aka: Gaza Hackers Team, Gaza cybergang, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA, G0021
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”
2022-11-30 ⋅ FFRI Security ⋅ Matsumoto
@online{matsumoto:20221130:evolution:29e9b4c,
author = {Matsumoto},
title = {{Evolution of the PlugX loader}},
date = {2022-11-30},
organization = {FFRI Security},
url = {https://engineers.ffri.jp/entry/2022/11/30/141346},
language = {Japanese},
urldate = {2022-12-01}
}
Evolution of the PlugX loader
PlugX Poison Ivy |
2022-08-22 ⋅ Fortinet ⋅ Shunichi Imano, Fred Gutierrez
@online{imano:20220822:tale:9a74924,
author = {Shunichi Imano and Fred Gutierrez},
title = {{A Tale of PivNoxy and Chinoxy Puppeteer}},
date = {2022-08-22},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis},
language = {English},
urldate = {2022-08-28}
}
A Tale of PivNoxy and Chinoxy Puppeteer
Chinoxy Poison Ivy |
2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken
@online{bushidotoken:20220731:space:636e570,
author = {BushidoToken},
title = {{Space Invaders: Cyber Threats That Are Out Of This World}},
date = {2022-07-31},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html},
language = {English},
urldate = {2022-08-02}
}
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:shallow:cc9413f,
author = {Unit 42},
title = {{Shallow Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/},
language = {English},
urldate = {2022-07-29}
}
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:crawling:d229f20,
author = {Unit 42},
title = {{Crawling Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/crawling-taurus/},
language = {English},
urldate = {2022-07-29}
}
Crawling Taurus
Poison Ivy APT20 |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies
@online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT |
2022-02-08 ⋅ Proofpoint ⋅ Konstantin Klinger, Joshua Miller, Georgi Mladenov
@online{klinger:20220208:ugg:dc05453,
author = {Konstantin Klinger and Joshua Miller and Georgi Mladenov},
title = {{Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage}},
date = {2022-02-08},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage},
language = {English},
urldate = {2022-02-09}
}
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
BrittleBush NimbleMamba |
2022-02-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan
@online{lakshmanan:20220208:palestinian:8763e1d,
author = {Ravie Lakshmanan},
title = {{Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks}},
date = {2022-02-08},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/palestinian-hackers-using-new.html},
language = {English},
urldate = {2022-02-09}
}
Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks
NimbleMamba |
2022-01-20 ⋅ Zscaler ⋅ Sahil Antil, Sudeep Singh
@online{antil:20220120:new:2bc6613,
author = {Sahil Antil and Sudeep Singh},
title = {{New espionage attack by Molerats APT targeting users in the Middle East}},
date = {2022-01-20},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east},
language = {English},
urldate = {2022-01-24}
}
New espionage attack by Molerats APT targeting users in the Middle East
Spark |
2021-07-06 ⋅ 0ffset Blog ⋅ Daniel Bunce, 0verfl0w_
@online{bunce:20210706:new:36ccc46,
author = {Daniel Bunce and 0verfl0w_},
title = {{New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings}},
date = {2021-07-06},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/},
language = {English},
urldate = {2021-07-11}
}
New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
SharpStage |
2021-06-17 ⋅ Proofpoint ⋅ Konstantin Klinger, Dennis Schwarz, Selena Larson
@online{klinger:20210617:new:2641c84,
author = {Konstantin Klinger and Dennis Schwarz and Selena Larson},
title = {{New TA402 Molerats Malware Targets Governments in the Middle East}},
date = {2021-06-17},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east},
language = {English},
urldate = {2021-06-21}
}
New TA402 Molerats Malware Targets Governments in the Middle East
Molerat Loader |
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210616:threat:d585785,
author = {Insikt Group®},
title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
date = {2021-06-16},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
language = {English},
urldate = {2022-07-29}
}
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
@online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428 |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis
@techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-08 ⋅ Youtube (Virus Bulletin) ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@online{ozawa:20210108:operation:18eec5e,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2021-01-08},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger TA428 |
2020-12-13 ⋅ SlideShare (ChiEnAshleyShen) ⋅ Chi-en Shen, Steve Su
@online{shen:20201213:from:ce39bbc,
author = {Chi-en Shen and Steve Su},
title = {{From ThreatHunting to Campaign Tracking}},
date = {2020-12-13},
organization = {SlideShare (ChiEnAshleyShen)},
