Another cyberespionage campaign by the Molerats (aka TA402) APT group has come under the scanner of researchers. The Arabic-speaking hacking group is back this time with a new piece of malware, dubbed NimbleMamba, that is likely an update of the LastConn malware.

What’s the update?

  • Researchers from Proofpoint spotted a new email phishing campaign that targeted multiple Middle Eastern governments, foreign-policy think tanks, and a state-affiliated airline.
  • These entities were targeted using NimbleMamba, a new intelligence-gathering trojan that was delivered via various phishing lures.
  • In some of the attacks observed by the team, a secondary payload, BrittleBush, was also used.
  • The campaign leveraged three types of emails, pretending to be from Quora, Ugg boots, or Dropbox, which were distributed between November 2021 and January 2022.
  • One of these phishing emails was also sent using a Gmail account, but delivery later shifted to Dropbox URLs serving the malicious .rar files containing NimbleMamba.

About NimbleMamba

  • NimbleMamba is believed to share some similarities with Molerats’ previous executable LastConn that was first reported in June 2021.
  • According to Cybereason, LastConn was likely an updated version of the SharpStage malware.
  • While NimbleMamba and LastConn share similarities, such as being written in C#, base64 encoding within the C2 framework, and use of the Dropbox API for C2 communication, there appears to be little code overlap between the two.
  • Although the malware is still being actively developed, Proofpoint notes that it contains multiple capabilities designed to complicate both automated and manual analysis.

Middle East remains a favorite target

  • Since its inception, the state-sponsored Molerats APT group has been persistent in targeting organizations and governments in the Middle East by routinely updating its malware implants and delivery methods.
  • One such attack campaign was discovered by the Zscaler research team in December 2021.
  • The campaign had been active since at least July 2021 and leveraged multiple macro-based MS Office files to deliver a new variant of the DotNET backdoor.


Molerats continues to be an effective threat actor that demonstrates its persistence with its highly targeted campaigns focused on the Middle East. It is highly likely that the APT group will continue to update both its malware implants and infection chains to thwart defensive efforts.

Cyware Publisher