Hamas-Linked Hackers Using Sexy ‘Catfish’ Lures, New Malware

Hamas-linked APT group targeting high-ranking Israelis with new malware

APT-C-23, a Hamas-linked attack group, is said to be involved in a sophisticated catfishing campaign targeting high-ranking Israeli officials. Beyond elaborate Facebook-focused social engineering, the group has introduced new malware, including a fake messaging app (known as VolatileVenom), a downloader (known as Barbie Downloader) and a backdoor (BarbWire Backdoor).

The campaign individually targets high-profile officials working in defense, law enforcement, emergency services, and other government-related organizations. The attack involves social engineering, a downloader, a backdoor and a separate Android malware. The purpose appears to be espionage. The campaign was discovered and analyzed by Cybereason’s Nocturnus research team.

APT-C-23 and Molerats are thought to be the two primary sub-groups of the Hamas cyberwarfare division. Hamas is classified as a terrorist group in most of North America and Europe. ‘Catfishing’ is the creation of a fake online identity, using part or all of a genuine identity, usually with the intent to damage reputations. In this case the purpose is to create a very realistic identity that can be used to ensnare victims. The current campaign has been dubbed Operation Bearded Barbie.

Catphishing Attacks on Israeli Military

The attacks start from a fake (catfished) Facebook network of attractive females, report the researchers. The accounts are established and well-maintained, with the attackers joining relevant groups, posting in Hebrew to those groups, and friending friends of the targets. The purpose is to connect with the officials and slowly draw them into a virtual sexual relationship.

Once this connection is made and Facebook chats are established, the catfish attacker suggests migrating to WhatsApp. This immediately gives the attacker the target’s phone number. As the conversations become more personal and sexual, the attacker suggests they should use a ‘safer’ and more ‘discreet’ means of communication. A specific Android app is recommended.

The Android app is really the VolatileVenom malware. On devices running versions earlier than Android 10 the icon is hidden; on Android 10 and later the malware uses the Google Play installer icon. When the victim attempts to sign into the application, an error message is shown announcing that the app will be uninstalled. In reality, VolatileVenom remains running in the background with a wide range of espionage capabilities.

Separately, the attacker also offers to send the victim a private video. This is delivered as a .rar file that comprises the video and the Barbie Downloader. “The video,” say the researchers, “is meant to distract the victim from the infection process that is happening in the background.” The infection process includes performing anti-analysis checks and gathering system information.

If the downloader assesses the host to be suitable, it connects to an embedded C2 server (otherwise it simply terminates). The C2 server delivers the BarbWire Backdoor. The downloader also has a backup method of locating an alternative C2: if, for any reason, the attackers wish to change the C2 from the embedded one, they can include the new destination in an SMS message. The downloader intercepts all incoming SMS messages; if one comes from the attackers, it extracts the new C2 details and downloads the backdoor from there.

The researchers describe BarbWire as, “a very capable piece of malware, and it is obvious that a lot of effort was put into hiding its capabilities behind string encryption, API hashing, and process protection. Its main goal is to fully compromise the victim machine, gaining access to their most sensitive data.”

BarbWire steals data via a range of file types, including PDFs, Office files, archives, images and videos. It also looks for external media such as a CD-ROM – which suggests it may be looking for highly sensitive data that is often moved around physically rather than by telecommunication means. Stolen data is staged in a RAR archive and exfiltrated to the attackers’ C2 server.

Campaigns have been ongoing since September 2021. Despite the new malware and the unusually sophisticated social engineering element, the Cybereason Nocturnus researchers assess ‘with moderate-high confidence’ that the attackers are the Hamas-linked APT-C-23 group. The campaign exhibits what the researchers describe as ‘a considerable step-up in APT-C-23 capabilities’.

Other campaigns against more common Palestinian and Arabic-speaking targets are continuing, but this campaign uses a separate infrastructure from the known APT-C-23 infrastructure and new malware specifically designed for Israeli targets. The researchers note that some victims have been infected with both VolatileVenom and BarbWire Backdoor. “This ‘tight grip’ on their targets attests to how important and sensitive this campaign was for the threat actors,” they say.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
