Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Whitefly

🌐Whitefly

🌐 Whitefly is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 13 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0107) ↗
13Use cases
0Articles
9Techniques
0IOCs

About this actor (MITRE)

[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)

Known aliases

Whitefly

Top techniques

T1003.001 · LSASS MemoryT1027.013 · Encrypted/Encoded FileT1036.005 · Match Legitimate Resource Name or Location

All other tracked techniques

T1059 · Command and Scripting InterpreterT1068 · Exploitation for Privilege EscalationT1105 · Ingress Tool TransferT1204.002 · Malicious FileT1574.001 · DLLT1588.002 · Tool

Detection use cases (13)

Whitefly Vcrodat loader: signed AV/security-vendor binary side-loading malicious DLL from user-writable directory AI · profile SΣ Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match