TA402

Threat Actor updated 5 months ago (2024-05-04T20:55:57.181Z)
TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a persistent and innovative threat actor that researchers have tracked for over a decade. The group is known for cyber espionage, including highly targeted phishing campaigns and the regular introduction of new initial access methods. The ongoing conflict between Israel and Hamas has not significantly disrupted TA402's operations: the group continues to iterate on its delivery methods to evade detection, with a strong focus on government entities in the Middle East and North Africa.

In mid-2023, Proofpoint researchers identified a shift in TA402's tactics. The group began using a complex infection chain to target Middle Eastern governments with a new initial access downloader dubbed IronWind. IronWind and other malware were distributed through phishing emails sent from a compromised Ministry of Foreign Affairs account, using economy-related lures to entice recipients into fetching files via Dropbox download links. From July through October 2023, TA402 used three variations of this infection chain (Dropbox links, XLL file attachments, and RAR file attachments), each of which led to the download of a DLL containing multifunctional malware.

TA402 has also moved away from the cloud services it relied on in 2021 and 2022, such as the Dropbox API, in favour of actor-controlled infrastructure for command and control (C2) communication. Its activity, including tightly focused phishing campaigns that target no more than five entities in any given campaign, continued through October 2023, indicating that the conflict in Gaza has not significantly disrupted its operations. As the conflict drags on, researchers caution that TA402 could further adjust its targeting or its social engineering lures.
Description last updated: 2024-03-17T00:16:34.995Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias (votes) - Description

Molerats (2) - Molerats is a possible alias for TA402. Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint's TA402 designation. Among 16 Adv

Frankenstein (2) - Frankenstein is a possible alias for TA402. Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke

Ironwind (2) - Ironwind is a possible alias for TA402. IronWind is a threat actor (TA) that has been active since 2020, known for its execution of actions with malicious intent. A significant shift in its operations was observed from July to October 2023, when it launched a new series of targeted cyber-espionage attacks using a novel initial access down
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Dropbox