BrittleBush
BrittleBush is a small trojan observed in late-2021 to early-2022 spear-phishing campaigns attributed to TA402, also tracked as Molerats, ALUMINUM SARATOGA, APT-C-23, Arid Viper, and related aliases. Reporting assesses the group as likely Palestinian-aligned or of Palestinian origin. The campaigns targeted Middle Eastern governments, foreign policy think tanks, a state-affiliated airline, and more broadly organizations in the Middle East and North Africa. BrittleBush was delivered in malicious RAR archives distributed through phishing lures and actor-controlled infrastructure, including Dropbox links and WordPress-based redirect chains, and was often bundled alongside the NimbleMamba implant. Proofpoint reported that later versions of the RAR files delivering NimbleMamba also included BrittleBush. The malware communicated with easyuploadservice[.]com and received commands in a base64-encoded JSON structure. High-confidence reporting directly links BrittleBush to the TA402/Molerats late-2021 to early-2022 campaign set, but the provided content does not describe additional internal functionality beyond its role as a trojan and its command channel behavior.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Later versions of the RAR files that deliver NimbleMamba also included a small trojan application Proofpoint dubbed BrittleBush.
“A campaign from late 2021 and early 2022 featured phishing lures… and the NimbleMamba and BrittleBush malware.”
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniquesEach variant of TA402’s attack chain led to a RAR file containing one or multiple malicious compressed executables.
In the recently observed campaigns, TA402 used spear phishing emails containing links that often lead to malicious files.
Stealth
1 techniqueNimbleMamba is written in C# and delivered as an obfuscated .NET executable using third-party obfuscators.
Command and Control
1 techniqueNimbleMamba uses the Dropbox API for both command and control as well as exfiltration.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A small trojan delivered alongside NimbleMamba in later campaign variants. It communicated with easyuploadservice[.]com and received commands as a base64-encoded JSON structure.
Malware used in late-2021/early-2022 phishing campaigns leveraging actor-controlled infrastructure and Dropbox links.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.