
Threat Actor Profile: Group5 

Overview 

Group5 is a state-linked threat actor with ties to Iran, active since at least late 2015. The group has consistently focused on cyber operations targeting individuals affiliated with the Syrian opposition. Its operations reveal strong alignment with Iranian geopolitical interests and exhibit characteristics commonly seen in other regime-backed cyber units. 

Group5 utilizes infrastructure rooted in Iranian IP ranges and often leverages Iranian-language tools and domestic hosting services. These operational patterns, coupled with its historical focus on Middle Eastern political adversaries, point strongly toward a state-sponsored origin. 

Geopolitical Focus and Targeting 

[Figure: Cyble Vision Threat Library (Source: Cyble Vision)]

Group5 primarily targets Syria, focusing its efforts on this key geopolitical area. Although the group’s main intent is political, its influence extends across multiple global sectors, often because of the shared use of malware tools with affiliated groups.  

The industries affected by Group5 include aerospace and defense, government and law enforcement, education, energy and utilities, technology, healthcare, pharmaceuticals and biotechnology, media and entertainment, banking, financial services and insurance (BFSI), transportation and logistics, hospitality, manufacturing, automotive, and retail. 

These sectors are considered high-value intelligence targets, especially in conflict-prone regions, making them attractive to threat actors aiming to broaden their espionage activities and gather critical information. 

Tactics, Techniques, and Procedures (TTPs) 

Group5 primarily initiates attacks through: 

  • Spearphishing campaigns, typically delivering malicious PowerPoint files or Android applications. 
  • Watering hole attacks, wherein legitimate websites are compromised to serve malware to unsuspecting visitors. 

Their phishing lures are tailored to appeal to Syrian opposition members, leveraging social engineering and regional context. 

Malware Toolset 

[Figure: Malware Families Used by Group5 (Source: Cyble Vision)]

Group5 is known for deploying a wide range of malware targeting both Windows and Android systems. Their malware arsenal includes several well-established remote access tools (RATs), each with distinct functionalities designed to support surveillance, data theft, and persistent access. 

  • DroidJack: A remote access tool designed for Android platforms, DroidJack is often disguised as popular mobile applications such as Pokémon GO or Super Mario Run. Once installed, it grants full remote control over the infected device. Threat actors use it to monitor user activity, access sensitive data, and perform other malicious operations without the victim’s knowledge. 
  • NanoCore RAT: This modular, .NET-based remote access tool has been active since 2013. It is primarily used on Windows systems and supports a wide range of functions, including spying, credential theft, and evasion of detection mechanisms. Its flexibility and extensive capabilities have made it a popular tool among cybercriminals and nation-state actors alike. 
  • njRAT (also known as Bladabindi): njRAT is another widely used Windows-based remote access tool. It enables threat actors to log keystrokes, capture screens, delete files remotely, and fully control the compromised system. Its lightweight design and widespread availability have made it a tool of choice for both state-sponsored and criminal cyber operations. 

These tools collectively enable Group5 to conduct comprehensive surveillance and data exfiltration across multiple platforms, increasing their operational reach and effectiveness. 

How They Operate: A Case Scenario 

In a typical campaign, Group5 may target a Syrian opposition figure via a spearphishing email. The email might contain an enticing attachment, such as a politically themed PowerPoint file or a link to an Android APK mimicking a popular mobile game. 

Once the victim opens the attachment or installs the APK, malware such as NanoCore or DroidJack is silently deployed. This grants the attackers remote access to the victim’s device, enabling them to: 

  • Capture keystrokes 
  • Monitor screen activity 
  • Extract sensitive files 
  • Delete incriminating data 
  • Persist undetected for extended periods 

By leveraging these tools, Group5 can infiltrate private communications, gather intelligence on political opposition networks, and extend their surveillance to connected individuals and devices. 

Malware Deep Dives 

DroidJack (Android) 

  • Function: Full-device surveillance and control. 
  • Delivery: Typically disguised as APKs of trending apps. 
  • Capabilities: 
      • Read messages 
      • Access stored files 
      • Activate the microphone or the camera 
      • Send SMS or initiate calls 
      • Track GPS location 

NanoCore RAT 

  • Function: Modular espionage platform. 
  • First Seen: 2013 
  • Capabilities: 
      • Credential theft 
      • Screen and webcam spying 
      • File manipulation 
      • Anti-analysis and obfuscation features 
  • Alternate Names: Nancrat, Atros2.CKPN, Zurten 

njRAT (Bladabindi) 

  • Function: Lightweight but versatile RAT. 
  • Capabilities: 
      • Keylogging 
      • Screen capture 
      • Credential harvesting 
      • File manipulation 
      • USB spreading 
  • Aliases: Jorik, Bladabindi 

Notable Techniques (Mapped to MITRE ATT&CK) 

Group5 uses a range of covert techniques to avoid detection and maintain control over compromised systems. One of their primary methods involves disguising malicious files through layers of obfuscation and encryption. This makes it difficult for traditional security tools to recognize and block the malware, allowing it to operate undetected. 

Another tactic they rely on is the remote deletion of files. After successfully infecting a device, their malware can erase specific data to cover their tracks, making it harder for investigators to trace the intrusion or recover evidence. 

To gather sensitive information, Group5 also uses keylogging tools. These tools silently record everything a user types, including passwords and private messages, which are then sent back to the attackers for further exploitation. 

Additionally, the group is known to capture screen activity on compromised devices. By spying on what victims see and do on their screens, the attackers can collect valuable visual data, including documents, communications, and credentials, often without the user ever realizing they’ve been watched.   

Related Threat Actors and Associations 

Group5’s malware toolset and tactics closely align with various regional and global threat actors, some of which may share resources or tradecraft. 

Closely Related Groups 

Group Name          Country of Origin   Last Seen
APT 33              Iran                Nov 2023
Gorgon Group        Pakistan            Jul 2021
Vendetta            Turkey              Jul 2025
Transparent Tribe   Pakistan            Jun 2025
Aquatic Panda       China               Jul 2025
SideCopy            Pakistan            Oct 2023
RevengeHotels       Unknown             N/A
RedAlpha            China               N/A

Conclusion 

Group5APT is a persistent, state-linked cyber threat focused on long-term espionage, especially in politically sensitive areas like Syria. Using tools like DroidJack, NanoCore, and njRAT, they effectively target both mobile and desktop devices. 

To combat such advanced threats, Cyble offers AI-driven cybersecurity solutions recognized globally for proactive threat intelligence and automated defense. Cyble helps organizations stay protected from actors like Group5APT with real-time visibility and intelligent protection. 


Mitigation Recommendations 

To defend against Group5 and similar adversaries, organizations and individuals—particularly those in high-risk political or activist roles—should adopt a multi-layered defense strategy: 

  • Use advanced phishing filters and train users to recognize suspicious attachments or APKs. 
  • Block installation of unauthorized APKs and monitor for sideloaded apps. 
  • Deploy tools capable of detecting obfuscated malware and unauthorized remote access activity. 
  • Keep all software and operating systems updated to minimize exploitable vulnerabilities. 
  • Look for anomalous behaviors like encrypted outbound connections or unexpected file transfers. 
  • Enforce multi-factor authentication (MFA) and monitor for credential leaks. 
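The second recommendation above (monitor for sideloaded apps) can be checked against an Android device inventory. The script below is an added example, not Cyble's tooling: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), flags packages that did not come from the Play Store, and flags packages whose display label claims to be one of the games DroidJack has been seen impersonating while the package ID is not the official one. The official package IDs, the trusted-installer set and the sample inventory are assumptions constructed for the example.

```python
"""Triage sideloaded Android packages from 'pm list packages -3 -i' output.
Added example; assumes the label map comes from an MDM inventory."""
import re
from dataclasses import dataclass

# Installers accepted as trusted stores. Assumption: the Play Store only;
# an enterprise MDM installer package would be added here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Official package IDs of apps DroidJack has been disguised as (page: Pokémon GO,
# Super Mario Run). Assumption: IDs as published on Google Play; verify locally.
OFFICIAL_PACKAGES = {
    "Pokémon GO": "com.nianticlabs.pokemongo",
    "Super Mario Run": "com.nintendo.zara",
}

# Real 'pm list packages -i' line shape: "package:<id>  installer=<id|null>".
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass
class Finding:
    package: str
    reason: str


def parse_pm_output(text):
    """Return {package_id: installer_or_None}; 'null' means sideloaded/unknown."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result


def triage(pm_text, labels, trusted=TRUSTED_INSTALLERS):
    """Flag sideloaded packages and labels that impersonate a known app."""
    findings = []
    for pkg, inst in parse_pm_output(pm_text).items():
        if inst not in trusted:
            findings.append(Finding(pkg, f"sideloaded (installer={inst})"))
        official = OFFICIAL_PACKAGES.get(labels.get(pkg, ""))
        if official and official != pkg:
            findings.append(Finding(pkg, f"label claims {official}, ID differs"))
    return findings


# Constructed sample inventory: genuine game, sideloaded lookalike, store-installed app.
SAMPLE_PM = """\
package:com.nianticlabs.pokemongo  installer=com.android.vending
package:com.sample.pokemongo  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_LABELS = {
    "com.nianticlabs.pokemongo": "Pokémon GO",
    "com.sample.pokemongo": "Pokémon GO",  # constructed lookalike
    "com.example.notes": "Notes",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_LABELS):
        print(f"{f.package}: {f.reason}")
```

Preinstalled system apps also report `installer=null`, which is why the input is taken from `pm list packages -3` (third-party only) rather than the full package list.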

MITRE ATT&CK Techniques Associated with Group5 

[Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)]

  • Encrypted/Encoded Files (T1027.013): Group5 disguises its malicious binaries with multiple layers of obfuscation, including encryption, to evade detection. 
  • File Deletion (T1070.004): The malware can remotely delete files on infected systems to remove traces of the attack. 
  • Keylogging (T1056.001): Group5’s malware captures keystrokes to harvest credentials and sensitive data. 
  • Screen Capture (T1113): The malware records the victim’s screen to collect visual intelligence during an infection. 