
Threat Actor Characterization

Islamic Resistance Movement


ID: 9916aac2f961e3d05be21e211d072bca
Hacktivist Group Hacktivism
Threat types: Defacement
Unknown UNKNOWN
Updated: 2026-01-26
Created: 2025-10-25
Progress: 64% Completeness: 61% Freshness: 70%
Operation zone: UNKNOWN
Aliases
No aliases registered.
MITRE ATT&CK®

Islamic Resistance Movement (Hamas) — militant-political organization with an established cyber apparatus conducting espionage, information operations, and occasional disruption against Israeli government, military, media, and civilian targets (2012–2025). TTPs prominently include social engineering of IDF personnel via Android 'dating' and sports apps, bespoke mobile RATs, and application-layer C2. Open sources also document Israel’s 2019 kinetic strike against a Hamas cyber facility following an attempted cyber operation.


Technique | Technique name | Tactics
T1566.002 | Spearphishing Link | TA0001
  Evidence:
  • 2018-07-03 — Use of fake dating/World Cup apps to socially engineer IDF soldiers into installing Android malware.
  • 2020-02-16 — Check Point details lures and delivery via crafted websites and personas; affiliates linked to APT-C-23.
T1476 | Deliver Malicious App via Other Means | TA0027
  Evidence:
  • 2020-02-16 — Delivery of malicious Android applications (MRAT) via off-store sites posing as dating tools (GrixyApp/ZatuApp/Catch&See).
T1071 | Application Layer Protocol | TA0011
  Evidence:
  • 2020-02-16 — C2 communications over application-layer protocol (MQTT) from infected Android devices.
Strategic Intelligence
Last updated: 2025-10-30T03:01:01+00:00
Islamic Resistance Movement (Hamas) — Cyber apparatus

CLASSIFICATION: Unclassified / Open Source Intelligence (OSINT)

Category: Militant / Political organization (Cyber wing) – Origin: Palestinian Territories (Gaza/West Bank)


Executive Summary

Open sources since 2012 describe a Hamas-aligned cyber capability focused on espionage, data collection, and information operations against Israeli military and governmental targets, with occasional disruptive actions. Recurrent campaigns leveraged Android lure apps (dating/sports) to compromise Israel Defense Forces (IDF) personnel devices, install MRATs, and exfiltrate communications and location data. Technical reporting documents application-layer C2 (e.g., MQTT) and bespoke delivery infrastructure registered under commodity providers. In May 2019, Israel reportedly conducted a kinetic strike on a Hamas cyber facility following an attempted cyber operation, signaling escalatory risk at the cyber-to-kinetic threshold. The broader 2023–2025 war context saw amplification by allied/ideological hacktivists, complicating attribution and increasing noise. Overall confidence is medium-high based on converging vendor reports, mainstream media, and doctrinal analyses.

  • Industries / Sectors: Military (IDF), government, media; opportunistic civilian spillover via lures and social platforms.
  • Geography (Region): Primarily Israel; collection against targets in the Middle East noted by multiple vendors.
  • Timeframe: Active reporting from ~2012 through 2025; major publicized waves in 2017–2018 and 2020; wartime surge in/after Oct 2023.
  • Orientation / Motive: Strategic intelligence collection on Israeli military and state apparatus; propaganda/influence during conflict escalation.
  • Typical tradecraft: Persona-driven social engineering; off-store Android app delivery; custom MRATs; application-layer C2; controlled leak/propaganda channels.
  • INFERENCE: Elements of APT-C-23/Arid Viper/Gaza Cybergang have been assessed by some vendors as Hamas-linked; confidence medium given mixed attributions across years.
Executive Analyst Brief for CISO

Subject: Hamas cyber apparatus – mobile-centric ISR targeting military personnel

IOC Appendix
Last updated: 2025-11-25T20:46:00+00:00

IOC Appendix (TLP:WHITE)

Selected indicators extracted from public reporting (verify before enforcement):

OSINT Library
Last saved: 2025-11-25T20:46:02+00:00

2020-02-16 — Check Point Research — “Hamas Android Malware On IDF Soldiers — This is How it Happened”

https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.