url = {https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1},
language = {English},
urldate = {2020-12-18}
}
From ThreatHunting to Campaign Tracking
Xtreme RAT |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20201209:new:ef00418,
author = {Cybereason Nocturnus},
title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign},
language = {English},
urldate = {2020-12-10}
}
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team
@techreport{team:20201209:molerats:a13c569,
author = {Cybereason Nocturnus Team},
title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
institution = {Cybereason},
url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf},
language = {English},
urldate = {2022-02-09}
}
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark |
2020-10-26 ⋅ 360 Core Security ⋅ 360
@online{360:20201026:aptc44:a336bf6,
author = {360},
title = {{北非狐(APT-C-44)攻击活动揭露}},
date = {2020-10-26},
organization = {360 Core Security},
url = {https://blogs.360.cn/post/APT-C-44.html},
language = {Chinese},
urldate = {2020-11-09}
}
北非狐(APT-C-44)攻击活动揭露
Xtreme RAT Houdini NjRAT Revenge RAT |
2020-10-01 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:04593f6,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint (Slides)}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint (Slides)
Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200930:operation:1efe218,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2021-01-25}
}
Operation LagTime IT: colourful Panda footprint
Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-16 ⋅ RiskIQ ⋅ Jon Gross
@online{gross:20200916:riskiq:da4b864,
author = {Jon Gross},
title = {{RiskIQ: Adventures in Cookie Land - Part 2}},
date = {2020-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/56fa1b2f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy |
2020-08-28 ⋅ NTT ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200828:operation:e0feab5,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation Lagtime IT: Colourful Panda Footprint}},
date = {2020-08-28},
institution = {NTT},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Lagtime IT: Colourful Panda Footprint
Cotx RAT Poison Ivy TA428 |
2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike
@techreport{ozawa:20200819:operation:445be8c,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: Colorful Panda Footprint}},
date = {2020-08-19},
institution = {NTT Security},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2022-07-29}
}
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428 |
2020-07-14 ⋅ ESET Research ⋅ Lukáš Štefanko
@online{tefanko:20200714:welcome:333a076,
author = {Lukáš Štefanko},
title = {{Welcome Chat as a secure messaging app? Nothing could be further from the truth}},
date = {2020-07-14},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/},
language = {English},
urldate = {2020-07-15}
}
Welcome Chat as a secure messaging app? Nothing could be further from the truth
BadPatch |
2020-03-12 ⋅ Check Point ⋅ Check Point Research
@online{research:20200312:vicious:3218bb8,
author = {Check Point Research},
title = {{Vicious Panda: The COVID Campaign}},
date = {2020-03-12},
organization = {Check Point},
url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
language = {English},
urldate = {2020-03-13}
}
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy |
2020-03-03 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee, Alex Hinchliffe
@online{falcone:20200303:molerats:990b000,
author = {Robert Falcone and Bryan Lee and Alex Hinchliffe},
title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}},
date = {2020-03-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/},
language = {English},
urldate = {2020-03-03}
}
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
Downeks JhoneRAT Molerat Loader Spark |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy |
2020-02-13 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20200213:new:4006ede,
author = {Cybereason Nocturnus},
title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor}},
date = {2020-02-13},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor},
language = {English},
urldate = {2020-02-13}
}
New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor
Pierogi |
2020-02-13 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20200213:new:ca8e240,
author = {Cybereason Nocturnus},
title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign}},
date = {2020-02-13},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one},
language = {English},
urldate = {2020-02-13}
}
New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign
Spark |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-09 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200109:ta428:2230af2,
author = {Jagaimo Kawaii},
title = {{TA428 Group abusing recent conflict between Iran and USA}},
date = {2020-01-09},
organization = {Lab52},
url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/},
language = {English},
urldate = {2021-02-06}
}
TA428 Group abusing recent conflict between Iran and USA
