{
	"id": "3b74b72c-af66-42e1-9d5a-534d80bc04b3",
	"created_at": "2026-04-06T00:06:54.307858Z",
	"updated_at": "2026-04-10T03:30:33.303568Z",
	"deleted_at": null,
	"sha1_hash": "4722defeebb82ad43c1515e41a4a9e89ec4b3ff8",
	"title": "Iranian Actor “Group5” Targeting Syrian Opposition",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281110,
	"plain_text": "Iranian Actor “Group5” Targeting Syrian Opposition\r\nBy SecurityWeek News\r\nPublished: 2016-08-04 · Archived: 2026-04-05 18:11:22 UTC\r\nA threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP\r\nspace at times was observed targeting the Syrian opposition in an elaborately staged malware operation,\r\nCitizen Lab researchers reveal.\r\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email\r\ncontaining a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs,\r\nmalicious PowerPoint files, and Android malware.\r\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian\r\nopposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after\r\nregime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a\r\ngroup linked to Lebanon did the same in the past.\r\nTo conduct its attacks, the group uses social engineering, as it “borrows opposition text and slogans for e-mail\r\nmessages and watering holes,” Citizen Lab researchers say. 
The group’s technical quality, however, is low, and researchers suggest that they identified the actor early in its lifecycle, before it could launch a full campaign using the malware it staged and prepared.\r\nThe group is believed to be state-sponsored, at least in some form, though it’s yet unclear which state is behind it. However, Citizen Lab researchers reveal that Group5 is likely a new entrant in Syria, and that there is “only circumstantial evidence pointing to an Iranian nexus.” Yet the group’s activity shows that the Syrian opposition is facing continuing information security risks.\r\nThe investigation was triggered by a suspicious email received in early October 2015 by Noura Al-Ameer, a well-connected Syrian opposition political figure, which was sent from the same IP address that hosted the command and control (C\u0026C) server the malware inside it was connecting to.\r\nhttps://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition\r\nThe email was sent from an address on assadcrimes[.]info, a website found to be distributing other malicious files, including a .ppsx and a .exe. The PPSX documents, for example, were found to be leveraging the CVE-2014-4114 vulnerability to drop and execute malicious code, but also to execute OLE objects using animation actions within a PowerPoint slideshow.\r\nResearchers also discovered that the group was employing two commonly available Remote Access Trojans (RATs), njRat and NanoCore RAT, for its nefarious operations. The binaries were delivered hidden under several layers of obfuscation to reduce the possibility of detection by antivirus software.\r\nThe two malware variants were used to collect data from the compromised machines, to keep an eye on the victim’s screen, or to capture passwords and keystrokes. They were also used to remotely delete files and even to spy on the computer user via the microphone or webcam.\r\nIn addition to these malicious applications for Windows, the assadcrimes[.]info website also contained a decoy Flash Player update page that linked to a piece of Android malware called DroidJack. The Trojan, which evolved from a piece of malware called SandroRAT, was recently used in a global attack, hidden inside a fake Pokémon GO application.\r\nThe Trojan was created to capture messages, contacts, photos and other data from the infected Android device, as well as to remotely activate the phone camera and microphone, without notifying the victim. The use of this malware isn’t surprising, researchers say: “It is common for Syrians to share Android APK files outside the Google Play Store, as Google Play Services are not available within Syria.”\r\nBecause the assadcrimes[.]info operators left a folder containing the website logs public, researchers were able to identify the IP addresses used by Group5 while developing the site, though they couldn’t conclusively identify victims’ IPs. During the site’s early development in the first half of October, it was accessed hourly from an Iranian IP block. The operators also accessed the site from the malware’s C\u0026C server, Citizen Lab says.\r\n“These links provide evidence for an Iranian nexus, and suggest that the operator may have been taking steps to conceal their true origin IP. However, these steps were not well executed, which enabled us to track Group5 as they continued to access the site,” researchers reveal. According to them, however, the threat actor appears to have abandoned the site after New Year, following a flurry of activity in October 2015.\r\nAccording to researchers, there is also the possibility that a known group was behind this whole operation and that a key piece missing from the puzzle prevented the investigators from making the correct associations, although the tools used to obfuscate the RATs link the group to known threat actors (Mr. Tekide) and tools (the PAC Crypt tool).\r\n“We cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above provides a circumstantial case. The IP addresses observed during early stages of development of the Assadcrimes website, as well as the Iranian hosting provider and the Persian language mailer, all speak to a level of Iranian presence. The additional apparent involvement of an Iranian malware developer with ties to a known Iranian cyber actor, whether his involvement was unwitting or intentional, only strengthens the Iranian connection,” researchers say.\r\nRelated: India-Linked Threat Actor Targets Military, Political Entities Worldwide\r\nRelated: Hacktivists Leak 43GB of Data From Syrian Government\r\nSource: https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition"
	],
	"report_names": [
		"iranian-actor-group5-targeting-syrian-opposition"
	],
	"threat_actors": [
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4722defeebb82ad43c1515e41a4a9e89ec4b3ff8.pdf",
		"text": "https://archive.orkl.eu/4722defeebb82ad43c1515e41a4a9e89ec4b3ff8.txt",
		"img": "https://archive.orkl.eu/4722defeebb82ad43c1515e41a4a9e89ec4b3ff8.jpg"
	}
}