Molerats (G0021): Persistent Cyber Espionage in the Middle East
- Suspected Origin
- Middle East / Palestinian Territories
- Motivation
- Espionage, Intelligence Gathering, Political
- Aliases
- Operation Molerats, Gaza Cybergang
- Target Sectors
- Government, Telecommunications, Media, Financial, NGOs, Foreign Policy Think Tanks, Airlines, Education, Healthcare, Journalists, Activists
- Associated Malware
- Spark, DustySky, MoleNet, SharpStage, DropBook, Pierogi, Pierogi++, Micropsia, NimbleMamba, BlackShades, DarkComet, NJRAT, PoisonIvy, Quasar RAT, XtremeRAT
Overview
Molerats (G0021), also widely recognized as Operation Molerats or Gaza Cybergang, is a well-established and politically motivated advanced persistent threat (APT) group that has been operational since at least 2012. This Arabic-speaking faction is believed to originate from the Middle East, specifically associated with the occupied Palestinian territories, and is often suspected to be a Hamas-aligned cluster. Their primary motivation is cyber espionage, focusing on intelligence collection to support regional geopolitical objectives and interests.
The group’s targeting is predominantly concentrated within the Middle East and North Africa (MENA) region, with notable operations also extending to Turkiye, Europe, and the United States. Molerats casts a wide net across various sensitive sectors. Historically, they have targeted governmental entities, telecommunications providers, media organizations, financial institutions, and non-governmental organizations (NGOs). More specifically, victims have included government officials, political figures, diplomats, journalists, activists, and even foreign policy think tanks and airlines. While their target set is broad, their focus often remains on entities in Palestinian territories, Jordan, Israel, Lebanon, UAE, Egypt, and Saudi Arabia. In some peculiar instances, the group has also targeted insurance and retail industries, which researchers noted as deviations from their typical objectives.
Molerats is not a monolithic entity, often operating as an umbrella organization composed of several adjacent sub-groups. These include what researchers have identified as Gaza Cybergang Group 1 (Molerats itself), Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Group 3 (behind Operation Parliament). These sub-groups have been observed to share victims, tactics, techniques, procedures (TTPs), and related malware strains, indicating a unified front against anti-Hamas interests. This collaborative structure allows Molerats to maintain persistent and evolving cyber espionage capabilities.
Tactics & Techniques
Molerats employs a range of sophisticated and adaptable tactics to achieve its intelligence-gathering objectives. Their initial access almost invariably begins with spear-phishing campaigns, which are often meticulously crafted to leverage social engineering. These phishing emails frequently contain malicious attachments, such as weaponized Microsoft Word or PDF documents, or include links to malicious payloads. The lures are highly contextual and politically charged, often referencing sensitive regional geopolitical events like the Israel-Hamas conflict, Israeli-Palestinian relations, or the assassination of prominent figures. In some instances, they’ve used coercive tactics, threatening to expose sensitive information to trick recipients into enabling macros or clicking malicious links.
To enhance their evasion capabilities, Molerats utilizes legitimate cloud services such as Dropbox, Google Drive, and GitHub to host their malware and for command and control (C2) communications. This strategy helps them blend malicious traffic with legitimate network activity, making detection more challenging. They have also been observed using disposable email addresses and domains for their phishing infrastructure, as well as paste sites like Pastebin and GitHub for malware staging.
Upon successful infiltration, Molerats uses various methods for execution and persistence. They deploy executables often delivered within compressed ZIP or RAR archives and have used msiexec.exe to execute MSI payloads. Persistence is achieved through creating scheduled tasks for VBScripts and saving malicious files within standard user directories like AppData and Startup folders. The group is also known for using obfuscation techniques with commercial packers like ConfuserEx, Themida, and Enigma to hinder analysis. A unique defense evasion tactic observed is their malware’s ability to check for Arabic language settings on the target system, refusing to run if these settings are not present, thereby avoiding execution in non-targeted environments. For data collection, Molerats’ tools can take screenshots, steal browser passwords using public tools like BrowserPasswordDump10, gather process information, and detect user interactions like mouse movements. Exfiltration of stolen data often occurs via the Dropbox API or other legitimate cloud services.