Poison Ivy |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c,
author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team},
title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}},
date = {2019-07-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
language = {English},
urldate = {2021-02-06}
}
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428 |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-04-10 ⋅ Kaspersky Labs ⋅ Kaspersky Team
@online{team:20190410:gaza:d5f5a32,
author = {Kaspersky Team},
title = {{The Gaza cybergang and its SneakyPastes campaign}},
date = {2019-04-10},
organization = {Kaspersky Labs},
url = {https://www.kaspersky.com/blog/gaza-cybergang/26363/},
language = {English},
urldate = {2019-12-18}
}
The Gaza cybergang and its SneakyPastes campaign
Molerats |
2019-02-14 ⋅ 360.cn ⋅ 奇安信威胁情报中心
@online{:20190214:suspected:25adc45,
author = {奇安信威胁情报中心},
title = {{Suspected Molerats New Attack in the Middle East}},
date = {2019-02-14},
organization = {360.cn},
url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/},
language = {Chinese},
urldate = {2019-10-12}
}
Suspected Molerats New Attack in the Middle East
Molerats |
2019-02-14 ⋅ 奇安信威胁情报中心 ⋅ 事件追踪
@online{:20190214:suspected:5df65f1,
author = {事件追踪},
title = {{Suspected Molerats' New Attack in the Middle East}},
date = {2019-02-14},
organization = {奇安信威胁情报中心},
url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/},
language = {English},
urldate = {2020-01-07}
}
Suspected Molerats' New Attack in the Middle East
Molerats |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
@techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:molerats:9927c33,
author = {MITRE ATT&CK},
title = {{Group description: Molerats}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0021/},
language = {English},
urldate = {2019-12-20}
}
Group description: Molerats
Molerats |
2018-09-21 ⋅ Qihoo 360 Technology ⋅ Qihoo 360
@online{360:20180921:poison:d1cab92,
author = {Qihoo 360},
title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}},
date = {2018-09-21},
organization = {Qihoo 360 Technology},
url = {http://blogs.360.cn/post/APT_C_01_en.html},
language = {English},
urldate = {2019-11-29}
}
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment
Poison Ivy |
2018-05-15 ⋅ BSides Detroit ⋅ Keven Murphy, Stefano Maccaglia
@online{murphy:20180515:ir:ac5b561,
author = {Keven Murphy and Stefano Maccaglia},
title = {{IR in Heterogeneous Environment}},
date = {2018-05-15},
organization = {BSides Detroit},
url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment},
language = {English},
urldate = {2020-07-20}
}
IR in Heterogeneous Environment
Korlia Poison Ivy |
2017-10-30 ⋅ Kaspersky Labs ⋅ Mohamad Amin Hasbini, Ghareeb Saad
@online{hasbini:20171030:gaza:7c531cc,
author = {Mohamad Amin Hasbini and Ghareeb Saad},
title = {{Gaza Cybergang – updated activity in 2017:}},
date = {2017-10-30},
organization = {Kaspersky Labs},
url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/},
language = {English},
urldate = {2019-12-20}
}
Gaza Cybergang – updated activity in 2017:
Molerats |
2017-09-15 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20170915:deep:5178fe3,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}},
date = {2017-09-15},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii},
language = {English},
urldate = {2020-01-10}
}
Deep Analysis of New Poison Ivy/PlugX Variant - Part II
Poison Ivy |
2017-08-31 ⋅ NCC Group ⋅ Ahmed Zaki
@online{zaki:20170831:analysing:4c77e47,
author = {Ahmed Zaki},
title = {{Analysing a recent Poison Ivy sample}},
date = {2017-08-31},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/},
language = {English},
urldate = {2020-01-10}
}
Analysing a recent Poison Ivy sample
Poison Ivy |
2017-08-23 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20170823:deep:3d931ad,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy Variant}},
date = {2017-08-23},
organization = {Fortinet},
url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant},
language = {English},
urldate = {2020-01-06}
}
Deep Analysis of New Poison Ivy Variant
Poison Ivy |
2017-08-02 ⋅ RSA Link ⋅ Ahmed Sonbol
@online{sonbol:20170802:malspam:d849b12,
author = {Ahmed Sonbol},
title = {{Malspam delivers Xtreme RAT 8-1-2017}},
date = {2017-08-02},
organization = {RSA Link},
url = {https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017},
language = {English},
urldate = {2020-01-13}
}
Malspam delivers Xtreme RAT 8-1-2017
Xtreme RAT |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20170531:pittytiger:cac6452,
author = {MITRE ATT&CK},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
2017-03-14 ⋅ ClearSky ⋅ ClearSky Research Team
@online{team:20170314:operation:38f832c,
author = {ClearSky Research Team},
title = {{Operation Electric Powder – Who is targeting Israel Electric Company?}},
date = {2017-03-14},
organization = {ClearSky},
url = {http://www.clearskysec.com/iec/},
language = {English},
urldate = {2020-01-13}
}
Operation Electric Powder – Who is targeting Israel Electric Company?
