TA402
Repository Navigation
- Actor workbench: TA402
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566.001 Spearphishing Attachment (M3); T1574.001 DLL Search Order Hijacking (M3)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources:
  - SRC-PROOFPOINT-TA402-IRONWIND: domains; payload hashes; attachment chain details
  - SRC-S1-ISRAEL-HAMAS-CYBER-2023: actor context; lure and malware family references
- Tool detail pages: IronWind
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-024/CLM-TA402-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 2 current candidate(s)
- Source IDs in structured data: SRC-PROOFPOINT-TA402-IRONWIND, SRC-S1-ISRAEL-HAMAS-CYBER-2023
Aliases: Molerats, Gaza Cybergang, Extreme Jackal, Frankenstein.
Assessed sponsor: Palestinian-aligned in public reporting.
Relevance
TA402 is relevant to Israeli and regional diplomatic ecosystems because Proofpoint reported targeting of Middle East government entities with compromised ministry accounts, Dropbox-hosted lures, PPAM/XLL attachment chains, and IronWind malware.
Defensive Focus
- Compromised trusted senders.
- Government-themed phishing.
- Rare Office add-ins such as PPAM and XLL.
- Archive and file-sharing delivery chains.
Detection Ideas
- PPAM, XLL, or RAR execution from email or download paths.
- Dropbox or cloud-file links followed by Office add-in execution.
- Inbound messages from partner ministries that deviate from historical volume or attachment patterns.
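As an added example (not part of this workbench or its cited sources), the first two detection ideas expressed as rules over endpoint telemetry, run against constructed sample events; the event schema, path patterns, host names and the 30-minute correlation window are assumptions.

```python
"""Added example: TA402-style delivery-chain detections over constructed endpoint events."""
import re
from datetime import datetime, timedelta

# Office add-in and archive extensions named in the actor's attachment chains.
ADDIN_EXT = re.compile(r"\.(ppam|xll)$", re.IGNORECASE)
RISKY_EXT = re.compile(r"\.(ppam|xll|rar)$", re.IGNORECASE)
# Assumed locations where mail clients and browsers drop attachments and downloads.
DELIVERY_PATHS = re.compile(r"\\(Downloads|INetCache|Outlook|Temp)\\", re.IGNORECASE)
CLOUD_HOSTS = ("dropbox.com", "dl.dropboxusercontent.com")


def addin_from_delivery_path(event):
    """Rule 1: PPAM, XLL or RAR opened from an email or download path."""
    target = event.get("target_file", "")
    return bool(RISKY_EXT.search(target) and DELIVERY_PATHS.search(target))


def cloud_link_then_addin(events, window=timedelta(minutes=30)):
    """Rule 2: cloud-file link visit followed by Office add-in execution on the same host."""
    visits = [e for e in events if e["type"] == "url" and any(h in e["url"] for h in CLOUD_HOSTS)]
    hits = []
    for e in events:
        if e["type"] != "file" or not ADDIN_EXT.search(e.get("target_file", "")):
            continue
        for v in visits:
            if v["host"] == e["host"] and timedelta(0) <= e["ts"] - v["ts"] <= window:
                hits.append((v["url"], e["target_file"]))
    return hits


T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real observations
    {"type": "url", "host": "ws01", "ts": T0, "url": "https://www.dropbox.com/s/example/agenda.rar"},
    {"type": "file", "host": "ws01", "ts": T0 + timedelta(minutes=4), "parent": "winrar.exe",
     "target_file": r"C:\Users\a\Downloads\agenda\brief.ppam"},
    {"type": "file", "host": "ws02", "ts": T0 + timedelta(minutes=6), "parent": "excel.exe",
     "target_file": r"C:\Program Files\Analysis\solver.xll"},  # legitimate add-in location
]


def run_rules(events):
    """Evaluate both rules; returns matched file paths (rule 1) and (url, file) pairs (rule 2)."""
    rule1 = [e["target_file"] for e in events if e["type"] == "file" and addin_from_delivery_path(e)]
    return {"rule1": rule1, "rule2": cloud_link_then_addin(events)}


if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
```

Only the add-in dropped under a Downloads path fires; the XLL under Program Files is left alone, which is the baseline suppression a production rule would need before adding sender-deviation logic from the third idea.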
Sources: SRC-PROOFPOINT-TA402-IRONWIND, SRC-S1-ISRAEL-HAMAS-CYBER-2023.