Active Operations
Select your mission. Each operation is a 3 to 5-day intensive scenario with classified evidence.
Operation Mosaique
Wireshark Expert Training - 3 to 5-Day Cybercrime Investigation
On March 10, 2025, Banque Ittihad's fraud detection system flags 4.7 million dirhams in anomalous wire transfers across 6 regional branches. The Cybercrime Unit (ULCC) launches Operation Mosaique - a 72-hour investigation mandate. Your mission: analyze 27 unique network captures, trace the communications of the EnigMar criminal syndicate across 8 Moroccan cities - from Casablanca to Tangier, through Marrakech, Fes, and Nador. Identify the six operatives: L'Architecte, Le Comptable, La Taupe, Le Passeur, Le Technicien, and Le Fantôme. Each PCAP reveals a new fragment of the puzzle. Wireshark will become your primary weapon.
Operation Qasbah
Log Analysis & SIEM Expert Training - 3 to 5-Day SOC Investigation
On April 14, 2025, a national holiday, WAF logs for the e-Maghrib e-government portal show an unusual spike in 403 errors. By 03:15, the same IP successfully authenticates to the admin panel. By 04:30, internal DNS logs reveal queries to UNC-7913 infrastructure domains. 12 million citizen records at risk. SOC coverage reduced to 3 analysts instead of 8. The Threat Analysis Division is activated. 21 missions across 8 infrastructure zones - from DMZ-Web to SOC-Hub. Correlate JSON logs, syslog, Windows EVTX, and DNS records. Reconstruct the intrusion timeline before the adversary exfiltrates the data.
Operation Iron Mirror
Tactical Forensics Expert Training - 3 to 5-Day Simulation
On August 12, 2025, the Unified National Log Correlation Platform detects coordinated activities from a single Moroccan IP: 41.137.84.72. Coordinated scanning of 47 government systems, SQL injection attempts, SMB brute-force, payload staging. The IP belongs to TransMaghreb Logistics, a legitimate logistics company in Casablanca. The company denies all malicious activity. Initial assessment: infrastructure compromised and weaponized as a relay node. 21 missions across 7 operational phases - from log correlation to web exploitation, OpenWRT router to SMB lateral movement, via FTP and SNMP, to identifying the SCARAB-7 group and recovering ransomware encryption keys from a KeePass vault.
Operation Mirage
OWASP Top Ten Web Security Expert Training - 3 to 5-Day Investigation
On June 20, 2025, Souk Digital, Morocco's largest online marketplace, receives a fraud notification: 3,000 customer cards flagged. Common point: all victims shopped on Souk Digital in the past 60 days. The attack ran for 8 weeks before detection. The attackers probed every endpoint, found multiple vulnerabilities, and exploited them in sequence. The Application Security Division is called in to reconstruct the attack. 20 missions covering the OWASP Top 10 - SQL injection, XSS, IDOR, SSRF, authentication bypass. Analyze HTTP logs, decode payloads, and identify exfiltrated data.
Operation Sirocco
Network Offensive Security Expert Training - 3 to 5-Day Red Team Simulation
On July 8, 2025, Morocco Cobalt Group (MCG), Morocco's leading cobalt mining company, contracts the Offensive Operations Division for a full-scope red team assessment. The question: 'Could an attacker reach our industrial systems?' You are a junior penetration tester on the ULCC red team, supervised by Major Tazi. Your terrain: MCG's IT and OT infrastructure - Active Directory, Exchange, SharePoint, and Siemens SCADA systems. 25 missions across 8 zones - from external recon to SCADA access. Prove the attack path without breaking anything. Only the most skilled will reach the final objective.
Operation Sentinel
Active Directory Defense Expert Training - 3 to 5-Day Investigation
On May 5, 2025, Atlas Telecom discovers a Domain Admin account was used to access the CEO's email at 3 AM from an unauthorized workstation. Investigation reveals the compromise is 6 months old - since November 2024. The adversary has had Domain Admin access the entire time. 8 million subscriber records at risk. Mimikatz artifacts found. The Identity Security Division leads the forensic investigation. 18 missions through AD tiers - from User-Base to Tier-0. Map attack paths with BloodHound, detect DCSync, analyze Golden Tickets, and plan remediation.
Operation Mgoun
Multi-Domain Cybersecurity Challenge - Open Subscription
A data-smuggling network codenamed 'Mgoun' operates a chain of digital dead drops across Morocco's interior. Stolen zero-day exploits are moving from relay to relay, from the Middle Atlas to a buyer in Marrakech. CERT-MAROC can't send a full team without burning the operation. They send you - one agent, one laptop, one rental car. Your cover: a tourist on a road trip. 8 stops. 50 challenges. Web security, network forensics, log analysis, Active Directory, cryptography, steganography, OSINT and Red Team - all mixed together, just like real life. Every clue you find leads to the next city. Every city hides a Mgoun operator. Azrou. Midelt. Errachidia. Merzouga. Kelaa Megouna. Ait Bouguemez. Ouzoud. Marrakech. The wind is rising. Follow the trail before it disappears.