Latest Update: 11/03/2026

Threats Feed

  1. Public

    Rocket Kitten’s Operation Woolen-GoldFish Targets Israeli and European Organizations

    This Trend Micro report details the activities of Rocket Kitten, a cyber threat group targeting Israeli and European organisations. The report focuses on two campaigns: a malware campaign using the GHOLE malware, possibly dating back to 2011, and a suspected state-sponsored operation, 'Operation Woolen-GoldFish', involving spear-phishing attacks. Analysis shows possible links to an individual using the alias "Wool3n.H4t", possibly Iranian, and highlights the group's increasing sophistication despite using relatively simple techniques such as macros. The overall aim is to inform readers of Rocket Kitten's methods and suspected politically motivated objectives, suggesting Iranian involvement.

  2. Public

    Gholee Malware Exploits Israel-Gaza Conflict Theme in Targeted Cyberattack

    During the 2014 Israel-Gaza conflict, a spear-phishing campaign themed around "Operation Protective Edge" emerged, targeting Israeli entities. The Gholee malware, delivered via a malicious Excel file named ‘Operation Protective Edge.xlsb’, relied on social engineering to get the victim to enable VBA macro execution and so compromise the system. The malware featured obfuscation and evasion techniques, including ASCII character encoding and debugger detection, to avoid security measures. It communicated with a server in Kuwait using an outdated SSL certificate, which suggests sophisticated threat actors possibly linked to state-sponsored activity.

  3. Public

    Mahdi (Madi) Malware Campaign Targets Middle Eastern Governments and Infrastructure

    Seculert researchers uncovered a sustained spear-phishing campaign dubbed Mahdi, which relied on malicious Word document attachments delivering a simple malware dropper alongside decoy content related to Iran–Israel electronic warfare. The malware communicated with command-and-control servers using disguised, Google-like web pages, with payload modules Base64-encoded inside HTML. Analysis revealed Farsi language artifacts and Persian calendar dates, suggesting an Iranian nexus. Variants were active from at least December 2011, initially hosted in Iran and later in Canada. The campaign targeted critical infrastructure companies, financial services, and government embassies across Iran, Israel, and other Middle Eastern countries, compromising more than 800 victims over eight months.

  4. Public

    Madi Espionage Campaign Targets Middle Eastern Governments and Critical Sectors

    The Madi campaign is a long-running cyber espionage operation that had been active for nearly a year, targeting individuals and organizations primarily across Iran, Israel, Afghanistan, and other countries worldwide. The attackers relied on basic but effective social engineering techniques, including spear-phishing emails with malicious PowerPoint slide shows and executables whose file extensions were disguised using Right-to-Left Override (RTLO) characters in the filename. Once executed, the Delphi-based malware enabled extensive surveillance through keylogging, screenshot capture, audio recording, and large-scale data theft. Victims included government agencies, critical infrastructure engineering firms, financial institutions, academia, and selected individuals whose communications were monitored over extended periods.

  5. Public

    Madi Trojan Campaign Uses Social Engineering to Target Energy and Government Sectors

    Symantec Security Response has identified Madi, a Trojan used in targeted social engineering campaigns observed since December 2011. The attacks relied on phishing emails carrying malicious PowerPoint attachments that prompted victims to manually execute an embedded file. Once installed, Trojan.Madi enabled information theft, including keylogging, and supported self-updating capabilities. The malware communicated with command-and-control servers hosted primarily in Iran and later Azerbaijan. Targets spanned multiple sectors, including oil and energy companies, government agencies, a foreign consulate, and US-based think tanks. While victims were concentrated in Middle Eastern countries such as Iran, Israel, and Saudi Arabia, infections were also observed globally, from the United States to New Zealand. The campaign relied entirely on social engineering rather than exploits or zero-day vulnerabilities.
