S9030: SameCoin
Analyst context for executives and security teams
SameCoin matters because MITRE describes it as a multi-platform wiper with Windows and Android versions. For leaders, the key issue is not just malware presence; it is availability risk: destructive activity can turn an intrusion into an outage, evidence loss, mobile disruption, and a high-pressure incident response decision.
Executive priority
Treat this as a resilience and incident-readiness validation item where the organization has Windows endpoints, Android devices, or regional/sector exposure similar to the supplied WIRTE targeting context. Executives should ask whether destructive malware scenarios are covered by tested backups, mobile device governance, internal communications monitoring, and clear criteria for containment before widespread deletion or defacement occurs.
Technical view
ATT&CK provides no official detection text for SameCoin, so SOC and IR teams should validate coverage through its related behaviors: scheduled task abuse on Windows, resource name/location matching, file and directory discovery on enterprise and mobile platforms, system location discovery, lateral tool transfer, internal spearphishing, data destruction, internal defacement, and selective exclusion. Detection should focus on behavior chains rather than a single malware name.
Likely telemetry
- Windows endpoint process, file, and command-line telemetry
- Windows Task Scheduler creation/modification/execution events
- File enumeration, mass deletion, overwrite, or unusual file modification telemetry
- Internal file transfer and file share activity logs
- Email or collaboration telemetry for internally sent phishing-like messages from trusted accounts
Detection direction
- Confirm whether detections cover destructive file operations and not only ransomware-style encryption.
- Correlate file discovery followed by deletion/overwrite, defacement, or transfer activity.
- Review scheduled task detections for malicious persistence/execution while tuning out approved administration and software deployment tasks.
- Hunt for suspicious files placed or named to resemble legitimate resources, especially when paired with execution or persistence.
- Validate visibility into Android devices; unmanaged mobile endpoints are a likely blind spot.
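As an added illustration (not code from the page or from MITRE) of the behavior-chain correlation the list above recommends, the following Python scores constructed Windows telemetry for a non-approved scheduled task followed within a short window by directory enumeration and mass deletion; the event names, task names, allowlist and thresholds are assumptions.

```python
"""Behavior-chain correlation over constructed endpoint telemetry.

Added example, not from the page or MITRE: it flags hosts showing the chain
scheduled-task creation -> file enumeration -> mass deletion/overwrite,
while tuning out approved administration tasks. Event shapes, task names
and thresholds are assumptions, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of approved scheduled tasks to tune out.
APPROVED_TASKS = {r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
                  r"\Corp\SoftwareDeploy"}

# Constructed telemetry: (host, ISO timestamp, normalized event, detail).
# ws01 runs an approved deployment task; ws02 shows the destructive chain.
EVENTS = [
    ("ws01", "2026-04-20T09:00:00", "task_created", r"\Corp\SoftwareDeploy"),
    ("ws01", "2026-04-20T09:00:05", "file_deleted", r"C:\Temp\old.msi"),
    ("ws02", "2026-04-20T10:15:00", "task_created", r"\Microsoft\Windows\Sync"),
    ("ws02", "2026-04-20T10:15:20", "dir_enumerated", r"C:\Users\bob\Documents"),
] + [("ws02", f"2026-04-20T10:16:{s:02d}", "file_deleted",
      rf"C:\Users\bob\Documents\f{s}.docx") for s in range(30)]


def correlate(events, window=timedelta(minutes=10), delete_threshold=20):
    """Return {host: finding} for hosts where a non-approved task creation is
    followed within `window` by at least `delete_threshold` destructive ops."""
    by_host = defaultdict(list)
    for host, ts, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (t0, kind, task) in enumerate(evs):
            if kind != "task_created" or task in APPROVED_TASKS:
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            deletes = sum(e[1] in ("file_deleted", "file_overwritten") for e in later)
            enumerated = any(e[1] == "dir_enumerated" for e in later)
            if deletes >= delete_threshold:
                findings[host] = {"task": task, "destructive_ops": deletes,
                                  "discovery_seen": enumerated,
                                  "start": t0.isoformat()}
    return findings


if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f)
```

Raising `delete_threshold` or shrinking `window` is the tuning knob for noisy hosts; the approved-task allowlist is what keeps routine deployment tasks from paging the SOC.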
Mitigation priorities
- Prioritize tested, protected backups and restore procedures for destructive-malware scenarios.
- Limit administrative rights and task-scheduling capability to reduce persistence and execution abuse.
- Harden endpoint controls around suspicious file creation, tool transfer, and destructive file operations.
- Strengthen internal phishing controls and account monitoring because the relationship set includes internal spearphishing.
- Bring Android devices under enforceable management, inventory, and incident response procedures where they support business operations.
Analyst notes and limits
SameCoin is linked by ATT&CK to WIRTE and to both enterprise and mobile behaviors. The most decision-useful framing is destructive impact readiness across Windows and Android, plus the ability to detect precursor behaviors such as discovery, lateral movement, scheduled tasks, and internal phishing.
MITRE supplies no official detection guidance, no aliases, and no tactics directly on the malware object. Several conclusions must therefore be validated against local telemetry, device coverage, and business exposure. The supplied relationship descriptions are also truncated in places.
SameCoin
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1534 | Internal Spearphishing | |
| Enterprise | T1485 | Data Destruction | |
| Enterprise | T1491.001 | Internal Defacement Sub-technique | |
| Enterprise | T1614 | System Location Discovery | |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1679 | Selective Exclusion | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
Groups, software, and campaigns
G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded its operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 50f8535e8f13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Check Point Wirte NOV 2024: Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.
- [2] mitre-attack S9030: MITRE ATT&CK source record for S9030 (SameCoin).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.