Molerats APT Uses Cloud Services To Host Malware Payloads & Steals Sensitive Information

by chebbi abir

Zscaler experts have recently unveiled a new active campaign that is operated by the hacker APT group, Molerats. In this campaign, the Molerats hackers target the Middle East by exploiting the cloud storage services and geopolitically themed lures.

Molerats is an Arabic-speaking APT group, which is also known as Gaza Cyber gang, and the operators of Molerats APT group are primarily focusing on the users from the following countries:-

  • Europe
  • The United States
  • Southwest Asia

Attack Flow

In July last year, the latest campaign of Molerats APT group was launched in which they used:-

  • Malicious RAR
  • ZIP archives

Here, the hackers have used the above items as an attachment of phishing e-mail to compromise the system and network of their targets.

Through Microsoft Office documents that were infected with malicious macros, the hackers subsequently began delivering them from mid-December. 

While after executing them, the operators of the Molerats APT group download the malicious tools on the computer system of their victim through the command line and PowerShell script.

All these are performed or pointed on the targets via popular cloud services like Google Drive Dropbox, as they abuse them to host malware payloads and steal sensitive information.


The conflict between Israel and Palestine has forced the experts to think about the growing concerns for forged documents. As in past attacks, the threat actors have used presentations about wanted persons, to which Interpol has already issued red notice.

Here, the primary goal of the threat actors behind this campaign is to target the important members of the following sectors:-

  • Palestinian financial sector.
  • People affiliated with Palestinian political parties.
  • Human rights activists from Turkey.
  • Journalists from Turkey.

Initially, the RAR archive called “servicehost” which was used as a backdoor by the threat actors, seemed harmless, but, in reality, it was an EXE executable file that enabled the hackers to steal the following data from the compromised systems of the victims:-

  • IP address
  • Hostname
  • User name of the infected device
  • Essential files

Through the API of the DropBox repository, the operators of Molerates APT group establish the communication between the malware and the control server.

Here are the commands used by the attackers for their operations:-

  • 1 to run the specified command.
  • 2 to take snapshots and upload.
  • 3 to send a list of files from specified directories.
  • 4 to upload files.
  • 5 to download and execute the RAR archive.

In Dropbox, they store all the data stolen from their victims, while in the Google Drive cloud storage, they store all the hacker codes


To read the original article:


Interdit de copier  ce contenu