Notable Campaigns
Molerats has been linked to a series of significant cyber espionage campaigns over its operational history. The “DustySky” campaign is one such operation, as is the “TopHat” campaign. Another notable series of attacks is the “SneakyPastes” campaign, attributed to Gaza Cybergang Group 1, which heavily relied on paste sites for gradually delivering remote access Trojans (RATs) to victim systems.
The group is also associated with “Operation Parliament,” a campaign attributed to Gaza Cybergang Group 3, which employed the Spark backdoor. In late 2019, Unit 42 observed Molerats deploying the Spark backdoor in phishing attacks against government, telecommunications, insurance, and retail sectors across six countries.
More recently, in 2020, Cybereason identified a campaign that leveraged three previously unidentified malware variants: SharpStage, DropBook, and the MoleNet downloader. This operation employed lures related to the ongoing normalization process between Israel and Arab nations. Throughout 2022 and 2023, Molerats continued its evolution by introducing the Pierogi++ backdoor, maintaining a consistent focus on targeting Palestinian entities. A very recent operation in April 2024 involved macro-based MS Office files embedded with decoys related to the Israel-Hamas conflict, targeting individuals in Palestine’s banking sector, political figures, activists, and journalists in Turkiye.
Associated Malware & Tools
Molerats commands a diverse and evolving arsenal of custom-developed and publicly available malware and tools. Among their custom backdoors, Spark has been consistently used since at least 2017. DustySky, a .NET-based malware, has been in their toolkit since mid-2015. The group also developed MoleNet, a .NET downloader with extensive backdoor capabilities, observed since approximately 2019.
More recently, they introduced SharpStage (a .NET backdoor) and DropBook (a Python-based backdoor) in 2020, both capable of arbitrary code execution and data collection. The Pierogi backdoor, first emerging in 2019, saw an upgraded C++ variant, Pierogi++, first used in 2022 and throughout 2023. Other custom malware includes Micropsia (with Delphi and Python variants), KASPERAGENT, JhoneRAT, and the intelligence-gathering trojan NimbleMamba.
Beyond their custom creations, Molerats frequently incorporates publicly available remote access Trojans (RATs) and other utilities. These include BlackShades, DarkComet, NJRAT, PoisonIvy, Quasar RAT, and XtremeRAT. They also leverage legitimate system tools like PowerShell and WMI, and password dumpers such as BrowserPasswordDump10, for various stages of their attacks.
Current Status
Molerats remains a highly active and persistent threat actor. Reports from late 2023 and early 2024 confirm their ongoing operations. Their activities throughout 2022 and 2023 demonstrated a sustained focus on targeting Palestinian entities and an continued evolution of their malware arsenal, notably with the introduction of Pierogi++. Recent findings in April 2024 indicate a specific operation leveraging macro-based MS Office files with lures tied to the Israel-Hamas conflict, targeting the banking sector, political figures, activists, and journalists in Turkiye. This indicates not only continued activity but also their strategic adaptation of lures to current geopolitical events. Cybersecurity researchers continuously track Molerats, with some analyses published as recently as May 2026, categorizing them as a nation-state threat originating from the Middle East. Their consistent retooling of attack methods and malware, coupled with their unwavering focus on cyber espionage, underscores Molerats’ enduring threat to global security. The current conflict in Gaza has not appeared to significantly disrupt their operations, suggesting a well-resourced and resilient group.
Related content
APT33: Iran's Evolving Cyber Espionage and Destructive Capabilities
Adversary ProfileMoafee (G0002): Profile of a Chinese Espionage Threat Actor
Adversary ProfileDragonOK: China-Linked APT Group Targeting Asian & European Organizations
Adversary ProfileThreat Actor Profile: admin@338 (G0018)
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call