Checkpoint reports ongoing attacks against Israel attributed to TA402, a threat actor that has historically engaged in conducting espionage operations against governments in the Middle East and North Africa region. TA402 reportedly leveraged a Rust-written variant of the SysJoker backdoor, enabling trojan-like capabilities, including remote control. It serves as an access broker for the deployment of additional malware stagers.
The backdoor utilizes OneDrive to retrieve command-and-control (C2) information, enabling the actor to quickly change the C2 addresses and likely providing effective endpoint detection and response (EDR) evasion, as OneDrive is a high-reputation service.
TA402 has been linked to the so-called 'Gaza Hacker Team,' a threat actor believed to serve as the cyber arm of Hamas.
Clipeus covered TA402 in a post on November 14, referencing a separate Checkpoint analysis of a campaign in the Arabic language targeting the MENA region.