G0021: Molerats
Analyst context for executives and security teams
Molerats is an ATT&CK-tracked intrusion set described by MITRE as an Arabic-speaking, politically motivated group operating since 2012, with reported victim geography primarily in the Middle East, Europe, and the United States. For defenders, the value of this object is less about a single signature and more about validating resilience against a recurring pattern: spearphishing-led access, user-assisted execution, Windows backdoors/RATs, persistence through scheduled tasks or Run keys, script execution, tool transfer, and credential theft from browsers.
Executive priority
Treat this as a practical test case for phishing resilience, endpoint visibility, and incident response readiness. Leaders should ask whether the organization can produce evidence that email security, endpoint logging, script controls, persistence monitoring, and credential protection would expose the ATT&CK behaviors associated with this group. Because the official ATT&CK group object has no detection text and no top-level platform list, prioritization should be based on local exposure: geographic relevance, politically sensitive business functions, executive or regional targeting risk, and the presence of Windows-heavy user endpoints where the related malware and techniques are most represented.
Technical view
SOC and IR teams should map coverage against the relationship set rather than relying on a Molerats-specific detection. The relationships include use of PoisonIvy, DustySky, Spark, SharpStage, DropBook, and MoleNet, all listed with Windows platforms, plus techniques spanning spearphishing links and attachments, malicious link/file execution, PowerShell, Visual Basic, JavaScript, msiexec proxy execution, scheduled tasks, Registry Run keys/startup folders, process discovery, ingress tool transfer, deobfuscation/decoding, compression, code signing abuse, and browser credential access. Validate whether detections correlate email events, user execution, child processes from Office/browser/script hosts, persistence writes, scheduled task creation, unusual msiexec activity, downloaded payloads, and browser credential store access into an investigation timeline.
Likely telemetry
- Email security logs for spearphishing attachments and links, including sender, recipient, URL, attachment, and delivery disposition metadata.
- Endpoint process creation telemetry for PowerShell, Visual Basic/JScript script hosts, msiexec.exe, archive/decompression utilities, and suspicious child processes from Office applications or browsers.
- Windows scheduled task creation/modification events and command-line details where available.
- Windows Registry and startup folder monitoring for Run key or startup persistence changes.
- File creation and download telemetry for transferred tools, compressed files, decoded payloads, PyInstaller/.NET artifacts where observable, and signed binaries with unusual context.
Detection direction
- Build behavior-led analytics around the ATT&CK relationships rather than a single group label; the official object does not provide detection guidance.
- Tune phishing detections to connect initial email delivery with endpoint execution from attachments or links, especially when followed by script interpreters, msiexec, downloads, or persistence creation.
- Validate command-line and parent/child-process visibility for PowerShell, Visual Basic/JScript, msiexec.exe, and archive/decode activity; lack of command-line logging is a material blind spot.
- Monitor scheduled task and Run key creation in user context, but account for legitimate software installers and administrative tools to reduce false positives.
- Review code-signing trust logic: a signed binary should not be treated as benign without execution context, source path, signer reputation, and behavior.
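One way to implement the behavior-led correlation this section calls for, as an added example that is not Glexia's or MITRE's code: it classifies constructed EDR-style events (field names and sample values are assumptions) into the technique IDs from this page's table and reports a host only when several distinct techniques fall inside one window, so a lone vendor installer using msiexec or a scheduled task is not flagged.

```python
"""Behavior-led correlation over constructed endpoint events (added example for this page, not
Glexia or MITRE code; field names are assumed EDR-style names). Each rule maps one behavior to
a technique ID from this page's table; a host is reported only when 2+ distinct techniques fall in one window."""
from collections import defaultdict
from datetime import datetime, timedelta

DOC_PARENTS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")

def classify(ev):
    """Map one event to an ATT&CK technique ID listed for Molerats, or None."""
    image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd, path = ev.get("cmdline", "").lower(), ev.get("path", "").lower()
    if ev["type"] == "process" and image in SCRIPT_HOSTS and parent in DOC_PARENTS:
        return SCRIPT_HOSTS[image]  # script interpreter spawned by a document or browser
    if ev["type"] == "process" and image == "msiexec.exe" and ".msi" in cmd and (
            parent in DOC_PARENTS or any(p in cmd for p in USER_WRITABLE)):
        return "T1218.007"  # msiexec executing a package from a user-writable path
    if ev["type"] == "schtask_create" and ".vbs" in cmd:
        return "T1053.005"  # scheduled task whose action runs a VBScript
    if ev["type"] == "file_create" and "\\start menu\\programs\\startup\\" in path:
        return "T1547.001"  # file dropped into the per-user Startup folder
    return None

def correlate(events, window=timedelta(minutes=30), min_techniques=2):
    """Return {host: sorted technique IDs} for hosts that reach min_techniques distinct
    techniques inside one window; a lone hit (e.g. a vendor installer) is not reported."""
    by_host = defaultdict(list)
    for ev in events:
        if tech := classify(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tech))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            techs = {tech for t, tech in hits[i:] if t - t0 <= window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs | set(flagged.get(host, [])))
    return flagged

# Constructed sample feed (not real telemetry). WS01 follows the chain in this page's table
# (Word -> wscript, msiexec from Downloads, .vbs task, Startup drop); WS02 is a normal installer.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-03-01T10:00:05", "type": "process", "image": "wscript.exe", "parent": "WINWORD.EXE", "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\update.vbs"},
    {"host": "WS01", "time": "2024-03-01T10:00:30", "type": "process", "image": "msiexec.exe", "parent": "explorer.exe", "cmdline": r"msiexec /i C:\Users\u\Downloads\setup.msi /q"},
    {"host": "WS01", "time": "2024-03-01T10:01:00", "type": "schtask_create", "cmdline": r"schtasks /create /tn Update /tr wscript C:\Users\u\AppData\Roaming\update.vbs"},
    {"host": "WS01", "time": "2024-03-01T10:01:10", "type": "file_create", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"host": "WS02", "time": "2024-03-01T09:00:00", "type": "process", "image": "msiexec.exe", "parent": "explorer.exe", "cmdline": r"msiexec /i C:\Program Files\Vendor\agent.msi /q"},
]
```

Calling `correlate(SAMPLE_EVENTS)` reports only WS01 with four technique IDs; the window and threshold are the knobs to tune against the false-positive sources named above.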
Mitigation priorities
- Prioritize phishing controls and user-reporting workflows for attachments and links, since both spearphishing attachment and spearphishing link are associated techniques.
- Harden endpoint execution paths: restrict or monitor script interpreters, PowerShell, and msiexec usage according to business need, with emphasis on high-risk users and regions.
- Strengthen persistence prevention and monitoring for scheduled tasks, Registry Run keys, and startup folders on Windows endpoints.
- Reduce credential exposure by managing browser password storage risk, enforcing strong identity controls, and ensuring rapid credential reset procedures during IR.
- Ensure EDR, email, proxy/DNS, and identity logs are retained long enough to reconstruct the sequence from email delivery to execution, persistence, tool transfer, and credential access.
Analyst notes and limits
The ATT&CK object identifies Molerats aliases as Molerats, Operation Molerats, and Gaza Cybergang, and cites reporting from ClearSky, FireEye, Kaspersky, and Cybereason. Relationship context is especially useful here because the group object has no official detection field and no top-level tactics or platforms. The most defensible takeaway is to assess coverage for the related techniques and Windows malware relationships, while treating geographic and political targeting context as a risk-prioritization input rather than proof of exposure.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current activity, customer targeting, confirmed compromise, or guaranteed detection. Top-level platforms and tactics are not specified for the intrusion-set object; platform references come only from related software and technique objects. Local environment telemetry, asset exposure, business geography, and control configuration are required to determine actual risk and coverage.
Molerats
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.007 | Msiexec Sub-technique | Molerats has used msiexec.exe to execute an MSI payload. (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable. (Citation: Kaspersky MoleRATs April 2019) (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Molerats used executables to download malicious files from different sources. (Citation: Kaspersky MoleRATs April 2019) (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Molerats has used forged Microsoft code-signing certificates on malware. (Citation: FireEye Operation Molerats) |
| Enterprise | T1027.015 | Compression Sub-technique | Molerats has delivered compressed executables within ZIP files to victims. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Molerats has created scheduled tasks to persistently run VBScripts. (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Molerats decompresses ZIP files once on the victim machine. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments. (Citation: Kaspersky MoleRATs April 2019) (Citation: Unit42 Molerat Mar 2020) (Citation: Cybereason Molerats Dec 2020) |
| Enterprise | T1057 | Process Discovery | Molerats actors obtained a list of active processes on the victim and sent them to C2 servers. (Citation: DustySky) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Molerats has sent phishing emails with malicious links included. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims. (Citation: DustySky) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Molerats saved malicious files within the AppData and Startup folders to maintain persistence. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Molerats used PowerShell implants on target machines. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Molerats used various implants, including those built with VBScript, on target machines. (Citation: Kaspersky MoleRATs April 2019) (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Molerats used various implants, including those built with JS, on target machines. (Citation: Kaspersky MoleRATs April 2019) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives. (Citation: Kaspersky MoleRATs April 2019) (Citation: Unit42 Molerat Mar 2020) (Citation: Cybereason Molerats Dec 2020) |
Groups, software, and campaigns
S0553: MoleNet
S0543: Spark
S0062: DustySky
S0547: DropBook
S0546: SharpStage
SharpStage is a .NET malware with backdoor capabilities.[1][2]
S0012: PoisonIvy
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 096dac19e8b2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DustySky: ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
[2] DustySky2: ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
[3] Kaspersky MoleRATs April 2019: GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
[4] Cybereason Molerats Dec 2020: Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
[5] FireEye Operation Molerats: Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved November 17, 2024.
[6] Gaza Cybergang (alias): (Citation: DustySky) (Citation: Kaspersky MoleRATs April 2019) (Citation: Cybereason Molerats Dec 2020)
[7] Molerats (alias): (Citation: DustySky)
[8] Operation Molerats (alias): (Citation: FireEye Operation Molerats) (Citation: Cybereason Molerats Dec 2020)
[9] mitre-attack: G0021
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.