TA402

Threat Actor updated 3 days ago (2024-11-20T18:13:50.936Z)

Download STIX

Preview STIX

TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that has been tracked by cybersecurity researchers for over a decade. This group, associated with pro-Palestinian interests, is known for its innovative and persistent cyber espionage activities, frequently retooling its attack methods and malware to achieve its objectives. The group's activities are primarily deployed by the WIRTE subgroup, according to Check Point Research's analysis. Despite ongoing conflicts in the Middle East, TA402 continues to operate unhindered, using new and clever delivery methods to bypass detection efforts. In 2023, Proofpoint researchers identified a campaign associated with TA402 that utilized custom loaders like IronWind, a complex infection chain first disclosed in November 2023. The group's hacking activities have remained highly focused, with phishing campaigns typically targeting no more than five entities per operation. Their attacks are extremely targeted, with a strong focus on government entities based in the Middle East and North Africa. The group's use of weaponized XLL and RAR files to deliver malware demonstrates their evolving tactics and technical sophistication. As the conflict between Israel and Hamas continues, researchers warn that TA402 may further adjust its targeting or social engineering lures. Their operations continued through October 2024, indicating that the current conflict in Gaza has not significantly disrupted their activities. Joshua Miller, a senior threat researcher at Proofpoint, emphasized the group's adaptability, noting their use of complex infection chains and new malware to attack targets. As such, TA402 remains a significant cybersecurity threat that demands ongoing vigilance and robust defense strategies.

Description last updated: 2024-11-15T15:55:25.891Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ironwind is a possible alias for TA402. IronWind is a threat actor that has been active since at least October 2023, known for its use of sophisticated malware and encryption techniques to carry out cyber attacks. This group uses a unique variant of the IronWind loader as an infection vector, which enables communication with command and c	3
WIRTE is a possible alias for TA402. WIRTE is a threat actor that has been identified as part of several overlapping groups, including TA402, Molerats, and Frankenstein. In mid-2023, Proofpoint researchers first noticed WIRTE's activity within TA402, which targeted Middle Eastern governments using an intricate infection chain and a new	2
Frankenstein is a possible alias for TA402. Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke	2
Molerats is a possible alias for TA402. Molerats, also known as the Gaza Cybergang Group1, is a threat actor group historically associated with Hamas. The group has been tracked for over a decade under various names including Frankenstein and WIRTE, among others. Molerats, along with five other groups including APT 35 and Moses Staff, are	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Espionage

Dropbox

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the TA402 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	8 days ago	Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel
Checkpoint	8 days ago	Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - Check Point Research
CERT-EU	8 months ago	Hackers Claim Accessing 740GB of Data from Viber Messaging App
CERT-EU	8 months ago	Hackers Claim Accessing 740GB of Data from Viber Messaging App \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	TA402 Group using Weaponized XLL and RAR Files to Deliver Malware
CERT-EU	a year ago	Pro-Palestinian hacking group evolves tactics amid war
CERT-EU	a year ago	TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities - Cyber Security Review
CERT-EU	a year ago	Novel espionage tool leveraged by pro-Palestinian hacking operation
CERT-EU	a year ago	APT29 mounts cyberespionage campaign across Europe
CERT-EU	a year ago	Pro-Palestinian TA402 APT Using IronWind Malware in New Attack
CERT-EU	a year ago	TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities \| Proofpoint US
CERT-EU	a year ago	Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East
DARKReading	a year ago	Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East
InfoSecurity-magazine	a year ago	Pro-Palestine APT Group Uses Novel Downloader in New Campaign