Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇮🇱 IL

Mossad

Also known asMossad

Mossad is a Mirai-variant botnet, not related to the Israeli intelligence service, that was disrupted in a coordinated March 2026 law enforcement operation alongside the Aisuru, KimWolf, and JackSkid botnets. The operation, led by the U.S. Department of Justice with support from U.S., Canadian, and German authorities and private-sector partners, seized domains, virtual servers, IP addresses, and other command-and-control infrastructure associated with the botnet. The botnet was used for distributed denial-of-service attacks and formed part of a broader cybercrime-as-a-service ecosystem in which operators rented attack capability and proxy services to other criminals. Reporting in the provided content states that Mossad issued approximately 1,000 DDoS attack commands. Like the other botnets disrupted in the same action, it contributed to the compromise of internet-connected devices at scale, including IoT infrastructure such as routers, digital video recorders, security cameras, and related devices. The content attributes Mossad’s development to the involvement of a young German hacker known as "Snow" or "Lucy," possibly named Philip, and assesses that Mossad appears to have been a solo project by that individual. The content also notes that KimWolf, Aisuru, and Mossad were created with that hacker’s involvement. Mossad is described as part of the Mirai malware family and associated with the same criminal botnet ecosystem as Aisuru and KimWolf.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇮🇷 Iran

Where they're from

Attributed origin per open-source reporting.

  • IL
MITRE ATT&CK

Tradecraft

14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics16 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1598
Phishing for Information
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.005×4
Botnet
T1584.008
Network Devices
TA0001
Initial Access
4 techniques
T1078
Valid Accounts
T1190
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1200
Hardware Additions
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0011
Command and Control
2 techniques
T1071×7
Application Layer Protocol
T1090
Proxy
T1090.003
Multi-hop Proxy
TA0040
Impact
2 techniques
T1496×2
Resource Hijacking
T1498×11
Network Denial of Service
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
hackreadNews
Mar 25, 2026
Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth

Named botnet network disrupted by the US Department of Justice.

Read more
hackreadNews
Mar 23, 2026
Global Crackdown Dismantles 4 Botnets Behind Major DDoS Attacks

Botnet used in large-scale DDoS attacks and operated as part of a rentable attack-for-hire ecosystem.

Read more
toms hardwareNews
Mar 21, 2026
US Departments of Justice and Defense crush four massive botnets totaling 3,000,000 devices - botnets responsible for a combined 316,000 DDoS attacks globally | Tom's Hardware

Botnet operation involved in DDoS activity; the content says Mossad was responsible for about 1,000 DDoS attacks.

Read more
scworldNews
Mar 20, 2026
US, Canada and Germany take down four large DDoS botnets | news | SC Media

Botnet involved in distributed-denial-of-service attacks using infected Internet-of-Things devices worldwide.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping14

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.