Molerat Loader |
2016-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster
@online{ray:20161122:tropic:7f503e7,
author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster},
title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}},
date = {2016-11-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/},
language = {English},
urldate = {2019-12-20}
}
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
Poison Ivy |
2016-10-26 ⋅ Unknown ⋅ Chris Doman
@online{doman:20161026:moonlight:1edffaa,
author = {Chris Doman},
title = {{Moonlight – Targeted attacks in the Middle East}},
date = {2016-10-26},
organization = {Unknown},
url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks},
language = {English},
urldate = {2020-04-06}
}
Moonlight – Targeted attacks in the Middle East
Houdini NjRAT Molerats |
2016-06-08 ⋅ ClearSky ⋅ ClearSky Research Team
@techreport{team:20160608:operation:c8f6615,
author = {ClearSky Research Team},
title = {{Operation DustySky Part 2}},
date = {2016-06-08},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf},
language = {English},
urldate = {2020-01-08}
}
Operation DustySky Part 2
Molerats |
2016-04-26 ⋅ Github (CyberMonitor) ⋅ Jason Jones
@techreport{jones:20160426:new:78ff145,
author = {Jason Jones},
title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}},
date = {2016-04-26},
institution = {Github (CyberMonitor)},
url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf},
language = {English},
urldate = {2019-12-17}
}
New Poison Ivy Activity Targeting Myanmar, Asian Countries
Poison Ivy |
2016-04-22 ⋅ Palo Alto Networks Unit 42 ⋅ Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn
@online{yates:20160422:new:249e32b,
author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn},
title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}},
date = {2016-04-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/},
language = {English},
urldate = {2019-12-20}
}
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Poison Ivy |
2016-01 ⋅ ClearSky ⋅ ClearSky Research Team
@techreport{team:201601:operation:b45e4b9,
author = {ClearSky Research Team},
title = {{Operation DustySky}},
date = {2016-01},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf},
language = {English},
urldate = {2019-11-29}
}
Operation DustySky
Molerats |
2015-12-08 ⋅ The Citizenlab ⋅ John Scott-Railton, Morgan Marquis-Boire, Claudio Guarnieri, Marion Marschalek
@online{scottrailton:20151208:packrat:5f9bffa,
author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek},
title = {{Packrat: Seven Years of a South American Threat Actor}},
date = {2015-12-08},
organization = {The Citizenlab},
url = {https://citizenlab.ca/2015/12/packrat-report/},
language = {English},
urldate = {2020-05-18}
}
Packrat: Seven Years of a South American Threat Actor
AdWind Adzok CyberGate Xtreme RAT Packrat |
2015-12-03 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20151203:colombians:04e7e8a,
author = {Symantec Security Response},
title = {{Colombians major target of email campaigns delivering Xtreme RAT}},
date = {2015-12-03},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat},
language = {English},
urldate = {2020-01-08}
}
Colombians major target of email campaigns delivering Xtreme RAT
Xtreme RAT |
2015-09-28 ⋅ Kaspersky Labs ⋅ Mohamad Amin Hasbini, Ghareeb Saad
@online{hasbini:20150928:gaza:0c6e96e,
author = {Mohamad Amin Hasbini and Ghareeb Saad},
title = {{Gaza cybergang, where’s your IR team?}},
date = {2015-09-28},
organization = {Kaspersky Labs},
url = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/},
language = {English},
urldate = {2019-12-20}
}
Gaza cybergang, where’s your IR team?
Molerats |
2015-04-27 ⋅ PWC ⋅ Tom Lancaster
@online{lancaster:20150427:attacks:8467adc,
author = {Tom Lancaster},
title = {{Attacks against Israeli & Palestinian interests}},
date = {2015-04-27},
organization = {PWC},
url = {https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html},
language = {English},
urldate = {2020-01-08}
}
Attacks against Israeli & Palestinian interests
Molerats |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2014-09-19 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Ryan Olson
@online{millerosborn:20140919:recent:edf1ed3,
author = {Jen Miller-Osborn and Ryan Olson},
title = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}},
date = {2014-09-19},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/},
language = {English},
urldate = {2019-12-20}
}
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy
Poison Ivy |
2014-06-02 ⋅ FireEye ⋅ Timothy Dahms
@online{dahms:20140602:molerats:8b00d0d,
author = {Timothy Dahms},
title = {{Molerats, Here for Spring!}},
date = {2014-06-02},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html},
language = {English},
urldate = {2019-12-20}
}
Molerats, Here for Spring!
Molerats |
2014-02-19 ⋅ FireEye ⋅ Nart Villeneuve, James T. Bennett
@online{villeneuve:20140219:xtremerat:53e1a83,
author = {Nart Villeneuve and James T. Bennett},
title = {{XtremeRAT: Nuisance or Threat?}},
date = {2014-02-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html},
language = {English},
urldate = {2019-12-20}
}
XtremeRAT: Nuisance or Threat?
Xtreme RAT |
2014 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:2014:operation:2160679,
author = {FireEye},
title = {{Operation Quantum Entanglement}},
date = {2014},
institution = {FireEye},
url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf},
language = {English},
urldate = {2021-04-29}
}
Operation Quantum Entanglement
IsSpace NewCT Poison Ivy SysGet |
2013-10-31 ⋅ FireEye ⋅ Thoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9,
author = {Thoufique Haq and Ned Moran},
title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}},
date = {2013-10-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html},
language = {English},
urldate = {2019-12-20}
}
Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy TEMPER PANDA |
2013-08-23 ⋅ FireEye ⋅ Nart Villeneuve, Thoufique Haq, Ned Moran
@online{villeneuve:20130823:operation:dc4b5d6,
author = {Nart Villeneuve and Thoufique Haq and Ned Moran},
title = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}},
date = {2013-08-23},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html},
language = {English},
urldate = {2019-12-20}
}
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Poison Ivy Molerats |
2012-07-22 ⋅ Malware.lu ⋅ Malware.lu
@online{malwarelu:20120722:xtreme:ada355e,
author = {Malware.lu},
title = {{Xtreme RAT analysis}},
date = {2012-07-22},
organization = {Malware.lu},
url = {https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html},
language = {English},
urldate = {2020-01-08}
}
Xtreme RAT analysis
Xtreme RAT |
2012-01-13 ⋅ Middle East Online ⋅ Middle East Online
@online{online:20120113:cyber:de2ee6e,
author = {Middle East Online},
title = {{Cyber war: 'Gaza hackers' deface Israel fire service website}},
date = {2012-01-13},
organization = {Middle East Online},
url = {https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website},
language = {English},
urldate = {2019-10-12}
}
Cyber war: 'Gaza hackers' deface Israel fire service website
Molerats |
2011 ⋅ Symantec ⋅ Erica Eng, Gavin O'Gorman
@techreport{eng:2011:nitro:656e464,
author = {Erica Eng and Gavin O'Gorman},
title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}},
date = {2011},
institution = {Symantec},
url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf},
language = {English},
urldate = {2020-04-21}
}
The Nitro Attacks: Stealing Secrets from the Chemical Industry
Poison Ivy Nitro |
2010 ⋅ Mandiant ⋅ Ero Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608,
author = {Ero Carrera and Peter Silberman},
title = {{State of Malware: Family Ties}},
date = {2010},
institution = {Mandiant},
url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf},
language = {English},
urldate = {2022-01-28}
}
State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus |