Menu
Browse

Cyber Threat Actor: Mr.Moshkela

Actor Type Location Known Incidents
 Icon
Activist
1 incident
Profile

Mr.Moshkela operates as part of the Egyptian hacker collective Anonymous Rabaa Team, with associated aliases including Dr.AFN[D]ENA and Freedom Cry observed during collaborative operations. This group conducts cyber activities primarily to advance political messaging related to Egyptian domestic events, particularly the 2013 Rabaa Square Massacre. Their operations demonstrate opportunistic targeting of foreign entities perceived as relevant to their ideological cause, though without persistent network access or data theft objectives. The collective’s public-facing persona emphasizes propaganda dissemination over technical complexity, aligning with hacktivist traditions of symbolic disruption rather than sustained intrusion campaigns.

The threat actor’s most documented operation occurred on December 24, 2015, when they defaced the Costa Rican Ministry of Environment’s website. Attackers replaced conservation-focused content with a video depicting the Rabaa Square Massacre and a written statement condemning the Egyptian government’s actions. The defacement exploited a vulnerability to alter web pages but did not compromise backend databases or exfiltrate sensitive data. Costa Rica’s diplomatic recognition of Palestine may have influenced target selection, suggesting geopolitical alignment rather than technical feasibility drove victim choice. Operational indicators included links to attacker-controlled social media profiles, though these were displayed for propaganda purposes rather than as functional command channels.

Some participants in this campaign had historical connections to ISIS-aligned cyber groups, though no pro-ISIS rhetoric accompanied the Costa Rican defacement, indicating possible ideological divergence or tactical rebranding. The collective’s operations consistently prioritize low-complexity attacks yielding high visibility, leveraging web application flaws for temporary platform hijacking. Their activities remain confined to website disruptions serving explicit political awareness objectives, distinguishing them from financially motivated or state-sponsored threat groups. No subsequent operations matching this group’s signature have been publicly attributed since 2015.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources