Introduction
- Gaza Cybergang is a politically motivated, Arabic-language cyber threat actor that primarily targets the Middle East and North Africa (MENA) region, especially Palestinian entities.
- The group has been active since at least 2012 and is suspected to be aligned with Hamas.
- Gaza Cybergang is composed of several sub-groups, including Molerats (Group 1), Arid Viper (Group 2), and the group behind Operation Parliament (Group 3).
- The group has been involved in various cyber espionage campaigns, using malware such as Micropsia and Pierogi++.
- Recent activities from 2022 to 2023 show a sustained focus on Palestinian entities, with no significant change in dynamics since the start of the Israel-Hamas war.
- Gaza Cybergang has upgraded its malware arsenal with a backdoor called Pierogi++, first used in 2022.
- The group uses a variety of techniques, including phishing, social engineering, and the deployment of remote access Trojans (RATs).
- The group's activities are likely aligned with the tensions between the Hamas and Fatah factions.
Sub-Groups [1]
- Gaza Cybergang Group 1: Also known as Molerats, this group is considered the least sophisticated and relies heavily on paste sites for malware distribution.
- Gaza Cybergang Group 2: Known as Arid Viper or Desert Falcons, this group has medium-level sophistication and has been involved in various targeted attacks.
- Gaza Cybergang Group 3: The most sophisticated group, previously known for Operation Parliament, which targets high-profile entities.
- The groups share victims, tools, and techniques, indicating a high level of coordination.
- Group 1 often deploys scripts to infect victims with malware belonging to Group 2 or Group 3.
Recent Activities [2]
- From late 2022 to late 2023, Gaza Cybergang introduced a new backdoor called Pierogi++.
- The group has consistently targeted Palestinian entities, using malware such as Micropsia and Pierogi++.
- The group's activities have not significantly changed in intensity or characteristics since the onset of the Israel-Hamas war.
- Recent campaigns have used politically themed decoy documents to deliver malware.
- The group continues to evolve its malware arsenal, indicating a sustained investment in cyber espionage capabilities.
Malware Arsenal [2]
- Pierogi++: An upgraded backdoor first used in 2022, based on the older Pierogi malware.
- Micropsia: A family of malware used by Gaza Cybergang, with variants implemented in Delphi and Python.
- BarbWire: A backdoor used in Operation Bearded Barbie, targeting Israeli officials.
- SharpStage and DropBook: Malware used in conjunction with Pierogi in Arid Viper operations.
- LastConn: An updated version of SharpStage, used in TA402 activities.
Techniques and Tactics [1]
- Phishing: The group uses politically themed phishing emails to lure victims.
- Social Engineering: Techniques that trick victims into executing malware.
- Remote Access Trojans (RATs): Used to gain persistent access to victim systems.
- Chained Attack Stages: Multiple stages of infection to evade detection.
- Use of Paste Sites: For distributing malware and maintaining command and control.
Victimology [1]
- Primary Targets: Palestinian entities, including government, education, media, and political personnel.
- Geographical Spread: Victims are spread across 39 countries, with the majority in the Palestinian Territories, Jordan, Israel, and Lebanon.
- Targeted Sectors: Embassies, government entities, education, media outlets, journalists, activists, political parties, healthcare, and banking.
- Phishing Themes: Political themes are commonly used to lure victims.
- Victim Data: Collected data includes sensitive documents such as PDF, DOC, and XLS files.
Historical Campaigns [2]
- Operation Bearded Barbie: A campaign targeting Israeli officials, attributed to Arid Viper.
- Big Bang Campaign: An operation from 2018 targeting Palestinian entities, loosely associated with Gaza Cybergang.
- Operation Parliament: A high-sophistication campaign targeting high-profile entities, attributed to Group 3.
- SneakyPastes: A campaign by Group 1 using paste sites to distribute malware.
- Desert Falcons: Targeted attacks by Group 2, focusing on Middle Eastern entities.