Skip to main content
Mallory
Back to threat actors
6 malware familiesExploits CVEs in the wild

Group5

Also known asGroup5

Group5 is a threat actor referenced in the provided content as using malware with screen capture capability and anti-forensic/defense evasion features. Reported capabilities include remotely deleting files from victims and watching or capturing the victim's screen. The content also states that Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting files. MITRE ATT&CK technique references in the content associate Group5 with T1070.004 (File Deletion), T1027.013 (Encrypted/Encoded File), and T1113 (Screen Capture). One cited report states that Group5 stood out because the operators appeared comfortable with Iranian Persian dialect tools and Iranian hosting companies, and elements of the operation appeared to have been run from Iranian IP space. No additional high-confidence aliases or sub-groups are provided beyond the name Group5.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics24 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1189×2
Drive-by Compromise
T1566
Phishing
T1566.001×2
Spearphishing Attachment
TA0002
Execution
2 techniques
T1203
Exploitation for Client Execution
T1204
User Execution
TA0003
Persistence
1 technique
T1547
Boot or Logon Autostart Execution
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
TA0005
Stealth
4 techniques
T1027×6
Obfuscated Files or Information
T1027.002
Software Packing
T1027.013×3
Encrypted/Encoded File
T1036
Masquerading
T1070
Indicator Removal
T1070.004×12
File Deletion
T1564
Hide Artifacts
TA0006
Credential Access
1 technique
T1056
Input Capture
T1056.001
Keylogging
TA0009
Collection
4 techniques
T1056
Input Capture
T1056.001
Keylogging
T1113×8
Screen Capture
T1123
Audio Capture
T1125
Video Capture
TA0011
Command and Control
2 techniques
T1105
Ingress Tool Transfer
T1219×2
Remote Access Tools
TA0040
Impact
1 technique
T1485
Data Destruction
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
DroidJack"The APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as SandroRAT."2Mar 18, 2026
NanoCore"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."2Mar 18, 2026
njRAT"However, the ultimate malware payload in this case is njRat, another well-known RAT tool."2Mar 18, 2026
PAC Crypt"...obfuscated using a crypter tool named ‘PAC Crypt’."1Mar 18, 2026
RemcosThis activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording.1Mar 17, 2026

1 additional family tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2014-4114Sandworm Windows OLE Package Manager Remote Code ExecutionIn the wildEvidence1

"In the assadcrimes1.ppsx, the operator has created a PowerPoint file that leverages CVE-2014-4114, a vulnerability in the OLE packager component of the Windows operating system" and later: "This PowerPoint document leverages CVE-2014-4114... causes a file embedded within the PowerPoint document to be copied to disk and executed silently on vulnerable systems."

IOCS

Observables

24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

24 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Feb 25, 2026
Detection: Clear Unallocated Sector Using Cipher App | Splunk Security Content

Referenced as a threat actor associated with the file deletion / defense evasion technique of clearing unallocated sectors using cipher.exe /w, a behavior noted as used by ransomware to hinder forensic recovery.

Read more
splunk researchNews
Feb 25, 2026
Detection: Linux Deletion Of Init Daemon Script | Splunk Security Content

Referenced as a threat actor associated with file deletion and data destruction behavior in the detection annotation.

Read more
splunk researchNews
Feb 25, 2026
Detection: Recursive Delete of Directory In Batch CMD | Splunk Security Content

Listed as a threat actor associated with the file deletion technique T1070.004 in the detection annotation.

Read more
splunk researchNews
Feb 25, 2026
Detection: Windows Obfuscated Files or Information via RAR SFX | Splunk Security Content

Referenced in the detection annotation as a threat actor/activity cluster associated with use of encrypted/encoded files for defense evasion via RAR SFX-related activity.

Read more
+31 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables24

Domains, IPs, and hashes tied to this actor, refreshed continuously.