TA402

Threat Actor (last updated 2024-11-29T14:53:50.570Z)
TA402, also tracked as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a threat actor that security researchers have followed for more than a decade. The group operates in support of Palestinian interests and conducts persistent cyber espionage, regularly retooling its delivery methods and malware. According to Check Point Research's analysis, its recent activity is carried out primarily by the WIRTE subgroup. Despite the ongoing conflicts in the Middle East, TA402 has kept operating, adopting new delivery methods to evade detection.

In 2023, Proofpoint researchers identified a TA402 campaign that used a custom loader called IronWind as part of a multi-stage infection chain, first disclosed in November 2023. The group's phishing campaigns are narrowly targeted, usually reaching no more than five entities per operation, with a strong focus on government entities in the Middle East and North Africa. Its use of weaponized XLL and RAR file attachments to deliver malware shows that its tooling continues to evolve.

As the conflict between Israel and Hamas continues, researchers warn that TA402 may further adjust its targeting or social engineering lures. Its operations continued through October 2024, indicating that the conflict in Gaza has not significantly disrupted its activity. Joshua Miller, a senior threat researcher at Proofpoint, has highlighted the group's adaptability, pointing to its complex infection chains and new malware. TA402 therefore remains a significant threat that warrants ongoing monitoring and robust defensive measures.
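The XLL and RAR attachment vectors named above suggest a concrete mail-gateway triage check: an XLL add-in is a PE DLL, and a RAR archive carries a fixed signature, so both can be recognised from file content rather than from the claimed extension. The following is an added example written for this page; it is not code from Proofpoint, Check Point or the Cybergeist project, and it makes no claim about TA402's actual samples. The PE parsing is a deliberately minimal header walk (MZ, e_lfanew, PE signature, COFF Characteristics), and the sample attachments are constructed in the block itself.

```python
"""Content-based triage for XLL (PE DLL) and RAR attachments.

Added example: the header parsing is a minimal hand-rolled walk of the MZ/PE
headers, and every sample attachment below is constructed, not a real file.
"""
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs (XLL add-ins are DLLs)


def pe_info(data: bytes):
    """Return (is_pe, is_dll) by walking the MZ and PE headers by hand."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need "PE\0\0" plus the 20-byte COFF header to read Characteristics.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose content is a PE or RAR, regardless of extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_pe, is_dll = pe_info(data)
    is_rar = data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)
    findings = []
    if is_pe and is_dll:
        findings.append("pe-dll")
        # A .xll name on a DLL is the Excel add-in vector; any other name is lying.
        findings.append("xll-addin" if ext == "xll" else "extension-mismatch")
    elif is_pe:
        findings.append("pe-exe")
        if ext != "exe":
            findings.append("extension-mismatch")
    if is_rar:
        findings.append("rar-archive")
        if ext != "rar":
            findings.append("extension-mismatch")
    return {"filename": filename, "findings": findings, "block": bool(findings)}


def build_fake_pe(dll: bool) -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew=0x40, PE signature, COFF header."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # exactly 0x40 bytes
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, chars)
    return mz + b"PE\0\0" + coff


# Constructed sample attachments (not real samples).
SAMPLES = [
    ("quarterly_report.xll", build_fake_pe(dll=True)),   # honest XLL add-in
    ("invoice.xlsx", build_fake_pe(dll=True)),            # DLL hiding behind a spreadsheet name
    ("documents.rar", RAR5_MAGIC + b"\0" * 32),           # RAR archive
    ("photo.jpg", RAR4_MAGIC + b"\0" * 32),               # RAR hiding behind an image name
    ("memo.docx", b"PK\x03\x04" + b"\0" * 32),            # ordinary OOXML (ZIP) document
]


def triage(samples=SAMPLES):
    """Return the filenames that should be held for analyst review."""
    return [r["filename"] for r in (classify_attachment(n, d) for n, d in samples) if r["block"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify_attachment(name, data))
```

The check keys on content, so renaming an XLL to `.xlsx` or a RAR to `.jpg` still trips it. It does not look inside archives; a RAR that itself contains an XLL would need the archive expanded and each member run back through `classify_attachment`, which is the point at which a real gateway would also apply its usual password-protected-archive policy.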
Description last updated: 2024-11-15T15:55:25.891Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles worth reviewing alongside TA402.
Alias: description (votes)

Ironwind (3 votes): IronWind is listed here as a possible alias for TA402, but IronWind is the custom loader TA402 used in the campaign disclosed in November 2023, not a separate group. It has been seen since at least October 2023 and serves as the infection vector, enabling communication with command and control infrastructure.

WIRTE (2 votes): WIRTE is a possible alias for TA402. WIRTE is a threat actor that has been identified as part of several overlapping groups, including TA402, Molerats, and Frankenstein. In mid-2023, Proofpoint researchers first noticed WIRTE's activity within TA402, which targeted Middle Eastern governments using an intricate infection chain and a new

Frankenstein (2 votes): Frankenstein is a possible alias for TA402. Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke

Molerats (2 votes): Molerats is a possible alias for TA402. Molerats, also known as the Gaza Cybergang Group1, is a threat actor group historically associated with Hamas. The group has been tracked for over a decade under various names including Frankenstein and WIRTE, among others. Molerats, along with five other groups including APT 35 and Moses Staff, are
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Dropbox
Source Document References
Information about the TA402 Threat Actor was read from the documents corpus referenced by this profile.