The Gaza Cyber Gang, identified as a pro-Hamas threat actor, has been targeting Palestinian entities with an updated version of its Pierogi backdoor, tracked as Pierogi++. This variant is notable for being implemented in C++, which distinguishes it from its Delphi- and Pascal-based predecessor. The Gaza Cyber Gang, active since at least 2012, has historically targeted the Middle East, specifically Israel and Palestine, often relying on spear-phishing for initial access.
Some of the malware families associated with this threat actor include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT, among others. Recent activities of the Gaza Cyber Gang indicate consistent targeting of Palestinian entities, with a focus on maintaining access and compromising targets. The group has been linked to attacks involving improvised variants of its Micropsia and Arid Gopher implants, as well as a new initial access downloader known as IronWind.
The deployment of Pierogi++, first recorded in late 2022, highlights the group’s commitment to refining and updating its malware tools for successful compromise and persistent access to networks. The investigation also reveals tactical connections between two separate campaigns, Big Bang and Operation Bearded Barbie, and reinforces ties between the threat actor and WIRTE, as disclosed by Kaspersky in November 2021.
The observed overlaps in targeting and malware similarities suggest a consolidation process within the Gaza Cyber Gang, possibly involving the establishment of an internal malware development and maintenance hub or streamlining supply from external vendors.