Molerats

aka: ALUMINUM SARATOGA, BLACKSTEM, Extreme Jackal, G0021, Gaza Cybergang, Gaza Hackers Team, Gaza cybergang, Moonlight, Operation Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for the entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well and, as was discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Associated Families
apk.badpatch win.brittle_bush win.dropbook win.extreme_rat win.molenet win.molerat_loader win.nimblemamba win.pierogi win.sharpstage win.spark win.poison_ivy

References (date | source | author, followed by title and related families/actors)

2023-11-22 | Twitter (@embee_research) | Embee_research
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)
BianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos
2022-11-30 | FFRI Security | Matsumoto
Evolution of the PlugX loader
PlugX Poison Ivy
2022-08-22 | Fortinet | Fred Gutierrez, Shunichi Imano
A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy
2022-07-31 | BushidoToken Blog | BushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Crawling Taurus
Poison Ivy APT20
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-05-17 | Positive Technologies | Positive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-16 | JPCERT/CC | Shusei Tomonaga
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2022-02-08 | The Hacker News | Ravie Lakshmanan
Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks
2022-02-08 | Proofpoint | Georgi Mladenov, Joshua Miller, Konstantin Klinger
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
BrittleBush NimbleMamba TA402
2022-01-20 | Zscaler | Sahil Antil, Sudeep Singh
New espionage attack by Molerats APT targeting users in the Middle East
2021-07-06 | 0ffset Blog | 0verfl0w_, Daniel Bunce
New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
2021-06-17 | Proofpoint | Dennis Schwarz, Konstantin Klinger, Selena Larson
New TA402 Molerats Malware Targets Governments in the Middle East
Molerat Loader
2021-06-16 | Recorded Future | Insikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-03-17 | Recorded Future | Insikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428
2021-02-01 | ESET Research | Ignacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-01-15 | Swisscom | Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-08 | Youtube (Virus Bulletin) | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2020-12-13 | SlideShare (ChiEnAshleyShen) | Chi-en Shen, Steve Su
From ThreatHunting to Campaign Tracking
Xtreme RAT
2020-12-09 | Cybereason | Cybereason Nocturnus
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark
2020-12-09 | Cybereason | Cybereason Nocturnus Team
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark
2020-10-30 | YouTube (Kaspersky Tech) | Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-10-26 | 360 Core Security | 360
Xtreme RAT Houdini NjRAT Revenge RAT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-30 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-16 | RiskIQ | Jon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-28 | NTT | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428
2020-08-19 | NTT Security | Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428
2020-07-14 | ESET Research | Lukáš Štefanko
Welcome Chat as a secure messaging app? Nothing could be further from the truth
2020-03-12 | Check Point | Check Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-03 | Palo Alto Networks Unit 42 | Alex Hinchliffe, Bryan Lee, Robert Falcone
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
Downeks JhoneRAT Molerat Loader Spark
2020-03-02 | Virus Bulletin | Alex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
2020-02-13 | Cybereason | Cybereason Nocturnus
New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor
2020-02-13 | Cybereason | Cybereason Nocturnus
New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign
2020-01-29 | nao_sec blog | nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-09 | Lab52 | Jagaimo Kawaii
TA428 Group abusing recent conflict between Iran and USA
Poison Ivy
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2019-12-12 | Microsoft | Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-07-23 | Proofpoint | Dennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428
2019-06-25 | Cybereason | Cybereason Nocturnus
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2019-04-10 | Kaspersky Labs | Kaspersky Team
The Gaza cybergang and its SneakyPastes campaign
Suspected Molerats New Attack in the Middle East
Suspected Molerats' New Attack in the Middle East
Group description: Molerats
2019-01-01 | Virus Bulletin | Bowen Pan, Lion Gu
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell
2018-09-21 | Qihoo 360 Technology | Qihoo 360
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy
2018-05-15 | BSides Detroit | Keven Murphy, Stefano Maccaglia
IR in Heterogeneous Environment
Korlia Poison Ivy
2017-10-30 | Kaspersky Labs | Ghareeb Saad, Mohamad Amin Hasbini
Gaza Cybergang – updated activity in 2017:
2017-09-15 | Fortinet | Xiaopeng Zhang
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy
2017-08-31 | NCC Group | Ahmed Zaki
Analysing a recent Poison Ivy sample
Poison Ivy
2017-08-23 | Fortinet | Xiaopeng Zhang
Deep Analysis of New Poison Ivy Variant
Poison Ivy
2017-08-02 | RSA Link | Ahmed Sonbol
Malspam delivers Xtreme RAT 8-1-2017
Xtreme RAT
Enfal Ghost RAT MimiKatz Poison Ivy APT24
2017-03-14 | ClearSky | ClearSky Research Team
Operation Electric Powder – Who is targeting Israel Electric Company?
Molerat Loader
2016-11-22 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Robert Falcone, Tom Lancaster, Vicky Ray
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy
2016-10-26 | Unknown | Chris Doman
Moonlight – Targeted attacks in the Middle East
Houdini NjRAT Molerats
2016-06-08 | ClearSky | ClearSky Research Team
Operation DustySky Part 2
2016-04-26 | Github (CyberMonitor) | Jason Jones
New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy
2016-04-22 | Palo Alto Networks Unit 42 | Brandon Levene, Jen Miller-Osborn, Micah Yates, Mike Scott
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy
2016-01-01 | ClearSky | ClearSky Research Team
Operation DustySky
2015-12-08 | The Citizenlab | Claudio Guarnieri, John Scott-Railton, Marion Marschalek, Morgan Marquis-Boire
Packrat: Seven Years of a South American Threat Actor
AdWind Adzok CyberGate Xtreme RAT Packrat
2015-12-03 | Symantec | Symantec Security Response
Colombians major target of email campaigns delivering Xtreme RAT
Xtreme RAT
2015-09-28 | Kaspersky Labs | Ghareeb Saad, Mohamad Amin Hasbini
Gaza cybergang, where’s your IR team?
2015-04-27 | PWC | Tom Lancaster
Attacks against Israeli & Palestinian interests
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-09-19 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Ryan Olson
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy
2014-06-02 | FireEye | Timothy Dahms
Molerats, Here for Spring!
2014-02-19 | FireEye | James T. Bennett, Nart Villeneuve
XtremeRAT: Nuisance or Threat?
Xtreme RAT
Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet
2013-10-31 | FireEye | Ned Moran, Thoufique Haq
Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy TEMPER PANDA
2013-08-23 | FireEye | Nart Villeneuve, Ned Moran, Thoufique Haq
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats
Xtreme RAT analysis
Xtreme RAT
2012-01-13 | Middle East Online | Middle East Online
Cyber war: 'Gaza hackers' deface Israel fire service website
2011-01-01 | Symantec | Erica Eng, Gavin O'Gorman
The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro
2010-01-01 | Mandiant | Ero Carrera, Peter Silberman
State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus

Credits: MISP Project