Following the digital trails of an app shared on Telegram, analysts have uncovered a cyber threat group’s infrastructural traits and links.

According to a report by an intelligence firm, an application shared on a Telegram channel used by members/supporters of the Hamas movement is likely linked to TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber threat group believed to be part of the organization.

Furthermore, based on domain naming conventions, another infrastructure link was identified that suggests a likely Iran-related link.

Firstly, the application was shared in a Telegram channel claiming affiliation with Hamas’ Izz Ad Din al Qassam Brigades in order to enhance the dissemination of the organization’s narratives via that application. Analysis of multiple domains revealed that they shared a specific Google Analytics code; various domains were also identified redirecting to the Izz Ad Din al Qassam Brigades website.
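The pivot described above, grouping domains by a shared Google Analytics code and by a common redirect target, can be sketched as follows. This is an added example, not code from the report; the domains, analytics IDs and snapshot layout are constructed, and collapsing `UA-<account>-<property>` IDs to their account portion is a choice made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Universal Analytics IDs are UA-<account>-<property index>; sites under one
# account share the account part, so only that part is captured. GA4 IDs
# (G-XXXXXXXXXX) are kept whole. Loose patterns: review hits manually.
GA_ID = re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b|\b(G-[A-Z0-9]{8,12})\b")
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)", re.I)

def pivots(snapshot):
    """Return pivot keys (analytics IDs, redirect hosts) for one crawl snapshot."""
    keys = set()
    html = snapshot.get("html", "")
    for ua_account, ga4 in GA_ID.findall(html):
        keys.add(("analytics", ua_account or ga4))
    # Redirects can arrive as an HTTP Location header or an HTML meta refresh.
    targets = [snapshot.get("location")] + META_REFRESH.findall(html)
    for target in filter(None, targets):
        host = urlparse(target).hostname  # None for relative URLs, skipped
        if host:
            keys.add(("redirect", host.lower()))
    return keys

def cluster(snapshots):
    """Map each pivot seen on two or more domains to the sorted domains sharing it."""
    groups = defaultdict(set)
    for domain, snap in snapshots.items():
        for key in pivots(snap):
            groups[key].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed sample crawl results (hypothetical domains and IDs).
SAMPLE_SNAPSHOTS = {
    "news-portal.example": {
        "html": "<script>ga('create', 'UA-1234567-1', 'auto');</script>"},
    "app-download.example": {
        "html": "<script>ga('create', 'UA-1234567-4', 'auto');</script>"
                '<meta http-equiv="refresh" content="0; URL=https://brand-site.example/">'},
    "mirror-site.example": {
        "location": "https://brand-site.example/ar/", "html": ""},
    "unrelated.example": {
        "html": "<script>ga('create', 'UA-7654321-1', 'auto');</script>"},
}

if __name__ == "__main__":
    for (kind, value), domains in sorted(cluster(SAMPLE_SNAPSHOTS).items()):
        print(f"{kind:9} {value:20} {', '.join(domains)}")
```

A shared analytics account or redirect target is a lead rather than proof of common ownership, so each cluster still needs corroboration from registration and hosting data.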

Secondly, domain registration tradecraft commonly associated with TAG-63 was observed, which shared the website redirect to the Izz Ad Din al Qassam Brigades website. A significant uptick in network traffic to the IP addresses hosting alqassam[.]ps has been observed, which overlapped with the start of Hamas’s attack on October 7, 2023. Also noted was a significant reduction in traffic on October 10. This is potentially due to website outages or denial-of-service attacks directed at the website by third parties.

Thirdly, analysts from Insikt Group believe that infrastructure likely operated by the same threat actors has revealed an Iran nexus, based on subdomain naming registration conventions. One of the subdomains associated with this cluster hosted a spoofed page associated with the World Organization Against Torture.

From October 11, 2023, onward, the domain pointed to multiple different IP addresses, which is likely related to attempts to ensure operability and to evade website takedowns or, potentially, denial-of-service (DoS) attacks. The infrastructure overlaps identified between the Hamas application and the cluster of domains suspected to be linked to TAG-63 tradecraft are notable because they depict not only a possible slip in operational security, but also ownership of the infrastructure shared between groups. One hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.