Molerats / Gaza Cybergang (also tracked as Gaza Hackers Team, Extreme Jackal, Moonlight, DustySky, TA402, Aluminum Saratoga, BLACKSTEM, Operation Molerats, and MITRE ATT&CK G0021) is a Palestinian-nexus cyber-espionage cluster publicly active since at least October 2011 and likely earlier, making it one of the longest continuously tracked regional cyber-espionage operations in the Middle East. Industry vendors (Kaspersky GReAT, Cybereason, Palo Alto Networks Unit 42, Proofpoint, Zscaler, FireEye/Mandiant, ClearSky, Check Point) assess the cluster with high confidence as Palestinian-aligned, with intelligence collection in support of Palestinian political and security objectives as its operational mission. Some vendors attribute sponsorship specifically to Hamas-affiliated entities; others attribute it more broadly to Palestinian political factions without naming one. No government cybersecurity authority has issued a formal state-actor attribution, consistent with the absence of a fully recognized Palestinian state; the cluster is therefore most accurately framed as Palestinian-nexus or Palestinian-aligned rather than as formally state-sponsored.

The cluster operates within a broader Gaza Cybergang umbrella that Kaspersky GReAT's 2018-2019 reporting divided into three operationally distinct sub-clusters: (a) Gaza Cybergang Group 1, the Molerats core, which this profile covers; (b) Gaza Cybergang Group 2, also tracked as APT-C-23 or Arid Viper, a distinct operator cluster whose signature is the Micropsia backdoor and which warrants its own profile; and (c) Gaza Cybergang Group 3, the cluster behind the 2017-2018 Operation Parliament campaign. The three sub-clusters share tradecraft patterns (Arabic-language artifacts in malware configuration, C2 command structures built from proper-name keywords, politically themed lure documents referencing Israeli-Palestinian developments, Middle Eastern regional victim profiles, and malware cross-pollination between sub-clusters) but are operationally distinct in tooling, infrastructure, and personnel. This entry represents Group 1 / Molerats. The Arid Viper / APT-C-23 aliases are listed for umbrella searchability only; that sub-cluster is operationally distinct and should be profiled separately in a future curation pass.

Operationally, Molerats / Gaza Cybergang Group 1 has shown six distinctive signature patterns across its 2011-2024 tracked history.

(1) Arabic-language malware configuration artifacts. Custom Molerats backdoors (DustySky, Spark, Pierogi, DropBook, SharpStage, NimbleMamba, IronWind) consistently carry Arabic-language strings in internal configuration data, debug strings, and C2 command naming. These artifacts are the strongest consistent attribution signal across the cluster's malware lineage.

(2) Politically themed spear-phishing lure documents. The primary initial-access vector is spear-phishing email with weaponized Microsoft Office documents or RAR archives whose lure content is themed around Israeli-Palestinian political developments, Middle Eastern geopolitical events, diplomatic communications, and the internal affairs of Palestinian political factions. Lure selection reflects operator knowledge of what the targeted organizations are interested in.

(3) Abuse of legitimate cloud services as C2 infrastructure. One of the cluster's most distinctive tradecraft signatures is the use of legitimate public services (Dropbox, Google Drive, Facebook accounts, YouTube comments, Pastebin) as dead-drop command channels and exfiltration infrastructure. Cybereason's December 2020 DropBook / SharpStage disclosure, which documented posts from attacker-controlled Facebook accounts being used to issue commands, and Zscaler's January 2022 disclosure of Google Drive and Dropbox abuse are the canonical references for this signature. Because the traffic goes to well-known services, it blends with legitimate traffic and defeats network detections that key on novel attacker-controlled infrastructure; detection therefore has to rely on behavior (polling cadence, the client process, the specific account or path contacted) rather than on destination reputation.

(4) Naming-convention-based C2 command structures. Custom Molerats backdoors use proper names (common Arabic personal names) as C2 command tokens rather than the numeric or letter codes typical of commodity RATs. This pattern recurs across all three Gaza Cybergang sub-clusters (Spark in Group 1, Micropsia in Group 2 / Arid Viper, the Operation Parliament tooling in Group 3) and is one of the strongest technical signals of shared lineage across the umbrella.

(5) Operational persistence through public disclosures. The cluster has operated publicly for roughly 13 years (2011-2024 and ongoing) despite major disclosures by FireEye (2013), ClearSky (2016), Kaspersky (2018, 2019), Cybereason (2020), Palo Alto Networks Unit 42 (2020), Proofpoint (2022, 2023), Zscaler (2022), and others. Its typical response is a brief operational pause, retooling (replacing exposed backdoor families with newly developed variants), and resumption against broadly the same target set with the new tooling. This retool-and-resume cycle has been documented repeatedly and demonstrates sustained in-house malware development rather than reliance on commodity RATs alone.

(6) Heavy use of commodity RATs in the 2011-2016 era. In its early years Molerats relied heavily on commodity remote-access trojans including njRAT, H-Worm (Houdini), XtremeRAT, Poison Ivy, QuasarRAT, Bandook, and RevengeRAT; custom backdoor families (DustySky, Spark, Pierogi, DropBook, SharpStage, NimbleMamba, IronWind) became the primary tooling from roughly 2015-2016 onward. This commodity-then-custom progression mirrors the maturation pattern seen in several other regional cyber-espionage clusters as operator development capability grew over multi-year periods.

Notable disclosures include FireEye's August 2013 Operation Molerats report (Poison Ivy era); ClearSky's January 2016 DustySky report (custom-backdoor maturation); Kaspersky GReAT's April 2018 Operation Parliament report (Gaza Cybergang Group 3); Kaspersky's April 2019 SneakyPastes report (Pastebin-based C2 dead drops); Cybereason's February 2020 Spark and Pierogi backdoor reports; Palo Alto Networks Unit 42's 2020 reporting on expansion into insurance and retail targets (target-profile diversification); Cybereason's December 2020 DropBook / SharpStage report documenting Facebook and Dropbox C2 (cloud-service abuse signature); Zscaler's January 2022 report on Google Drive and Dropbox abuse; Proofpoint's February 2022 TA402 / NimbleMamba report (retooling after the 2020-2021 disclosures); and Proofpoint's November 2023 IronWind report.

Targeting is consistently focused on Middle Eastern and North African (MENA) government, defense, intelligence, telecommunications, and diplomatic organizations, with primary geographies including the Palestinian Territories, Israel, Egypt, Saudi Arabia, the UAE, Iraq, Jordan, Lebanon, Syria, Turkey, Libya, Morocco, and Tunisia. Secondary targeting of Palestinian diaspora populations, Palestinian political-faction personnel, Palestinian banking-sector personnel, journalists covering Palestinian affairs, and human-rights activists working on Palestinian issues is consistently observed. Less frequent targeting of US, UK, and European diplomatic entities focused on Middle East policy has also been observed.

The cluster does not appear to maintain significant OPSEC discipline: Arabic-language malware artifacts remain visible, infrastructure is reused across campaigns, and the tradecraft signatures that distinguish it have been stable for years. Its response to public exposure is retooling rather than shutdown, which points to sustained operator development capability and politically motivated persistence rather than the cost-benefit discipline of a financially motivated actor.

Analytically, Molerats / Gaza Cybergang Group 1 is significant as a long-running regional non-state cyber-espionage cluster with consistent intelligence-collection targeting, sustained in-house malware development, distinctive cloud-service-abuse C2 tradecraft, and roughly 13 years of operational continuity through repeated public disclosure. It is one of only two major Palestinian-aligned threat-actor clusters in modern cyber-threat-intelligence taxonomy (the other being Arid Viper / APT-C-23) and is the longest-running publicly tracked Palestinian-nexus cyber-espionage operation.
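As an added detection example (not code from the original profile or from any vendor report): the dead-drop C2 pattern described under signature (3) defeats destination-reputation signatures, so the script below instead scores each (source host, cloud service) pair on how regularly it polls the service and on whether the client looks like a browser. The proxy-log format, the hostnames in DEAD_DROP_HOSTS, the thresholds, and the sample log lines are all constructed assumptions; the beaconing host and its user agent are illustrative, not indicators tied to any Molerats sample.

```python
"""Behavioural detection for dead-drop C2 over legitimate cloud services.
Added example: flags hosts that poll a cloud service at a near-constant
interval, which a backdoor checking a dead drop for tasking does and an
interactive user does not.  Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Services the profile lists as abused for C2 dead drops / exfiltration.
# Hostnames are assumptions; use the ones your proxy actually logs.
DEAD_DROP_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com",
    "www.googleapis.com", "drive.google.com",
    "pastebin.com", "www.facebook.com", "graph.facebook.com", "www.youtube.com",
}
MIN_HITS = 4          # need enough polls to measure an interval at all
MAX_CV = 0.20         # max coefficient of variation of inter-arrival times
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")

# Constructed proxy log (timestamp src_ip dest_host user_agent); not real telemetry.
# 10.1.5.23 polls the Dropbox API every ~5 min with a non-browser client;
# 10.1.5.40 is a user opening Dropbox in Chrome a few times a day;
# the wsus.corp.example lines show that regular polling alone is not enough.
SAMPLE_LOG = """\
2024-03-04T08:31:10Z 10.1.5.40 www.dropbox.com Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-04T09:00:02Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:00:09Z 10.1.5.23 wsus.corp.example Windows-Update-Agent/10.0
2024-03-04T09:05:05Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:10:01Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:10:09Z 10.1.5.23 wsus.corp.example Windows-Update-Agent/10.0
2024-03-04T09:15:07Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:20:03Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:20:09Z 10.1.5.23 wsus.corp.example Windows-Update-Agent/10.0
2024-03-04T09:25:04Z 10.1.5.23 api.dropboxapi.com Mozilla/4.0 (compatible; MSIE 7.0)
2024-03-04T09:47:55Z 10.1.5.40 www.dropbox.com Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-04T13:02:40Z 10.1.5.40 www.dropbox.com Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
"""


def parse_log(text):
    """Yield (epoch_seconds, src_ip, dest_host, user_agent) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, ua = line.split(" ", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when.timestamp(), src, host, ua


def analyze(text):
    """Return one finding per (src, host) pair that polls a dead-drop service
    at a near-constant interval; a non-browser client is recorded as extra signal."""
    sessions = defaultdict(list)
    for epoch, src, host, ua in parse_log(text):
        if host in DEAD_DROP_HOSTS:          # only services known to be abused as dead drops
            sessions[(src, host)].append((epoch, ua))

    findings = []
    for (src, host), hits in sessions.items():
        if len(hits) < MIN_HITS:
            continue
        times = sorted(t for t, _ in hits)
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        cv = pstdev(deltas) / avg if avg else float("inf")
        if cv > MAX_CV:                      # jittery, human-paced access: skip
            continue
        browser_like = any(any(m in ua for m in BROWSER_MARKERS) for _, ua in hits)
        findings.append({
            "src": src, "dst": host, "hits": len(hits),
            "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
            "non_browser_client": not browser_like,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports a single finding: 10.1.5.23 hitting api.dropboxapi.com six times at a mean interval of about 300 s with a coefficient of variation near 0.01 and a non-browser client. The interactive Dropbox user is excluded both by hit count and by jitter, and the equally regular update-server polling is never scored because only the listed dead-drop services are considered. In production the host list, the interval tolerance, and the browser heuristic would all be tuned against a baseline of what each business unit legitimately does with these services.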