Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
4 malware familiesExploits CVEs in the wild

Gorgon Group

Also known asGorgon Group

Gorgon Group is a tracked threat actor referred to in the provided content as Gorgon Group. The content associates the group with spearphishing-based delivery using malicious Microsoft Office attachments and attempts to induce user execution of those attachments. Observed tradecraft includes PowerShell execution, including use of the WindowStyle hidden parameter (-W Hidden) to conceal PowerShell windows; use of PowerShell to download and execute payloads and open decoy documents; and use of cmd.exe to download and execute payloads and run commands on victim systems. The group's malware can decode Base64-encoded payload content and write the decoded content to disk. For persistence, the malware can create .lnk files and add Registry Run keys. For defense evasion, the malware can attempt to disable security features in Microsoft Office and Windows Defender using taskkill, and can deactivate Microsoft Office security mechanisms by modifying keys and values under HKCU\Software\Microsoft\Office. The content also states that Gorgon Group has obtained and used tools such as QuasarRAT and Remcos. No nation-state attribution is stated in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics35 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1588
Obtain Capabilities
T1588.002×3
Tool
T1608
Stage Capabilities
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×12
Spearphishing Attachment
TA0002
Execution
5 techniques
T1059
Command and Scripting Interpreter
T1059.001×12
PowerShell
T1059.003×4
Windows Command Shell
T1106
Native API
T1129
Shared Modules
T1204
User Execution
T1204.002×6
Malicious File
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1112×10
Modify Registry
T1547
Boot or Logon Autostart Execution
T1547.001×4
Registry Run Keys / Startup Folder
T1547.009
Shortcut Modification
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
T1547.001×4
Registry Run Keys / Startup Folder
T1547.009
Shortcut Modification
TA0005
Stealth
4 techniques
T1036
Masquerading
T1036.008
Masquerade File Type
T1140×4
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1564.003×2
Hidden Window
T1564.006
Run Virtual Instance
T1574
Hijack Execution Flow
TA0112
Defense Impairment
1 technique
T1112×10
Modify Registry
TA0007
Discovery
3 techniques
T1012
Query Registry
T1087
Account Discovery
T1087.002
Domain Account
T1518
Software Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0011
Command and Control
1 technique
T1105
Ingress Tool Transfer
TA0040
Impact
1 technique
T1531
Account Access Removal
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
RemcosGorgon Group has obtained and used tools such as QuasarRAT and Remcos.2May 26, 2026
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026
NishangThe following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server.1Mar 17, 2026
QuasarRATGorgon Group has obtained and used tools such as QuasarRAT and Remcos.1May 26, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
May 12, 2026
Detection: Powershell Defender Threat Actions Set to Allow | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 16, 2026
Detection: Windows Anomalous Registry Value Length in Environment Key | Splunk Security Content

Referenced as a threat actor associated with registry modification behavior (MITRE ATT&CK T1112: Modify Registry) in the context of this detection analytic.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping25

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.