SameCoin
SameCoin is a custom wiper malware used by the Hamas-affiliated WIRTE threat actor in destructive attacks against Israeli entities. Check Point reported two 2024 waves, in February and October, and assessed clear links between SameCoin and WIRTE malware development. The malware was used in campaigns targeting Israeli organizations, including hospitals and municipalities, and one October 2024 campaign impersonated a legitimate Israeli ESET reseller. SameCoin is described as multi-platform, with Windows and Android variants.
In the October 2024 activity, a ZIP archive named ESETUnleashed_081024.zip contained legitimate DLLs and a malicious Setup.exe that deployed a newer SameCoin variant. The malware attempted to connect to oref.org.il and used the first bytes of the response as an XOR key, so the next stage only decrypts correctly when the response is the one a host in Israel receives; on a sandbox or host elsewhere the derived key is wrong and the payload stays inert. Components included MicrosoftEdge.exe, identified as the wiper, and csrs.exe, identified as an infector capable of spreading within organizations via Outlook attachments and Active Directory scheduled tasks. The wiper overwrote files outside protected directories with random bytes, skipping any file whose name contained "desktop.ini" or "conf.conf".
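The geofencing trick described above is a form of environmental keying: the decryption key is never shipped with the sample, it is derived from a response that only the intended victims can obtain. The following is an added illustration of that pattern, not SameCoin's own code. The key length, the SHA-256 integrity check used to decide whether decryption succeeded, the sample HTTP bodies and the stand-in payload are all constructed assumptions; the page does not state how the real loader validates the key.

```python
"""Environmental keying with an XOR key taken from an HTTP response.

Added example (not SameCoin's code). Everything below that is not on the page
is an assumption: KEY_LEN, the hash-based validity check, and the sample data.
"""
import hashlib
from typing import Optional

KEY_LEN = 16  # assumption: the real key length is not documented on the page


def derive_key(response: bytes, key_len: int = KEY_LEN) -> bytes:
    """Use the first key_len bytes of the response body as the XOR key."""
    if len(response) < key_len:
        raise ValueError("response too short to derive a key")
    return response[:key_len]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_payload(payload: bytes, expected_response: bytes) -> bytes:
    """Attacker side: key the payload to the response expected inside the
    target geography. A SHA-256 of the payload is prepended so the loader
    can distinguish a correct decryption from garbage (assumed mechanism)."""
    key = derive_key(expected_response)
    return xor_bytes(hashlib.sha256(payload).digest() + payload, key)


def unwrap_payload(blob: bytes, observed_response: bytes) -> Optional[bytes]:
    """Loader side: derive the key from whatever the host actually received.
    Returns the payload on success, None when the environment does not match."""
    key = derive_key(observed_response)
    plain = xor_bytes(blob, key)
    digest, payload = plain[:32], plain[32:]
    if hashlib.sha256(payload).digest() != digest:
        return None  # wrong key, i.e. wrong environment: stay dormant
    return payload


# Constructed sample data: not real oref.org.il content, not a real payload.
RESPONSE_IN_GEOFENCE = b'<!DOCTYPE html><html lang="he"><head><title>...'
RESPONSE_OUTSIDE = b"<html><head><title>403 Forbidden</title></head>..."
PAYLOAD = b"next-stage bytes (stand-in for MicrosoftEdge.exe / csrs.exe)"

# What an analyst would pull off disk: the keyed blob, with no key beside it.
BLOB = wrap_payload(PAYLOAD, RESPONSE_IN_GEOFENCE)


def run(observed_response: bytes) -> str:
    """Simulate the loader's decision for a given observed response."""
    payload = unwrap_payload(BLOB, observed_response)
    return "executed" if payload == PAYLOAD else "dormant"


if __name__ == "__main__":
    print("inside geofence :", run(RESPONSE_IN_GEOFENCE))
    print("outside geofence:", run(RESPONSE_OUTSIDE))
```

The practical consequence for analysis is visible in `unwrap_payload`: a sandbox that cannot reach the geofenced site, or that receives a different body, never produces the next stage, so to unpack such a sample you have to capture the genuine response (or a recorded copy of it) and replay it to the loader rather than rely on automated detonation.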
Reporting also states that the February 2024 campaign impersonated the Israeli National Cyber Directorate (INCD). In broader WIRTE operations, SameCoin marks a shift from espionage toward sabotage, while WIRTE continued parallel espionage campaigns across the Middle East. Check Point noted code overlap between the SameCoin wiper component and newer WIRTE loader variants, specifically a shared XOR/encryption function, supporting common development. Indicators and related artifacts mentioned in the reporting include ESETUnleashed_081024.zip, MicrosoftEdge.exe, csrs.exe, and the geofencing check target oref.org.il.
Groups observed using it
1 distinct threat actor attributed by public researchers.
In 2024, however, Check Point observed WIRTE employing SameCoin, a custom wiper malware, to attack Israeli entities in February and October.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Destructive wiper used in WIRTE-linked operations (including activity branded as 'Cyber Toufan Al-Aqsa').
SameCoin is a custom wiper malware used by the WIRTE APT group for destructive attacks, particularly against Israeli entities, to destroy data as part of sabotage operations.
Custom wiper malware used by WIRTE in disruptive attacks against Israeli entities. The malware was deployed via phishing-themed lures and was described as activating only in Israeli environments, using the first bytes of a response as its XOR key to verify Israeli targets.