Malware & Threats

Users in Middle East Targeted in “Moonlight” Espionage Campaign

A threat group believed to be located in Palestine has been targeting users in Palestine and other Middle Eastern countries in a series of unsophisticated attacks whose main goal appears to be espionage.


Researchers at Vectra Networks have been monitoring the group for the past two years and determined that its operations focus on Middle Eastern political issues. The threat actor has been dubbed “Moonlight” based on the name of a command and control (C&C) domain used in the attacks.

According to Vectra, Moonlight’s tools and targets are similar to those of a group known as Gaza Hackers Team, Gaza Cybergang and Molerats, but experts have not found a clear connection between these actors. The Palestinian terrorist organization Hamas is believed to be behind Gaza Hackers Team.

Sinkholes deployed by Vectra showed that most Moonlight victims were located in Palestine, including individuals and a news organization, but infections were also spotted in Egypt, the United States, Jordan, Libya, Iran, Israel and China. However, researchers believe the U.S. and China are not actual targets: these infections are more likely the result of security analysis efforts, or they belong to foreign students with ties to one of the targeted countries.

Moonlight has not relied on exploits in its operations. Instead, the attackers have been using social engineering and URL shortening services to trick targets into downloading and executing malware.

The cyberspies have been impersonating news organizations, and delivering malware disguised as documents and videos that are likely to attract the attention of victims.

The first-stage backdoor delivered by Moonlight is an obfuscated version of H-Worm, also known as Houdini, a threat believed to have been developed by an individual based in Algeria who has connections to the author of njw0rm and njRAT. Palo Alto Networks has also published an analysis of a new version of H-Worm this week, but the company has not provided any details on the attacks in which it has been used.

The malware is typically installed using basic scripts within self-extracting RAR archives, but Moonlight developed over 200 variations in an effort to evade detection. What makes this group interesting is that the samples have been produced manually rather than with specialized build tools, as other, more sophisticated actors do.

Once H-Worm has infected a system, it allows the attackers to install other pieces of malware, such as njRAT.

The Moonlight attacks rely on a simple C&C infrastructure with dynamic domains controlled through home Internet connections in Gaza, Palestine.

“In general, the assigned IP-location of command and control servers is a poor indication of attacker locations,” Vectra researchers noted. “However, in this case the provided locations of home networks in the Gaza strip are likely to be accurate and fit with other details from the attacks.”

Experts believe they have identified some of the individuals involved with the group, but their identities have not been disclosed because they are in a conflict zone. According to the security firm, these individuals exhibited poor operational security, particularly in their earlier attacks, which seemed opportunistic rather than targeted.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
