Home/ Threat Actors/ Molerats

🌐Molerats

🌐 Molerats is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 16 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0021) ↗

14Use cases

0Articles

16Techniques

0IOCs

About this actor (MITRE)

[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

Known aliases

MoleratsOperation MoleratsGaza Cybergang

Top techniques

T1027.015 · Compression T1053.005 · Scheduled Task T1057 · Process Discovery

All other tracked techniques

T1059.001 · PowerShell T1059.005 · Visual Basic T1059.007 · JavaScript T1105 · Ingress Tool Transfer T1140 · Deobfuscate/Decode Files or Information T1204.001 · Malicious Link T1204.002 · Malicious File T1218.007 · Msiexec T1547.001 · Registry Run Keys / Startup Folder T1553.002 · Code Signing T1555.003 · Credentials from Web Browsers T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link

Detection use cases (14)

Molerats (Gaza Cybergang) DropBook/SharpStage cloud-storage C2 — non-browser process talking to Dropbox/Google Drive/Facebook Graph APIs AI · profile SΣ Molerats spearphishing chain — RAR/SFX decoy spawning scheduled-task persistence with politically-themed payload name AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match