Hamas-linked hackers target victims in Palestinian territories

A new cyber-espionage campaign has been uncovered in the Middle East which is directed at entities and individuals in the Palestinian territories. The attacks are believed to be the work of a group known as MoleRATs (The Gaza Cybergang), an Arabic-speaking threat actor that has been operating in the Middle East since 2012.

According to the Boston-based cybersecurity company Cybereason, there are two separate campaigns happening simultaneously. One of them, dubbed “The Spark Campaign”, attempts to infect targets (mainly in the Palestinian territories) with the Spark backdoor using social engineering. The campaign lures victims with content related to recent geopolitical events, namely the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between the Hamas and Fatah Palestinian movements.

If victims open the emails and the attached malicious files, which come in the form of Microsoft Office documents, PDFs, and archive files, an additional archive file from Egnyte or Dropbox is dropped on the system. This archive contains an executable, which is the Spark backdoor dropper.

To stay hidden from security solutions, the creators of the Spark backdoor use several techniques. More specifically, they pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking, minimizing the risk of detection and of infecting unwanted victims.

The second campaign, which the researchers called “The Pierogi Campaign”, also leverages social engineering tricks to infect victims, but in this case the payload is a new, undocumented RAT dubbed Pierogi. First discovered in December 2019, this RAT allows the attackers to spy on victims. The researchers believe that the Pierogi backdoor is not custom-made, but rather was obtained by the MoleRATs group in underground communities. Cybereason also found evidence in the code (the Ukrainian language embedded in the backdoor) indicating that the malware may have been developed by Ukrainian-speaking hackers.
