Users in Middle East Targeted in “Moonlight” Espionage Campaign

A threat group believed to be located in Palestine has been targeting users in Palestine and other Middle Eastern countries in a series of unsophisticated attacks whose main goal appears to be espionage.

Researchers at Vectra Networks have been monitoring the group for the past two years and determined that its operations focus on Middle Eastern political issues. The threat actor has been dubbed “Moonlight” based on the name of a command and control (C&C) domain used in the attacks.

According to Vectra, Moonlight’s tools and targets are similar to those of a group known as Gaza Hackers Team, Gaza Cybergang and Molerats, but experts have not found a clear connection between these actors. The Palestinian terrorist organization Hamas is believed to be behind Gaza Hackers Team.

Sinkholes deployed by Vectra showed that most Moonlight victims were located in Palestine, including individuals and a news organization, but infections were also spotted in Egypt, the United States, Jordan, Libya, Iran, Israel and China. However, researchers believe the U.S. and China are not actual targets – these infections are more likely part of security analysis efforts, or belong to foreign students with ties to one of the targeted countries.

Moonlight has not relied on exploits in its operations. Instead, the attackers have been using social engineering and URL shortening services to trick targets into downloading and executing malware.

The cyberspies have been impersonating news organizations, and delivering malware disguised as documents and videos that are likely to attract the attention of victims.

The first stage backdoor delivered by Moonlight is an obfuscated version of H-Worm, also known as Houdini, a threat believed to have been developed by an individual based in Algeria who has connections to the author of njw0rm and njRAT. Palo Alto Networks has also published an analysis of a new version of H-Worm this week, but the company has not provided any details on the attacks it has been used in.

The malware is typically installed using basic scripts within self-extracting RAR archives, but Moonlight developed over 200 variations in an effort to evade detection. What makes this group interesting is that the samples have been produced manually, rather than with the specialized build tools used by other, more sophisticated actors.

Once H-Worm has infected a system, it allows the attackers to install other pieces of malware, such as njRAT.

The Moonlight attacks rely on a simple C&C infrastructure with dynamic domains controlled through home Internet connections in Gaza, Palestine.

“In general, the assigned IP-location of command and control servers is a poor indication of attacker locations,” Vectra researchers noted. “However, in this case the provided locations of home networks in the Gaza Strip are likely to be accurate and fit with other details from the attacks.”

Experts believe they have identified some of the individuals involved with the group, but their identities have not been disclosed because they are in a conflict zone. According to the security firm, these individuals exhibited poor operational security, particularly in their earlier attacks, which seemed opportunistic rather than targeted.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
