

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [1] [2]

ID: G0021
Associated Groups: Operation Molerats, Gaza Cybergang
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

| Name | Description |
|---|---|
| Operation Molerats | [3] |
| Gaza Cybergang | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | Molerats has used forged Microsoft code-signing certificates on malware. [3] |
| Enterprise | T1003 | Credential Dumping | Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims. [1] |
| Enterprise | T1057 | Process Discovery | Molerats actors obtained a list of active processes on the victim and sent them to C2 servers. [1] |


| ID | Name | References | Techniques |
|---|---|---|---|
| S0062 | DustySky | [1] [2] | Fallback Channels, File and Directory Discovery, Input Capture, Obfuscated Files or Information, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Replication Through Removable Media, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, Windows Management Instrumentation |
| S0012 | PoisonIvy | [1] [2] [3] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port |