Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]

ID: G0076
Version: 1.2
Created: 17 October 2018
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Thrip has obtained and used tools such as Mimikatz and PsExec.[1]

Enterprise T1219 Remote Access Software

Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1]