Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage

Community Feature - @ChicagoCyber

A Curated Intelligence APT hunter - Joshua Miller - recently published new intelligence with Proofpoint on TA402 (aka Molerats), a likely Palestinian-aligned advanced persistent threat actor.

Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage | Proofpoint US

The group is actively engaged in campaigns leveraging a new implant, dubbed NimbleMamba, which is likely a replacement for its LastConn implant used previously. These campaigns have a complex attack chain that leverages geofencing and URL redirects to legitimate sites in order to bypass detection efforts.

TA402 activities:

  • In June 2021, TA402 appeared to halt its activities for a short period of time, almost certainly to retool
  • In a November 2021 campaign, TA402 masqueraded as the Quora website while using an actor-controlled Gmail account with an actor-controlled domain
  • In December 2021, TA402 used multiple phishing pretences, including clickbait medical lures and ones allegedly sharing confidential geopolitical information
  • In their latest campaigns (January 2022), TA402 continued to use lure content customized for each of their targets but slightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content let us know!