While many Hamas-associated cyber activities have been halted amid the ongoing war, one advanced persistent threat group is gaining notoriety
In recent months amid persistent tensions in the Middle East, various threat actors have taken advantage of the conflict to create targeted deceptive lures.
One advanced persistent threat (APT) is the WIRTE group, originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the covert organization has gained notoriety for its politically driven cyber-espionage activities, focusing on intelligence gathering that likely ties into the complexities of regional geopolitical conflicts.
The group targets entities in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, Iraq, and Saudi Arabia.
WIRTE activities examined
According to Check Point Research (CPR), several WIRTE espionage campaigns use malicious RAR files that lead to initial-stage malware which sends the attacker the victim’s MS Office version, operating system version, computer name, username, and a list of installed programs. These campaigns are likely precursors to infections with additional malware that has wider capabilities:
- In September 2024, the APT started a new infection chain using malicious PDF files containing Havoc, an open-source framework intended for advanced cyber operations. Once attackers gain access, they can maintain persistent control, enabling them to carry out various malicious activities, including data exfiltration, lateral movement, and remote access.
- In October 2024, WIRTE launched a malicious email campaign targeting various organizations in Israel, such as hospitals and municipalities, claiming that the user’s device was the target of a state-backed threat actor. The email included a link to a URL that claims to install a threat protection program. However, this link actually points to a wiper specifically designed to cause data destruction. This wiper is an updated version of the previously reported Samecoin wiper, which was used earlier this year in a malicious campaign that impersonated the Israeli National Cyber Directorate (INCD). The URL in the malicious email initiates an infection chain which, at some point, directs victims to a malicious file that tries to connect to the Israel Home Front Command site to verify that the victim is in Israel, as the site can only be accessed from within Israel. The malware then decrypts the following files to be executed:
- A wallpaper mentioning Al-Qassam Brigades, the military wing of Hamas
- A graphic Hamas propaganda video showing attacks from 7 October
- A wiper designed to erase or corrupt data on a computer or network
- An “infector component” that sends an attachment to other addresses in the same organization and copies the wiper files to other computers in the same network
Forensic analysis
CPR has noticed the threat group’s consistent focus on the Palestinian Authority (political rivals of Hamas), and other additional clues suggest a connection between WIRTE and Hamas. The use of imagery associated with Hamas’s military wing, the Al-Qassam Brigades, could potentially indicate a false flag operation; however, such references have not been observed in attacks attributed to other groups, including Iranian factions.
WIRTE’s propaganda content and themes specifically target Israeli audiences, along with phishing emails directed at Israeli recipients. Additionally, the wiper malware is activated only if the target country is Israel, or when the system language has been set to Hebrew.
It seems there are two critical goals at play here: one focused on disruption within Israel, while the other targets espionage activities in neighboring countries. This dual approach highlights the intricate dynamics of regional conflicts and the differing priorities of those involved.