Kasablanka is a cyber threat group believed to originate from North Africa or the Middle East, most likely Morocco, that has matured rapidly from regional hacktivism into organized cyber-espionage and financially motivated operations. The group has been active since approximately 2021. It operates with a mix of ideological and profit-seeking motives, and it has moved from defacing websites and leaving coded political messages to more sophisticated capabilities, including targeted phishing, credential theft, and intrusion campaigns against cloud-based platforms.
Kasablanka serves as a topical case study of how a regional hacktivist collective can mature into an advanced persistent threat (APT), merging activism with intelligence collection and influence operations. Today, Kasablanka's campaigns sit at the intersection of political agendas, espionage, and criminal enterprise, a techno-political-activist-criminal syndicate that blurs the distinction between state or state-sponsored actors and independent cyber actors.

Identity and Motivation
Based on its operational emphasis and targeting profile, Kasablanka likely adopts a hybrid model that spans a continuum of hacktivism, criminal enterprise, and state-aligned espionage. While direct state sponsorship is unconfirmed, Kasablanka’s interests frequently fall in line with regional political narratives supporting a Moroccan geographical interest.
Motivations Include:
- Political Influence and Hacktivism: To promote nationalistic or anti-rival narratives, especially during regional political tensions.
- Financial Gain: Credential theft, extortion, and theft of corporate or financial data.
- Espionage and Intelligence Collection: Targeting government and energy organizations for strategic and economic intelligence.
The combination of motivations contributes to Kasablanka’s overall unpredictability, as it can move between propaganda and attempts at espionage rapidly.
Tactics, Techniques, and Procedures (TTPs)
Kasablanka’s technical capabilities have evolved considerably since its early operations. The group has expanded its use of open-source tools, modified phishing kits, and encrypted channels to maintain long-term access and exfiltrate data.
1. Initial Access
The group relies primarily on spearphishing and social engineering. Emails and social media messages often imitate trusted contacts in government or business and lure the victim into entering credentials on a spoofed portal. Many of these portals are near-indistinguishable from Microsoft 365, Gmail, or government intranet login pages and are used to collect valid usernames and passwords.
Kasablanka has also established watering-hole compromises, where it infiltrated websites visited by its targets, and injected malicious JavaScript into legitimate sites, as a means for initial access.
2. Persistence and Privilege Escalation
Kasablanka employs basic yet effective persistence methods: credential reuse, remote administration tools (RATs), and theft of cloud tokens. Once it holds credentials, the group typically maintains access through the originally compromised Microsoft 365 or Google Workspace accounts, and by stealing or leveraging an existing OAuth token it can retain that access even after the password is changed.
3. Command and Control (C2)
The group employs low-tech C2 frameworks hosted on legitimate cloud systems, specifically Dropbox, Google Drive, and Telegram bots for covert and resilient operational support. Kasablanka also utilizes HTTPS encryption and domain fronting to mask its traffic.
4. Malware and Tools
Kasablanka is quite reliant on public resources and custom development with a minimal footprint, which continues to show low-cost, high flexibility trade-offs. The group uses the following:
- QuasarRAT and njRAT: Two commonly available remote access tools for surveillance and file theft.
- Credential Stealers: Based on either browser or Windows extractors, included in phishing scripts.
- Malicious Phishing Kits: Phishing kits hosted on cloud providers and designed to replicate login pages for targeted organizations.
5. Exfiltration and Evasion
Data exfiltration generally occurs via encrypted channels or cloud-based repositories. The group frequently compresses stolen documents and credentials into a password-protected archive before upload. Its evasion tactics rest on blending malicious activity with legitimate user activity that matches the organization's normal context, and on varying its intrusions so that separate campaigns do not share obvious similarities.

Notable Operations
Kasablanka's operations show its evolution from ideological cyberattacks toward planned intelligence collection. The significant operations are listed below:
- 2021 – Defacement and Propaganda Campaigns: The group gained prominence through mass defacements of Algerian and Tunisian government websites while disseminating alternative nationalist and anti-rival sentiments.
- 2023 – Energy Sector Phishing Campaign: Executed phishing campaigns against various European and North African energy organizations, using fictitious Microsoft 365 login pages to acquire corporate credentials for access to internal environments.
- 2024 – Regional Disinformation Drive: Coordinated social media campaigns to advance disinformation regarding protests and diplomatic tensions in North Africa. These disinformation operations combined cyber intrusion and influence campaigns.
- 2025 – Government Espionage Operation: Ultimately moved into multilayered phishing campaigns against North African ministries and diplomatic entities. Analysts additionally reported increased use of QuasarRAT implants for collection and continuous telemetry of government conversations.
The operations mentioned above exhibit a clear transition from symbolic attacks to aligned operations supporting intelligence-based priorities and objectives.
Evolution and Tradecraft
The evolution of Kasablanka reflects the maturing of regional cyber capabilities in North Africa. The group has evolved from amateur methods to professional operational security and cloud-native persistence. This evolution indicates that emerging cyber threat actors can leverage readily available open-source ecosystems and tools to inflict high impact.
Evolutionary Highlights:
- Hacktivism to Espionage: From defacing websites to credential theft and espionage operations.
- Use of Commercial Infrastructure: Using Telegram, Google Drive and Dropbox for C2 and for exfiltration.
- Social Engineering Focus: High-profile activity that prioritizes psychological manipulation over complex malware.
- Operational Agility: Responds quickly to takedowns and rapidly rebuilds infrastructure.
The reliance on malware frameworks such as njRAT and QuasarRAT indicates that Kasablanka prioritizes tooling that is both accessible and deniable – a trait common to blended criminal and politically motivated actors.
Strategic Impact and Defensive Takeaways
Kasablanka represents an emerging set of threat actors that occupy the space between politics, espionage, and cybercrime. Its operations are mostly regionally focused, but the group's targeting of energy and diplomatic sectors in Europe suggests that Kasablanka wants to expand beyond North Africa.
Strategic Implications:
- Regional Cyber Escalation: Signals cyber capabilities are increasing and broadening among nontraditional actors within the North Africa region.
- Espionage Expansion: Signals that intelligence collection on regional economic and diplomatic issues is within reach of such groups.
- Information Warfare: Pairs intrusion operations with disinformation to influence narratives.
Defensive Recommendations:
- Strengthen Identity Protection: Implement and monitor MFA and all OAuth activities on cloud accounts.
- Phishing Defense: Implement domain monitoring for impersonation websites as well as regular employee phishing tests.
- Network Monitoring: Apply analytics to detect unauthorized access, specifically reviewing cloud access logs for anomalous sign-ins and unusual data movement.
- Threat Intelligence Sharing: Collaborate with other regional CERTs on shared infrastructure and attack patterns.
- Incident Response Planning: Provide incident response preparedness training based on Kasablanka's social engineering and credential theft activity.
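One way to put the identity-protection and log-review recommendations above into practice, covering the OAuth-token persistence described under Persistence and Privilege Escalation: an added example (not from the original profile) that runs two checks over constructed audit events, flagging consent grants that request risky scopes and OAuth-token sign-ins that continue after a password reset. The event field names and operation strings are assumptions modelled loosely on Microsoft 365 audit logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a Microsoft 365 / Entra-style audit format; the field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T08:00:00", "user": "analyst@example.gov", "op": "Consent to application",
     "app": "Mail Sync Helper", "scopes": "offline_access Mail.Read Files.ReadWrite.All"},
    {"time": "2025-03-01T08:05:00", "user": "analyst@example.gov", "op": "UserLoggedIn",
     "app": "Mail Sync Helper", "auth": "OAuth2:Token"},
    {"time": "2025-03-03T09:00:00", "user": "analyst@example.gov", "op": "Reset user password", "app": "Azure Portal"},
    {"time": "2025-03-04T02:30:00", "user": "analyst@example.gov", "op": "UserLoggedIn",
     "app": "Mail Sync Helper", "auth": "OAuth2:Token"},
    {"time": "2025-03-02T10:00:00", "user": "clerk@example.gov", "op": "Consent to application",
     "app": "Microsoft Teams", "scopes": "User.Read"},
    {"time": "2025-03-05T10:00:00", "user": "clerk@example.gov", "op": "Reset user password", "app": "Azure Portal"},
    {"time": "2025-03-05T11:00:00", "user": "clerk@example.gov", "op": "UserLoggedIn",
     "app": "Microsoft Teams", "auth": "Password"},
]

# Scopes that hand out long-lived refresh tokens or broad mailbox/file access.
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All"}

def risky_consents(events):
    """Return (user, app, risky scopes) for every consent grant that requests a risky scope."""
    hits = []
    for e in events:
        if e["op"] == "Consent to application":
            risky = set(e.get("scopes", "").split()) & RISKY_SCOPES
            if risky:
                hits.append((e["user"], e["app"], sorted(risky)))
    return hits

def tokens_surviving_reset(events):
    """Return (user, app, time) for OAuth-token sign-ins after the user's latest password
    reset: the persistence pattern a password change alone does not break."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        resets = [datetime.fromisoformat(e["time"]) for e in evs if e["op"] == "Reset user password"]
        if not resets:
            continue
        last_reset = max(resets)
        for e in evs:
            if (e["op"] == "UserLoggedIn" and e.get("auth", "").startswith("OAuth2")
                    and datetime.fromisoformat(e["time"]) > last_reset):
                findings.append((user, e["app"], e["time"]))
    return findings
```

A hit from the second check is the cue to revoke the user's refresh tokens and review the consented application, not just to reset the password again.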
Conclusion
Kasablanka represents a new breed of regional APT group – technically adept, politically flexible, and opportunistic in nature. The transition of an apparent hacktivist group into a hybrid actor capable of espionage and financial activity is indicative of the democratization of cyber capabilities globally. Kasablanka operates at the edges of the established APT ecosystem, which is a clear indication of the evolving ability of regional groups to become significant threats, formally or informally, both locally and internationally.
As of 2025, Kasablanka continues to extend its operational capabilities, combining propaganda, espionage, and cybercrime. Defenders should continue to assess the complexity and convergence of these actors' motivations, not only to be better prepared to detect and respond to the threats, but also to understand the emerging geopolitical implications of cyber actors in this North African context.