Threat Watch

MoleRATs Working on Two Active Campaigns


The Arabic-speaking threat actor known as MoleRATs, one of a trio of related groups, is believed to be behind two recent campaigns tracked by researchers from the Cybereason Nocturnus team. The first campaign, called Spark, relies on social engineering for initial access. The group sends phishing emails with politically themed lures; the attachments are Word documents, PDF files, and archive files, all of which try to get the recipient to download a further archive from Egnyte or Dropbox. That archive contains an executable disguised as a Microsoft Word document; if the victim opens it, a dropper installs the Spark backdoor on the machine. The second campaign, named Pierogi after the Eastern European dish, uses a backdoor written in Delphi that the researchers describe as fairly basic. Ukrainian-language strings in the code suggest it was written by Ukrainian-speaking authors. The malware can collect and exfiltrate system information, download additional payloads, take screenshots, and execute commands via cmd. The group appears to be using both campaigns to obtain sensitive information from victims and leverage it for political ends.
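The Spark delivery chain above turns on one trick: an executable inside a downloaded archive that is dressed up to look like a Word document. The following script is an added example (not code from the original page or from Cybereason) showing how a mail gateway or sandbox pre-filter can catch that disguise by comparing what a file claims to be with what it actually is. It assumes two disguise methods that the report does not spell out: a PE file carrying a document extension, and a double extension such as `.doc.exe`. The file names and archive contents are constructed for the demonstration; the "PE" members are only an `MZ` header followed by filler, not real malware.

```python
import io
import zipfile

# File-type signatures used to learn what a member really is, regardless of its name.
PE_MAGIC = b"MZ"           # Windows executable (EXE/DLL/SCR)
ZIP_MAGIC = b"PK\x03\x04"  # .docx/.xlsx are ZIP containers
PDF_MAGIC = b"%PDF"

# Assumed lure extensions and extensions Windows will run directly.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def claimed_extensions(name):
    """Lowercased dotted suffixes of a member name: 'x/Report.DOC.exe' -> ['.doc', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def suspicious_reasons(name, head):
    """Reasons an archive member looks like an executable posing as a document.

    `head` is the first few bytes of the member's content; an empty list means clean.
    """
    reasons = []
    exts = claimed_extensions(name)
    last = exts[-1] if exts else ""
    is_pe = head.startswith(PE_MAGIC)
    # Content says "Windows executable" but the name says "document".
    if is_pe and last in DOCUMENT_EXTENSIONS:
        reasons.append("PE content under a document extension")
    # Name like Report.doc.exe: Explorer hides the final .exe by default.
    if is_pe and last in EXECUTABLE_EXTENSIONS and DOCUMENT_EXTENSIONS.intersection(exts[:-1]):
        reasons.append("double extension: document name with executable suffix")
    return reasons


def scan_archive(archive_bytes):
    """Map each flagged member name to its list of reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)  # only the magic bytes are needed
            reasons = suspicious_reasons(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed test archive (not a real sample): a benign docx-like file, a text
    file, and two fake PE stubs disguised as documents."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"fake payload"  # DOS header magic only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Policy_brief.docx", ZIP_MAGIC + b"\x00" * 26 + b"word/document.xml")
        zf.writestr("readme.txt", b"just text")
        zf.writestr("Meeting_notes.doc.exe", fake_pe)
        zf.writestr("Statement.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, why in scan_archive(build_sample_archive()).items():
        print(f"{member_name}: {'; '.join(why)}")
```

Running the script prints the two disguised members and the reason each was flagged, while the genuine document and text file pass. The check is deliberately cheap (eight bytes per member), so it can sit in front of heavier sandbox detonation; it will not catch a macro-laden real document, which is a different control.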


The researchers cautioned in their report that many threat actors operate in the Middle East and that groups increasingly mimic the TTPs (tactics, techniques, and procedures) of other groups, which makes accurate attribution harder. Although they attribute this activity to MoleRATs, they acknowledge the possibility of misattribution. Politically motivated groups such as this one tend to launch campaigns around major events in their target region. Security awareness training that teaches employees how to spot phishing emails is an important part of the defense against campaigns like these. Because some employees will inevitably fall for a phishing email at some point in their careers, anti-virus and endpoint monitoring provide a critical second layer: detecting attacker behavior on endpoints quickly and responding before the intruders can steal files or reach other machines on the network is the best way to keep an initial intrusion from causing major damage to a business. More information about these campaigns can be found here:, and the full research from Cybereason can be read at: