1 malware familyExploits CVEs in the wild

SOURGUM

Also known assourgum

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics29 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1591

Gather Victim Org Information

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.006

Web Services

TA0001

Initial Access

3 techniques

T1078

Valid Accounts

T1189

Drive-by Compromise

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.002

Spearphishing Link

TA0002

Execution

1 technique

T1203

Exploitation for Client Execution

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

TA0004

Privilege Escalation

3 techniques

T1068

Exploitation for Privilege Escalation

T1078

Valid Accounts

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

TA0005

Stealth

4 techniques

T1027

Obfuscated Files or Information

T1036

Masquerading

T1078

Valid Accounts

T1620

Reflective Code Loading

TA0006

Credential Access

4 techniques

T1003

OS Credential Dumping

T1003.001

LSASS Memory

T1528

Steal Application Access Token

T1555

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

T1557

Adversary-in-the-Middle

TA0009

Collection

2 techniques

T1005

Data from Local System

T1557

Adversary-in-the-Middle

TA0011

Command and Control

1 technique

T1071

Application Layer Protocol

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

CandiruFinding: Catalans Targeted with Candiru. In July 2021, we published “Hooking Candiru,” in which we identified and analysed Candiru’s mercenary spyware, in cooperation with Microsoft.1May 25, 2026

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2021-31979Windows Kernel Elevation of Privilege VulnerabilityIn the wildEvidence1

Microsoft also discovered two zero-day vulnerabilities (CVE-2021-31979, CVE-2021-33771) employed by Candiru to infect Windows systems, and patched them in July 2021.

CVE-2021-33771Windows Kernel Elevation of Privilege VulnerabilityIn the wildEvidence1

Microsoft also discovered two zero-day vulnerabilities (CVE-2021-31979, CVE-2021-33771) employed by Candiru to infect Windows systems, and patched them in July 2021.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping19

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.