Gholee Malware Exploits Israel-Gaza Conflict Theme in Targeted Cyberattack
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: SSL Stripping, Dropper, Malicious Macro, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Unknown
Threat Overview
During the 2014 Israel-Gaza conflict, a spear phishing campaign themed around Operation Protective Edge emerged, targeting Israeli entities. The Gholee malware was delivered via a malicious Excel file named ‘Operation Protective Edge.xlsb’ and relied on social engineering and VBA macro execution to compromise systems. The malware featured advanced obfuscation and evasion techniques, including ASCII character encoding and debugger detection, to avoid security controls. It communicated with a server in Kuwait using an outdated SSL certificate, suggesting a sophisticated threat actor, possibly linked to state-sponsored activity.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | High |
| Region | Israel | Verified |
Extracted IOCs
- 48573a150562c57742230583456b4c02
- 916be1b609ed3dc80e5039a1d8102e82
- d0c3f4c9896d41a7c42737134ffb4c2e
- 83[.]170.33.37
- 83[.]170.33.60
Tip: 5 related IOCs (2 IP, 0 domain, 0 URL, 0 email, 3 file hash) to this threat have been found.
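As an added defensive example (not part of this report, and not the analysed sample's code), the Python triage check below flags a workbook whose MD5 matches one of the file hashes listed above and, for ZIP-based Office packages such as the .xlsb used here, reports whether a VBA project part is present. The sample package it builds is constructed inline; its part layout assumes the standard OOXML structure.

```python
import hashlib
import io
import zipfile

# File hashes (MD5) listed under "Extracted IOCs" on this page.
KNOWN_BAD_MD5 = {
    "48573a150562c57742230583456b4c02",
    "916be1b609ed3dc80e5039a1d8102e82",
    "d0c3f4c9896d41a7c42737134ffb4c2e",
}

# OOXML part that carries VBA. An .xlsb has no separate "macro-enabled"
# extension, so this part's presence is the file-level tell for macros.
VBA_PART = "xl/vbaProject.bin"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_workbook(data: bytes) -> dict:
    """Return a small verdict dict for one workbook blob."""
    verdict = {
        "md5": md5_hex(data),
        "ioc_hash_match": md5_hex(data) in KNOWN_BAD_MD5,
        "is_zip_package": False,
        "has_vba": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return verdict  # legacy OLE2 (.xls) or not an Office file at all
    verdict["is_zip_package"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        verdict["has_vba"] = VBA_PART in zf.namelist()
    return verdict


def build_sample_xlsb(with_vba: bool) -> bytes:
    """Constructed stand-in for an .xlsb package (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00" * 16)
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_workbook(build_sample_xlsb(flag)))
```

A hash match is only useful against the exact sample; the VBA-part check catches recompiled or re-saved variants that a hash list misses.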
FAQs
Understanding the "Gholee" Spear Phishing Campaign
A spear phishing campaign used a file titled “Operation Protective Edge.xlsb” to infect targets with malware when they enabled macros in Excel.
While the report does not name a specific group, it suggests the attacker was a highly skilled and professional actor due to the malware’s sophistication.
The goal was likely intelligence gathering or system compromise, achieved by tricking victims into executing hidden malicious code.
The campaign targeted Israeli recipients during the 2014 Gaza conflict, likely aiming at sensitive or high-value individuals or entities.
Once the victim enabled macros, the malware built a hidden file and executed it, establishing communication with a remote server while evading detection.
Conflict themes increase emotional engagement and perceived urgency, improving the chances of the target opening the file and enabling macros.
Avoid opening unexpected documents, never enable macros unless certain they are safe, and keep antivirus software and policies up to date.
This campaign was targeted and sophisticated, not widespread. However, the techniques used are common in advanced phishing attacks.