Overview
Group5 is a state-linked threat actor with ties to Iran, active since at least late 2015. The group has consistently focused on cyber operations targeting individuals affiliated with the Syrian opposition. Its operations reveal strong alignment with Iranian geopolitical interests and exhibit characteristics commonly seen in other regime-backed cyber units.
Group5 utilizes infrastructure rooted in Iranian IP ranges and often leverages Iranian-language tools and domestic hosting services. These operational patterns, coupled with its historical focus on Middle Eastern political adversaries, point strongly toward a state-sponsored origin.
Geopolitical Focus and Targeting

Group5 primarily targets Syria, focusing its efforts on this key geopolitical area. Although the group’s main intent is political, its influence extends across multiple global sectors, often because of the shared use of malware tools with affiliated groups.
The industries affected by Group5 include aerospace and defense, government and law enforcement, education, energy and utilities, technology, healthcare, pharmaceuticals and biotechnology, media and entertainment, banking, financial services and insurance (BFSI), transportation and logistics, hospitality, manufacturing, automotive, and retail.
These sectors are considered high-value intelligence targets, especially in conflict-prone regions, making them attractive to threat actors aiming to broaden their espionage activities and gather critical information.
Tactics, Techniques, and Procedures (TTPs)
Group5 primarily initiates attacks through:
- Spearphishing campaigns, which often carry malicious PowerPoint files or Android applications as attachments.
- Watering hole attacks, wherein legitimate websites are compromised to serve malware to unsuspecting visitors.
Their phishing lures are tailored to appeal to Syrian opposition members, leveraging social engineering and regional context.
Malware Toolset

Group5 is known for deploying a wide range of malware targeting both Windows and Android systems. Their malware arsenal includes several well-established remote access tools (RATs), each with distinct functionalities designed to support surveillance, data theft, and persistent access.
- DroidJack: A remote access tool designed for Android platforms, DroidJack is often disguised as popular mobile applications such as Pokémon GO or Super Mario Run. Once installed, it grants full remote control over the infected device. Threat actors use it to monitor user activity, access sensitive data, and perform other malicious operations without the victim’s knowledge.
- NanoCore RAT: This modular, .NET-based remote access tool has been active since 2013. It is primarily used on Windows systems and supports a wide range of functions, including spying, credential theft, and evasion of detection mechanisms. Its flexibility and extensive capabilities have made it a popular tool among cybercriminals and nation-state actors alike.
- njRAT (also known as Bladabindi): njRAT is another widely used Windows-based remote access tool. It enables threat actors to log keystrokes, capture screens, delete files remotely, and fully control the compromised system. Its lightweight design and widespread availability have made it a tool of choice for both state-sponsored and criminal cyber operations.
These tools collectively enable Group5 to conduct comprehensive surveillance and data exfiltration across multiple platforms, increasing their operational reach and effectiveness.
How They Operate: A Case Scenario
In a typical campaign, Group5 may target a Syrian opposition figure via a spearphishing email. The email might contain an enticing attachment, such as a politically themed PowerPoint file or a link to an Android APK mimicking a popular mobile game.
Once the attachment is opened, a RAT such as NanoCore or DroidJack is installed silently. This grants the attackers remote access to the victim’s device, enabling them to:
- Capture keystrokes
- Monitor screen activity
- Extract sensitive files
- Delete incriminating data
- Persist undetected for extended periods
By leveraging these tools, Group5 can infiltrate private communications, gather intelligence on political opposition networks, and extend their surveillance to connected individuals and devices.
Malware Deep Dives
DroidJack (Android)
- Function: Full-device surveillance and control.
- Delivery: Typically disguised as APKs of trending apps.
- Capabilities:
  - Read messages
  - Access stored files
  - Activate the microphone or the camera
  - Send SMS or initiate calls
  - Track GPS location
NanoCore RAT
- Function: Modular espionage platform.
- First Seen: 2013
- Capabilities:
  - Credential theft
  - Screen and webcam spying
  - File manipulation
  - Anti-analysis and obfuscation features
- Alternate Names: Nancrat, Atros2.CKPN, Zurten
njRAT (Bladabindi)
- Function: Lightweight but versatile RAT.
- Capabilities:
  - Keylogging
  - Screen capture
  - Credential harvesting
  - File manipulation
  - USB spreading
- Aliases: Jorik, Bladabindi
Notable Techniques (Mapped to MITRE ATT&CK)
Group5 uses a range of covert techniques to avoid detection and maintain control over compromised systems. One of their primary methods involves disguising malicious files through layers of obfuscation and encryption. This makes it difficult for traditional security tools to recognize and block the malware, allowing it to operate undetected.
Another tactic they rely on is the remote deletion of files. After successfully infecting a device, their malware can erase specific data to cover their tracks, making it harder for investigators to trace the intrusion or recover evidence.
To gather sensitive information, Group5 also uses keylogging tools. These tools silently record everything a user types, including passwords and private messages, which are then sent back to the attackers for further exploitation.
Additionally, the group is known to capture screen activity on compromised devices. By spying on what victims see and do on their screens, the attackers can collect valuable visual data, including documents, communications, and credentials, often without the user ever realizing they’ve been watched.
Related Threat Actors and Associations
Group5’s malware toolset and tactics closely align with various regional and global threat actors, some of which may share resources or tradecraft.
Closely Related Groups
| Group Name | Country of Origin | Last Seen |
| --- | --- | --- |
| APT 33 | Iran | Nov 2023 |
| Gorgon Group | Pakistan | Jul 2021 |
| Vendetta | Turkey | Jul 2025 |
| Transparent Tribe | Pakistan | Jun 2025 |
| Aquatic Panda | China | Jul 2025 |
| SideCopy | Pakistan | Oct 2023 |
| RevengeHotels | Unknown | N/A |
| RedAlpha | China | N/A |
Conclusion
Group5APT is a persistent, state-linked cyber threat focused on long-term espionage, especially in politically sensitive areas like Syria. Using tools like DroidJack, NanoCore, and njRAT, they effectively target both mobile and desktop devices.
To combat such advanced threats, Cyble offers AI-driven cybersecurity solutions recognized globally for proactive threat intelligence and automated defense. Cyble helps organizations stay protected from actors like Group5APT with real-time visibility and intelligent protection.
Schedule a free demo today and see how Cyble can better protect your organization!
Mitigation Recommendations
To defend against Group5 and similar adversaries, organizations and individuals—particularly those in high-risk political or activist roles—should adopt a multi-layered defense strategy:
- Use advanced phishing filters and train users to recognize suspicious attachments or APKs.
- Block installation of unauthorized APKs and monitor for sideloaded apps.
- Deploy tools capable of detecting obfuscated malware and unauthorized remote access activity.
- Keep all software and operating systems updated to minimize exploitable vulnerabilities.
- Look for anomalous behaviors like encrypted outbound connections or unexpected file transfers.
- Enforce multi-factor authentication (MFA) and monitor for credential leaks.
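One concrete way to act on the sideloaded-APK recommendation above, as an added example that is not part of the original post or Cyble's tooling: a script that parses the output of `adb shell pm list packages -i` (assumed to be available from a managed Android device; the sample output below is constructed) and flags packages installed by anything other than a trusted store, or whose name mimics an app that DroidJack lures are known to impersonate. The trusted-installer set and the impersonation table are assumptions to adapt to your own environment.

```python
"""Flag sideloaded and impersonating Android packages from `pm list packages -i` output."""
import re
from dataclasses import dataclass

# Installers that correspond to an app store on a managed device.
# Assumption: Google Play only; add the stores your organisation permits.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Apps that DroidJack is disguised as (per the post), keyed by a substring
# to look for in a package name, mapped to the genuine package name.
# Only the Pokémon GO entry is a verified official package; extend as needed.
IMPERSONATED = {"pokemon": "com.nianticlabs.pokemongo"}

# `pm list packages -i` prints one "package:<name>  installer=<pkg|null>" per line.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Yield (package, installer) pairs; 'null' means no installer was recorded (ADB/sideload)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("inst")


def audit(text, trusted=TRUSTED_INSTALLERS):
    """Return findings for packages that bypassed a trusted store or mimic a known app."""
    findings = []
    for pkg, inst in parse_pm_output(text):
        if inst == "null" or inst not in trusted:
            findings.append(Finding(pkg, inst, "sideloaded: installer is not a trusted store"))
        for keyword, official in IMPERSONATED.items():
            if keyword in pkg.lower() and pkg != official:
                findings.append(Finding(pkg, inst, f"name mimics {official}"))
    return findings


# Constructed sample output; the package names are illustrative, not real indicators.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.nianticlabs.pokemongo  installer=com.android.vending
package:com.pokemongo.update  installer=null
package:com.game.superrun  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.package:<30} installer={f.installer:<40} {f.reason}")
```

Run it against live output with `adb shell pm list packages -i | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.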
MITRE ATT&CK Techniques Associated with Group5

- Encrypted/Encoded Files (T1027.013): Group5 disguises its malicious binaries with multiple layers of obfuscation, including encryption, to evade detection.
- File Deletion (T1070.004): The malware can remotely delete files on infected systems to remove traces of the attack.
- Keylogging (T1056.001): Group5’s malware captures keystrokes to harvest credentials and sensitive data.
- Screen Capture (T1113): The malware records the victim’s screen to collect visual intelligence during an infection.