Clankerusecase
Threat-actor profile

🌐Group5

🌐 Group5 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 13 detection use cases to this actor across 4 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

13 Use cases
0 Articles
4 Techniques
0 IOCs

About this actor (MITRE)

[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

Known aliases

Group5

Top techniques

All other tracked techniques

Detection use cases (13)

- Group5 commodity RAT install chain — script/document parent drops EXE to AppData and self-registers Run key (njRAT / NanoCore) (AI · profile)
- Clear Unallocated Sector Using Cipher App (MITRE match)
- Linux Account Manipulation Of SSH Config and Keys (MITRE match)
- Linux Deletion Of Cron Jobs (MITRE match)
- Linux Deletion Of Init Daemon Script (MITRE match)
- Linux Deletion Of Services (MITRE match)
- Linux Deletion of SSL Certificate (MITRE match)
- Remcos RAT File Creation in Remcos Folder (MITRE match)
- Suspicious Image Creation In Appdata Folder (MITRE match)
- Suspicious WAV file in Appdata Folder (MITRE match)
- Windows Obfuscated Files or Information via RAR SFX (MITRE match)
- Windows Screen Capture in TEMP folder (MITRE match)
- Windows Screen Capture Via Powershell (MITRE match)