

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [1]

ID: G0043
Version: 1.1
Created: 31 May 2017
Last Modified: 25 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1107 File Deletion

Malware used by Group5 is capable of remotely deleting files from victims.[1]

Enterprise T1056 Input Capture

Malware used by Group5 is capable of capturing keystrokes.[1]

Enterprise T1027 Obfuscated Files or Information

Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.[1]

Enterprise T1113 Screen Capture

Malware used by Group5 is capable of watching the victim's screen.[1]

Enterprise T1045 Software Packing

Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines.[1]
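The packing described above (base64 encoding a whole PE image and spreading the string across many lines) defeats naive single-line string matching but is cheap to undo: collect consecutive lines that are pure base64, join them, decode, and check for the MZ/PE headers. The script below is an added example, not Group5's loader or code from the page; the dropper layout it builds (`payload = ( "..." "..." )`) and the fake PE image are constructed for illustration. It handles both the split-line case the page describes and an unsplit single line.

```python
import base64
import binascii
import re
import struct

# Constructed sample, not real malware: a minimal image with just enough
# structure for the check below (DOS 'MZ' stub, e_lfanew, 'PE\0\0' signature).
def build_fake_pe() -> bytes:
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> NT headers at 0x80
    return bytes(dos_header) + bytes(0x80 - 64) + b"PE\0\0" + bytes(64)

def pack_as_split_base64(pe: bytes, width: int = 76) -> str:
    """Reproduce the packing the page describes: base64 the whole PE, then break
    the string across many lines. The surrounding script syntax is an assumed
    dropper layout for illustration, not Group5's actual loader."""
    b64 = base64.b64encode(pe).decode("ascii")
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "payload = (\n" + "\n".join(f'    "{c}"' for c in chunks) + "\n)\n"

# A run of base64-alphabet characters long enough to be worth reassembling.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def _decode_run(chunks: list) -> bytes:
    """Join the per-line fragments, repair padding, decode; b'' if not base64."""
    joined = "".join(chunks)
    joined += "=" * (-len(joined) % 4)
    try:
        return base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return b""

def find_packed_pe(text: str) -> list:
    """Return (first_line, last_line, decoded_size) for every run of consecutive
    lines whose base64 fragments, concatenated, decode to a PE image."""
    findings, run, run_start = [], [], 0
    lines = text.splitlines()

    def flush(last_line: int) -> None:
        blob = _decode_run(run)
        if looks_like_pe(blob):
            findings.append((run_start, last_line, len(blob)))

    for n, line in enumerate(lines, 1):
        m = B64_RUN.search(line)
        if m:
            if not run:
                run_start = n
            run.append(m.group(0))
            continue
        if run:                 # a non-base64 line ends the current run
            flush(n - 1)
            run = []
    if run:                     # file ended inside a run
        flush(len(lines))
    return findings

if __name__ == "__main__":
    sample = pack_as_split_base64(build_fake_pe())
    for first, last, size in find_packed_pe(sample):
        print(f"embedded PE: lines {first}-{last}, {size} bytes decoded")
```

The decode step is the real filter: long alphanumeric runs (hashes, identifiers) will match the regex, but only a run that decodes to something carrying both the `MZ` stub and a `PE\0\0` signature at `e_lfanew` is reported. For production use, extend the regex to the URL-safe alphabet and tolerate the concatenation operators (`+`, `&`, `.`) that different scripting languages place between fragments.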

Enterprise T1065 Uncommonly Used Port

Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083.[1]


Software

ID Name References Techniques
S0336 NanoCore [1] Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0385 njRAT [1] Application Window Discovery, Command-Line Interface, Credentials from Web Browsers, Custom Command and Control Protocol, Data Encoding, Data from Local System, Disabling Security Tools, File and Directory Discovery, File Deletion, Input Capture, Modify Registry, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture