Security Experts:

Connect with us

Hi, what are you looking for?



Hamas-Linked Threat Actor’s Infrastructure Disrupted

A large portion of the infrastructure related to a Middle Eastern threat actor known as Gaza Cybergang was taken down after their latest operations were uncovered, Kaspersky Lab’s security researchers reveal.

A large portion of the infrastructure related to a Middle Eastern threat actor known as Gaza Cybergang was taken down after their latest operations were uncovered, Kaspersky Lab’s security researchers reveal.

Also known as the Gaza Hackers Team and Molerats and mainly targeting the MENA (Middle East North Africa) region, especially the Palestinian Territories, the actor is likely linked to the Palestinian terrorist organization Hamas and has been connected to numerous attacks in the past several years.

Kaspersky Lab now explains that three different groups operate under the Gaza Cybergang umbrella, and that only Group1 can be referred to as Molerats. The two other groups have been described before under the names of Desert Falcons and Operation Parliament.

The groups are differentiated by level of sophistication and style and, in some cases, techniques. However, they deploy common tools and commands after initial infection and were observed sharing victims.

The Gaza Cybergang Group1 is the least sophisticated of the three and makes heavy use of paste sites to gradually deploy a remote access Trojan (RAT) onto victim systems. Called SneakyPastes, their operation employs phishing and chained stages to evade detection and extend command and control (C&C) server lifetime.

The group has limited infrastructure, relies on open-source tools, and launches widespread attacks, but mainly focuses on Palestinian political problems. SneakyPastes targets embassies, government entities, educational institutions, media outlets, journalists, activists, political parties or personnel, healthcare organizations, and banks, the security researchers say.

During their investigation into the campaign, the researchers were able to uncover the group’s cyber kill chain, including TTPs, infrastructure, action on objectives, and victims. Working with law enforcement agencies, they also took down a large portion of the related infrastructure.

The group used disposable emails and domains for phishing, and delivered several implants that leverage PowerShell, VBS, JavaScript, and .NET for resilience and persistence. The final stage includes support for directory listing, screenshots, file compression, encryption, uploads, and more.

The attackers sent phishing emails with political themes to a large number of victims, but deployed their tools in specific cases only. The emails either contained the first stage as attachment or a link to it. The malware downloads additional files to achieve persistence and exfiltrate data from the victim machine.

The final stage of the attack is the Razy RAT (aka NeD worm and Wonder Botnet), which was designed to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, and send them to the C&C server.

The RAT supports a broad range of commands to exfiltrate data, create and delete files, restart its process, take screenshots, shut down or reboot the system, list active processes and installed software, and kill system processes.

In 2018, the group relied on a single C&C server, but rotated multiple domain names. They also hosted the different attack stages on free sites such as Mailimg, Github, Pastebin,,, and, and leveraged disposable email providers such as,, and others.

As part of the campaign, the hackers hit over 240 unique victims across 39 countries. Most of these, however, are located in the Palestinian Territories (110), followed by Jordan (25), Israel (17), Lebanon (11), and Saudi Arabia and Syria (9 each).

“Gaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation,” Kaspersky concludes.

Related: New Attacks on Palestine Linked to ‘Gaza Cybergang’

Related: ‘Operation Parliament’ Imitates Another Actor to Stay Undetected

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.