MITRE ATT&CK® Malware

S9030: SameCoin

SameCoin is a multi-platform wiper with Windows and Android versions that has been used by WIRTE to target entities in the Middle East including in Israel.[1]

Enterprise | S9030 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

SameCoin matters because MITRE describes it as a multi-platform wiper with Windows and Android versions. For leaders, the key issue is not just malware presence; it is availability risk: destructive activity can turn an intrusion into an outage, evidence loss, mobile disruption, and a high-pressure incident response decision.

Executive priority

Treat this as a resilience and incident-readiness validation item where the organization has Windows endpoints, Android devices, or regional/sector exposure similar to the supplied WIRTE targeting context. Executives should ask whether destructive malware scenarios are covered by tested backups, mobile device governance, internal communications monitoring, and clear criteria for containment before widespread deletion or defacement occurs.

Technical view

ATT&CK provides no official detection text for SameCoin, so SOC and IR teams should validate coverage through its related behaviors: scheduled task abuse on Windows, resource name/location matching, file and directory discovery on enterprise and mobile platforms, system location discovery, lateral tool transfer, internal spearphishing, data destruction, internal defacement, and selective exclusion. Detection should focus on behavior chains rather than a single malware name.

Likely telemetry

  • Windows endpoint process, file, and command-line telemetry
  • Windows Task Scheduler creation/modification/execution events
  • File enumeration, mass deletion, overwrite, or unusual file modification telemetry
  • Internal file transfer and file share activity logs
  • Email or collaboration telemetry for internally sent phishing-like messages from trusted accounts

Detection direction

  • Confirm whether detections cover destructive file operations and not only ransomware-style encryption.
  • Correlate file discovery followed by deletion/overwrite, defacement, or transfer activity.
  • Review scheduled task detections for malicious persistence/execution while tuning out approved administration and software deployment tasks.
  • Hunt for suspicious files placed or named to resemble legitimate resources, especially when paired with execution or persistence.
  • Validate visibility into Android devices; unmanaged mobile endpoints are a likely blind spot.
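The behavior-chain correlation described in the list above, as an added example that is not part of the original page or of MITRE's content. The event schema (ts, host, image, action), the action names, the expected-directory allowlist, and the thresholds are assumptions to adapt to local EDR telemetry; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of directories a well-known binary name may run from; tune locally.
EXPECTED_DIRS = {"microsoftedge.exe": ("c:\\windows\\systemapps\\",
                                       "c:\\program files (x86)\\microsoft\\edge\\")}
WINDOW = timedelta(minutes=10)   # overwrites must follow enumeration within this window
OVERWRITE_THRESHOLD = 3          # low for the constructed sample; raise in production

def masquerades(image):
    """True when a well-known binary name runs from outside its expected directories."""
    image = image.lower()
    dirs = EXPECTED_DIRS.get(image.rsplit("\\", 1)[-1])
    return dirs is not None and not image.startswith(dirs)

def hunt(events):
    """Return (host, image, reasons) for processes matching two or more chain steps."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_proc[(e["host"], e["image"])].append(e)
    findings = []
    for (host, image), evs in by_proc.items():
        reasons = []
        if masquerades(image):
            reasons.append("name_location_mismatch")
        if any(e["action"] == "task_create" for e in evs):
            reasons.append("scheduled_task")
        enums = [e["ts"] for e in evs if e["action"] == "dir_enum"]
        if enums:
            burst = [e for e in evs if e["action"] == "file_overwrite"
                     and enums[0] <= e["ts"] <= enums[0] + WINDOW]
            if len(burst) >= OVERWRITE_THRESHOLD:
                reasons.append("enum_then_mass_overwrite")
        # A single signal (e.g. a backup agent rewriting files) is not reported.
        if len(reasons) >= 2:
            findings.append((host, image, reasons))
    return findings

def _ev(sec, host, image, action):
    return {"ts": T0 + timedelta(seconds=sec), "host": host, "image": image, "action": action}

# Constructed sample events: one suspicious chain on WS01, one benign backup agent on WS02.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SUSPECT = "C:\\Users\\Public\\MicrosoftEdge.exe"
BACKUP = "C:\\Program Files\\BackupAgent\\agent.exe"
SAMPLE = ([_ev(0, "WS01", SUSPECT, "task_create"), _ev(5, "WS01", SUSPECT, "dir_enum")]
          + [_ev(10 + i, "WS01", SUSPECT, "file_overwrite") for i in range(4)]
          + [_ev(0, "WS02", BACKUP, "dir_enum")]
          + [_ev(20 + i, "WS02", BACKUP, "file_overwrite") for i in range(5)])
```

Requiring two or more signals keeps the backup agent on WS02 out of the results even though it enumerates and rewrites files.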

Mitigation priorities

  • Prioritize tested, protected backups and restore procedures for destructive-malware scenarios.
  • Limit administrative rights and task-scheduling capability to reduce persistence and execution abuse.
  • Harden endpoint controls around suspicious file creation, tool transfer, and destructive file operations.
  • Strengthen internal phishing controls and account monitoring because the relationship set includes internal spearphishing.
  • Bring Android devices under enforceable management, inventory, and incident response procedures where they support business operations.
Analyst notes and limits

SameCoin is linked by ATT&CK to WIRTE and to both enterprise and mobile behaviors. The most decision-useful framing is destructive impact readiness across Windows and Android, plus the ability to detect precursor behaviors such as discovery, lateral movement, scheduled tasks, and internal phishing.

MITRE supplies no official detection guidance, no aliases, and no tactics directly on the malware object. Several conclusions must therefore be validated against local telemetry, device coverage, and business exposure. The supplied relationship descriptions are also truncated in places.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1534 | Internal Spearphishing | SameCoin can send its Setup.exe file as an attachment to other addresses in the same compromised organization. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1485 | Data Destruction | SameCoin can overwrite designated files on targeted systems with random bytes. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1491.001 | Internal Defacement (sub-technique) | SameCoin can alter the victim’s background to display an image showing the name of Hamas’s military wing. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1614 | System Location Discovery | SameCoin can attempt to connect to the Israel Home Front Command site, oref.org[.]il, which is only reachable from within Israel to verify the target's location. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1570 | Lateral Tool Transfer | SameCoin can copy its wiper executable to remote machines within the same Active Directory. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1679 | Selective Exclusion | SameCoin can avoid overwriting file names that contain “desktop.ini” and “conf.conf.” (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1083 | File and Directory Discovery | SameCoin can list all system files and can avoid wiping specific directories such as Program Files, Windows, and Users. (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | SameCoin has named files to appear legitimate such as "MicrosoftEdge.exe." (Citation: Check Point Wirte NOV 2024) |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SameCoin has the ability to set a scheduled task for execution. (Citation: Check Point Wirte NOV 2024) |

Associated objects

Groups, software, and campaigns

Group Enterprise

G0090: WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 50f8535e8f130901...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 50f8535e8f13… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Check Point Wirte NOV 2024: Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.
  2. [2] mitre-attack S9030

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.