TA402

TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a persistent and innovative threat actor that has been tracked by researchers for over a decade. The group is renowned for its cyber espionage activities, which include highly targeted phishing campaigns and the deployment of new access methods. Despite the ongoing conflict between Israel and Hamas, TA402's operations have not been significantly disrupted. The group continues to iterate and develop new delivery methods to bypass detection efforts, with a strong focus on government entities based in the Middle East and North Africa. In mid-2023, Proofpoint researchers identified a shift in TA402's tactics. The group started using a complex infection chain to target Middle Eastern governments with a new initial access downloader dubbed IronWind. This malware and others were distributed through phishing emails from a compromised Ministry of Foreign Affairs account, using economy-related issues as lures to deceive recipients into downloading files through Dropbox download links. From July through October 2023, TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant leading to the download of a DLL containing multifunctional malware. Furthermore, TA402 has pivoted away from using cloud services like Dropbox API, which was observed in their activities in 2021 and 2022, to using actor-controlled infrastructure for command and control (C2) communication. The group's hacking activities, including highly focused phishing campaigns targeting no more than five entities in any given campaign, continued through October, indicating that the current conflict in Gaza has not significantly disrupted their operations. As the conflict drags on, researchers caution that TA402 could further adjust its targeting or social engineering lures.