Keypoints
- An application shared on a Telegram channel is configured to communicate with the Hamas Izz ad-Din al-Qassam Brigades website.
- Infrastructure analysis revealed a cluster of domains whose registration patterns mimic TAG-63 (AridViper/APT-C-23/Desert Falcon) tradecraft.
- Multiple domains in the cluster were interconnected using a common Google Analytics code, indicating shared configuration or ownership.
- One domain in the cluster hosted a spoofed site impersonating the World Organization Against Torture (OMCT).
- Since October 11, 2023, the Hamas-linked domain has resolved to multiple different IP addresses, likely to maintain operability or evade takedowns/DoS.
- Domain registration patterns suggest a likely nexus to Iranian actors; Recorded Future notes IRGC/Quds Force as the only known Iranian entity providing cyber assistance to Hamas-aligned groups.
- Researchers hypothesize TAG-63 and broader Hamas operators may share or reuse infrastructure resources, implying operational overlap or a lapse in OPSEC.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – The application “is configured to communicate with Hamas’s Izz ad-Din al-Qassam Brigades website”, indicating C2 or data exchange over web protocols.
- [T1583.001] Acquire Infrastructure: Domains – Researchers “identified a cluster of domains that mimic the domain registration tradecraft of TAG-63,” showing purposeful domain acquisition to support operations.
- [T1102] Web Service – The domains “were interconnected via a Google Analytics code,” demonstrating use of third-party web services for operational linkage or tracking.
- [T1036] Masquerading – A domain in the cluster “hosted a website that spoofs the World Organization Against Torture (OMCT),” reflecting impersonation of legitimate entities to deceive users.
Indicators of Compromise
- [Domain] Hamas-linked site (Izz ad-Din al-Qassam Brigades) – referenced as the application’s contact/endpoint (exact domain not listed in article).
- [Domain] Cluster domains mimicking TAG-63 tradecraft – several domains identified (exact names not provided) and one hosted an OMCT spoof site.
- [IP addresses] Rotating IPs – the Hamas-linked domain “point[ed] to multiple different IP addresses” since Oct 11, 2023 (specific IPs not published).
- [Analytics/Tracking ID] Google Analytics code – used to interconnect the cluster of domains (specific GA ID not disclosed).
- [Report URLs] Recorded Future report PDF and article – https://go.recordedfuture.com/hubfs/reports/cta-2023-1019.pdf, https://www.recordedfuture.com/hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity
The application’s binary and associated infrastructure were observed communicating directly with a Hamas-linked web endpoint; telemetry shows the domain has been remapped to multiple IP addresses since October 11, 2023, likely to preserve availability and mitigate takedown or DoS attempts. Domain registration analysis uncovered a cluster of domains that follow TAG-63 registration patterns, and the same Google Analytics tracking code appeared across several domains, indicating shared configuration or centralized management of those domains. Additionally, one domain hosted a spoof of the World Organization Against Torture (OMCT), and registrant patterns suggest a possible Iranian nexus, supporting a hypothesis that TAG-63 and other Hamas-aligned operators may be sharing or reusing infrastructure resources.
The technical posture observed includes web-based command-and-control or data exchange (application contacting a web endpoint), acquisition and operation of multiple domains aligned with a specific adversary’s registration tradecraft, use of third-party web services (Google Analytics) to link and possibly track or manage domains, and domain/IP rotation to maintain service continuity or avoid disruption. These behaviors together indicate intentional infrastructure planning to support resilient communications and operational deception (spoofed sites), which analysts used to infer likely overlaps in operational control or support networks.
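As an added example (not code from the Recorded Future report or from this summary), the two analyst pivots described above expressed in Python over constructed data: clustering domains on a shared Google Analytics tracking ID, and flagging a domain whose resolution has rotated across several IP addresses since a given date. All domains, tracking IDs and addresses below are constructed placeholders, not values from the report.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample pages: domain -> HTML fragment. Domains and IDs are placeholders.
SAMPLE_PAGES = {
    "example-a.test": '<script>ga("create", "UA-00000001-1", "auto");</script>',
    "example-b.test": '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000001-1"></script>',
    "example-c.test": "<script>gtag('config', 'G-EXAMPLE0000');</script>",
    "example-d.test": "<html><body>no analytics here</body></html>",
}

# Matches classic Universal Analytics IDs (UA-xxxx-y) and GA4 measurement IDs (G-xxxx).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

def cluster_by_analytics_id(pages):
    """Group domains that embed the same Google Analytics / gtag ID."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in set(GA_ID_RE.findall(html)):
            clusters[ga_id].add(domain)
    # Only an ID shared by two or more domains is a pivot worth reporting.
    return {gid: sorted(doms) for gid, doms in clusters.items() if len(doms) > 1}

# Constructed passive-DNS observations: (domain, first_seen, ip). Not real data.
SAMPLE_PDNS = [
    ("example-a.test", date(2023, 10, 11), "192.0.2.10"),
    ("example-a.test", date(2023, 10, 13), "198.51.100.7"),
    ("example-a.test", date(2023, 10, 16), "203.0.113.22"),
    ("example-c.test", date(2023, 9, 1), "192.0.2.44"),
]

def flag_ip_rotation(records, since, min_distinct_ips=3):
    """Return domains resolved to at least min_distinct_ips different addresses on/after `since`."""
    ips_by_domain = defaultdict(set)
    for domain, first_seen, ip in records:
        if first_seen >= since:
            ips_by_domain[domain].add(ip)
    return {d: sorted(ips) for d, ips in ips_by_domain.items() if len(ips) >= min_distinct_ips}

if __name__ == "__main__":
    print(cluster_by_analytics_id(SAMPLE_PAGES))
    print(flag_ip_rotation(SAMPLE_PDNS, since=date(2023, 10, 11)))
```

In practice the HTML would come from archived page captures and the records from a passive-DNS provider; the clustering and rotation logic stays the same.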
For further technical detail and full analysis, see the original Recorded Future write-up and PDF report.