Clankerusecase
Threat-actor profile

🌐Thrip

🌐 Thrip is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 4 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 use cases
0 articles
4 techniques
0 IOCs

About this actor (MITRE)

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. (Citation: Symantec Thrip June 2018)

Known aliases

Thrip

Top techniques

All other tracked techniques

Detection use cases (14)

- Thrip 'living-off-the-land' remote-access tooling install (LogMeIn / PsExec / WinSCP) on espionage-target hosts [AI · profile SΣ]
- Thrip PowerShell-driven exfiltration over non-C2 channel (FTP / SMB / SCP) following credential-access activity [AI · profile S]
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
- DNS tunneling / TXT-heavy domain queries [MITRE match]
- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) [MITRE match]
- Office app spawning script/LOLBin child process [MITRE match]
- Phishing-link click correlated to endpoint execution [MITRE match]
- PowerShell encoded / obfuscated command [MITRE match]
- Cisco ASA - Device File Copy to Remote Location [MITRE match]
- Cisco Secure Firewall - Connection to File Sharing Domain [MITRE match]
- Cisco Secure Firewall - Potential Data Exfiltration [MITRE match]
- Gsuite Outbound Email With Attachment To External Domain [MITRE match]
- Windows NirSoft AdvancedRun [MITRE match]