TA402

Threat Actor Profile Updated 3 months ago
TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, is a persistent and innovative threat actor that researchers have tracked for over a decade. The group is known for its cyber espionage activity, which includes highly targeted phishing campaigns and the deployment of new access methods. Despite the ongoing conflict between Israel and Hamas, TA402's operations have not been significantly disrupted. The group continues to iterate on and develop new delivery methods to evade detection, with a strong focus on government entities based in the Middle East and North Africa.

In mid-2023, Proofpoint researchers identified a shift in TA402's tactics. The group began using a complex infection chain to target Middle Eastern governments with a new initial access downloader dubbed IronWind. This malware and others were distributed through phishing emails sent from a compromised Ministry of Foreign Affairs account, using economy-related issues as lures to deceive recipients into downloading files via Dropbox download links. From July through October 2023, TA402 used three variations of this infection chain (Dropbox links, XLL file attachments, and RAR file attachments), each leading to the download of a DLL containing multifunctional malware. TA402 has also pivoted away from the cloud services it used in 2021 and 2022, such as the Dropbox API, to actor-controlled infrastructure for command and control (C2) communication.

The group's activity, including highly focused phishing campaigns targeting no more than five entities in any given campaign, continued through October, indicating that the current conflict in Gaza has not significantly disrupted its operations. As the conflict drags on, researchers caution that TA402 could further adjust its targeting or social engineering lures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Molerats | 2 | Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint's TA402 designation. Among 16 Adv
Frankenstein | 2 | Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke
WIRTE | 1 | WIRTE, identified as a threat actor by cybersecurity researchers, is suspected to be part of a larger network of malicious entities including Molerats, Gaza Cybergang, and Frankenstein. The cybersecurity industry has recognized that WIRTE overlaps with these other groups, although the specific relat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Dropbox
Espionage
Payload
Decoy
Cyberscoop
Government
Gbhackers
Israel
Downloader
Phishing
Apt
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Ironwind | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TA402 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 4 months ago | Hackers Claim Accessing 740GB of Data from Viber Messaging App | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | TA402 Group using Weaponized XLL and RAR Files to Deliver Malware
CERT-EU | 8 months ago | Pro-Palestinian hacking group evolves tactics amid war
CERT-EU | 8 months ago | TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities - Cyber Security Review
CERT-EU | 8 months ago | Novel espionage tool leveraged by pro-Palestinian hacking operation
CERT-EU | 8 months ago | APT29 mounts cyberespionage campaign across Europe
CERT-EU | 8 months ago | Pro-Palestinian TA402 APT Using IronWind Malware in New Attack
CERT-EU | 8 months ago | TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities | Proofpoint US
CERT-EU | 8 months ago | Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East
DARKReading | 8 months ago | Molerats Group Wields Custom Cybertool to Steal Secrets in the Middle East
InfoSecurity-magazine | 8 months ago | Pro-Palestine APT Group Uses Novel Downloader in New Campaign