Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More
SpiderLabs Blog

Overview of the Cyberwarfare Used in the Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground invasion of Gaza to free the hostages and dismantle Hamas. The conflict quickly spilled into cyberspace, turning into an online war of attacks and disinformation involving many different hacker groups.


Figure 1. The Ghost of Palestine cyber group welcomes the Hamas attack and calls on others to join under its banner.


In this blog we summarize selected cyberwarfare activity, discuss the differences and similarities in cyberwarfare tactics between the Israel-Hamas war and the Ukraine-Russia conflict, and show how other threat actors have leveraged the Israel-Hamas conflict in phishing attacks.


Overview of the Cyber Groups Involved

According to SOCRadar, there are 72 pro-Palestinian cyber groups, 17 pro-Israeli, and 3 acting against both sides. During its research, Trustwave SpiderLabs identified 41 more groups named in cyberattacks, mostly DDoS, against Israel, for a total of 133 groups.


Figure 2. Division of the cyber groups by the side they support.


The majority of the groups, approximately 85%, appear to be pro-Palestinian. A smaller share, around 13%, appear to be affiliated with or supportive of Israel. A minor portion, about 2% (3 of the 133 groups), appear to be acting against both sides in the conflict. This distribution reflects the diverse and complex nature of the situation in the region.


Figure 3. Geographic association of selected cyber groups participating in the online conflict.


The pro-Israeli side includes groups such as Red Evils, Israeli Cyber Defense, and SilentOne, but also Indian Cyber Force, Indian Cyber Sanatani, and UCC Team.


Figure 4. The pro-Israeli Red Evils group.


The pro-Palestinian list includes teams tied to Hamas, Hezbollah, and Iran, as well as groups from other Islamic countries such as Algeria, Morocco, and Malaysia. It was not a major surprise to see KillNet on the list, likely due to its mutual agreements with Anonymous Sudan. Below is a Telegram post in which KillNet declares support for the Palestinian resistance alongside Anonymous Sudan.


Figure 5. Telegram post demonstrating KillNet's support for the Palestinian resistance.


Some underground cyber groups have chosen to stay neutral. One example is ThreatSec, which declared that it would continue attacking both sides of the conflict regardless.


Figure 6. ThreatSec statement on Telegram declaring neutrality.


The Differences and Similarities to Russia – Ukraine War

The Israel-Hamas conflict has a different background than the Russia-Ukraine war, but there are similarities. The main difference is that Russia planned its invasion, whereas Israel was taken by surprise by the Hamas attack and was not prepared for it, particularly from a cyberwarfare perspective.

In the Ukraine-Russia war, destructive cyberattacks were often coordinated with the ground offensive. One such attack happened on February 24, 2022, the day the war started, when a cyberattack against Viasat's KA-SAT satellite network, using the AcidRain wiper, disrupted communication lines used by the Ukrainian army as well as several thousand customers in Ukraine and tens of thousands across Europe. In the Israel-Hamas war, however, the destructive attacks against Israel did not appear to be coordinated with the ground offensive, and although a few wiper variants were reported, we did not observe any meaningful impact from their use.


Figure 7. Timeline of the attacks conducted by pro-Palestinian and pro-Israeli groups.


Similarities include the use of online propaganda, disinformation, and DDoS attacks against government and private-sector websites. Disinformation and propaganda are pivotal elements of information warfare, and the Hamas attack on Israel and the subsequent Israeli assault on Gaza have led to a surge in misinformation, hate speech, and violent content online.

Both factions employ similar social engineering techniques to discover the positions of combatants or gather information about attack plans. Below is an example shared by an Israeli soldier, in which an unknown profile, apparently portraying a woman, attempts to establish contact to acquire intelligence.


Figure 8. An Israeli soldier demonstrates an interaction with a deceptive account attempting to initiate contact.


Such honey-trapping techniques rely not only on text but also on voice and video messages. The most common questions were: Where do you serve, in what territory, and when are you going to enter Gaza? We have seen this tactic used successfully by Ukrainian supporters against the Russian army, with Russian soldiers giving away unit locations and subsequently being hit by artillery strikes.


Propaganda, Artificial Intelligence, and Fake Claims

The use of convincing AI-generated photos is contributing to the spread of misinformation and propaganda, likely making this the first armed conflict in which AI has been widely used.

In any conflict the public is confronted with profoundly distressing and disturbing visuals, but the use of AI-generated images can significantly erode public confidence in the information being disseminated.

Figure 9. An image depicting a man carrying children through rubble, shared on Facebook.


An image depicting a man carrying children through rubble circulated widely on social media and was linked to Israel's bombing of the Gaza Strip. However, as pointed out by Siwei Lyu, director of the Media Forensic Lab, the image shows signs of AI manipulation.


Figure 10. Analysis by Media Forensic Lab director Siwei Lyu highlighting signs of AI manipulation. Source: AFP


This is just one of numerous social media posts featuring conflict-themed images generated with AI. Below are additional examples of posts containing images with discernible generation artifacts.

Figure 11. Social media posts containing images that appear to be AI-generated.


The use of AI-generated material in propaganda is not only widespread but has been commercialized: Adobe's stock platform has been used to sell AI-generated conflict-themed images depicting the violence.


Figure 12. AI-generated images depicting the Gaza bombing, available on Adobe's stock platform.


Conflict zones are always marked by uncertainty and misinformation, and AI-generated content muddies the waters further. The technology blurs the line between reality and fiction, which makes vigilance as consumers of information all the more important.

Some companies have started offering technology for detecting AI-generated content. One Israeli vendor, Eternity-IT, has offered its technology for detecting such content specifically in the context of the Israel-Hamas conflict. In some cases it detects photos taken from other events and times, or photos created with generative AI. Interestingly, according to the vendor, it uses AI to achieve that.


Fabricated Evidence of Dorad Power Plant Attack Used by Cyber Av3ngers

An example of a disinformation tactic used in this conflict is the alleged hack of the Israeli Dorad power plant, announced on October 8, 2023, by the underground group Cyber Av3ngers. The group shared photos of the alleged hack bearing a logo in the Palestinian flag colors and political messages. However, Kaspersky researchers found that the data published by Cyber Av3ngers came from older leaks by another hacktivist group, Moses Staff. The initial Moses Staff disclosure in June 2022 contained data from multiple Israeli companies, including files associated with the Dorad power plant breach.


Figure 13. Comparison of the image released by Cyber Av3ngers with one found in the Moses Staff leak. Source: Securelist


Moses Staff is an Iranian hacker group first identified on underground forums in September 2021, as described by Check Point researchers. The group's primary goal is inflicting damage, usually through disk encryptors followed by publication of the exfiltrated data. While its primary targets are Israeli companies, Moses Staff also attacks organizations in other countries.


Attacks Against IOT Devices and ICS Systems

Cybercriminals frequently target Internet of Things (IoT) devices because of their prevalence and weak security. Individuals and companies alike integrate IoT devices into their networks without being aware of the hidden risks, creating an entry point for attackers. Trustwave SpiderLabs identified compromised IoT devices such as network printers and IP cameras in Shodan, located in both Israeli and Palestinian territories.


Figure 14. Compromised Palestinian devices visible in Shodan, discovered by SpiderLabs.


Figure 15. Compromised Israeli devices visible in Shodan, discovered by SpiderLabs.


Multiple underground groups claimed to have compromised network devices in Israel and Gaza. One such claim came from the Indian Cyber Force, which said it had conducted a mass attack against network devices in the Gaza region; Trustwave was unable to confirm the compromise of the roughly 200 devices claimed.


Figure 16. Indian Cyber Force claims access to more than 200 network devices.


Attacks on Industrial Control Systems (ICS) are a critical cybersecurity concern, posing substantial risks to critical infrastructure worldwide. ICS, which manage and control industrial processes in sectors such as energy and utilities, have become attractive targets for malicious actors. Successful ICS breaches can lead to physical damage, operational disruption, and threats to public safety.

In mid-October 2023, the pro-Israeli Red Evils team claimed to have infiltrated the Iranian energy system and two Iranian oil supply systems. There were no official reports of power outages in Iran, but Red Evils posted a large number of files, 12 GB in total, relating to the claimed breach.


Figure 17. The pro-Israeli Red Evils claim to have accessed the Iranian energy system and two Iranian oil systems.

Red Evils is a focused and highly active group. During this period it targeted many Hamas websites and businesses in Iran's nuclear, oil, and energy sectors. It also continues to attack targets in various countries that support the Palestinians.


Attacks Against Water Utility Control Systems

On November 25, 2023, the Municipal Water Authority of Aliquippa, Pennsylvania, reported that one of its booster stations had been hacked by an Iranian-backed cyber group. As reported by CNBC, the station, located on the outskirts of town, monitors and regulates pressure for Raccoon and Potter Townships.

The compromised system was a Unitronics V570 PLC, and the message left on its display indicated that the Cyber Av3ngers group was responsible for the attack.


Figure 18. Message left by Cyber Av3ngers on the compromised Unitronics PLC. Source: CNBC


On November 28 a message appeared on the Cyber Av3ngers Telegram channel claiming the hack of the Municipal Water Authority of Aliquippa.


Figure 19. Cyber Av3ngers Telegram channel, stating that all Israeli-made equipment is a target for the group.


Notably, the group removed all of its previous posts and kept only the most recent one, likely anticipating heightened interest in its activities.

Unitronics is an Israeli manufacturer of Programmable Logic Controllers (PLCs), and its devices are widely used worldwide. SpiderLabs identified over 1,800 Unitronics devices exposed to the internet in Shodan.


Figure 20. Internet-exposed Unitronics PLC devices.


Trustwave SpiderLabs was likely able to locate in Shodan the Unitronics V570 controller that was the object of the reported attack: the PLC name reads "Raccoon Primary PLC" and the location points to McKeesport, very close to the affected area. The device was observed with the Unitronics PCOM TCP port exposed. PCOM is a proprietary Unitronics protocol for remote management of the PLC (TCP port 20256). It answers unauthenticated queries that return the PLC model, hardware version, OS build and OS version, PLC name, and UnitID. This information lets an attacker look up applicable vulnerabilities and exploits without ever authenticating.
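The unauthenticated fingerprint query described above, as an added example that is not part of the original post or of any Unitronics or SpiderLabs tooling: it builds a PCOM/TCP ASCII "ID" request, parses the reply, and exercises the parser against a constructed reply so it runs offline. The 6-byte TCP header layout, the ASCII framing (`/`, two-hex-digit unit ID, command, data, two-hex-digit checksum, CR) and the checksum rule (sum of the ASCII codes between `/` and the checksum, modulo 256) follow my reading of the public PCOM documentation and should be verified against the vendor specification; the `query_plc_id` helper, the `build_ascii_reply` helper and the sample model string are assumptions. Run it only against devices you own or are authorized to test.

```python
"""Added example: PCOM/TCP ASCII 'ID' request builder and reply parser."""
import socket
import struct

PCOM_TCP_PORT = 20256    # Unitronics PCOM over TCP, as noted in the post
PCOM_MODE_ASCII = 0x65   # header mode byte: 0x65 = ASCII PCOM, 0x66 = binary PCOM (assumption)


def pcom_checksum(body: bytes) -> bytes:
    """Two uppercase hex digits: sum of the ASCII codes of `body`, modulo 256 (assumed rule)."""
    return b"%02X" % (sum(body) & 0xFF)


def build_ascii_request(unit_id: int, command: bytes, data: bytes = b"") -> bytes:
    """ASCII request: '/' + unit id (2 hex chars) + command + data + checksum + CR."""
    body = b"%02X" % unit_id + command + data
    return b"/" + body + pcom_checksum(body) + b"\r"


def build_tcp_frame(message: bytes, transaction_id: int = 1) -> bytes:
    """PCOM/TCP header (assumed layout): transaction id, mode, reserved 0, payload length; little-endian."""
    return struct.pack("<HBBH", transaction_id, PCOM_MODE_ASCII, 0, len(message)) + message


def parse_ascii_reply(frame: bytes) -> dict:
    """Validate header, framing and checksum of an ASCII reply ('/A...') and return its fields."""
    if len(frame) < 6:
        raise ValueError("frame too short for PCOM/TCP header")
    transaction_id, mode, _reserved, length = struct.unpack("<HBBH", frame[:6])
    message = frame[6:6 + length]
    if mode != PCOM_MODE_ASCII or len(message) != length:
        raise ValueError("unexpected PCOM/TCP header")
    if not message.startswith(b"/A") or not message.endswith(b"\r") or len(message) < 9:
        raise ValueError("not a PCOM ASCII reply")
    body, checksum = message[1:-3], message[-3:-1]   # body = 'A' + unit id + command + data
    if pcom_checksum(body) != checksum:
        raise ValueError("checksum mismatch")
    return {
        "transaction_id": transaction_id,
        "unit_id": int(body[1:3], 16),
        "command": body[3:5].decode("ascii"),
        "data": body[5:].decode("ascii", errors="replace"),
    }


def query_plc_id(host: str, port: int = PCOM_TCP_PORT, unit_id: int = 0, timeout: float = 3.0) -> dict:
    """Send the unauthenticated 'ID' command and return the parsed reply (authorized targets only)."""
    request = build_tcp_frame(build_ascii_request(unit_id, b"ID"))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = sock.recv(1024)
    return parse_ascii_reply(reply)


def build_ascii_reply(unit_id: int, command: bytes, data: bytes) -> bytes:
    """Constructed reply builder, used only so the example can be exercised offline."""
    body = b"A" + b"%02X" % unit_id + command + data
    return b"/" + body + pcom_checksum(body) + b"\r"


# Constructed sample: what a V570 might answer to 'ID'. The model string is illustrative, not captured.
CONSTRUCTED_REPLY = build_tcp_frame(build_ascii_reply(0, b"ID", b"V570-57-T20B"))


if __name__ == "__main__":
    print("request:", build_tcp_frame(build_ascii_request(0, b"ID")))
    print("parsed :", parse_ascii_reply(CONSTRUCTED_REPLY))
```

The parser rejects a reply whose checksum does not match, which is the same check a defender can use to separate real PCOM traffic from scanner noise on port 20256; the exposure itself is the finding, and the fix is to keep PCOM off the internet behind a VPN or jump host rather than to rely on the protocol.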


Figure 21. Unitronics V570 PLC controller located in the affected area.


Similar attacks have been observed against the same Unitronics PLC models in Israel. On April 9, 2023, as reported by JNS, a cyberattack shut down ten water controllers in agricultural areas. Earlier attacks against Unitronics devices in Israel took place on February 7, 2022, as reported by Firedome; the attackers targeted a postal service offering smart mailbox services in Israel.

Compromise of the Red Alert Applications Used in Israel

In Israel, Red Alert applications serve as vital public-safety tools, offering real-time warnings of potential bombings or other security threats. On October 9, just two days after Hamas' attack on Israel, the hacktivist group AnonGhost compromised the Israeli alert app "Red Alert", developed by Koby Snir, by abusing the application's API to send threatening notifications.


Figure 22. The Red Alert app showing threatening notifications to users.


The attackers also shared a Python code snippet for flooding the application's chat.


Figure 23. AnonGhost exposing the API request used to flood the Red Alert application chat.


The developers of the other popular alert apps "Red Alert" and "Tzofar" also appear to have been targeted with Distributed Denial of Service (DDoS) attacks, as indicated by user comments.


Figure 24. Red Alert application review page: a user reports application issues and the developers confirm a DDoS attack.


Figure 25. Tzofar application review page: users report application issues.


Data Exfiltration

SiegedSec, a hacktivist group that emerged during the Russia-Ukraine conflict, has rapidly gained prominence under the leadership of the hacktivist known as "YourAnonWolf," as reported by SOCRadar. Since its emergence the group has steadily escalated its capabilities and announced a growing list of victims, including US government websites, Atlassian, NATO's Communities of Interest (COI) Cooperation Portal, and the Liberia Revenue Authority.

The first significant SiegedSec attack against an Israeli company during the ongoing war targeted a major Israeli Internet service provider. The group claims it hacked into the provider's systems and extracted sensitive data, and says it sent an email from the telecommunication company's portal to the company's subscribers.


Figure 26. SiegedSec leaked file listing customers of the Israeli telecom provider.


Trustwave SpiderLabs examined portions of the leaked data; the email addresses revealed had not appeared in earlier leaks. Approximately 46,500 unique emails were identified, a figure that appears low compared to the provider's customer base. This discrepancy suggests the leak may have originated from one of the company's contractors rather than from the telecommunications provider itself. The company has not issued any official statement regarding the reported leak.


Figure 27. SiegedSec Telegram channel, November 16, 2023, claiming the hacking of several targets in Israel.


On November 16, SiegedSec posted a new statement claiming hacks of one of the largest Israeli supermarket chains, a major Israeli airline, and others.


Figure 28. SiegedSec sample file from the claimed airline hack.


Our analysis of the leaked files shows a mixed timeline. Some files date to 2016, pointing to an older leak as a possible origin, while more recent entries range from 2019 to 2022.

The most recent file identified was from the first half of October 2023.


Figure 29. A leaked file providing an update on the ongoing Israel-Hamas war.


No significant information or company secrets were revealed in the published archive. As of this writing, neither the airline nor the supermarket chain has formally responded to the group's claims. On the other side, the pro-Israeli hacker group We Red Evils OG claimed on November 29 that it had broken into the computer systems of the Iranian judiciary and parliament, and provided a link to the documents. The announcement mixed Hebrew and Arabic; the English translation follows:

We broke into the computerized systems of the Iranian judiciary and parliament and were able to obtain thousands of classified documents of the decision makers on behalf of the Revolutionary Guards.

These documents will not please the Iranian citizens.

It's time for the Iranians to take to the streets and demonstrate!

We heard that soon a huge protest will break out in the streets of Iran, and the organizers will update the participants via text messages to a wide distribution.

Among our exposures you can find bills that harm the status of women in Iran, conclusive evidence of corruption across governmental sectors and more.

Some of the documents are civil matters, full disclosure coming soon, but here's a taste of the stuff in the link below.

A message to the Iranian citizens:

When we entered Iran's judicial system and some of the documents that Iranian citizens don't like to read, it's time for Iranians to go to the streets and demonstrate. We heard that soon every Iranian citizen will send a message with a date for the largest demonstration in Iran. In this case, we will also update the group.

Link to the documents:

The documents uploaded there were mostly procedural documents from legal and civil proceedings; nevertheless, they probably should not be publicly accessible. Here are two examples from those documents, translated to English:

Figure 30. Iranian documents claimed to have been exfiltrated by We Red Evils OG.


RedLine Stealer

As reported by SentinelOne, between October 15 and 19, 2023, the Iranian group Haghjhoyan claimed to have infected 1,000 Israeli computers. The full message shared on its Telegram channel is as follows:

“1000 computers from Israel were infected. This is a gift from Palestinian children to Israel hac*kers and the bast*ard people of Israel.”


Figure 31. Screenshots from infected computers of Israeli citizens, posted by Haghjhoyan. Source: SentinelOne

Screenshots posted on the Haghjhoyan Telegram channel show filenames suggesting the use of malware and social engineering lures. Additional screenshots led SentinelOne researchers to conclude that the RedLine stealer was used in conjunction with PrivateLoader.


SysJoker Backdoor

Recently, Check Point researchers reported a new variant of the SysJoker malware written in Rust. The file was submitted to VirusTotal on October 12, 2023. SysJoker is a multi-platform backdoor which, according to Check Point, may have been used by a Hamas-affiliated group to target Israel. Analysis of the newly discovered SysJoker variants revealed connections to previously undisclosed samples from Operation Electric Powder, a set of targeted attacks against Israeli organizations in 2016-2017.

SysJoker uses a PowerShell cmdlet to establish persistence by adding an entry to the Run key in the HKEY_CURRENT_USER hive. The C2 address is retrieved from OneDrive storage in XOR-encrypted form; using OneDrive as a dead drop lets the attackers update the C2 address easily. This behavior is typical across SysJoker versions.

The response from the C2 server is JSON data containing an array of actions for the sample to execute. One of the possible actions lets SysJoker download, unpack, and execute a secondary payload from a ZIP archive.
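The two host-side behaviors described above (a script host writing a Run-key value in HKCU, and the implant fetching its C2 address from OneDrive) are detectable from endpoint telemetry. The following is an added example, not code from the original post or from Check Point, that runs a small rule set over Sysmon-style events: Event ID 13 (registry value set), Event ID 1 (process creation) and Event ID 22 (DNS query). The events are constructed for the example; the image paths, the `igfxTray` name and the use of `onedrive.live.com` as the dead-drop host are assumptions, and the allowlist of processes expected to resolve OneDrive is a starting point to tune, not a complete list.

```python
"""Added example: flag Run-key persistence written by script hosts in Sysmon-style events."""
import re

# HKCU/HKU ...\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce), in a registry path
# or in a PowerShell command line that uses the HKCU: drive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Processes for which a OneDrive lookup is normal; anything else resolving it is a weak signal.
ONEDRIVE_CLIENTS = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe", "explorer.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event; events are dicts with Sysmon field names."""
    alerts = []
    for ev in events:
        img = image_name(ev.get("Image", ""))
        eid = ev.get("EventID")
        if eid == 13 and img in SCRIPT_HOSTS and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            alerts.append({"severity": "high", "rule": "run_key_set_by_script_host",
                           "image": ev["Image"], "evidence": ev.get("Details", "")})
        elif eid == 1 and img in SCRIPT_HOSTS and RUN_KEY_RE.search(ev.get("CommandLine", "")):
            alerts.append({"severity": "high", "rule": "run_key_cmdline",
                           "image": ev["Image"], "evidence": ev.get("CommandLine", "")})
        elif eid == 22 and img not in ONEDRIVE_CLIENTS and "onedrive" in ev.get("QueryName", "").lower():
            alerts.append({"severity": "low", "rule": "onedrive_lookup_from_unexpected_process",
                           "image": ev["Image"], "evidence": ev.get("QueryName", "")})
    return alerts


# Constructed events modelled on Sysmon output; not telemetry from a real SysJoker infection.
CONSTRUCTED_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\igfxTray",
     "Details": r"C:\Users\victim\AppData\Roaming\igfxTray.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -c New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name igfxTray -Value C:\Users\victim\AppData\Roaming\igfxTray.exe"},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Roaming\igfxTray.exe", "QueryName": "onedrive.live.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "QueryName": "onedrive.live.com"},
]


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert["severity"], alert["rule"], alert["image"], alert["evidence"])
```

The second registry event (OneDrive.exe writing its own Run value) and the Edge DNS lookup are deliberately benign so the rules can be seen not firing; the low-severity OneDrive rule is only useful when correlated with the high-severity ones on the same host.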


DDoS Attacks

In modern conflicts, Distributed Denial of Service (DDoS) attacks have emerged as a potent weapon, used to cripple essential services and render them unavailable. The easy availability of tools on the internet means that anyone can launch a DoS (Denial of Service) attack; more sophisticated attackers use many compromised systems to flood a target and overwhelm its infrastructure.

DoS and DDoS attacks are not a novel tactic, and many organizations and hosting providers have developed mature mitigation strategies and technologies, including traffic scrubbing and resilient infrastructure, to fend off such assaults.

Ganosec, an Indonesia-based group, gained notoriety for earlier DDoS attacks on India, especially during the G20 Summit in September 2023. Its activity goes beyond disruption to include defacements; one defacement linked to the G20 Summit hit the official site of the Indian Directorate General of Training (DGT.GOV.IN). Ganosec publicly declared its pro-Palestinian affiliation and initiated attacks on Israeli websites, including those of the Poriya and Sheba Medical Centers.


Figure 32. Ganosec Team on Telegram, claiming to have DDoSed the Sheba and Poriya medical centers on October 8.


On the opposite side, the pro-Israeli Indian Cyber Force launched some of the first attacks against Palestinian websites, targeting the Palestine Telecommunication Company, the Palestine National Bank, Palestinian government web mail services, and Hamas' official website. These organizations moved to Russian hosting after the attack.


Figure 33. Indian Cyber Force claims to have taken down Hamas' official website.


Later, India was attacked in retaliation by pro-Palestinian groups. The main targets were Indian government websites, including the Delhi government and the All India Institute of Medical Sciences (AIIMS). According to Indian government officials, all of the attacks, the majority of them DDoS, were successfully defended against.


Figure 34. Indian Cyber Force statement about the latest cyberattacks on India.



Website defacement is the unauthorized alteration of a site's appearance and content, typically by attackers who exploit vulnerabilities in the web application or its hosting stack. Common routes in are SQL injection and weak administrative passwords, which give access to the site's administrative functions. The result ranges from inserted political or ideological messages to replacement of the content with offensive or malicious material.

Trustwave SpiderLabs identified several Israeli websites compromised by pro-Palestinian hacking groups. All of these sites are fairly minor and carry little weight in the context of the conflict.


Figure 35. Compromised Israeli websites visible in Google search, identified by SpiderLabs.


Malware Attacks

Web Shells

Attackers frequently deploy web shells after exploiting vulnerable web services, as a stealthy way to maintain access to and control over compromised systems. Web shells are usually malicious scripts, though they can also be compiled programs, that provide a command-and-control interface to the attacker.

Unit 42 researchers reported a series of destructive cyberattacks, beginning in January 2023 and continuing until October 2023, against the education and technology sectors in Israel, conducted by the Iranian-backed APT group Agonizing Serpens (also known as Agrius, BlackShadow, Pink Sandstorm, and DEV-0022).

The attackers reportedly gained initial access by exploiting vulnerable internet-facing web servers and deploying web shells, which gave them a foothold in the network. After stealing information, they deployed wiper malware designed not only to cover their tracks but also to render the affected endpoints inoperable.


Figure 36. Two ASPX web shells with minor differences, used by Agonizing Serpens.


The code functions as a web page that lets the attacker execute server commands via a form submission and returns the output in the response.
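A web root scan for this class of shell, as an added example that is not code from the original post or from Unit 42: it scores ASPX sources on the traits a form-driven command shell needs (reading request input, starting a process, naming a shell binary, capturing its output) and reports files that cross a threshold. The indicators, weights and threshold are my own heuristics to tune per environment, and both sample pages are constructed for the example, modelled on the form-to-command pattern described above rather than copied from the captured shells.

```python
"""Added example: heuristic scan of ASPX sources for command-execution web shells."""
import re
from pathlib import Path

# Each indicator: (regex, weight). Weights and threshold are heuristic choices for this example.
INDICATORS = {
    "process_exec": (re.compile(r"\b(Process\.Start|ProcessStartInfo|System\.Diagnostics\.Process)\b"), 3),
    "shell_binary": (re.compile(r"\b(cmd\.exe|powershell(?:\.exe)?)\b", re.IGNORECASE), 2),
    "output_capture": (re.compile(r"StandardOutput\.ReadToEnd\s*\("), 2),
    "dynamic_code": (re.compile(r"\b(Assembly\.Load|CSharpCodeProvider|CompileAssemblyFromSource)\b"), 3),
    "request_input": (re.compile(r"\bRequest(?:\.Form|\.QueryString|\.Params)?\s*\[\s*[\"']"), 1),
}
THRESHOLD = 5
ASPX_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax"}


def score_source(text: str):
    """Total weight of the indicators present, plus the sorted list of their names."""
    hits = {name: weight for name, (rx, weight) in INDICATORS.items() if rx.search(text)}
    return sum(hits.values()), sorted(hits)


def classify(text: str) -> dict:
    score, hits = score_source(text)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


def scan_directory(root: str):
    """Walk a web root and return (path, result) for every ASP.NET file over the threshold."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in ASPX_SUFFIXES and path.is_file():
            result = classify(path.read_text(errors="replace"))
            if result["suspicious"]:
                findings.append((str(path), result))
    return findings


# Constructed sample: a form-driven command shell of the kind described in the post.
CONSTRUCTED_WEBSHELL = """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
  string c = Request.Form["c"];
  if (c != null) {
    ProcessStartInfo psi = new ProcessStartInfo("cmd.exe", "/c " + c);
    psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    Response.Write("<pre>" + Server.HtmlEncode(p.StandardOutput.ReadToEnd()) + "</pre>");
  }
}
</script>
<form method="post"><input name="c"/><input type="submit"/></form>
"""

# Constructed sample: a harmless contact form that also reads request input.
CONSTRUCTED_CONTACT_FORM = """<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
  string email = Request.Form["email"];
  if (email != null) { Response.Write("Thanks, " + Server.HtmlEncode(email)); }
}
</script>
<form method="post"><input name="email"/><input type="submit"/></form>
"""


if __name__ == "__main__":
    print("shell  :", classify(CONSTRUCTED_WEBSHELL))
    print("benign :", classify(CONSTRUCTED_CONTACT_FORM))
```

Reading request input alone scores 1, so ordinary forms do not trip the threshold; it is the combination with process execution and output capture that does. Pair the content scan with file-integrity baselines of the web root and IIS logs showing POSTs to unexpected ASPX paths, since a shell can be obfuscated past any regex list.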


Wiper Malware

Once the web shells were in place, the attackers proceeded to steal sensitive data such as personally identifiable information (PII) and intellectual property. SpiderLabs researchers were able to retrieve the "sqlexctractor" tool used in these attacks. The tool has broad capabilities for working with SQL databases; its main purpose is to extract all available data from a targeted SQL database.


Figure 37. A sqlexctractor method that dumps a limited number of rows from a SQL database to a file.


The application extracts SQL Server table data. Depending on whether a column holds binary data, it writes the value directly (non-binary) or converts it to Base64 before appending it to the output file. Once data theft was complete, the attackers moved to the final phase and deployed three data wipers on the systems:


MultiLayer Wiper: .NET malware that enumerates files and deletes them or corrupts them with random data, making recovery extremely difficult, and renders the system unusable by wiping the boot sector.


Figure 38. MultiLayer wiper routine using a scheduled task and wevtutil to delete event logs. Source: Unit 42


PartialWasher: A C++-based wiper that scans drives to wipe specified folders and their subfolders.


BFG Agonizer: a wiper that leverages the open-source CRYLINE-v5.0 project and corrupts boot sectors, rendering the targeted system inoperable.


Figure 39. BFG wiper routine overwriting the boot sectors. Source: Unit 42


Unit 42 also identified an apparent improvement in the group's capabilities, including efforts to bypass endpoint detection and response (EDR) and other security controls. To achieve this, Agonizing Serpens rotates between known proof-of-concept (PoC) and penetration-testing tools as well as custom tooling, an ongoing and concerning evolution of its tactics and resources.


BiBi Wiper

On October 30, Security Joes reported a new Linux wiper targeting Israeli organizations, dubbed BiBi. The unusual name comes from the dropped filename, "bibi-linux.out"; BiBi is the nickname of Israeli Prime Minister Benjamin Netanyahu. One day later, ESET Research reported a Windows version of the BiBi wiper, with a compilation timestamp of 2023-10-22 00:24:41 UTC; the Windows variant is covered extensively in research published on GitHub. Both BiBi wipers are linked to the BiBiGun group, which is related to Hamas.

Trustwave SpiderLabs researchers performed additional analysis of the BiBi samples to confirm the published findings. Both variants operate the same way: each file is overwritten with a random byte sequence sized to the file, then renamed to random letters and digits with the extension ".BiBi" followed by a single digit 0-9, i.e. <random_name>.BiBi[0-9]. Both variants are multithreaded, so they process files concurrently and inflict damage faster. The wiper loops until every file has been overwritten.

On Windows, the BiBi wiper targets files under the hardcoded directory "C:\Users" and on all removable, RAM-disk, and fixed drives other than C:. To hinder recovery further, BiBi runs commands that disable the recovery environment and delete shadow copies. The wiper uses a trivial string obfuscation: the command strings are stored reversed. After reversal they read:

  • cmd.exe /c bcdedit /set {default} recoveryenabled no
  • cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures
  • cmd.exe /c wmic shadowcopy delete
  • cmd.exe /c vssadmin delete shadows /quIet /all
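As an added defender-side example (not code from the original report or from the BiBi samples), the Python snippet below undoes the reversed-string obfuscation, matches the recovered strings against the recovery-tampering commands listed above, and flags filenames that follow the <random_name>.BiBi[0-9] renaming pattern. The detection tags, the assumption that the random name is alphanumeric, and the sample strings and listing are all constructed for illustration.

```python
import re
from typing import List, Optional

# Post-wipe filename pattern: <random_name>.BiBi<single digit>.
# Assumption: the random name consists of letters and digits only.
BIBI_NAME_RE = re.compile(r"^[A-Za-z0-9]+\.BiBi[0-9]$")

# Recovery-tampering commands the wiper issues, keyed by a constructed detection tag.
RECOVERY_TAMPERING = {
    "disable_winre": "bcdedit /set {default} recoveryenabled no",
    "ignore_boot_failures": "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "wmic_shadow_delete": "wmic shadowcopy delete",
    "vssadmin_shadow_delete": "vssadmin delete shadows",
}


def deobfuscate_reversed(s: str) -> str:
    """Undo BiBi's string obfuscation, which simply stores commands reversed."""
    return s[::-1]


def normalize_cmdline(cmd: str) -> str:
    """Lower-case, collapse whitespace and join split switches such as '/ c'."""
    cmd = re.sub(r"/\s+", "/", cmd.lower())
    return " ".join(cmd.split())


def classify_command(cmd: str) -> Optional[str]:
    """Return the tag of a known recovery-tampering command, or None.
    The string is tried as-is (e.g. from a process event) and reversed
    (as it sits inside the binary)."""
    for candidate in (cmd, deobfuscate_reversed(cmd)):
        norm = normalize_cmdline(candidate)
        for tag, pattern in RECOVERY_TAMPERING.items():
            if pattern in norm:
                return tag
    return None


def wiped_files(names: List[str]) -> List[str]:
    """Return the entries of a directory listing that look BiBi-renamed."""
    return [n for n in names if BIBI_NAME_RE.match(n)]


# Constructed samples: reversed strings as they would appear in the binary,
# plus one benign reversed string, and a constructed directory listing.
OBFUSCATED_SAMPLES = [
    "on delbaneyrevocer }tluafed{ tes/ tidedcb c/ exe.dmc",
    "lla/ teiuq/ swodahs eteled nimdassv c/ exe.dmc",
    "eteled ypocwodahs cimw c/ exe.dmc",
    "txt.oller",
]
SAMPLE_LISTING = ["quarterly.xlsx", "Xk9qwe21.BiBi3", "a1B2c3.BiBi0", "notes.txt", "odd.BiBi12"]
```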


Figure 40. The Windows version of the BiBi wiper and the shadow copy deletion command revealed in the code.


The wiper's behavior resembles ransomware activity, so it is possible that some ransomware attacks claimed against Israeli facilities actually involved BiBi or similar wipers.


Hostage Rescue Operations and Pegasus Spyware

As reported by Bloomberg, Israeli security services asked several companies, including NSO, the maker of the controversial Pegasus software, for help tracking hostages in the Gaza Strip. The Pegasus spyware, developed by the Israeli firm NSO Group, is marketed to governments and law enforcement agencies for infiltrating mobile phones, allowing them to record emails, phone calls, text messages, and more. In 2021, Amnesty International, Citizen Lab, and Forensic Architecture documented over 60 cases where this spyware was used to target government critics across various nations. Among the countries involved were Rwanda, Togo, Spain, the United Arab Emirates, Saudi Arabia, Poland, Mexico, Morocco, and India.

NSO Group and Candiru, both blacklisted by the U.S., were reportedly asked to enhance their spyware capabilities to meet the requirements specified by the country's security forces.

This information was sourced from four cybersecurity industry insiders and one Israeli government official according to Bloomberg. The Israeli Defense Forces and NSO Group have refrained from providing comments on the matter.


Figure 41. NSO Pegasus 2013 manual: the dashboard provides information such as the current location of 'targets' on a map.


Scams Leveraging the Israel – Hamas Conflict Theme

Undoubtedly, threat actors have their own motives for exploiting conflicts, including financial gain. An analysis of telemetry from Trustwave MailMarshal revealed the presence of numerous phishing emails taking advantage of the Israel-Hamas conflict. These emails exploit people's willingness to assist those affected by the war.

The screenshot below shows a scam email using an Israel bombing as a lure. It asks for a donation and uses multiple Zoho Campaign URL redirectors. The links are no longer accessible.



Figure 42. Scam email using the recent Israel bombing as a lure.


Other scam operators pretend to be a charity collecting funds for Gaza in the form of cryptocurrency. Trustwave SpiderLabs observed other variations using the King Salman Center for Humanitarian Aid and Relief (KS/Relief).



Figure 43. Donation crypto scam. The operator pretends to be a charity collecting funds for Gaza.


One of the crypto donation scams, impersonating Islamic Relief Worldwide, caught our attention. The crypto wallets used here had transactions in 2021-2022.


Figure 44. Crypto donation scam impersonating Islamic Relief Worldwide.

Figure 45. Transaction history of the bitcoin wallet related to the aforementioned scam.

Figure 46. Transaction history of the Ethereum wallet related to the aforementioned scam.



Modern warfare no longer means solely using missiles, drones, and satellite-guided bombs. Cyberwarfare has become a necessary weapon capable of causing significant harm through cyberattacks on critical infrastructure and planting false and unverified claims on social media.

Remarkably, this conflict attracted distinct cybergroups from distant countries not directly affected by the war. While cybercrime entities based in the region focus on familiar targets, newly joined groups entered the fray directing their efforts toward disrupting social and government websites.

This multifaceted conflict not only encompasses traditional cyberwarfare but extends into the area of informational propaganda, disinformation, fake news, and the strategic use of AI-generated imagery to sway public opinions on a massive scale. The parties involved wield the power to significantly alter the perceived reality of events, blurring the lines between fact and fiction. The ongoing information warfare that we're witnessing could be considered a groundbreaking AI-driven battle due to the extensive use of AI-generated images. It's a unique and unprecedented situation where technology is at the forefront of shaping the narrative and public opinion.

As is often the case, some other cybergroups view the conflict not as an ideological battleground but rather as a means of financial gain. For these groups, it's a matter of "nothing personal, just business," as they exploit the chaos of conflict for their enrichment.

Agonizing Serpens Tools and Infrastructure

  • Agonizing Serpens Sqlextractor
  • Agonizing Serpens MultiLayer wiper
  • Agonizing Serpens PartialWasher Wiper
  • Agonizing Serpens BFG Agonizer Wiper
  • Agonizing Serpens Web shells
  • Agonizing Serpens NimScan
  • Agonizing Serpens Mimikatz
  • Agonizing Serpens ProcDump
  • Agonizing Serpens Plink
  • Agonizing Serpens GMER Driver Loader - agmt.exe
  • Agonizing Serpens GMER Driver
  • Agonizing Serpens Rentdrv2 Loader - drvIX.exe
  • Agonizing Serpens Rentdrv2 Driver
  • Agonizing Serpens Infrastructure

Appendix A.

The division of cyber groups based on their side preference:

Against both sides

  • Anonymous Israel
  • 177 Members
  • Cyber Army Of Russia
  • Dark Cyber Warrior
  • 1915 Team
  • Garuna Ops
  • Gaza parking lot crew
  • 4 Exploitation
  • ICD-Israel Cyber Defense
  • Indian Cyber Force
  • Indian Cyber Sanatani
  • Indian Darknet Association
  • IT ARMY of Ukraine
  • Kerala Cyber Xtractors
  • Anonymous Algeria
  • Anonymous Morocco
  • Team NWH Security
  • Anonymous Russia
  • Termux Israel
  • Anonymous Sudan
  • UCC Team
  • Arab Anonymous Team
  • Bangladesh Civilian Force
  • Cyb3r Drag0nz
  • CYBER Sederhana Team
  • Dark Strom Team
  • Dark Team
  • Dragon Force Malaysia
  • Eagle Cyber Crew
  • Electronic Tigers Unit
  • End Sodoma
  • Esteem Restoration Eagle
  • Ganosec team
  • Garnesia Team
  • Garuda Security
  • Gb Anon 17
  • Ghost Clain Malaysia
  • Ghosts of Palestine
  • Hacktivism Indonesia
  • Hizbullah Cyb3r Team
  • Irox Team
  • Islamic Cyber Team
  • Jakarta Error System
  • Jateng Cyber Team
  • KhalifahCyberCrew (KCC)
  • Moroccan Black Cyber Army
  • Moroccan Defenders Group
  • Moroccan Ghosts
  • Muddy Water
  • Muslim Cyber Army
  • Mysterious Team Bangladesh
  • Pakistani Leet Hackers
  • Panoc team
  • StarsX Team
  • Stucx Team
  • Sylhet Gang-SG
  • T.Y.G Team
  • Team Azrael Angel of Death
  • Team Herox
  • Team R70
  • TengkorakCyberCrew (TCC)
  • The Cyber Watchers
  • The White Crew
  • TYG Team
  • US Nexus Cyber Team
  • YourAnon T13x




