Check Point research links recent ESET impersonation to group.
The WIRTE threat actor, formerly linked to Hamas, is using lures related to recent events in Gaza for espionage operations and cyber-attacks.
According to Check Point, the group has expanded its operations beyond espionage to conduct disruptive attacks, and the company found clear ties between the custom malware used by the group and SameCoin, a wiper that targeted Israeli entities in two waves, in February and October 2024.
Multiple Campaigns
The company said it had observed multiple campaigns using malware connected to WIRTE since October 2023, including several espionage campaigns in which malicious RAR files were identified.
“This led to initial stage malware that sends the attacker the victim’s Office version, operating system version, computer name, username, and a list of installed programs,” the company claimed. “It’s likely to be followed by additional malware with wider capabilities.”
Check Point also related the group to the recent email campaign, where an attacker claimed to be an affiliate of ESET, and impersonated the Israeli National Cyber Directorate (INCD).
“The campaign’s messaging in disruptive attacks and a consistent focus on the Palestinian Authority, political rivals of Hamas, together with multiple historical links published over the years, suggests a connection between WIRTE and Hamas,” the company said, also citing the use of imagery associated with Hamas’s military wing and the Al-Qassam Brigade.
“WIRTE’s targeting strategy aligns closely with Hamas’s interests, particularly about Palestinian issues,” it said. “Furthermore, WIRTE’s historical associations with groups like the Molerats and the Gaza Cyber Gang, both of which have ties to Hamas, reinforce the likelihood of their connection to the organization.”
Targeting Israel
The lures are most likely targeting the Palestinian Authority, Jordan, Egypt, Iraq, and Saudi Arabia, while propaganda content and themes specifically targeted Israeli audiences, along with phishing emails directed at Israeli recipients.
Also, the wiper activates only if the target country is Israel or the system language is set to Hebrew.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.