6 malware familiesExploits CVEs in the wild

Group5

Also known asGroup5

Group5 is a suspected Iranian threat actor, though attribution to Iran is not definitive. Reporting cited in the content states the operators appeared comfortable with Iranian Persian dialect tools, used Iranian hosting companies, and appeared to run elements of the operation from Iranian IP space. Group5 has targeted individuals connected to the Syrian opposition using malware delivered through spearphishing and watering hole attacks. The group’s malware has been described as capable of remotely deleting files from victims and capturing the victim’s screen. Group5 also disguised malicious binaries with several layers of obfuscation, including encrypting files. Known alias in the provided content: group5.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇸🇾 Syria

MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics24 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1189×3

Drive-by Compromise

T1566×2

Phishing

T1566.001×3

Spearphishing Attachment

TA0002

Execution

2 techniques

T1203

Exploitation for Client Execution

T1204

User Execution

TA0003

Persistence

1 technique

T1547

Boot or Logon Autostart Execution

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

TA0005

Stealth

4 techniques

T1027×6

Obfuscated Files or Information

T1027.002

Software Packing

T1027.013×3

Encrypted/Encoded File

T1036

Masquerading

T1070

Indicator Removal

T1070.004×12

File Deletion

T1564

Hide Artifacts

TA0006

Credential Access

1 technique

T1056

Input Capture

T1056.001

Keylogging

TA0009

Collection

4 techniques

T1056

Input Capture

T1056.001

Keylogging

T1113×8

Screen Capture

T1123

Audio Capture

T1125

Video Capture

TA0011

Command and Control

2 techniques

T1105

Ingress Tool Transfer

T1219×2

Remote Access Tools

TA0040

Impact

1 technique

T1485

Data Destruction

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DroidJack"The APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as SandroRAT."2Mar 18, 2026

NanoCore"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."2Mar 18, 2026

njRAT"However, the ultimate malware payload in this case is njRat, another well-known RAT tool."2Mar 18, 2026

PAC Crypt"...obfuscated using a crypter tool named ‘PAC Crypt’."1Mar 18, 2026

RemcosThis activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording.1Mar 17, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2014-4114Sandworm Windows OLE Package Manager Remote Code ExecutionIn the wildEvidence1

"In the assadcrimes1.ppsx, the operator has created a PowerPoint file that leverages CVE-2014-4114, a vulnerability in the OLE packager component of the Windows operating system" and later: "This PowerPoint document leverages CVE-2014-4114... causes a file embedded within the PowerPoint document to be copied to disk and executed silently on vulnerable systems."

IOCS

Observables

24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

24 IOCsView more in app

hash.md5

13 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+5

hash.sha256

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

3 total

•••••••••••••••••••••••••••

Domains

2 total

••••••.com•••••••.ru

uri

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Feb 25, 2026

Detection: Clear Unallocated Sector Using Cipher App | Splunk Security Content

Referenced as a threat actor associated with the file deletion / defense evasion technique of clearing unallocated sectors using cipher.exe /w, a behavior noted as used by ransomware to hinder forensic recovery.

splunk researchNews

Feb 25, 2026

Detection: Linux Deletion Of Init Daemon Script | Splunk Security Content

Referenced as a threat actor associated with file deletion and data destruction behavior in the detection annotation.

splunk researchNews

Feb 25, 2026

Detection: Recursive Delete of Directory In Batch CMD | Splunk Security Content

Listed as a threat actor associated with the file deletion technique T1070.004 in the detection annotation.

splunk researchNews

Feb 25, 2026

Detection: Windows Obfuscated Files or Information via RAR SFX | Splunk Security Content

Referenced in the detection annotation as a threat actor/activity cluster associated with use of encrypted/encoded files for defense evasion via RAR SFX-related activity.

+32 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables24

Domains, IPs, and hashes tied to this actor, refreshed continuously.