The Arabic-speaking threat actor known as MoleRATs, which is part of a trio of groups, is believed to be behind two recent campaigns tracked by researchers from the Cybereason Nocturnus team.

The first campaign is called Spark and relies on social engineering for its initial attack. The group sends phishing emails with politically motivated content to trick victims. The emails contain malicious files in the form of Word documents, PDF files, and archive files, all of which attempt to get users to download an additional archive file from Egnyte or Dropbox. If the victim opens the archive file, another file, disguised as a Microsoft Word file, contains an executable that delivers the Spark backdoor dropper onto the victim's computer.

The second campaign has been called Pierogi, named after an Eastern European dish. The software used in this campaign is written in Delphi, and researchers considered it basic. It is believed to have been written by Ukrainian-speaking attackers, as indicated by the language used in the code. The malware can collect and steal system data, download additional payloads, take screenshots, and execute commands via CMD.

It is believed that the group is using these campaigns to obtain sensitive information from victims and to leverage that stolen information for political reasons.