Clankerusecase
Threat-actor profile

🌐 Gallmaker

Gallmaker is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 13 detection use cases to this actor across 6 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

13 use cases
0 articles
6 techniques
0 IOCs

About this actor (MITRE)

[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors. (Citation: Symantec Gallmaker Oct 2018)

Known aliases

Gallmaker

Top techniques

All other tracked techniques

Detection use cases (13)

- Gallmaker DDE-borne Office macro-less execution spawning PowerShell reverse-shell tradecraft (AI · profile SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Email attachment opened from external sender (MITRE match)
- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) (MITRE match)