Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [1] [2]

ID: G0021
Version: 1.0

Associated Group Descriptions

Operation Molerats[3]
Gaza Cybergang[1]

Techniques Used

EnterpriseT1116Code SigningMolerats has used forged Microsoft code-signing certificates on malware.[3]
EnterpriseT1003Credential DumpingMolerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[1]
EnterpriseT1057Process DiscoveryMolerats actors obtained a list of active processes on the victim and sent them to C2 servers.[1]


S0062DustySky[1][2]Fallback Channels, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Replication Through Removable Media, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Windows Management Instrumentation
S0012PoisonIvy[1][2][3]Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port