The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.1
Created: 02 May 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

The White Company has the ability to delete its malware entirely from the target system.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

The White Company has obfuscated their payloads through packing.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1]

Enterprise T1124 System Time Discovery

The White Company has checked the current date on the victim system.[1]

Enterprise T1204 .002 User Execution: Malicious File

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1]


ID Name References Techniques
S0198 NETWIRE [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Screen Capture, System Information Discovery
S0379 Revenge RAT [1] Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Indirect Command Execution, Ingress Tool Transfer, Input Capture: Keylogging, OS Credential Dumping, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Screen Capture, Signed Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication