Hamas-linked app offers window into cyber infrastructure, possible links to Iran

The administrators of a news site linked to Hamas have struggled to keep it online amid fighting with Israel.
Fighters from the Ezzedine al-Qassam Brigades, the armed wing of the Palestinian Hamas movement, attend a memorial service for the leader of the brigade Ibrahim Abu Al-Naja in Rafah in the southern Gaza Strip on June 10, 2017, after he was killed in an "accidental explosion" earlier in the month. (SAID KHATIB/AFP via Getty Images)

An Android app designed to share updates for supporters of Hamas’ military wing is linked to a long-running Hamas-linked cyber espionage group, according to analysis by the security firm Recorded Future that sheds light on how the group is attempting to spread its messaging amid ongoing fighting with Israel.

The app in question was posted to a Telegram channel associated with the Izz al-Din al-Qassam Brigades four days after fighting began, and was configured to communicate with a news site linked to the group.

That site has been available only intermittently amid fighting between Hamas and Israel. It is unclear why, but Recorded Future’s analysts speculate that it could be the result of providers refusing to work with the group or of the relentless wave of tit-for-tat distributed denial-of-service attacks from all sides in the conflict.

The operators of the news site have been working to keep it online by moving it between several different infrastructure providers. Analyzing that movement revealed several clusters of domains with a shared Google Analytics code that showed signs of connections to a group Recorded Future tracks as TAG-63 — tracked otherwise as APT-C-23, Desert Falcons, Arid Viper or Mantis — perhaps the longest-running Arabic cyber operations group publicly known.
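The pivot described above, grouping domains by a shared Google Analytics code, can be sketched as follows. This is an added example, not Recorded Future's tooling; the domains, tracking IDs and HTML snippets are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Universal Analytics IDs are UA-<account>-<property>; GA4 IDs are G-<alnum>.
# The UA property suffix is dropped so sibling properties map to one account.
GA_ID = re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b|\b(G-[A-Z0-9]{8,12})\b")

# Constructed sample input: domain -> HTML captured from that domain.
SNAPSHOTS = {
    "news.example": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "mirror.example": "gtag('config','UA-1234567-3'); gtag('config','G-ABCDEF1234');",
    "app-api.example": "<script src='https://www.googletagmanager.com/gtag/js?id=G-ABCDEF1234'>",
    "unrelated.example": "<script>ga('create', 'UA-7654321-1', 'auto');</script>",
    "static.example": "<html><body>no analytics here</body></html>",
}

def tracking_ids(html):
    """Return the set of analytics account keys found in one page."""
    return {ua or ga4 for ua, ga4 in GA_ID.findall(html)}

def cluster_by_tracking_id(snapshots):
    """Group domains that share, directly or transitively, any analytics ID."""
    parent = {domain: domain for domain in snapshots}

    def find(domain):
        # Union-find lookup with path halving.
        while parent[domain] != domain:
            parent[domain] = parent[parent[domain]]
            domain = parent[domain]
        return domain

    owners = defaultdict(list)
    for domain, html in snapshots.items():
        for tid in tracking_ids(html):
            owners[tid].append(domain)
    for domains in owners.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])

    clusters = defaultdict(set)
    for domain in snapshots:
        clusters[find(domain)].add(domain)
    # A domain with no shared ID is not evidence of common operation.
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

if __name__ == "__main__":
    for cluster in cluster_by_tracking_id(SNAPSHOTS):
        print(cluster)
```

A shared tracking ID is a lead rather than proof of common control, since site templates and copied pages can carry an ID over to unrelated operators.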


With Israel carrying out a siege against Gaza in the aftermath of a Hamas attack that left more than 1,300 people dead and some 200 kidnapped, electricity and internet access in the enclave have been severely limited or shut off. Recorded Future’s analysis indicates that Hamas may be working with groups or individuals outside of Gaza — potentially including in Iran — to keep its news site available online.

One cluster of domains associated with the site includes references to Iran in some subdomains, including the word “Iran,” and Farsi terms for “attendant” or “comrade,” as well as “director” or “manager.”

“Whoever was responsible for running these assets was potentially doing so from outside the territories,” said a Recorded Future analyst who spoke with CyberScoop on the condition of anonymity given the heightened security concerns. “We don’t have the information to suggest that that did occur, but we find it suspicious that they kept trying to run that.”

The researcher who spoke with CyberScoop emphasized that the links to Iran are far from conclusive. “It is one of the hypotheses,” the researcher said.

While policymakers and researchers have puzzled over Iran’s role in planning the most recent Hamas attack, Tehran has a well-documented history of providing the terrorist group with support. “Iran’s Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups,” Recorded Future analysts note in their report.


The Hamas cyber operation, TAG-63, to which the news site is linked, began operating as early as 2011 and was perhaps the first known group of Arabic-speaking cyber mercenaries, Kaspersky reported in 2015. The group has since targeted thousands of victims in Israel, Palestine and around the world using various malware to steal data and information.

The group is known to target government, military, financial, media, education, energy and research and policy entities, according to an April 2023 analysis of the group’s activity by Symantec’s Threat Hunter Team. That analysis documented the group’s deployment of “a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks” that used updated versions of its custom Micropsia and Arid Gopher backdoors.
