
Cyber Incident Victim: Anonymous

Date:

Apr 2017

Location:

Israel

Summary

Anonymous members participating in the annual #OpIsrael cyber campaign were targeted by an unknown threat actor distributing malware disguised as DDoS tools via social media. Posing as a supporter, the actor promoted Android and Windows applications on Twitter that instead deployed remote access trojans (RATs), including Dark Comet, enabling full system compromise. The campaign typically involved disruptive actions against Israeli targets by Muslim-aligned factions, though in this incident the participants themselves were compromised through deceptive links to weaponized software. While historical operations focused on website defacements, DDoS attacks, and data leaks against non-governmental entities, this infiltration represented a shift toward exploiting hacktivist infrastructure for intelligence gathering or sabotage.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 3 actors
Type: Available to members
Location: Available to members

Description

In early April 2017, participants in the Anonymous collective’s annual #OpIsrael campaign were targeted in an intelligence-gathering operation that distributed remote access trojans (RATs) disguised as attack tools. The #OpIsrael campaign, conducted each year on April 7 since 2013, involves cyberattacks against Israeli targets by predominantly Muslim factions of Anonymous, typically through distributed denial-of-service (DDoS) attacks, website defacements, or data leaks. Weeks before the 2017 operation, promotional activity for #OpIsrael appeared on social media platforms including Twitter, where an unidentified threat actor disseminated links to malicious tools disguised as DDoS utilities. One tweet directed users to download an Android application from a SendSpace page, which contained malware. Another tweet offered a Windows-based DDoS tool hosted on a compromised legitimate website; this payload contained Dark Comet RAT, enabling full remote control of infected systems. Digital Shadows, a U.S. cybersecurity firm, identified these malicious links during routine threat intelligence monitoring. The Windows-hosted malware was removed from the compromised site before independent analysts could obtain a sample, but forensic analysis confirmed the RAT’s functionality. The operation’s timing aligned with historical #OpIsrael activity, which often escalates ahead of April 7, a date chosen in 2013 to precede Israel’s Holocaust Remembrance Day.

The incident impacted individuals seeking to participate in #OpIsrael by compromising their devices for potential surveillance or identity exposure. While the exact number of victims was unspecified, the operation represented a departure from typical #OpIsrael dynamics, where attacks against Israeli entities (often small businesses or non-critical infrastructure) were routinely dismissed as low-impact nuisances by security experts. Historical context indicated recurring tensions: in 2016, pro-Palestine groups like Anonymous Arab and AnonGhost led attacks, while 2015 saw stolen funds diverted to Palestinian charities by AnonGhost members. Israeli responses in prior years included preemptive website shutdowns by government agencies (2014) and retaliatory doxxing of attackers by Israeli hackers. The 2017 RAT campaign’s perpetrators remained unconfirmed, though Digital Shadows suggested possible involvement by rival Anonymous factions aiming to sabotage #OpIsrael or by Israeli intelligence operatives seeking to identify attackers. No claims of responsibility or victim disclosures were documented in the available reporting. The malware’s removal from the Windows hosting site constituted the only confirmed mitigation action, with no additional containment measures or victim assistance detailed.
