aka: Gaza Hackers Team, Gaza cybergang, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA, G0021
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well — and, as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”
2022-11-30 ⋅ FFRI Security ⋅ Matsumoto @online{matsumoto:20221130:evolution:29e9b4c,
author = {Matsumoto},
title = {{Evolution of the PlugX loader}},
date = {2022-11-30},
organization = {FFRI Security},
url = {https://engineers.ffri.jp/entry/2022/11/30/141346},
language = {Japanese},
urldate = {2022-12-01}
}
Evolution of the PlugX loader PlugX Poison Ivy |
2022-08-22 ⋅ Fortinet ⋅ Shunichi Imano, Fred Gutierrez @online{imano:20220822:tale:9a74924,
author = {Shunichi Imano and Fred Gutierrez},
title = {{A Tale of PivNoxy and Chinoxy Puppeteer}},
date = {2022-08-22},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis},
language = {English},
urldate = {2022-08-28}
}
A Tale of PivNoxy and Chinoxy Puppeteer Chinoxy Poison Ivy |
2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken @online{bushidotoken:20220731:space:636e570,
author = {BushidoToken},
title = {{Space Invaders: Cyber Threats That Are Out Of This World}},
date = {2022-07-31},
organization = {BushidoToken Blog},
url = {https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html},
language = {English},
urldate = {2022-08-02}
}
Space Invaders: Cyber Threats That Are Out Of This World Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:shallow:cc9413f,
author = {Unit 42},
title = {{Shallow Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/shallowtaurus/},
language = {English},
urldate = {2022-07-29}
}
Shallow Taurus FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:crawling:d229f20,
author = {Unit 42},
title = {{Crawling Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/crawling-taurus/},
language = {English},
urldate = {2022-07-29}
}
Crawling Taurus Poison Ivy APT20 |
2022-05-17 ⋅ Positive Technologies ⋅ Positive Technologies @online{technologies:20220517:space:abd655a,
author = {Positive Technologies},
title = {{Space Pirates: analyzing the tools and connections of a new hacker group}},
date = {2022-05-17},
organization = {Positive Technologies},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/},
language = {English},
urldate = {2022-05-25}
}
Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
2022-05-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220516:analysis:b1c8089,
author = {Shusei Tomonaga},
title = {{Analysis of HUI Loader}},
date = {2022-05-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html},
language = {English},
urldate = {2022-05-17}
}
Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
2022-02-08 ⋅ Proofpoint ⋅ Konstantin Klinger, Joshua Miller, Georgi Mladenov @online{klinger:20220208:ugg:dc05453,
author = {Konstantin Klinger and Joshua Miller and Georgi Mladenov},
title = {{Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage}},
date = {2022-02-08},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage},
language = {English},
urldate = {2022-02-09}
}
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage BrittleBush NimbleMamba |
2022-02-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220208:palestinian:8763e1d,
author = {Ravie Lakshmanan},
title = {{Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks}},
date = {2022-02-08},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/02/palestinian-hackers-using-new.html},
language = {English},
urldate = {2022-02-09}
}
Palestinian Hackers Use New NimbleMamba Implant in Recent Attacks NimbleMamba |
2022-01-20 ⋅ Zscaler ⋅ Sahil Antil, Sudeep Singh @online{antil:20220120:new:2bc6613,
author = {Sahil Antil and Sudeep Singh},
title = {{New espionage attack by Molerats APT targeting users in the Middle East}},
date = {2022-01-20},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east},
language = {English},
urldate = {2022-01-24}
}
New espionage attack by Molerats APT targeting users in the Middle East Spark |
2021-07-06 ⋅ 0ffset Blog ⋅ Daniel Bunce, 0verfl0w_ @online{bunce:20210706:new:36ccc46,
author = {Daniel Bunce and 0verfl0w_},
title = {{New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings}},
date = {2021-07-06},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/},
language = {English},
urldate = {2021-07-11}
}
New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings SharpStage |
2021-06-17 ⋅ Proofpoint ⋅ Konstantin Klinger, Dennis Schwarz, Selena Larson @online{klinger:20210617:new:2641c84,
author = {Konstantin Klinger and Dennis Schwarz and Selena Larson},
title = {{New TA402 Molerats Malware Targets Governments in the Middle East}},
date = {2021-06-17},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east},
language = {English},
urldate = {2021-06-21}
}
New TA402 Molerats Malware Targets Governments in the Middle East Molerat Loader |
2021-06-16 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210616:threat:d585785,
author = {Insikt Group®},
title = {{Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries}},
date = {2021-06-16},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf},
language = {English},
urldate = {2022-07-29}
}
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA |
2021-03-17 ⋅ Recorded Future ⋅ Insikt Group® @online{group:20210317:chinalinked:65b251b,
author = {Insikt Group®},
title = {{China-linked TA428 Continues to Target Russia and Mongolia IT Companies}},
date = {2021-03-17},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/china-linked-ta428-threat-group},
language = {English},
urldate = {2021-03-19}
}
China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy TA428 |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-08 ⋅ Youtube (Virus Bulletin) ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @online{ozawa:20210108:operation:18eec5e,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2021-01-08},
organization = {Youtube (Virus Bulletin)},
url = {https://www.youtube.com/watch?v=1WfPlgtfWnQ},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger TA428 |
2020-12-13 ⋅ SlideShare (ChiEnAshleyShen) ⋅ Chi-en Shen, Steve Su @online{shen:20201213:from:ce39bbc,
author = {Chi-en Shen and Steve Su},
title = {{From ThreatHunting to Campaign Tracking}},
date = {2020-12-13},
organization = {SlideShare (ChiEnAshleyShen)},
url = {https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1},
language = {English},
urldate = {2020-12-18}
}
From ThreatHunting to Campaign Tracking Xtreme RAT |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20201209:new:ef00418,
author = {Cybereason Nocturnus},
title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign},
language = {English},
urldate = {2020-12-10}
}
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign DropBook MoleNet Quasar RAT SharpStage Spark |
2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team @techreport{team:20201209:molerats:a13c569,
author = {Cybereason Nocturnus Team},
title = {{MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign}},
date = {2020-12-09},
institution = {Cybereason},
url = {https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf},
language = {English},
urldate = {2022-02-09}
}
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark |
2020-10-26 ⋅ 360 Core Security ⋅ 360 @online{360:20201026:aptc44:a336bf6,
author = {360},
title = {{北非狐(APT-C-44)攻击活动揭露}},
date = {2020-10-26},
organization = {360 Core Security},
url = {https://blogs.360.cn/post/APT-C-44.html},
language = {Chinese},
urldate = {2020-11-09}
}
北非狐(APT-C-44)攻击活动揭露 Xtreme RAT Houdini NjRAT Revenge RAT |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200930:operation:04593f6,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint (Slides)}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2021-02-06}
}
Operation LagTime IT: colourful Panda footprint (Slides) Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-30 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200930:operation:1efe218,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: colourful Panda footprint}},
date = {2020-09-30},
institution = {NTT Security},
url = {https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2021-01-25}
}
Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger |
2020-09-16 ⋅ RiskIQ ⋅ Jon Gross @online{gross:20200916:riskiq:da4b864,
author = {Jon Gross},
title = {{RiskIQ: Adventures in Cookie Land - Part 2}},
date = {2020-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/56fa1b2f},
language = {English},
urldate = {2020-09-23}
}
RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy |
2020-08-28 ⋅ NTT ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200828:operation:e0feab5,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation Lagtime IT: Colourful Panda Footprint}},
date = {2020-08-28},
institution = {NTT},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf},
language = {English},
urldate = {2022-07-25}
}
Operation Lagtime IT: Colourful Panda Footprint Cotx RAT Poison Ivy TA428 |
2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Shogo Hayashi, Rintaro Koike @techreport{ozawa:20200819:operation:445be8c,
author = {Fumio Ozawa and Shogo Hayashi and Rintaro Koike},
title = {{Operation LagTime IT: Colorful Panda Footprint}},
date = {2020-08-19},
institution = {NTT Security},
url = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf},
language = {English},
urldate = {2022-07-29}
}
Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428 |
2020-07-14 ⋅ ESET Research ⋅ Lukáš Štefanko @online{tefanko:20200714:welcome:333a076,
author = {Lukáš Štefanko},
title = {{Welcome Chat as a secure messaging app? Nothing could be further from the truth}},
date = {2020-07-14},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/},
language = {English},
urldate = {2020-07-15}
}
Welcome Chat as a secure messaging app? Nothing could be further from the truth BadPatch |
2020-03-12 ⋅ Check Point ⋅ Check Point Research @online{research:20200312:vicious:3218bb8,
author = {Check Point Research},
title = {{Vicious Panda: The COVID Campaign}},
date = {2020-03-12},
organization = {Check Point},
url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
language = {English},
urldate = {2020-03-13}
}
Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy |
2020-03-03 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Bryan Lee, Alex Hinchliffe @online{falcone:20200303:molerats:990b000,
author = {Robert Falcone and Bryan Lee and Alex Hinchliffe},
title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}},
date = {2020-03-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/},
language = {English},
urldate = {2020-03-03}
}
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations Downeks JhoneRAT Molerat Loader Spark |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe @online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy |
2020-02-13 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20200213:new:4006ede,
author = {Cybereason Nocturnus},
title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor}},
date = {2020-02-13},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor},
language = {English},
urldate = {2020-02-13}
}
New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor Pierogi |
2020-02-13 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20200213:new:ca8e240,
author = {Cybereason Nocturnus},
title = {{New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign}},
date = {2020-02-13},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one},
language = {English},
urldate = {2020-02-13}
}
New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign Spark |
2020-01-29 ⋅ nao_sec blog ⋅ nao_sec @online{naosec:20200129:overhead:ec0aeb5,
author = {nao_sec},
title = {{An Overhead View of the Royal Road}},
date = {2020-01-29},
organization = {nao_sec blog},
url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
language = {English},
urldate = {2020-02-03}
}
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
2020-01-09 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200109:ta428:2230af2,
author = {Jagaimo Kawaii},
title = {{TA428 Group abusing recent conflict between Iran and USA}},
date = {2020-01-09},
organization = {Lab52},
url = {https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/},
language = {English},
urldate = {2021-02-06}
}
TA428 Group abusing recent conflict between Iran and USA Poison Ivy |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-07-23 ⋅ Proofpoint ⋅ Michael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team @online{raggi:20190723:chinese:804ec1c,
author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team},
title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}},
date = {2019-07-23},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
language = {English},
urldate = {2021-02-06}
}
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428 |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus @online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-04-10 ⋅ Kaspersky Labs ⋅ Kaspersky Team @online{team:20190410:gaza:d5f5a32,
author = {Kaspersky Team},
title = {{The Gaza cybergang and its SneakyPastes campaign}},
date = {2019-04-10},
organization = {Kaspersky Labs},
url = {https://www.kaspersky.com/blog/gaza-cybergang/26363/},
language = {English},
urldate = {2019-12-18}
}
The Gaza cybergang and its SneakyPastes campaign Molerats |
2019-02-14 ⋅ 360.cn ⋅ 奇安信威胁情报中心 @online{:20190214:suspected:25adc45,
author = {奇安信威胁情报中心},
title = {{Suspected Molerats New Attack in the Middle East}},
date = {2019-02-14},
organization = {360.cn},
url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/},
language = {Chinese},
urldate = {2019-10-12}
}
Suspected Molerats New Attack in the Middle East Molerats |
2019-02-14 ⋅ 奇安信威胁情报中心 ⋅ 事件追踪 @online{:20190214:suspected:5df65f1,
author = {事件追踪},
title = {{Suspected Molerats' New Attack in the Middle East}},
date = {2019-02-14},
organization = {奇安信威胁情报中心},
url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/},
language = {English},
urldate = {2020-01-07}
}
Suspected Molerats' New Attack in the Middle East Molerats |
2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan @techreport{gu:2019:vine:df5dbfb,
author = {Lion Gu and Bowen Pan},
title = {{A vine climbing over the Great Firewall: A long-term attack against China}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf},
language = {English},
urldate = {2020-01-08}
}
A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:molerats:9927c33,
author = {{MITRE ATT\&CK}},
title = {{Group description: Molerats}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0021/},
language = {English},
urldate = {2019-12-20}
}
Group description: Molerats Molerats |
2018-09-21 ⋅ Qihoo 360 Technology ⋅ Qihoo 360 @online{360:20180921:poison:d1cab92,
author = {Qihoo 360},
title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}},
date = {2018-09-21},
organization = {Qihoo 360 Technology},
url = {http://blogs.360.cn/post/APT_C_01_en.html},
language = {English},
urldate = {2019-11-29}
}
Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment Poison Ivy |
2018-05-15 ⋅ BSides Detroit ⋅ Keven Murphy, Stefano Maccaglia @online{murphy:20180515:ir:ac5b561,
author = {Keven Murphy and Stefano Maccaglia},
title = {{IR in Heterogeneous Environment}},
date = {2018-05-15},
organization = {BSides Detroit},
url = {https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment},
language = {English},
urldate = {2020-07-20}
}
IR in Heterogeneous Environment Korlia Poison Ivy |
2017-10-30 ⋅ Kaspersky Labs ⋅ Mohamad Amin Hasbini, Ghareeb Saad @online{hasbini:20171030:gaza:7c531cc,
author = {Mohamad Amin Hasbini and Ghareeb Saad},
title = {{Gaza Cybergang – updated activity in 2017:}},
date = {2017-10-30},
organization = {Kaspersky Labs},
url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/},
language = {English},
urldate = {2019-12-20}
}
Gaza Cybergang – updated activity in 2017: Molerats |
2017-09-15 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20170915:deep:5178fe3,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy/PlugX Variant - Part II}},
date = {2017-09-15},
organization = {Fortinet},
url = {https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii},
language = {English},
urldate = {2020-01-10}
}
Deep Analysis of New Poison Ivy/PlugX Variant - Part II Poison Ivy |
2017-08-31 ⋅ NCC Group ⋅ Ahmed Zaki @online{zaki:20170831:analysing:4c77e47,
author = {Ahmed Zaki},
title = {{Analysing a recent Poison Ivy sample}},
date = {2017-08-31},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/},
language = {English},
urldate = {2020-01-10}
}
Analysing a recent Poison Ivy sample Poison Ivy |
2017-08-23 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20170823:deep:3d931ad,
author = {Xiaopeng Zhang},
title = {{Deep Analysis of New Poison Ivy Variant}},
date = {2017-08-23},
organization = {Fortinet},
url = {http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant},
language = {English},
urldate = {2020-01-06}
}
Deep Analysis of New Poison Ivy Variant Poison Ivy |
2017-08-02 ⋅ RSA Link ⋅ Ahmed Sonbol @online{sonbol:20170802:malspam:d849b12,
author = {Ahmed Sonbol},
title = {{Malspam delivers Xtreme RAT 8-1-2017}},
date = {2017-08-02},
organization = {RSA Link},
url = {https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017},
language = {English},
urldate = {2020-01-13}
}
Malspam delivers Xtreme RAT 8-1-2017 Xtreme RAT |
2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:pittytiger:cac6452,
author = {{MITRE ATT\&CK}},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
2017-03-14 ⋅ ClearSky ⋅ ClearSky Research Team @online{team:20170314:operation:38f832c,
author = {ClearSky Research Team},
title = {{Operation Electric Powder – Who is targeting Israel Electric Company?}},
date = {2017-03-14},
organization = {ClearSky},
url = {http://www.clearskysec.com/iec/},
language = {English},
urldate = {2020-01-13}
}
Operation Electric Powder – Who is targeting Israel Electric Company? Molerat Loader |
2016-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Vicky Ray, Robert Falcone, Jen Miller-Osborn, Tom Lancaster @online{ray:20161122:tropic:7f503e7,
author = {Vicky Ray and Robert Falcone and Jen Miller-Osborn and Tom Lancaster},
title = {{Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy}},
date = {2016-11-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/},
language = {English},
urldate = {2019-12-20}
}
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy Poison Ivy |
2016-10-26 ⋅ Unknown ⋅ Chris Doman @online{doman:20161026:moonlight:1edffaa,
author = {Chris Doman},
title = {{Moonlight – Targeted attacks in the Middle East}},
date = {2016-10-26},
organization = {Unknown},
url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks},
language = {English},
urldate = {2020-04-06}
}
Moonlight – Targeted attacks in the Middle East Houdini NjRAT Molerats |
2016-06-08 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:20160608:operation:c8f6615,
author = {ClearSky Research Team},
title = {{Operation DustySky Part 2}},
date = {2016-06-08},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf},
language = {English},
urldate = {2020-01-08}
}
Operation DustySky Part 2 Molerats |
2016-04-26 ⋅ Github (CyberMonitor) ⋅ Jason Jones @techreport{jones:20160426:new:78ff145,
author = {Jason Jones},
title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}},
date = {2016-04-26},
institution = {Github (CyberMonitor)},
url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf},
language = {English},
urldate = {2019-12-17}
}
New Poison Ivy Activity Targeting Myanmar, Asian Countries Poison Ivy |
2016-04-22 ⋅ Palo Alto Networks Unit 42 ⋅ Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn @online{yates:20160422:new:249e32b,
author = {Micah Yates and Mike Scott and Brandon Levene and Jen Miller-Osborn},
title = {{New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists}},
date = {2016-04-22},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/},
language = {English},
urldate = {2019-12-20}
}
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists Poison Ivy |
2016-01 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:201601:operation:b45e4b9,
author = {ClearSky Research Team},
title = {{Operation DustySky}},
date = {2016-01},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf},
language = {English},
urldate = {2019-11-29}
}
Operation DustySky Molerats |
2015-12-08 ⋅ The Citizenlab ⋅ John Scott-Railton, Morgan Marquis-Boire, Claudio Guarnieri, Marion Marschalek @online{scottrailton:20151208:packrat:5f9bffa,
author = {John Scott-Railton and Morgan Marquis-Boire and Claudio Guarnieri and Marion Marschalek},
title = {{Packrat: Seven Years of a South American Threat Actor}},
date = {2015-12-08},
organization = {The Citizenlab},
url = {https://citizenlab.ca/2015/12/packrat-report/},
language = {English},
urldate = {2020-05-18}
}
Packrat: Seven Years of a South American Threat Actor AdWind Adzok CyberGate Xtreme RAT Packrat |
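2015-12-03 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20151203:colombians:04e7e8a,
  author       = {{Symantec Security Response}},
  title        = {{Colombians major target of email campaigns delivering Xtreme RAT}},
  date         = {2015-12-03},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat},
  urldate      = {2020-01-08},
  language     = {English},
}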
Colombians major target of email campaigns delivering Xtreme RAT Xtreme RAT |
2015-09-28 ⋅ Kaspersky Labs ⋅ Mohamad Amin Hasbini, Ghareeb Saad
@online{hasbini:20150928:gaza:0c6e96e,
  author       = {Hasbini, Mohamad Amin and Saad, Ghareeb},
  title        = {{Gaza cybergang, where’s your IR team?}},
  date         = {2015-09-28},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/},
  urldate      = {2019-12-20},
  language     = {English},
}
Gaza cybergang, where’s your IR team? Molerats |
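2015-04-27 ⋅ PWC ⋅ Tom Lancaster
@online{lancaster:20150427:attacks:8467adc,
  author       = {Lancaster, Tom},
  title        = {{Attacks against Israeli \& Palestinian interests}},
  date         = {2015-04-27},
  organization = {PWC},
  url          = {https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html},
  urldate      = {2020-01-08},
  language     = {English},
}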
Attacks against Israeli & Palestinian interests Molerats |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
  author      = {CrowdStrike},
  title       = {{CrowdStrike Global Threat Intel Report 2014}},
  date        = {2015-02-06},
  institution = {CrowdStrike},
  url         = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
  urldate     = {2020-05-11},
  language    = {English},
}
CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2014-09-19 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Ryan Olson
@online{millerosborn:20140919:recent:edf1ed3,
  author       = {Miller-Osborn, Jen and Olson, Ryan},
  title        = {{Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy}},
  date         = {2014-09-19},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/},
  urldate      = {2019-12-20},
  language     = {English},
}
Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy Poison Ivy |
2014-06-02 ⋅ FireEye ⋅ Timothy Dahms
@online{dahms:20140602:molerats:8b00d0d,
  author       = {Dahms, Timothy},
  title        = {{Molerats, Here for Spring!}},
  date         = {2014-06-02},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html},
  urldate      = {2019-12-20},
  language     = {English},
}
Molerats, Here for Spring! Molerats |
2014-02-19 ⋅ FireEye ⋅ Nart Villeneuve, James T. Bennett
@online{villeneuve:20140219:xtremerat:53e1a83,
  author       = {Villeneuve, Nart and Bennett, James T.},
  title        = {{XtremeRAT: Nuisance or Threat?}},
  date         = {2014-02-19},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html},
  urldate      = {2019-12-20},
  language     = {English},
}
XtremeRAT: Nuisance or Threat? Xtreme RAT |
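2014 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:2014:operation:2160679,
  author      = {FireEye},
  title       = {{Operation Quantum Entanglement}},
  date        = {2014},
  institution = {FireEye},
  url         = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf},
  urldate     = {2021-04-29},
  language    = {English},
}
@comment{
  fireeye:2014:operation:2160679: the url field does not match the cited report.
  Its path names a 2018 CSE CybSec report on APT28 / X-Agent ("Op Roman Holiday"),
  not FireEye's 2014 "Operation Quantum Entanglement" paper. Left unchanged because
  the correct link is not recorded here; replace with <CORRECT-FIREEYE-REPORT-URL>
  and refresh urldate once the original document is located.
}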
Operation Quantum Entanglement IsSpace NewCT Poison Ivy SysGet |
2013-10-31 ⋅ FireEye ⋅ Thoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9,
  author       = {Haq, Thoufique and Moran, Ned},
  title        = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}},
  date         = {2013-10-31},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html},
  urldate      = {2019-12-20},
  language     = {English},
}
Know Your Enemy: Tracking A Rapidly Evolving APT Actor Bozok Poison Ivy TEMPER PANDA |
2013-08-23 ⋅ FireEye ⋅ Nart Villeneuve, Thoufique Haq, Ned Moran
@online{villeneuve:20130823:operation:dc4b5d6,
  author       = {Villeneuve, Nart and Haq, Thoufique and Moran, Ned},
  title        = {{Operation Molerats: Middle East Cyber Attacks Using Poison Ivy}},
  date         = {2013-08-23},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html},
  urldate      = {2019-12-20},
  language     = {English},
}
Operation Molerats: Middle East Cyber Attacks Using Poison Ivy Poison Ivy Molerats |
2012-07-22 ⋅ Malware.lu ⋅ Malware.lu
@online{malwarelu:20120722:xtreme:ada355e,
  author       = {Malware.lu},
  title        = {{Xtreme RAT analysis}},
  date         = {2012-07-22},
  organization = {Malware.lu},
  url          = {https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html},
  urldate      = {2020-01-08},
  language     = {English},
}
Xtreme RAT analysis Xtreme RAT |
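2012-01-13 ⋅ Middle East Online ⋅ Middle East Online
@online{online:20120113:cyber:de2ee6e,
  author       = {{Middle East Online}},
  title        = {{Cyber war: 'Gaza hackers' deface Israel fire service website}},
  date         = {2012-01-13},
  organization = {Middle East Online},
  url          = {https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website},
  urldate      = {2019-10-12},
  language     = {English},
}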
Cyber war: 'Gaza hackers' deface Israel fire service website Molerats |
2011 ⋅ Symantec ⋅ Erica Eng, Gavin O'Gorman
@techreport{eng:2011:nitro:656e464,
  author      = {Eng, Erica and O'Gorman, Gavin},
  title       = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}},
  date        = {2011},
  institution = {Symantec},
  url         = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf},
  urldate     = {2020-04-21},
  language    = {English},
}
The Nitro Attacks: Stealing Secrets from the Chemical Industry Poison Ivy Nitro |
2010 ⋅ Mandiant ⋅ Ero Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608,
  author      = {Carrera, Ero and Silberman, Peter},
  title       = {{State of Malware: Family Ties}},
  date        = {2010},
  institution = {Mandiant},
  url         = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf},
  urldate     = {2022-01-28},
  language    = {English},
}
State of Malware: Family Ties Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus |