Description

Molerats is a threat actor aligned with interests in the Middle East, specifically the occupied areas of the Palestinian territories. Also known as TA402, Molerats uses spearphishing with various political and military themes as lures to entice targets into opening attachments. Thought to be associated with Hamas and/or groups aligned with Palestine, Molerats has been active since 2012.

Known affiliates:

  • APT-C-23
  • Arid Viper
  • The Gaza Cybergang

Aliases

  • ALUMINUM SARATOGA
  • TA402
  • BLACKSTEM
  • Moonlight
  • Extreme Jackal

Targeted Industries

  • Financial Sector
  • Government
  • Media and Journalism
  • Non-Governmental Organizations (NGOs)

Objectives

Intelligence Gathering, Data Exfiltration

Known Tools Used

  • BlackShades
  • BrowserPasswordDump10
  • DarkComet
  • DropBook
  • DustySky
  • LastConn
  • Micropsia
  • MoleNet
  • NimbleMamba
  • NJRAT
  • Pierogi backdoor
  • PoisonIvy
  • PowerShell
  • Quasar RAT
  • SharpStage
  • SPARK RAT
  • WMI
  • XtremeRAT

Known Infection Vectors

  • Social Engineering
  • Spearphishing

Active CVEs