Israel, using advanced persistent threats (APTs) for their operations. The Molerats group has displayed significant adaptability and persistence, recently leveraging an improved downloader as part of its initial access operations. Furthermore, it is believed to be behind attacks on Israeli targets using a Rust-based version of SysJoker, a multi-platform backdoor first discovered by Intezer in 2021. This suggests a high level of sophistication and ability to exploit multiple platforms for malicious activities. Notably, new variants of SysJoker have revealed connections to Operation Electric Powder, a series of targeted attacks against Israeli organizations between 2016-2017, previously linked to Molerats. Despite the absence of activity from other Hamas-connected cyber threat actors like Extreme Jackal and Renegade Jackal after the Oct. 7 terrorist attack in Israel, Molerats continues to pose a significant threat. The group's long history, combined with its evolving tactics and techniques, underscores the need for continued vigilance and robust cybersecurity measures.

Description last updated: 2024-11-15T15:55:29.596Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Gaza Cybergang is a possible alias for Molerats. Gaza Cybergang, a threat actor group affiliated with Hamas, has been active since at least 2012, targeting entities in the Middle East and North Africa. The group's activities primarily involve intelligence collection and espionage campaigns against Palestinian and Israeli victims. Researchers have	5
TA402 is a possible alias for Molerats. TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently ret	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Hamas

Apt

Malware

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Sysjoker Malware is associated with Molerats. SysJoker is a sophisticated malware, short for malicious software, that has been leveraged by a Hamas-linked Advanced Persistent Threat (APT) against Israel. Unlike other malware, SysJoker is written in Rust, a programming language known for its performance and safety, which makes it more challengin	Unspecified	2

Source Document References

Information about the Molerats Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	6 days ago	Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel
Checkpoint	6 days ago	Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - Check Point Research
DARKReading	8 months ago	Saudi Arabia, UAE Top List of APT-Targeted Nations in the Middle East
DARKReading	9 months ago	Iranian APTs Dress Up As Hacktivists for Disruption, Influence Ops
DARKReading	a year ago	Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets
DARKReading	a year ago	Ransomware Attacks Strike South Africa, Decline in UAE
DARKReading	a year ago	Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
DARKReading	a year ago	Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
InfoSecurity-magazine	a year ago	SysJoker Malware: Hamas-Related Threat Expands With Rust Variant
CERT-EU	a year ago	Shadowy hacking group targeting Israel shows outsized capabilities
Securityaffairs	a year ago	Hamas-linked APT uses Rust-based SysJoker backdoor against Israel
Checkpoint	a year ago	Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker - Check Point Research
Checkpoint	a year ago	20th November – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Novel espionage tool leveraged by pro-Palestinian hacking operation
CERT-EU	a year ago	APT29 mounts cyberespionage campaign across Europe
DARKReading	a year ago	Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East
CERT-EU	a year ago	Pro-Palestinian hacking group evolves tactics amid war
MITRE	2 years ago	Gaza Cybergang Group1, operation SneakyPastes
MITRE	2 years ago	Hacking group’s new malware abuses Google and Facebook services