Key points
- Gaza Cybergang sub-groups show long-term consolidation and shared malware development/supply lines since 2018.
- Pierogi++ is a C++ backdoor observed in 2022–2023 that appears to be an evolution of the Pierogi implant (originally Delphi/Pascal).
- Primary delivery vectors are weaponized Office documents and archive files with macros or embedded Base64 payloads.
- Pierogi++ implements backdoor capabilities such as screenshots, remote command execution, and file download, using curl for HTTP C2 traffic.
- C2 domains for Pierogi++ are frequently registered via Namecheap and hosted by Stark Industries Solutions LTD; many domain names follow group naming conventions.
- Obfuscation and encoding techniques include Base64-embedded payloads and modified Base64 string tricks used across BarbWire and Big Bang samples.
- Telemetry shows overlaps with other clusters (Arid Viper, WIRTE, TA402) via shared strings, stager user-agents, and staging patterns.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Office documents with macros are used to deploy Pierogi++ (‘The documents distributing Pierogi++ use macros to deploy the malware’)
- [T1053.005] Scheduled Task/Job – Malware often persists or masquerades as scheduled tasks or utility applications (‘masquerades as a Windows artifact, such as a scheduled task or a utility application’)
- [T1027] Obfuscated Files or Information – Payloads and implementation are embedded or encoded in Base64 within macros/documents (‘implementation is embedded either in the macros or in the documents themselves, often in Base64-encoded form.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Backdoor uses HTTP(S)-style C2 communication implemented with the curl library (‘The backdoor uses the curl library for exchanging data with the C2 server’)
- [T1105] Ingress Tool Transfer – Backdoor supports downloading attacker-provided files onto victims (‘downloading attacker-provided files.’)
- [T1113] Screen Capture – Backdoor captures screenshots as part of reconnaissance (‘taking screenshots’)
- [T1583] Acquire Infrastructure – Multiple C2 domains are registered (Namecheap) and hosted (Stark Industries), reflecting coordinated infra acquisition (‘Most of the Pierogi++ C2 servers are registered at Namecheap and hosted by Stark Industries Solutions LTD’)
- [T1036] Masquerading – Executables and decoys use politically themed filenames to appear legitimate (‘executables also masquerade as politically-themed documents, with names such as “The national role of the revolutionary and national councils in confronting the plans for liquidation and Judaization”’)
Indicators of Compromise
- [SHA-1] Sample hashes – 42cb16fc35cfc30995e5c6a63e32e2f9522c2a77 (Pierogi++), 003bb055758a7d687f12b65fc802bac07368335e (Micropsia), and 25 more hashes.
- [Domains] C2 domains – bruce-ess[.]com (Micropsia C2), aracaravan[.]com (Pierogi++ C2), and 16 more domains.
- [File names] Decoy/document names – “The national role of the revolutionary and national councils in confronting the plans for liquidation and Judaization”, “The situation of Palestinian refugees in Syria refugees in Syria” (used as politically themed decoys).
- [Hosting/Registrar] Infrastructure providers – Namecheap (registrar) and Stark Industries Solutions LTD (hosting) used for Pierogi++ C2 servers.
- [File types] Delivery artifacts – archive files and weaponized Office documents with macros (used to deliver Pierogi++ and Micropsia payloads).
Gaza Cybergang actors deploy Pierogi++ primarily via weaponized Office documents and archives: macros or embedded Base64 artifacts in decoy documents decode and execute a C++ backdoor or drop an executable that often masquerades as politically themed content. The payloads implement standard backdoor functionality—screenshot capture, remote command execution, and file downloads—and sometimes establish persistence or appear as scheduled tasks/utility applications.
Technically, Pierogi++ shows lineage to earlier Pierogi variants (Delphi/Pascal) but is rewritten in C++; it communicates with C2 using HTTP-like requests implemented via the curl library. Infrastructure patterns include Namecheap-registered domains and hosting by Stark Industries Solutions LTD, while obfuscation includes Base64 embedding and a modified-Base64 string technique (an extra character inserted/removed) observed in BarbWire/Big Bang samples to evade static detections. Telemetry also reveals reused strings and unique stager user-agent patterns that link Pierogi++ activity to broader clusters such as Micropsia, Arid Viper, WIRTE, and TA402.
Analysts should hunt for weaponized Office documents containing macros or Base64-encoded payloads, process creations that mimic scheduled tasks or utility applications, outgoing HTTP(S) requests made by curl-style libraries, politically themed filenames and executables, and Namecheap-registered domains hosted on Stark Industries, treating these as prioritized IOCs for detection and response.
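As an added example (not code from the SentinelOne report), the following Python helper implements the first of those hunts over extracted macro text: it finds long Base64 runs, decodes them, and flags runs that decode to a PE image or a command line. The "modified Base64" check assumes that the extra inserted character leaves a length no genuine Base64 string can have; the macro text, the fake PE stub and the command line are constructed.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters long enough to carry a payload
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SUSPICIOUS = re.compile(rb"(?i)cmd\.exe|powershell|https?://")

def classify(blob: str) -> str:
    """Heuristic verdict for one candidate Base64 run."""
    core = blob.rstrip("=")
    # Assumption: a single inserted junk character yields a length that is
    # 1 more than a multiple of 4, which no genuine Base64 string can have.
    if len(core) % 4 == 1:
        return "modified Base64 suspected (length off by one)"
    try:
        data = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except binascii.Error:
        return "not Base64"
    if data.startswith(b"MZ"):
        return "embedded PE executable"
    if SUSPICIOUS.search(data):
        return "embedded command or URL"
    return "valid Base64 (inspect manually)"

def hunt(macro_text: str):
    """Return (verdict, run_length) for every candidate run, in document order."""
    return [(classify(m.group(0)), len(m.group(0))) for m in B64_RUN.finditer(macro_text)]

# Constructed sample macro (not from any real document): a fake PE stub, the
# same stub with one extra character inserted, and an encoded command line.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 40).decode()
MODIFIED = FAKE_PE[:10] + "A" + FAKE_PE[10:]
FAKE_CMD = base64.b64encode(b"cmd.exe /c curl https://example.invalid/x").decode()
SAMPLE_MACRO = "\n".join([
    "Sub AutoOpen()",
    f'    p = "{FAKE_PE}"',
    f'    q = "{MODIFIED}"',
    f'    c = "{FAKE_CMD}"',
    '    r = "short=="',
    "End Sub",
])

if __name__ == "__main__":
    for verdict, length in hunt(SAMPLE_MACRO):
        print(f"{length:4d} chars: {verdict}")
```

Feed it the output of a macro extractor (for example the VBA source dumped from a suspicious document) rather than the raw OLE/OOXML bytes.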
Read more: https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/