Threat Actor Profile
High APT
Description

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

Confidence Score
90%
Known Aliases
Molerats, Operation Molerats, Gaza Cybergang
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (16)
T1105 - Ingress Tool Transfer (Command and Control)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027.015 - Compression (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1218.007 - Msiexec (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1057 - Process Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.007 - JavaScript (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
STIX Data
{'aliases': ['Molerats', 'Operation Molerats', 'Gaza Cybergang'],
 'created': '2017-05-31T21:31:55.093Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Molerats](https://attack.mitre.org/groups/G0021) is an '
                'Arabic-speaking, politically-motivated threat group that has '
                "been operating since 2012. The group's victims have primarily "
                'been in the Middle East, Europe, and the United '
                'States.(Citation: DustySky)(Citation: DustySky2)(Citation: '
                'Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats '
                'Dec 2020)',
 'external_references': [{'external_id': 'G0021',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0021'},
                         {'description': '(Citation: DustySky)',
                          'source_name': 'Molerats'},
                         {'description': '(Citation: DustySky)(Citation: '
                                         'Kaspersky MoleRATs April '
                                         '2019)(Citation: Cybereason Molerats '
                                         'Dec 2020)',
                          'source_name': 'Gaza Cybergang'},
                         {'description': '(Citation: FireEye Operation '
                                         'Molerats)(Citation: Cybereason '
                                         'Molerats Dec 2020)',
                          'source_name': 'Operation Molerats'},
                         {'description': 'ClearSky Cybersecurity. (2016, June '
                                         '9). Operation DustySky - Part 2. '
                                         'Retrieved August 3, 2016.',
                          'source_name': 'DustySky2',
                          'url': 'http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf'},
                         {'description': 'ClearSky. (2016, January 7). '
                                         'Operation DustySky. Retrieved '
                                         'January 8, 2016.',
                          'source_name': 'DustySky',
                          'url': 'https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf'},
                         {'description': 'Cybereason Nocturnus Team. (2020, '
                                         'December 9). MOLERATS IN THE CLOUD: '
                                         'New Malware Arsenal Abuses Cloud '
                                         'Platforms in Middle East Espionage '
                                         'Campaign. Retrieved December 22, '
                                         '2020.',
                          'source_name': 'Cybereason Molerats Dec 2020',
                          'url': 'https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf'},
                         {'description': 'GReAT. (2019, April 10). Gaza '
                                         'Cybergang Group1, operation '
                                         'SneakyPastes. Retrieved May 13, '
                                         '2020.',
                          'source_name': 'Kaspersky MoleRATs April 2019',
                          'url': 'https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/'},
                         {'description': 'Villeneuve, N., Haq, H., Moran, N. '
                                         '(2013, August 23). OPERATION '
                                         'MOLERATS: MIDDLE EAST CYBER ATTACKS '
                                         'USING POISON IVY. Retrieved November '
                                         '17, 2024.',
                          'source_name': 'FireEye Operation Molerats',
                          'url': 'https://web.archive.org/web/20201031075438/https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html'}],
 'id': 'intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411',
 'modified': '2024-11-17T15:50:27.600Z',
 'name': 'Molerats',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.1'}