In 2017, KASPERAGENT and a malware we’re calling Cloudy were identified emanating from threat actors operating in the Middle East and possibly targeting individuals in the Palestinian Territories. The threat actors used decoy documents with Palestinian Authority letterhead and a unique dropper to deliver the malware. In this presentation we’ll discuss these two malware variants and potential connections between the two, focusing specifically on analytical techniques researchers and security personnel can use to analyze this and similar activity in the future.