Molerats group targets Middle Eastern governments with spear-phishing attacks

June 25, 2021

Back from a two-month hiatus, the Middle Eastern APT (Advanced Persistent Threat) group Molerats has resurfaced with targeted cyber-attacks against government organizations in the Middle East and global government bodies linked with geopolitics in the region. The activity comes in a rash of new campaigns discovered in the early weeks of this month.

A cybersecurity firm has attributed the politically motivated cyber activities to a threat actor known as TA402, aka Molerats and GazaHacker team.

According to previous campaign reports and based on their targeting, Molerats seems to operate with motives and interests aligned with the Palestinian military state. The APT group is believed to have been active for a decade, with a track record of attacking organizations and companies related to Palestine and Israel. Their targets span several verticals such as telecommunications, technology, academia, finance, media, governments, and the military.

The reason they stopped their operations for two months is not yet apparent, but researchers speculate that either the ensuing violence in May or the holy month of Ramadan may have been one of the reasons.

The new wave of attacks starts with spear-phishing emails written in Arabic. Each email contains a PDF file embedded with a malicious, geographically filtered URL that redirects victims to a password-protected archive only if the source IP address belongs to one of the targeted countries in the Middle East.

Recipients who fall outside the URL's geo filter are redirected to a decoy web page that is typically in Arabic and looks like the website of Al Akhbar or Al Jazeera.

Further analysis of the attacks revealed that the geofenced delivery method and the password-protected archive file were used as an anti-detection mechanism so that the threat actors could bypass automated security analysis products.

The final stage of the infection chain involves extracting the archive file, which drops a custom backdoor called LastConn. LastConn seems to be an upgraded version of SharpStage, a backdoor detected in December 2020.

Once the LastConn backdoor runs, the malware, which relies heavily on the Dropbox API, will download and execute the cloud-hosted files on a host server, in addition to running remote commands and capturing screenshots that are exfiltrated back using Dropbox.
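
For defenders, the Dropbox-based channel described above can be hunted by looking for processes other than the Dropbox client that contact Dropbox API hosts. The following is an added example, not code from the original report: the log format, the sample rows and the allowlisted client paths are assumptions to adapt to your own EDR or proxy telemetry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample telemetry (process-level network connections).
# Field names and every row are invented for this example.
SAMPLE_LOG = r"""
ts,host,image,dest_host,bytes_out
2021-06-20T08:01:11Z,WS-014,C:\Program Files (x86)\Dropbox\Client\Dropbox.exe,api.dropboxapi.com,5120
2021-06-20T08:03:40Z,WS-022,C:\Users\amal\AppData\Roaming\updater.exe,api.dropboxapi.com,980
2021-06-20T08:04:10Z,WS-022,C:\Users\amal\AppData\Roaming\updater.exe,content.dropboxapi.com,412330
2021-06-20T08:09:10Z,WS-022,C:\Users\amal\AppData\Roaming\updater.exe,content.dropboxapi.com,398112
2021-06-20T08:10:02Z,WS-031,C:\Windows\System32\svchost.exe,www.example.org,300
2021-06-20T08:11:45Z,WS-031,C:\Tools\sync.exe,dropboxapi.com.example.net,700
"""

# Assumption: images allowed to call the Dropbox API in this environment.
EXPECTED_IMAGES = {
    r"c:\program files (x86)\dropbox\client\dropbox.exe",
    r"c:\program files\dropbox\client\dropbox.exe",
}

def is_dropbox_api(dest_host):
    """True only for dropboxapi.com and its subdomains (not lookalikes)."""
    h = dest_host.lower().rstrip(".")
    return h == "dropboxapi.com" or h.endswith(".dropboxapi.com")

def hunt(log_text):
    """Aggregate Dropbox API traffic from processes outside the allowlist."""
    stats = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "dests": set()})
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        if not is_dropbox_api(row["dest_host"]):
            continue
        if row["image"].lower() in EXPECTED_IMAGES:
            continue
        s = stats[(row["host"], row["image"])]
        s["connections"] += 1
        s["bytes_out"] += int(row["bytes_out"])
        s["dests"].add(row["dest_host"].lower())
    findings = [{"host": h, "image": i, **s, "dests": sorted(s["dests"])}
                for (h, i), s in stats.items()]
    # Largest upload volume first: screenshot exfiltration shows up as bytes out.
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage rather than a verdict, since browsers and legitimate third-party tools also use the Dropbox API.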

The evolved toolset of Molerats underscores that threat actors are focused on developing and customizing their malware and backdoor implants to avoid detection and sneak past the defenses placed in a system.


TA402 carries out highly effective attack campaigns and is considered a severe cyber threat.
