{
	"id": "e1a577b0-b1c5-44cf-8212-ed1df4d83d60",
	"created_at": "2026-04-06T02:12:31.852327Z",
	"updated_at": "2026-04-10T13:11:40.812545Z",
	"deleted_at": null,
	"sha1_hash": "4cd158310f71226c89ea045ca677732c00778c87",
	"title": "Group5: Syria and the Iranian Connection - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11861402,
	"plain_text": "Group5: Syria and the Iranian Connection - The Citizen Lab\r\nArchived: 2026-04-06 01:37:43 UTC\r\nExecutive Summary\r\nThis report describes an elaborately staged malware operation with targets in the Syrian opposition. The operators use a\r\nrange of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers\r\nof well-connected individuals in the Syrian opposition.\r\nWe first discovered the operation in late 2015 when a member of the Syrian opposition spotted a suspicious e-mail\r\ncontaining a PowerPoint slideshow. From this initial message, we uncovered a watering hole website with malicious\r\nprograms, malicious PowerPoint files, and Android malware, all apparently designed to appeal to members of the\r\nopposition.\r\nElements of the Syrian opposition have been targeted by malware campaigns since the early days of the conflict: regime-linked malware groups, the Syrian Electronic Army, ISIS, and a group linked to Lebanon reported by FireEye in 2015 have\r\nall attempted to penetrate opposition computers and communications. Some of these operations are still active as of the time\r\nof writing. This report adds one more threat actor to the list: Group5, which we name to reflect the four other known\r\nmalware groups.\r\nGroup5 stands out from the operations that have already been reported on: some of the tactics and tools used have not been\r\nobserved in this conflict; the operators seem comfortable with Iranian Persian dialect tools and Iranian hosting companies;\r\nand they appear to have run elements of the operation from Iranian IP space.\r\nhttps://citizenlab.ca/2016/08/group5-syria/\r\nPage 1 of 51\n\nLike a chameleon, Group5 borrows opposition text and slogans for e-mail messages and watering holes, showing evidence\r\nof good social engineering and targeting. 
However, Group5’s technical quality is low, and their operational security uneven.\r\nThis is a common feature of many operations in the Syrian context: since the baseline security of many of the targets is very\r\nlow, many successful threat actors seem to conserve (and in some cases not possess) more sophisticated techniques. We\r\nbelieve we identified Group5 early in its lifecycle, before all of the malware that had been staged and prepared could be\r\ndeployed in a full campaign.\r\nOur analysis indicates that Group5 is likely a new entrant in Syria, and we outline the circumstantial evidence pointing to an\r\nIranian nexus. We do not conclusively attribute Group5 to a sponsor, although we suspect the interests of a state are present,\r\nin some form. Group5 is just the latest addition to an expanding cast of actors targeting Syrian opposition groups, and its\r\nentry into the conflict shows the continuing information security risks that they face.\r\nBackground: The Perpetual Targeting of the Syrian Opposition\r\nSyrians have experienced monitoring and blocking of their electronic communications for many years. As a result, many\r\nmore technically literate Syrians have familiarized themselves with VPNs and other tools to circumvent simple blocking,\r\nand achieve a degree of privacy. After the 2011 Uprising began, the regime disconnected telecommunications services in\r\nmany areas controlled by opposition groups. This led, in these areas, to the widespread adoption of satellite internet\r\nconnectivity, mostly via VSAT (Very Small Aperture Terminal) services like Tooway and iDirect, and to a lesser extent the\r\nuse of BGAN (Broadband Global Area Network) terminals.\r\nAt the same time, the Syrian opposition’s activities outside the country, both in neighboring countries like Turkey, as well as\r\nin the diaspora, dramatically increased. 
Much of this activity takes place over social networks, free e-mail accounts like\r\nGmail (and Google Apps for Work), and via tools like Skype’s VoIP services.\r\nThese shifts in connectivity limited the effectiveness of the passive monitoring and blocking used by the Al Assad Regime,\r\nand frustrated its abilities to monitor the opposition.\r\nHowever, the shift towards social networks and other online tools has created new opportunities for the regime to target the\r\nopposition. Opposition members constantly share information, files, tools and programs, via social media. This highly-connected environment enables them to be highly aware of changing events, and quickly mobilize resources. In addition, a\r\nnumber of online services, such as the Google Play Store, are blocked or restricted for Syria. As a result, a culture of sharing\r\nAndroid APK files has also developed.\r\nThe heavy reliance on popular online platforms, and regular sharing of tools, presents many opportunities to seed malicious\r\nfiles. For the regime, a successful operation means a chance to regain visibility into the activities of groups within the\r\ngeographic borders of Syria, while extending their reach outside into the diaspora. For other groups, such as ISIS, the digital\r\nvulnerability of the opposition presents an opportunity to develop a capability against opposition communications. The\r\nfollowing section outlines several of these known threat actors.\r\nRegime-Linked Groups\r\nThe most well-known threat actor to target the Syrian Revolution is the Syrian Electronic Army (SEA). However, many of\r\nthe targets of the SEA have been Western organizations, although the SEA continues to conduct lower-profile operations that\r\ninclude malware against the opposition. Less notorious, although still the subject of reporting, are malware groups linked to\r\nthe regime. 
These malware groups have been active since 2011, and have used a wide range of Commercial-Off-The-Shelf\r\n(COTS) Remote Access Trojans (RATs) to target the opposition. Typically, these groups bundle RATs with a wide range of\r\ndocuments and programs designed to appeal to the opposition. Over the years, these campaigns have included everything\r\nfrom “revolution plans” and lists of “wanted suspects” to fake security and encryption tools. These campaigns have been\r\nextensively characterized by reports from the Citizen Lab, The Electronic Frontier Foundation, and private companies like\r\nTrendMicro and Kaspersky. A range of reports have documented these regime-linked campaigns over the years.\r\nPro-Regime Groups Outside Syria\r\nThere is also evidence of pro-Assad groups outside Syria participating in malware campaigns against the opposition. Notably, a\r\ngroup reported on in 2015 by FireEye (in collaboration with one of the authors of this report) used female avatars to send\r\ntrojaned documents to high-profile figures in opposition politics, aid, and armed groups. The operation yielded over 31,000\r\nconversations, and a trove of sensitive information about a variety of groups’ plans and activities. This group also made use\r\nof fake matchmaking websites and social media accounts to backstop their deception.\r\nISIS-Linked Groups\r\nOn a different side of the conflict, the Citizen Lab documented a malware operation linked to ISIS against the group ‘Raqqa is\r\nBeing Slaughtered Silently’ (RBSS) in 2015. The operators, masquerading as a group of RBSS sympathizers based in\r\nCanada, targeted victims with a file that claimed to contain locations of ISIS forces and US Airstrikes within Syria. The file\r\nactually contained custom malware that collected and transmitted information about the infected computer. 
The report\r\nconcluded that there was strong circumstantial evidence linking the malware to members of ISIS.\r\nMany Groups, Similar Tactics\r\nEach of these groups has distinct Tactics, Techniques and Procedures (TTPs). However, one common thread among the\r\nmany publicly-reported groups is that they rarely use exploits in their campaigns, instead relying heavily on social\r\nengineering and trickery to convince targets to execute malicious files, disguised as innocuous documents.\r\nThis may reflect some of these groups’ lack of technical sophistication. For example, many regime-linked groups seem to\r\nhave very limited skills and technical resources, and rely almost entirely on RATs coupled with well-informed social\r\nengineering. These techniques have evolved, but not improved radically since 2011. In other cases, such as the Lebanon-linked group reported on by FireEye, operators may have access to more sophisticated techniques, but see little reason to use\r\nthem against their targets, given the limited technical capabilities of the opposition.\r\nPart 1: Discovering Group5\r\nThis section describes the e-mails that first alerted us to an operation targeting the Syrian political opposition in October\r\n2015.\r\nOn October 3rd 2015, Noura Al-Ameer, a well-connected Syrian opposition political figure, negotiator, and former Vice\r\nPresident of the opposition Syrian National Council (SNC), received a suspicious e-mail. The e-mail purported to come\r\nfrom a human rights documentation organization she had never heard of: “Assad Crimes.” The sender, using the e-mail\r\naddress office@assadcrimes[.]info, claimed to be sharing information about Iranian “crimes,” a theme familiar to many in\r\nthe opposition.\r\nInterestingly, Al-Ameer’s own name was used in the assadcrimes[.]info domain registration, along with other false\r\ninformation (we speculate on the reason for using her name in Part 6: 
Analysis of Competing Hypotheses).\r\nAlong with a brief pretext in the Subject and Body, the e-mail also contains an attached Microsoft PowerPoint Slideshow\r\n(PPSX) document that, when clicked, directly opens and runs a PowerPoint slideshow.\r\nE-mail 1: The Initial Message (Dropper Doc 1)\r\nOn October 3rd 2015, Al-Ameer received the initial e-mail message, containing the first malicious file:\r\nTranslation:\r\nFrom: office@assadcrimes[.]info\r\nTo:\r\nSubject: Iran is killing the Pilgrims in Mina\r\nBody: Iran’s Crimes in the Kingdom of Saudi Arabia\r\nExamination of the header of the message indicates that the message was sent via 88.198.222[.]163, the same IP address as\r\nthe Command \u0026 Control (C2) for the malware dropped by the file (See Part 3: Windows Malware).\r\nAssadcrimes.ppsx\r\nMD5: 76F8142B4E52C671871B3DF87F10C30C\r\nCommunication with the Operator\r\nAl-Ameer, who is no stranger to digital threats, recognized that the e-mail was suspicious, and on our instruction made\r\ncontact with the operator, hoping to elicit further malware.\r\nAl-Ameer’s E-mail:\r\nTranslation:\r\nFrom: [Redacted]\r\nTo: office@assadcrimes[.]info\r\nBody:\r\nHello\r\nThe file didn’t work …. Please send a correct version\r\nE-mail 2: The Operator Replies (Dropper Doc 2)\r\nShortly after the target’s message, the operator replied with an updated file, sent via a webmail client (RoundCube):\r\nTranslation:\r\nFrom: office@assadcrimes[.]info\r\nTo: [Redacted]\r\nBody:\r\ninf* download\r\nWe are unsure why the second e-mail does not contain additional social engineering text. 
It is possible this was an oversight,\r\nor that the Group5 operator at the time was not comfortable writing in Arabic.\r\nAssadcrimes1.ppsx\r\nMD5: F1F84EA3229DCA0CCACB7381A2F49F99\r\nBait Content: Syria and Iran-Themed PowerPoint Slideshows\r\nThe PPSX documents (assadcrimes.ppsx \u0026 assadcrimes1.ppsx) contain a series of images and Arabic text, including\r\ncartoons and photographs describing politically sensitive events, such as aggressions launched by Iran against Saudi Arabia,\r\nand the politics surrounding the current Syrian conflict. The documents also provide a historical overview of Iranian-linked\r\n“attacks” and other events in the Kingdom of Saudi Arabia.\r\nTranslation:\r\nIn 1404 A.H. (1984 A.D.) an Iranian warship attacked Saudi Arabia\r\nIn 1404 A.H., two Iranian warplanes headed to Jubail industrial city to bomb and hit critical factories (a petrochemical\r\nfactory), and by God’s will the Saudi air forces were able to hit one plane, while the other managed to escape.\r\nWhen opened, both files download malware onto the victim’s machine. Malware from these files is analyzed in Part 3:\r\nWindows Malware.\r\nPart 2: The Assadcrimes Website\r\nGroup5 operated a website, assadcrimes[.]info, that served as a watering hole for Android and Windows malware. This\r\nsection outlines the various files hosted on the site.\r\nAfter the initial e-mails, we began to monitor a website linked to the e-mails: assadcrimes[.]info. At the time of these e-mails\r\n(Oct. 3, 2015), the site was not fully functional. However, within a few days (Oct. 11, 2015) the main page displayed “Posts\r\nTagged Bashar Assad Crimes” with content apparently critical of Bashar Assad. The content appears to have been scraped\r\nfrom an opposition blog, as well as from other opposition sites. This blog was created in the name of Tal al-Mallohi, known\r\nas Syria’s youngest prisoner of conscience. 
The original blog creation predates the current unrest in Syria.\r\nShortly before the publication of this report, the website was listed as “expired” and parked, indicating that the owner chose\r\nnot to renew the domain.\r\nMalware Seeding on the Website (Dropper Doc 3)\r\nWhile monitoring the website, we identified several directories that auto-download a further malicious file\r\n(assadcrimes.info.ppsx). These links seem designed for other forms of social engineering, perhaps using similar bait to the\r\nmessages targeting Al-Ameer. The Assadcrimes.info.ppsx file concerns the Syrian conflict, with characters and cartoons\r\nculled from social media and online sites.\r\nTranslation:\r\nA new Play in Syria\r\nRussian-American plan to divide the Syrian cake.\r\nWhen viewed, the victim’s computer is silently infected with malware (See Part 3: Windows Malware).\r\nAssadcrimes.info.ppsx\r\nMD5: 30BB678DB3AD0140FC33ACD9803385C3\r\nMartyred Children (Decoy Dropper 4)\r\nElsewhere on the site we found several HTML pages that, when visited, triggered the downloading of a malicious\r\nexecutable named “martyred children” (alshohadaa alatfal.exe). When executed, the program pulls images hosted on\r\nassadcrimes[.]info of the Ghouta Chemical Attacks, while simultaneously infecting the target machine with malware.\r\nMalware from the website is described in Part 3: Windows Malware.\r\nalshohadaa alatfal.exe\r\nMD5: 2FC276E1C06C3C78C6D7B66A141213BE\r\nAndroid Malware\r\nWhile examining the assadcrimes[.]info website, we identified Android malware, seeded via a fake Adobe Flash Player\r\nupdate notification. 
We describe this Android malware in detail in Part 4: Android Malware.\r\nadobe_flash_player.apk\r\nMD5: 8EBEB3F91CDA8E985A9C61BEB8CDDE9D\r\nPart 3: Windows Malware\r\nGroup5 used (or was staging) a range of malware in this operation, ranging from malicious PowerPoint slideshows using\r\nexploits to executable files that directly drop malware. A comprehensive analysis of their malware is found in Appendix A:\r\nWindows Malware Analysis.\r\nMalicious PowerPoint\r\nThe initial Group5 targeting that we observed in the e-mails to Al-Ameer included PPSX documents as a vehicle for\r\nmalware using two different techniques: (1) executing OLE objects using animation actions within a PowerPoint slideshow;\r\nand (2) using CVE-2014-4114 to drop and execute malicious code.\r\nIn assadcrimes.ppsx the operators embed an OLE Package object within a PowerPoint slideshow. When displayed as an\r\nanimation, the object is executed while the slideshow is viewed, a technique that has been previously described (for more\r\ndetail, see Appendix A: Dropper Doc 1 \u0026 Appendix A: Dropper Doc 3). In this case the user is presented with a prompt\r\nasking whether they wish to run the object.\r\nIn assadcrimes1.ppsx, the operator has created a PowerPoint file that leverages CVE-2014-4114, a vulnerability in the\r\nOLE packager component of the Windows operating system (See Appendix A: Dropper Doc 2).\r\nDecoy Applications\r\nThe operators have also created a decoy application, hosted on assadcrimes[.]info, that displays images of child victims of\r\nthe 2013 Ghouta Chemical Attacks. When executed, the application silently decrypts and drops the malware (See Appendix\r\nA: Decoy Dropper 4).\r\nThe RATs\r\nThe operators use these techniques to deliver two commonly available Remote Access Trojans (RATs): njRat and NanoCore\r\nRAT. 
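Both PowerPoint delivery paths described in Part 3 can be triaged without opening the file in PowerPoint, because a PPSX is an OOXML zip: embedded OLE Package objects are stored under ppt/embeddings/, each slide declares its OLE objects in a _rels file, and an animation that activates an object is recorded as a verb command in the slide's timing tree. The CVE-2014-4114 pattern is an OLE relationship whose target is external to the package (fetched from a remote path when the slide is rendered) rather than an embedded part. The scanner below is an added example written for this page, not code from the Citizen Lab report; the tiny slideshow it builds in memory is constructed to exercise both patterns and is not one of the Group5 files, and the 203.0.113.5 address in it is a documentation address.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and relationship types used by PresentationML.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPES = {R_NS + "/oleObject", R_NS + "/package"}

# Targets that point outside the package (CVE-2014-4114 abused external OLE links).
REMOTE_TARGET = re.compile(r"(?i)^(\\\\|file:|smb:|https?:|ftp:)")


def scan_ppsx(data: bytes):
    """Return (kind, detail) findings for an OOXML slideshow held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. A slideshow carrying embedded binaries deserves a look by itself.
        findings += [("embedded_object", n) for n in names if n.startswith("ppt/embeddings/")]
        # 2. OLE relationships: an external target means the object is fetched at open time.
        for n in names:
            if not (n.startswith("ppt/slides/_rels/") and n.endswith(".rels")):
                continue
            for rel in ET.fromstring(z.read(n)).iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") not in OLE_REL_TYPES:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target)
                kind = "external_ole_target" if external else "ole_relationship"
                findings.append((kind, f"{n} -> {target}"))
        # 3. Animation 'verb' commands activate an OLE object while the deck is viewed.
        for n in names:
            if re.fullmatch(r"ppt/slides/slide\d+\.xml", n):
                for cmd in ET.fromstring(z.read(n)).iter(f"{{{P_NS}}}cmd"):
                    if cmd.get("type") == "verb":
                        findings.append(("ole_verb_animation", f"{n} cmd={cmd.get('cmd')}"))
    return findings


def is_suspicious(findings):
    """An external OLE target, or an embedded object wired to an animation verb, warrants detonation."""
    kinds = {k for k, _ in findings}
    return "external_ole_target" in kinds or {"embedded_object", "ole_verb_animation"} <= kinds


# Constructed sample (not a Group5 file): one embedded Package, one external link, one verb action.
SLIDE_XML = f"""<p:sld xmlns:p="{P_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:graphicFrame><p:oleObj spid="_x0000_s1026" name="Package" r:id="rId2" progId="Package"/></p:graphicFrame>
  </p:spTree></p:cSld>
  <p:timing><p:tnLst><p:par><p:cTn id="1"><p:childTnLst>
    <p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="2"/><p:tgtEl><p:spTgt spid="1026"/></p:tgtEl></p:cBhvr></p:cmd>
  </p:childTnLst></p:cTn></p:par></p:tnLst></p:timing>
</p:sld>"""

SLIDE_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId2" Type="{R_NS}/oleObject" Target="../embeddings/oleObject1.bin"/>
  <Relationship Id="rId3" Type="{R_NS}/oleObject" Target="file://203.0.113.5/public/slide1.gif" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0constructed-ole-package")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SLIDE_RELS)
        z.writestr("ppt/slides/slide1.xml", SLIDE_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in scan_ppsx(build_sample_ppsx()):
        print(f"{kind:22} {detail}")
```

Run against a real deck, only the combination matters: an embedded object on its own is common in legitimate presentations, while an external oleObject relationship has no benign use in a slideshow sent by e-mail, and an embedded Package tied to a verb animation is exactly the prompt-and-run behaviour described for assadcrimes.ppsx.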
In both cases, Group5 disguised the malicious binaries with several layers of obfuscation, including crypting and\r\npacking to reduce the possibility of detection by antivirus software.\r\nBoth RATs provide a wide range of functionality on the target machine, ranging from collecting files and watching the screen\r\nto capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer\r\nuser via the microphone or webcam.\r\nAntivirus Detection\r\nOn July 26, 2016 we conducted a VirusTotal search for the MD5 hashes of each of the files encountered during this\r\noperation. The results, provided in Appendix D: File Hashes, were consistent with a highly focused or targeted operation in\r\nthat only two of the 16 (12.5%) unique MD5s were found.\r\nPart 4: The Android Malware\r\nWhile examining assadcrimes[.]info, we determined that the site was also hosting a decoy Flash Player update page. This\r\npage, located on a subdomain, included a download link to a malicious Android APK. For a full analysis of this malware see\r\nAppendix B: Android Malware.\r\nWhile examining the website we found that the operators had prepared Android malware masquerading as an Adobe Flash\r\nPlayer update notification. Clicking on the “Update” link (See Figure 8) downloads a malicious file, masquerading as a\r\nsoftware update.\r\nThe APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as\r\nSandroRAT. The RAT provides a wide range of functionality, enabling the operator to capture messages, contacts, photos\r\nand other materials from the device. In addition, DroidJack can also remotely activate the phone camera and microphone,\r\nwithout notifying the victim. 
Figure 9 shows some of the functionality available.\r\nA more extensive analysis of the DroidJack malware can be found in Appendix B: Android Malware. Interestingly,\r\nDroidJack has also emerged recently, bundled with versions of Pokémon Go.\r\nThis approach to mobile malware seeding, while cumbersome, might be assumed to have greater success in the target group\r\nof Syrians than other populations. It is common for Syrians to share Android APK files outside the Google Play Store, as\r\nGoogle Play Services are not available within Syria. This practice carries over to the Syrian diaspora in other countries,\r\ndespite the availability of Google Play. As a result, we suspect that most devices are set to accept APK files from unknown\r\nsources, that is, from developers outside the Play Store.\r\nPart 5: Attribution\r\nGroup5 left a number of clues as to their origin and identity, including the tools they used, where they hosted their website\r\nand C2, and how they accessed the website. Notably, Group5 may have also been using a customized version of an Iranian\r\nobfuscation tool.\r\nThis section provides an overview of the clues left by Group5 on the website, and in the malware. First, we analyze logs that\r\nthe operator mistakenly left publicly visible on the assadcrimes[.]info website. These logs include not only the visitors to the\r\nsite, but also the IP addresses and user agent strings that belong to the operator as she or he logged into the site during the\r\ndevelopment phase. These artifacts provide interesting clues as to the operator’s identity and operational security practices,\r\nsuch as using a VPN, and suggest a strong Iranian nexus.\r\nSecond, we note the use of Persian-language tools in Group5, from the mailer to the packer.\r\nFinally, we analyze a recurrent theme in the binaries: “Mr. Tekide” – a name that appears regularly in the implants. 
We link\r\nthis name to the Iranian developer of a series of malware tools, several of which were used in this operation. Additionally,\r\nwe examine the circumstantial evidence connecting this developer to Group5’s activities.\r\nUnprotected Logs\r\nSeveral key directories on the assadcrimes[.]info site were left as public, including a folder containing the website logs, a\r\nfeature Group5 seems to have enabled early in the operation. These logs date to the early development and operation of the\r\nwebsite, and reveal interesting clues about operator origin and operational security.\r\nAfter processing the logs to remove crawlers belonging to Google, Bing, Yandex and others, we scrutinized the logs of the\r\nsite for evidence of victims, but were unable to locate any victim IPs with high confidence.\r\nIdentifying the Operator from Website Logs\r\nWhile the logs provided few clues as to victims, they proved to be exceptionally useful for identifying the IP addresses used\r\nby Group5 as they developed the site. 
Looking at the earliest logs in the set, from October 11, 2015, we find the operator\r\naccessing the site hourly from an Iranian IP block as the development continues.\r\nThe first logged visits to the site come from the IP address 37.137.131[.]70, which belongs to a block registered to ‘Rightel\r\nCommunication’, an Iranian mobile phone network operator.\r\ninetnum: 37.137.128[.]0 – 37.137.255[.]255\r\nnetname: RighTel\r\ndescr: “Rightel Communication Service Company PJS”\r\ncountry: IR\r\nadmin-c: RP12366-RIPE\r\ntech-c: RP12366-RIPE\r\nstatus: ASSIGNED PA\r\nmnt-by: TA59784-MNT\r\ncreated: 2013-08-20T11:13:17Z\r\nlast-modified: 2014-05-17T05:28:10Z\r\nsource: RIPE\r\nperson: RighTel PJS\r\naddress: 9th floor, Chooka Building, No 8, West Armaghan Street, Vali-e-Asr Street\r\n(After Niayesh Highway), Tehran, Iran\r\nphone: + 982127654530\r\nnic-hdl: RP12366-RIPE\r\nmnt-by: TA59784-MNT\r\ncreated: 2014-05-17T05:23:47Z\r\nlast-modified: 2014-05-17T05:23:47Z\r\nsource: RIPE\r\nFurther confirming the link is that the operator’s traffic includes a referrer from the Iranian hosting company\r\n(hostnegar[.]com) for the site.\r\nTracing the operator through an initial User-Agent string (a version of Windows NT 6.3) and IP address, we found them\r\naccessing the site from an iPhone, from other Iranian IP addresses, and via VPNs.\r\nAdditionally, the operator accessed the site directly from the malware’s C2 server (88.198.222[.]163).\r\nThese links provide evidence for an Iranian nexus, and suggest that the operator may have been taking steps to conceal their\r\ntrue origin IP. 
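The log triage described in this section reduces to a few mechanical steps: parse each access-log line, drop the search-engine crawlers, then group the remaining hits by source IP and look for the signature of a developer rather than a visitor, namely repeated hits at roughly hourly intervals on the earliest days, a stable User-Agent across them, and referrers from a hosting control panel rather than from the site itself. The code below is an added example for this page, not tooling from the Citizen Lab report. It assumes the common Apache/nginx "combined" log format, a crawler list that is only a starting point, and a constructed set of log lines that use RFC 5737 documentation addresses and a placeholder hosting-panel referrer in place of the real operator, victim and hostnegar[.]com addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx 'combined' format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot")
SITE_HOST = "assadcrimes.info"  # the watering-hole host; referrers from anywhere else are of interest


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_crawler(ua):
    ua = ua.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def hourly_cadence(times, low=timedelta(minutes=30), high=timedelta(minutes=90)):
    """True when at least three visits are spaced roughly an hour apart."""
    times = sorted(times)
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(low <= g <= high for g in gaps)


def profile_visitors(lines):
    """Group non-crawler hits by source IP and summarise each IP's behaviour."""
    visits = defaultdict(lambda: {"times": [], "user_agents": set(), "external_referrers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_crawler(rec["ua"]):
            continue
        entry = visits[rec["ip"]]
        entry["times"].append(rec["time"])
        entry["user_agents"].add(rec["ua"])
        ref = rec["ref"]
        if ref and ref != "-" and SITE_HOST not in ref:
            entry["external_referrers"].add(ref)
    return {
        ip: {
            "hits": len(e["times"]),
            "first_seen": min(e["times"]),
            "hourly_cadence": hourly_cadence(e["times"]),
            "user_agents": sorted(e["user_agents"]),
            "external_referrers": sorted(e["external_referrers"]),
        }
        for ip, e in visits.items()
    }


def operator_candidates(lines):
    """IPs that behave like a developer: hourly cadence or a referrer from an external admin panel."""
    prof = profile_visitors(lines)
    return sorted(ip for ip, p in prof.items() if p["hourly_cadence"] or p["external_referrers"])


# Constructed log lines (RFC 5737 documentation addresses, not the report's real operator or victim IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Oct/2015:09:01:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "http://cp.hosting-provider.example/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"',
    '192.0.2.10 - - [11/Oct/2015:09:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [11/Oct/2015:10:03:44 +0000] "GET /wp-admin/post.php HTTP/1.1" 200 7340 "http://assadcrimes.info/wp-admin/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"',
    '203.0.113.9 - - [11/Oct/2015:10:15:02 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) Safari/601.1"',
    '198.51.100.7 - - [11/Oct/2015:11:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"',
    '192.0.2.20 - - [11/Oct/2015:11:05:00 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

if __name__ == "__main__":
    for ip, p in profile_visitors(SAMPLE_LOG).items():
        print(ip, p["hits"], p["first_seen"].isoformat(), p["hourly_cadence"], p["external_referrers"])
    print("candidates:", operator_candidates(SAMPLE_LOG))
```

The cadence and referrer tests only rank candidates; the User-Agent list per IP is what lets an analyst follow the same operator as the source address changes (mobile network, VPN exit, then the C2 host itself), which is the pivot the report describes.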
However, these steps were not well executed, which enabled us to track Group5 as they continued to access\r\nthe site.\r\nInterestingly, after the flurry of activity in October 2015, by November-December the operator accessed the site only 7\r\ntimes, and between January-February 2016 only twice (it is possible we have missed some access attempts that appear to be\r\ninnocuous traffic). We concluded from this that Group5 may have stepped back from the site at some point after the New\r\nYear.\r\nA Persian-language Mailer\r\nBefore the assadcrimes[.]info page was fully populated with decoy content, we found that the site was hosting a Persian-language mailer (See Figure 20 below). We were not able to determine how the mailer was being used by Group5, as it was\r\nnot observed sending any of the e-mails we were able to analyze.\r\nLinks to Known Threat Actors\r\nGroup5 appears to have used only a single shared web hosting provider and a single command and control IP address for\r\nthis operation. We are unsure whether this strategy was the product of limited resources, an effort to compartmentalise the\r\noperation from other activities, or simply a highly targeted operation with a specific focus.\r\nThe narrow infrastructure and small number of observed targets limited our search base for potential infrastructure overlap\r\nwith known groups. In a holistic evaluation of the campaign, we failed to identify links with the TTPs of previously\r\ndocumented threat actors or groups active in Syria. We also failed to find a link in searches of malware databases and in open-source\r\nsearches.\r\nOn the level of TTPs, superficially there is similarity between this group and other active groups originating in Iran. The\r\ngroup repeatedly documented by Palo Alto Networks, which they call “Infy,” is also known to use PowerPoint files in their\r\ntargeting, although we found no overlap in infrastructure. 
Furthermore, their targeting (according to what Palo Alto\r\nNetworks has said publicly) is slightly different, and involved PowerPoint 97-2003 documents (not PPSX files) during the\r\nsame period in which Group5 was using a different tactic.\r\nWe cannot rule out the possibility that a known group is behind this operation, and that we missed or lacked access to a\r\nkey piece of evidence that would link such a group to Group5’s infrastructure or tools. One interesting direction for further\r\ninvestigation came from analysis of the tool used to obfuscate the RATs, which yielded a number of interesting connections\r\nto known threat actors and tools. Notably, these involve the PAC Crypt tool and Mr. Tekide, the alias of an Iranian malware developer.\r\nPAC Crypt\r\nCommonly used in malware campaigns, crypters are programs which are designed to disguise the underlying malicious\r\nbinary by hiding it within a layer of obfuscation which is then deobfuscated at the time of execution. In this way, crypting a\r\nmalicious binary provides a level of protection against signature-based endpoint security tools such as antivirus. In\r\nAppendix A we describe the discovery of a series of strings which suggest that both the njRAT and NanoCore RAT payloads\r\nwere built, and then subsequently obfuscated using a crypter tool named ‘PAC Crypt’.\r\nCareful inspection revealed that the crypter in this case had been compiled in debug mode, thus preserving PDB reference\r\ndata. 
PDB file references are common in .Net applications when compiled in ‘debug’ mode, and they frequently reveal the\r\noriginal file path of the application source code on the developer’s computer.\r\nBelow are the PDB strings discovered when examining the ‘crypted’ njRAT and NanoCore files:\r\nTable 1\r\nReference: Doc Dropper 1 Crypter\r\nMD5: a4f1f4921bb11ff9d22fad89b19b155d\r\nCompile Time: 9/30/2015 00:02:51\r\nPDB string: c:usersmr.tekidedocumentsvisual studio 2013projectspaccryptnano core dehgani - vdswindowsapplication2objdebuglaunch manager.pdb\r\nTable 2\r\nReference: Doc Dropper 3 Crypter\r\nMD5: 6161083021b695814434450c1882f9f3\r\nCompile Time: 10/6/2015 02:13:45\r\nPDB string: C:Usersmr.tekideDocumentsVisual Studio 2013Projectspaccrypt11njratmaliipaccryptalipnahzadeobjDebugLManager.pdb\r\nThese PDB strings reveal two facts relevant to the discussion of attribution. The first is that the username of the individual\r\nwho compiled the .Net application in both cases was ‘mr.tekide’. The second is that in both PDB strings we find not only a\r\nreference to the malware crypter used (a tool called ‘PAC Crypt’), but also an explicit reference to the crypted malware\r\npayloads – ‘nano core’ and ‘njrat’.\r\nThese two facts together suggest that an individual having the username ‘mr.tekide’ compiled a copy of PAC Crypt for\r\nspecific projects involving njRAT and NanoCore RAT.\r\nA common usage scenario for a malware crypter involves an operator purchasing a copy of the crypter in a compiled form\r\n(or using a cracked version), then using the crypter to obfuscate the malware executable which is to be distributed. 
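The PDB strings in Tables 1 and 2 come from the CodeView debug record that the Visual Studio linker writes into a PE file: the four-byte signature "RSDS", a 16-byte GUID, a four-byte age, and then the NUL-terminated path of the .pdb file on the build machine. Because the record is a fixed layout followed by printable text, it can be carved out of a binary or a memory dump without a full PE parser, and the path can then be reduced to the facts that matter here: the Windows username, the project folder, whether it was a Debug build, and whether payload names appear in the path of what should be a general-purpose crypter. The code below is an added example written for this page, not tooling from the Citizen Lab report. Its sample binary is constructed; the path in it follows the shape of Table 2 with separators restored only so the sample parses, and the GUID is made up.

```python
import re
import struct
import uuid

# CodeView 7.0 debug record as written into a PE's debug directory:
#   "RSDS" | 16-byte PDB GUID (Windows byte order) | 4-byte age (LE) | NUL-terminated PDB path
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,512}?\.pdb)\x00", re.DOTALL | re.IGNORECASE)

# Payload names that a general-purpose crypter build has no reason to carry in its project path.
PAYLOAD_TOKENS = ("njrat", "nanocore", "nano core")


def extract_pdb_records(blob: bytes):
    """Carve every RSDS record out of raw bytes (a PE file or a memory dump)."""
    records = []
    for m in RSDS_RE.finditer(blob):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group(1))),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    return records


def attribution_clues(pdb_path: str):
    """Reduce a PDB path to the facts the attribution discussion relies on."""
    p = pdb_path.replace("/", "\\").lower()
    user = re.search(r"\\users\\([^\\]+)\\", p) or re.search(r"\\documents and settings\\([^\\]+)\\", p)
    project = re.search(r"\\projects\\([^\\]+)\\", p)
    return {
        "username": user.group(1) if user else None,
        "project": project.group(1) if project else None,
        "debug_build": "\\obj\\debug\\" in p,
        "payload_tokens": [t for t in PAYLOAD_TOKENS if t in p],
    }


# Constructed sample: a PE-shaped blob carrying one RSDS record. Path and GUID are illustrative,
# not the report's recovered strings (whose separators were lost in extraction).
SAMPLE_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
SAMPLE_PATH = b"C:\\Users\\mr.tekide\\Documents\\Visual Studio 2013\\Projects\\paccrypt\\njrat\\obj\\Debug\\LManager.pdb"


def build_sample_binary() -> bytes:
    header = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200  # padding standing in for real headers
    rsds = b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1) + SAMPLE_PATH + b"\x00"
    return header + rsds + b"\x00" * 32 + b".text\x00\x00\x00"


if __name__ == "__main__":
    for rec in extract_pdb_records(build_sample_binary()):
        print(rec["guid"], rec["age"], rec["path"])
        print(attribution_clues(rec["path"]))
```

The GUID and age are worth keeping alongside the path: two binaries whose RSDS records share a GUID were linked against the same PDB, which ties samples to one build even when the operator renames or re-crypts them.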
In this\r\nscenario the developer of the crypter has no knowledge of what specific malware the threat actor will eventually choose to\r\nobfuscate with the purchased copy of the crypter.\r\nThe fact that the ‘PAC Crypt’ PDB strings discovered in this case contained the ‘njrat’ and ‘nano core’ references is therefore\r\nnoteworthy because it indicates the possibility of prior knowledge of the precise malware payload which was to be crypted.\r\nResearch into the PAC Crypt tool revealed that this program is developed and sold by an Iranian malware developer known\r\nas ‘Mr. Tekide’.\r\nMr. Tekide\r\nMr. Tekide is the online alias of an Iranian malware developer who is also the administrator of the website http://crypter[.]ir,\r\nan Iranian hacking forum and online shop. Notably, this storefront offers various hacking tools and services, including the\r\naforementioned ‘PAC Crypt’ (see Figure 21 below).\r\nIn addition to the crypter[.]ir forum and shop, Mr. Tekide appears to be in the midst of creating a new online storefront for\r\nselling his various malware tools and services. The content shown in Figure 16 below, obtained from http://crypting[.]org,\r\nshows a ‘rat service’ being offered to visitors. The store also touts a Windows Rootkit (“coming soon”) and various\r\n‘exploits.’\r\nMr. Tekide also maintains an active presence as a moderator on the Ashiyane forums, an Iranian security discussion board\r\nrun by the Ashiyane Digital Security Team (ADST). The ADST is a well-known Iranian security and hacking group which\r\nhas earned notoriety for its prolific website defacement activities. These defacements invariably contain a list of ADST\r\n‘defacers’ alongside the phrase ‘We Love Iran’.\r\nWebsite defacements conducted by ADST have explicitly named Mr. 
Tekide as a member, as shown in Figure 17 below.\r\nIn addition to its defacement activities, ADST has been recently linked to the indictment by the US Department of Justice of\r\nseven Iranian nationals for cyber attacks against the US financial sector. In its indictment, the Department of Justice alleges\r\nthat members of two Iranian security companies, ITSecTeam and Mersad Company, were responsible for Distributed Denial of Service (DDoS) attacks against numerous US bank websites between September 2012 and May 2013. The DoJ\r\nindictment also states that Mersad was founded by members of the ADST, and furthermore that ADST had made prior\r\npublic claims regarding its activities on behalf of the Iranian Government.\r\nAdditional open source information about Mr. Tekide is included in Appendix C: Mr. Tekide.\r\nA Consistent Iranian Nexus\r\nWe cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above\r\nprovides a circumstantial case. The IP addresses observed during early stages of development of the Assadcrimes website, as\r\nwell as the Iranian hosting provider and the Persian language mailer, all speak to a level of Iranian presence. The additional\r\napparent involvement of an Iranian malware developer with ties to a known Iranian cyber actor, whether his involvement\r\nwas unwitting or intentional, only strengthens the Iranian connection.\r\nPart 6: Analysis of Competing Hypotheses\r\nThis section evaluates several competing hypotheses for explaining the identity of the operator. While we cannot\r\nconclusively support one of these hypotheses, we think the most plausible is that this operation is the work of an Iranian\r\ngroup newly active in Syria.\r\nWe believe we found Group5 fairly early in the process of preparing a larger malware campaign, thanks to Noura Al-Ameer’s vigilance. 
This gave us unique visibility into some of their staging, but we had only a limited view of other possible targeting. Group5’s reliance on a narrow infrastructure limited our ability to connect the operation to other known groups, as discussed above.

With these caveats and limitations in mind, we outline the known elements of the operation, and evaluate several hypotheses: (Hypothesis 1) an Iranian group newly active in Syria; (Hypothesis 2) that the operation is from known regime-linked groups, like the Syrian malware groups; and (Hypothesis 3) that it is from some other unknown group. After addressing the fit of each hypothesis with available evidence, we provide an overall evaluation of the three, and conclude that Hypothesis 1 provides the best explanation for what we have observed.

Hypothesis 1: Iranian Group Newly Active in Syria

A group previously unreported in Syria with uneven skills but displaying thought and care in selecting the target, and preparing the operation, with an Iranian nexus and a possible government connection.

Previously Unseen in Syria: We have been unable to find a high-confidence overlap in infrastructure or malware to previously-reported groups active around Syria. We also had difficulty connecting the operation to other known groups in the global threat actor space. Furthermore, the use of exploits, as well as DroidJack and other tools, is inconsistent with the TTPs of known groups targeting the Syrian opposition, especially the regime-linked groups. Notably, these groups have shown little ability or appetite for: (a) standing up multifaceted seeding websites; (b) targeting Android users; (c) using exploits in PowerPoint files.

Previously reported groups, especially regime-linked groups, have had a tendency to re-use infrastructure, and repurpose similar tools and approaches.
It would be surprising for them to suddenly abandon tactics that still “work,” and cease using a C2 infrastructure that cannot be taken down (because it is inside Syria).

While Group5’s tactics have more in common with the group reported in this FireEye report, such as the use of a fake website, COTS .Net malware, and Android malware, there is no direct infrastructure or tool overlap, and only limited evidence of social engineering sophistication (e.g. the use of avatars).

Furthermore, the lack of technical sophistication, combined with low operational security, suggests that, had this group been previously active for any length of time, it would have run the risk of discovery, perhaps especially given all of the existing reporting about pro-Regime malware groups in Syria.

Uneven Technical Sophistication: The operators showed familiarity with a range of cybercrime tools, yet also committed a range of operational security oversights, such as leaving their logs open and public-facing, connecting via their C2 server, and leaving debugging strings in compiled files. These characteristics would be inconsistent with the work of an in-house government capability.

Iranian Connection: Analysis of the malware and seeding yields a consistent Iranian presence. The binary contains Iranian and Iranian-Persian traces, as do the tools used for obfuscation, which are popular in Iranian cybercrime forums. Similarly, the mailer discovered on the assadcrimes[.]info website is in Persian. There is also the intriguing, but ultimately unproven speculation that the crypter may have been sold to Group5 by a known Iranian malware developer. Furthermore, logs of access to the assadcrimes[.]info site suggest that the operators are working from within Iranian IP space. In addition, the bait content also contains substantial Iranian themes. Finally, the hosting provider (Hostnegar) is Iranian.
A final piece of highly circumstantial evidence is that PowerPoint documents containing exploits, albeit often with quite different (and sometimes custom) malware, are a commonly reported feature of many recently-reported Iranian campaigns.

Targeting Sophistication: Group5 not only targeted a well-connected individual within the Syrian opposition, but also masqueraded as her to register the assadcrimes[.]info site. Both the site and the bait content also indicate a degree of familiarity with the opposition’s concerns and activities, and their targeting indicates they were targeting a key person in opposition politics and multilateral negotiations, yet not highly visible outside of informed circles. Speculatively, the choice of target is indicative of the interests and resources of a state-level actor, or a group receiving direction or providing information to such an actor. A number of governments and non-state actors in the region have an interest in the workings of the opposition, and several are providing direct or indirect support to the Assad Regime. We discuss this possibility in greater detail below in Evaluating Hypotheses.

Hypothesis 2: Known Regime-Linked Group

A known Regime-linked group has modified its tactics to operate against familiar targets

Familiar Targets: The most widely documented threat against the Syrian opposition comes from regime-linked groups, notably malware groups and the Syrian Electronic Army (to a lesser degree). These groups benefit from known links to the regime of Bashar al-Assad, which has a direct and strong interest in monitoring members of the Syrian Opposition, including the groups apparently targeted in this operation.
We are familiar with previous operations by regime-linked groups targeting the same organizations.

Modified Tactics: We cannot rule out the possibility that existing groups have added a range of new TTPs to their existing set as the conflict continues.

Regime-linked groups certainly have the motivation to conduct this operation. Do known groups have the skills to conduct such an operation? There are a range of features of this operation that suggest Group5 may not be a regime-linked group. First, known regime-linked Syrian groups have tended to use a limited set of C2 servers, almost always with at least one server (or a fallback) located within a narrow set of servers within Syria. Group5 does not have a fallback C2 in Syria. Similarly, the servers that Group5 does use are not from companies previously associated with Syrian regime groups, nor is there any prior evidence of regime-linked groups making use of Persian-language tools, or Iranian IP space. Further, known Syrian groups have been active for almost 5 years without evidence of familiarity with PPSX exploits. It is unclear why they would deploy so many new tactics all at once, even as they continue to gently iterate on techniques familiar to them.

Other Syria-Focused Groups? In the introduction we mentioned two other groups that have previously targeted the Syrian opposition: a Lebanon-linked group uncovered in 2014, and an ISIS-linked operation in 2015. The first group, described in a 2015 FireEye Report, coauthored by one of the authors of this report, conducted an extensive campaign against the Syrian opposition. The campaign relied heavily on Arabic-speaking female avatars to flirt with opposition figures and trick them into downloading malware for Windows or Android. That campaign, however, differed in malware tools, infrastructure, and social engineering style from Group5.
In addition, it lacked any Persian-language elements, or connection to Iranian IP space.

In late 2014 a Citizen Lab report, coauthored by one of the authors of this report, identified a malware operation linked to ISIS that targeted Raqqa is Being Slaughtered Silently, a documentation and media group working to uncover human rights abuses in Raqqa and other ISIS-controlled territories. That malware was apparently custom-made but very unsophisticated. Lacking the functionality of a RAT, and exfiltrating via e-mail, the operation was substantially less sophisticated than Group5’s activities. We think it unlikely that the operator behind that malware has (a) grown much more sophisticated, or (b) begun to rely on Iranian tools and hosting providers.

Hypothesis 3: Other Unknown Group

An unknown group, not located in Iran and not linked to prior groups

It is possible that the operation is the work of some other unknown group. One possibility that we consider is that the operation is a false flag from another state sponsor, deliberately crafted to appear to be an Iranian group. In another, we also consider the other common motivations for such operations, including financial crime.

A False Flag: Certainly, many other governments are actively interested in information about the Syrian opposition. Given the extensive circumstantial evidence strewn throughout the operation that points to a group based in Iran, one possibility we consider is that the operators are deliberately masquerading as an Iranian group, while acting on behalf of another sponsor. In such a scenario, each of the pieces of circumstantial evidence we have assembled is a string of deliberately planted artifacts, intended to deflect from the threat actor’s true identity. This hypothesis is an intriguing possibility that cannot be conclusively ruled out.
However, it is worth asking why, given the noisiness of existing groups targeting the Syrian opposition, a false flag operation would not simply be populated with the many publicly reported strings and other tools associated with pro-regime groups. Similarly, we wonder why a threat actor sophisticated enough to mount such an operation would not also have used more sophisticated malware or seeding techniques.

Financial / Commercial Hacking: We find no evidence to suggest that financial crime or commercial espionage played a part in this operation. For a narrowly focused operation, the targeting, for example, does not appear to be geared towards wealthy individuals, or those with access to serious financial resources.

Evaluating Hypotheses

We have moderate confidence that the best hypothesis is Hypothesis 1: Iranian Group Newly Active in Syria. The Group5 operation shows strong Iranian connections, with few indicators linked to previously reported groups, including Syrian regime-linked groups. The important caveat is that, perhaps partially by design, we have a limited view on the targets of the campaign, and it is possible that this analysis would change.

We further believe that Group5 shows some signs of being state-directed; however, we do not have sufficient evidence to link Group5 to a particular government.
Two possibilities seem likely: (1) Group5 is working under the control or direction of a government entity within Iran, or sympathetic to such an entity and receiving and sharing information with them; (2) Group5 is collaborating or working on behalf of a government entity within Syria for ideological or mercenary reasons. Both governments are belligerents within the Syrian conflict, and both would have a strong interest in accessing the communications of the Syrian opposition.

The Iranian government has been a strong supporter of the regime throughout the conflict, and clearly has an interest in learning and frustrating the political maneuvering of the Syrian opposition. Iranian intelligence and security services have reportedly provided a wide range of military and intelligence gathering assistance to the regime, ranging from troops and training, to electronic monitoring capabilities. At minimum, operators based in Iran certainly would be unlikely to face punishment from their government for work against the Syrian opposition. Speculatively, sponsoring such an operation (held at arm’s length and consigned to a deniable, less experienced group) could provide useful information about the activities and thinking of key individuals within the Syrian Opposition, such as advanced knowledge of negotiating points in multilateral meetings, or internal disagreements.

Importantly, there is no evidence to directly connect Group5 to any entities within the Iranian government, security establishment, or military. Nor can we rule out the possibility that Group5 is Iran-based, but working on behalf of some other entity.

The most perplexing part of the activity we observe is that the operation appears to have been extensively prepared, and then apparently paused after initial seeding.
This pause took place not long after Al-Ameer was initially targeted: the website development continued for a period after she had received the initial e-mail, and then ceased. Group5 may have initially targeted Al-Ameer hoping to leverage her well-connected position and digital identity to target others within the Syrian opposition. Theft of her digital identity would explain why her name was used in the WHOIS for assadcrimes[.]info, and why, after failing to infect Al-Ameer, the campaign did not appear to receive much further work, and the infrastructure was ultimately abandoned.

Other explanations for the pause in activity are possible, and we cannot discount them based on our limited evidence: Group5 may have undergone a shift in the focus of its targeting, concluded that their campaign was ‘blown’ and abandoned it, experienced human resources or political issues, or simply concluded that the operation was using an ineffective technique.

Conclusion

When Syrian opposition figure Noura Al-Ameer sensed something wrong and refrained from clicking, she frustrated a reasonably well put together deception. We suspect she may have been targeted in order to steal her digital identity for the purposes of mounting a larger campaign. Beginning with this initial message, we were able to identify and characterize Group5, a seemingly new entrant into the game.

With the identification of Group5, the number of publicly identified operations known to have targeted the opposition with malware has risen to five, at least: Regime-linked groups (Syrian malware groups and the Syrian Electronic Army), a Lebanese Group, ISIS, and most recently Group5. We believe that the most compelling explanation of Group5’s activities is that a group in Iran may be attempting to compromise the communications of the opposition.
The circumstantial evidence pointing to an Iranian group is unsurprising, given Iran’s active military engagement in Syria, and the sympathies of many in that country for the Assad regime. However, mindful of the limits of our investigation, we stop short of conclusive statements of attribution about the identity of the operators, or their possible sponsors. We hope that by publishing this report and sharing indicators, our work will be helpful to other researchers who may see pieces of the puzzle that we do not.

Despite the diversity of the groups targeting the Syrian opposition, they share general features: uneven or low technical sophistication plus good social engineering and well-informed targeting. These elements are characteristic of the majority of malware and phishing operations targeting the Syrian opposition over the past several years.

The continued targeting, and entry of new groups, reflects the continued weakness in the Syrian opposition’s digital security, and more generally the risks groups face when using popular online platforms for contested political activities.

Operators targeting the Syrian opposition plainly do not need sophisticated tools, because easily available malware continues to “work,” when paired with good social engineering. The technical requirement for entering the game is low, enabling unsophisticated groups to achieve successes, while permitting more advanced groups to conserve better techniques for harder targets.

The lack of a centralized communications hierarchy can make opposition groups responsive, and quick to adapt. However, decentralization also provides many opportunities for digital exploitation. Operators can target groups for long periods while remaining unnoticed, without fear of being spotted and blocked by a security team.
Even when exploitation attempts are noticed, because the security of these groups relies on the behavior of individuals, it can be extremely difficult to ensure that more secure behaviors are adopted.

Opposition groups and their partners face many challenges, and we appreciate the difficulty of securing behavior. The infrastructure that we analyzed is, at time of writing, apparently abandoned. However, we suspect that Group5, or the interests behind it, may be continuing to pursue efforts to target the opposition. We hope to reinforce the message that continued vigilance is necessary to defend against these operations.

Click here for some suggestions about how to improve your digital hygiene. If you believe you may have been targeted by this operation, or other Syrian malware, you are welcome to get in touch with our researchers at submit@citizenlab.ca.

Acknowledgements

We thank Noura Al-Ameer for collaborating with this investigation, and for graciously agreeing to be included in this report. The targeted nature of many cases means that, without the help of brave targets and victims, we are often left with a very limited view of what is taking place.

We are exceptionally grateful to colleagues at Citizen Lab for comments, critical feedback, and assistance with document preparation including Ron Deibert, Bill Marczak, Morgan Marquis-Boire, Sarah McKune, Masashi Nishihata, Irene Poetranto, Christine Schoellhorn, and Adam Senft.

Thanks also to Justin Kosslyn and Brandon Dixon for helpful feedback.

We would also like to thank the following teams: Lookout, PassiveTotal and RiskIQ, VirusTotal, and Cisco’s AMP Threat Grid Team for data correlation.

Very special thanks to other investigators who wished to remain anonymous but provided exceptionally helpful assistance, especially TNG and Tuka.

Note: the night sky image of Syria used as background for several illustrations is from CIMSS at the University of Wisconsin Madison.

Appendix A: Windows Malware Analysis

This section analyzes the malware used by Group5. It walks through the distinct droppers, which range from malicious OLEs in a PowerPoint Slideshow file (PPSX) combined with an exploit, to executable files directly containing malware.

Dropper Doc 1 (From E-mail 1)

Assadcrimes.ppsx
MD5: 76F8142B4E52C671871B3DF87F10C30C

This slideshow deploys its malicious payload by (ab)using the OLE object embedding capabilities of PowerPoint.[4] Specifically, the malware executable is embedded into the slideshow as an OLE Object of type Package:

Once embedded, the slideshow “Animation” feature is used to trigger the execution of the object immediately upon viewing the first slide.

In one of the malicious PPSX files, we can see the embedded package object by viewing the slides in normal view mode:

Once activated, the embedded object is saved to disk as %TEMP%\putty.exe, and then executed. This executable is a .Net downloader.

The %temp%\dwm.exe file has the following hashes:

In Figure 26 we can see that the second stage payload is obtained from the URL http://assadcrimes[.]info/1/dvm.exe [Ref 1]. This second stage executable is saved to disk as %temp%\dwm.exe [Ref 2], and then executed [Ref 3].

MD5: 7d898530d2e77f15f5badce8d7df215e
SHA256: c19bc1ff5f8472fb7ba64f33c2168b42ea881a6ae6e134a1cc142e984fb6647f
Table 3

The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers.
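The Package-object dropper described above (an executable embedded as an OLE Package object and launched by an animation action) can be triaged statically, because a PPSX is a zip container holding slide XML and the embedded streams. The script below is an added example and not code from the report: it builds a constructed minimal slideshow that mimics that layout (a Package-typed oleObj, a verb-type animation command and an embedding that starts with an MZ header but is not a real program) and flags a file only when all three indicators are present; the namespaces are the standard PresentationML ones and the verb index used in the sample is arbitrary.

```python
"""Static triage of a .ppsx for the OLE "Package" dropper pattern:
a Package-typed OLE object on a slide, a verb-type animation command
that activates it, and an embedding that looks like a PE file.
Added example, not the report's code; the sample slideshow is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
OLE_OBJ = f"{{{P_NS}}}oleObj"
CMD = f"{{{P_NS}}}cmd"
DOS_STUB = b"This program cannot be run in DOS mode"  # PE heuristic marker


def triage_ppsx(data: bytes) -> dict:
    """Return the three indicator lists for a PPSX given as bytes."""
    found = {"package_objects": [], "verb_triggers": [], "pe_embeddings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("ppt/embeddings/"):
                blob = z.read(name)
                # Package streams wrap the file; an MZ header or the DOS stub
                # string anywhere in the stream is enough to flag it.
                if blob[:2] == b"MZ" or DOS_STUB in blob:
                    found["pe_embeddings"].append(name)
            elif re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                for ole in root.iter(OLE_OBJ):
                    if ole.get("progId") == "Package":
                        found["package_objects"].append((name, ole.get("name", "")))
                for cmd in root.iter(CMD):
                    if cmd.get("type") == "verb":
                        found["verb_triggers"].append((name, cmd.get("cmd")))
    return found


def is_dropper_pattern(found: dict) -> bool:
    """All three indicators together match the dropper described in Appendix A."""
    return all(found[k] for k in ("package_objects", "verb_triggers", "pe_embeddings"))


def build_sample_ppsx(with_package: bool = True) -> bytes:
    """Constructed minimal PPSX; with_package=False gives a benign control."""
    ole = ('<p:oleObj spid="_x0000_s1026" name="Package" progId="Package" r:id="rId2"/>'
           if with_package else "")
    trigger = ('<p:timing><p:tnLst><p:par><p:cTn id="1"><p:childTnLst>'
               '<p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="2" dur="1"/>'  # verb index arbitrary
               '<p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd>'
               '</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing>'
               if with_package else "")
    slide = (f'<p:sld xmlns:p="{P_NS}" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
             'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
             '<p:cSld><p:spTree><p:graphicFrame><a:graphic><a:graphicData '
             f'uri="http://schemas.openxmlformats.org/presentationml/2006/ole">{ole}'
             f'</a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld>{trigger}</p:sld>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        if with_package:
            # Fake embedding: MZ magic plus DOS stub text, not a runnable program.
            z.writestr("ppt/embeddings/oleObject1.bin",
                       b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_ppsx()), ("benign", build_sample_ppsx(False))):
        result = triage_ppsx(data)
        print(label, is_dropper_pattern(result), result)
```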
The NanoCore binary is wrapped using several layers of code obfuscation, which we describe in detail below.

Deobfuscating the Malware

The malware was obfuscated first with crypting, followed by packing before being distributed. We will unwrap these steps in reverse order below.

Unpacking

The packer used on this executable employs a simple technique of base64 encoding the PE file and breaking it up into numerous lines which are then embedded into the resource section of the .Net packer stub file. At runtime, the packer reverses this process, then invokes the resulting .Net assembly from memory.

Extracting this packed code reveals a .Net assembly which is yet another layer of code protection applied using a ‘crypter’. This binary has the following hashes:

MD5: a4f1f4921bb11ff9d22fad89b19b155d
SHA256: d81ec563387e2ea47bc8ed50fd36e1de955cb2331d6eaae9f966b5d7ab094806
Table 4

Decrypting

This executable is stub code which performs in-memory AES decryption of a base64 encoded string variable. This string variable holds an encrypted copy of the NanoCore RAT binary.

This encryption of the underlying malware is typically employed to bypass detection by endpoint security controls such as antivirus programs. Many ‘crypter’ tools, as they are known, are available for purchase or trade on various hacking forums.

Of particular note, this decrypting stub code retained its PDB (short for Program Database) information.
PDB file references are common in .Net applications when compiled in ‘debug’ mode, and they frequently reveal the original file path of the application source code on the developer’s computer.

This executable revealed the following PDB file path:

c:usersmr.tekidedocumentsvisual studio 2013projectspaccryptnano core dehgani -vdswindowsapplication2objdebuglaunch manager.pdb

This PDB string indicates that ‘mr.tekide’ was the username of the developer who compiled this particular stub, and further that it was compiled as part of a Visual Studio project named ‘paccryptnano core dehgani -vds’. In addition, a single subroutine found inside the decrypting stub was named ‘tekide’. The relevance of this PDB string was discussed above in Part 5: Attribution.

In order to obtain the intended malware payload from this decrypting stub executable, we created a small .Net application to mimic the decryption steps and output the file to disk. Once complete, we obtained a malicious executable with hashes:

MD5: dd5bedd915967c5efe00733cf7478cb4
SHA256: a9db5a548ea17d6606bfbdb20306a3a08b38dbfe720f9f709f4d3369288be104
Table 5

Original NanoCore binary

Now that we have arrived at the original NanoCore binary, we can examine the configuration as specified by the operator. In order to extract the configuration settings from this copy of NanoCore, we used Kevin Breen’s RATDecoders.

Using Breen’s tool we arrived at the following configuration:

Notably, 88.198.222[.]163 port 8081 is the command and control channel for this malware. As noted in Part 1, the same IP was also present in the seeding e-mail header.

Dropper Doc 2

assadcrimes1.ppsx
MD5: F1F84EA3229DCA0CCACB7381A2F49F99

This PowerPoint document leverages CVE-2014-4114, a vulnerability in the OLE packager component of the Windows operating system.
As described in previous reporting, this vulnerability causes a file embedded within the PowerPoint document to be copied to disk and executed silently on vulnerable systems.

The document under examination drops a file named dvm.gif to disk, renames it to dvm.exe and then executes it. This dvm.exe is the same packed and crypted copy of NanoCore as retrieved and executed by the .Net downloader described in the previous section.

Dropper Doc 3

assadcrimes.info.ppsx
MD5: 30BB678DB3AD0140FC33ACD9803385C3

This malicious PowerPoint document uses the same weaponization method described above with respect to Dropper Doc 1. The executable is embedded as an OLE package object, and subsequently executed using animation actions within the PowerPoint slideshow.

As with Dropper Doc 1, activation of the OLE Package object saves the embedded executable to disk as %TEMP%\putty.exe, then executes it. This file is a .Net application employing the same layers and methods of packing and crypting as seen in the payloads delivered by Dropper Docs 1 and 2. However, the ultimate malware payload in this case is njRat, another well-known RAT tool.

After unpacking the OLE embedded executable putty.exe, we again arrive at a decrypting stub file which will AES decrypt a base64 string variable and run it from memory. The hashes of this file are:

MD5: 6161083021b695814434450c1882f9f3
SHA256: d72676bbf8de82486c3cebfdad2961cc68a6b564a43f9f987c95320fcd6a330a
Table 6

Similar to the case of Dropper Doc 1 above, we find a PDB entry present in the decrypting stub executable:

C:Usersmr.tekideDocumentsVisual Studio 2013Projectspaccrypt11njratmaliipaccryptalipnahzadeobjDebugLManager.pdb

Again we can observe the same username of ‘mr.tekide’ in the project source code path within the PDB string.
Further, we note the development path components paccrypt11njratmalii and paccryptalipnahzade.

To obtain the malicious njRat executable from this decrypting stub we used the same .Net program we built for use in the Dropper Doc 1 example above. The resulting njRat binary had the following hashes:

MD5: b4121c3a1892332402000ef0d587c0ee
SHA256: 1a287331e2bfb4df9cfe2dab1b77c9b5522e923e52998a2b1934ed8a8e52f3a8
Table 7

Interestingly, the njRat executable appears to have been compiled from source by the same user who compiled the crypter described above. Note the PDB strings found inside the njRat executable:

C:Usersmr.tekideDocumentsVisual Studio 2013Projectsnjrat7stubsoures – Copynjrat7stubsouresobjDebugdvvm.pdb

A quick look at the configuration data embedded within this njRat binary reveals the command and control IP address and port:

Decoy Dropper 4

alshohadaa alatfal.exe
MD5: 2FC276E1C06C3C78C6D7B66A141213BE

This file is a .Net application designed to act as a decoy by displaying a window depicting images of dead children (see Figure 5). While displaying these images, the decoy application also silently extracts an executable file from the .Net assembly’s resource section, copies it to %TEMP%\dvm.exe, and then launches a new process from this newly created file. See Figure 26 below:

The dropper also includes a PDB reference:

C:usersenterokdesktopslideshowslideshowobjx86debugalshohadaa alatfal.pdb

The dvm.exe file is itself a .Net executable which is packed using the same .Net packer used above in the cases of Dropper Docs 1 – 3.
Once unpacked, the resulting file is the same crypted .Net application analysed above from Dropper Doc 3, having MD5 hash 6161083021b695814434450c1882f9f3, and containing the njRat payload.

Malware Infrastructure

Command and Control Server

Each of the three distinct RAT tools used by Group5 (njRAT, NanoCore RAT, and DroidJack) was configured to communicate with a single command and control server operating on IP address 88.198.222[.]163.

IP: 88.198.222[.]163
Reverse DNS PTR: static.88-198-222-163.clients.your-server.de
Assignee: HETZNER-RZ-NBG-BLK4 (Hetzner Online GmbH)
Table 8

This server was the sole point of data exfiltration for each of the malware components. As detailed above for njRAT and NanoCore, and below in Appendix B for DroidJack, the TCP ports used for command and control for each of the RAT tools were as follows:

Additionally, we believe a controller for yet another remote access trojan, XpertRAT, was also hosted on this IP in November 2015; however, we did not uncover any samples designed to communicate with this XpertRAT controller.

As noted in the above table, the IP address 88.198.222[.]163 is assigned to Hetzner Online, a Germany based web hosting provider. Hetzner offers web hosting services as well as virtual and dedicated server rentals. Contact was made with Hetzner technical personnel subsequent to the discovery of the malicious activity outlined in this report. A synopsis of this contact is provided in Appendix F: Notification.

Current data available for this IP address suggests that it was likely reprovisioned to a different Hetzner customer in early February 2016 at the latest, and then possibly again in May.
A series of domain names associated with online multi-player games were directed to this Hetzner IP, one of which was apparently hosting a malicious HTML document.

Assadcrimes Web Hosting

The assadcrimes[.]info domain name was registered in June 2015, but it remained parked until early October, at which time it was migrated to an Iran-based shared web hosting provider named Hostnegar. This action coincided with the delivery of the initial e-mails outlined in Part 1.

The assadcrimes[.]info website was hosted on a shared hosting platform, and as such the IP address associated was also shared by a significant number of other, unrelated, websites.

IP: 212.7.195[.]171
Reverse DNS PTR: server22.rayanegarco[.]com
Table 9

Headers from the initial e-mail are shown below in Figure 28. These headers indicate that the initial e-mail was most likely sent using the Horde webmail application running on the web hosting server. Furthermore, the headers indicate that the sender was accessing the webmail application from the IP address of the command and control server discussed above.

Finally, available domain name service data indicates that the assadcrimes[.]info domain name was moved back to its original parked location on May 4, 2016.

Appendix B: Android Malware Analysis

The Malicious APK – Overall Description

Upon execution, the malware is installed and then hidden from the list of installed applications in order to remain covert.

After the installation, the Application icon will be removed from the installed applications list, yet it will still be running in the background.

The APK package in question had the following characteristics:

Adobe_Flash_Player.apk
MD5: 8EBEB3F91CDA8E985A9C61BEB8CDDE9D

This APK is an instance of DroidJack. According to Symantec, this application evolved from an older codebase known as SandroRAT.

The discovered APK sample also contains references to both names, as shown in Figure 38 below:

The APK Manifest file reveals important information about the sample’s capabilities and the intentions of its operator. The Android operating system requires information from the Manifest file before the application can execute. This application will request the following permissions and use the following features from the device:

In the Android system, Activities are components typically used to let the user of the device perform an action. The Main Activity is also defined in the Manifest, pictured in Figure 33.

In this case, the Main Activity is designed to start the Controller as a Service and finish. The controller will be discussed in more detail in the next section.

Android applications can also have Services and Receivers defined. Services are used for background operations while Receivers define the types of broadcast messages the application can receive from other applications as well as the device. These messages are known as Intents.

This APK sample enables several services including “Controller,” “GPSLocation” and “Toaster” (See Figure 34).

The Controller class, referred to by the Main Activity and started as a service on the device, handles the malware operator’s interaction with the application while the GPSLocation class is responsible for obtaining the GPS position from the device’s LocationManager.
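The manifest items just described (a Controller service started from the Main Activity and run in the background, a GPSLocation service, broadcast receivers and the surveillance permissions the app requests) can be pulled out of a decoded AndroidManifest.xml in one pass. This is an added example rather than the report's tooling: the manifest it parses is constructed to mirror the component names quoted in the text, the permission and action constants are the standard Android ones, and it also flags activities declared with a Translucent theme, the detail the report notes for the CAMSNAP and VIDEOCAP activities.

```python
"""Manifest triage for the DroidJack-style pattern described above: a
background Controller service, receivers for boot / connectivity / phone
state broadcasts, surveillance permissions and translucent activities.
Added example, not the report's tooling; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Standard Android permission names, mapped to the capability they enable.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO": "microphone / call recording",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_SMS": "SMS logging",
    "android.permission.READ_CALL_LOG": "call logging",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "call state monitoring",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
}
# Standard broadcast actions matching the receivers described in the report.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.PHONE_STATE",
}


def _a(el, attr):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{attr}")


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = [_a(p, "name") for p in root.findall("uses-permission")]
    receivers = {_a(r, "name"): [_a(x, "name") for x in r.iter("action")]
                 for r in app.findall("receiver")}
    return {
        "surveillance": {p: SURVEILLANCE_PERMS[p] for p in perms if p in SURVEILLANCE_PERMS},
        "services": [_a(s, "name") for s in app.findall("service")],
        "persistence_receivers": {n: [x for x in acts if x in PERSISTENCE_ACTIONS]
                                  for n, acts in receivers.items()},
        # A translucent theme lets an activity run without a visible window.
        "translucent_activities": [_a(a, "name") for a in app.findall("activity")
                                   if "Translucent" in (_a(a, "theme") or "")],
    }


def risk_score(t: dict) -> int:
    """One point per indicator class present (0..4); 4 matches the full pattern."""
    return sum([bool(t["surveillance"]), bool(t["services"]),
                any(t["persistence_receivers"].values()),
                bool(t["translucent_activities"])])


# Constructed manifest mirroring the component names quoted in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CAMSNAP" android:theme="@android:style/Theme.Translucent"/>
    <service android:name=".Controller"/>
    <service android:name=".GPSLocation"/>
    <receiver android:name=".Connector">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallListener">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(risk_score(report), report)
```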
The Toaster class is not implemented in this APK; however, it is implemented in older SandroRAT samples.\r\nThe APK file has several Receiver classes defined to handle specific messages from the device (See Figure 42).\r\nReceiver Intent | Usage\r\nConnectivity Change | Allows the application to monitor any connectivity changes, including moving between mobile data and Wi-Fi. The constant value is set every time a change occurs.\r\nBoot Completed | Allows the application to re-connect when the device restarts. The constant value is broadcast when the device finishes booting.\r\nPhone State | Allows the application to monitor incoming calls. The constant value is set when the call state is changed.\r\nTable 10\r\nThe Connector Receiver simply starts the Controller Service when the phone boots, allowing the malware to run in the background upon start-up.\r\nThe CallListener Receiver allows the operator to log when the target makes calls, and record calls (if the operator has enabled it) as an .amr file that can then be sent to the command and control server.\r\nLastly, in the Manifest file, the Application enables two additional Activities, “CAMSNAP” and “VIDEOCAP,” as shown in Figure 36.\r\nThese allow the operator to use the infected device’s camera to take pictures and record video. This activity is hidden from the victim using a translucent theme.\r\nThe Malicious APK – The Controller\r\nAs previously mentioned, the Controller class is ultimately responsible for the rest of the functionality. The instance we analyzed was configured to use the same host as the Windows malware for command and control communication: 88.198.222[.]163.\r\nWe were able to install a test instance to learn how the malware’s operator could surveil victims. 
It is clear that the operator would have nearly full access to the victim’s information.\r\nFeatures offered include:\r\nFile browsing\r\nSMS and call logging\r\nContacts\r\nBrowser history\r\nApplication Manager\r\nLocation history\r\nWhatsApp Reader (only works on rooted devices)\r\nRemote camera and microphone\r\nSome features will only work on rooted devices. For example, the ability to read WhatsApp messages requires the victim’s device to be rooted. Android apps are unable to access the data from other applications unless they are signed with the same certificate or the app has been given permission to execute commands as root. If DroidJack is able to acquire root access, it can then upload the database on the device where WhatsApp stores its message history.\r\nAppendix C: Mr. Tekide\r\nThis appendix provides more context on Mr. Tekide, first delving into how we have identified his crypter (PAC Crypt) in strings in the binaries, and second highlighting the results of open source searching for his aliases and related strings.\r\nSample Correlation With PDB Strings\r\nIn the Group5 malware samples, we have several PDB file references that suggest that the crypter used with the two distinct RAT tools (njRat and NanoCore) was Mr. Tekide’s ‘PAC Crypt’. 
For the njRat sample from Dropper Doc 3, we can see the malware stub was compiled by ‘mr.tekide’ as well.\r\nReference: Doc Dropper 1 Crypter\r\nMD5: a4f1f4921bb11ff9d22fad89b19b155d\r\nCompile Time: 9/30/2015 00:02:51\r\nPDB: c:usersmr.tekidedocumentsvisual studio 2013projectspaccryptnano core dehgani - vdswindowsapplication2objdebuglaunch manager.pdb\r\nTable 11\r\nReference: Doc Dropper 3 Crypter\r\nMD5: 6161083021b695814434450c1882f9f3\r\nCompile Time: 10/6/2015 02:13:45\r\nPDB: C:Usersmr.tekideDocumentsVisual Studio 2013Projectspaccrypt11njratmaliipaccryptalipnahzadeobjDebugLManager.pdb\r\nTable 12\r\nReference: Doc Dropper 3 njRat Payload\r\nMD5: b4121c3a1892332402000ef0d587c0ee\r\nCompile Time: 10/6/2015 01:23:31\r\nPDB: C:Usersmr.tekideDocumentsVisual Studio 2013Projectsnjrat7stubsoures – Copynjrat7stubsouresobjDebugdvvm.pdb\r\nTable 13\r\nThe Visual Studio project folders listed above suggest the particular version of PAC Crypt compiled by Mr. Tekide was being prepared in one case for an njRat payload, and in another for a NanoCore payload. The strings ‘dehgani –vds’, ‘malii’ and ‘alipnahzade’ may have additional significance or relevance.\r\nWe conducted searches across online malware repositories and analysis services (such as VirusTotal, Malwr, and TotalHash) in an effort to acquire additional data relating to the use of PAC Crypt. 
These searches revealed very little in relation to PAC Crypt specifically, so we instead examined the data for instances of ‘tekide’ related strings found in PDB files.\r\nIt is our hope that the data or avenue of investigation presented below may be of value to other researchers.\r\nThe results we examined contained over 200 samples, which we then clustered into sets based on compile time and PDB reference as shown in the table below:\r\nThe following compile time / PDB references were also observed in singular instances:\r\nKeeping in mind the limitations of reliance on compile times, we were nevertheless able to compare the noted compile times against the first time samples appeared in common malware repositories such as VirusTotal, Malwr, and TotalHash. In most instances, samples began to appear in malware repositories within hours of the files being compiled. Dynamic analysis of the samples in these sets revealed multiple different payloads and C2 configurations. For example, analysis of the samples in Set A yielded the following payloads and configurations:\r\nFinally, analysis of the compile times observed across the acquired samples suggests a period of activity falling in the latter half of 2014. There are many possible explanations as to why so few samples were observed with compile times beyond 2014: conscious removal of PDB information, a change in personal circumstances, or possibly even a shift to less public malware development activities.\r\nMr. Tekide on the Internet\r\nMr. Tekide maintains a visible profile across various malware related web forums, as well as on social media. Searches conducted for this alias provided numerous results which reveal a consistent use of the Mr. 
Tekide name and avatar, as shown in the images below.\r\nA link found on the ‘Contact’ page of the crypter[.]ir website led to a Facebook profile in the name of ‘Pezhman Blackhat.’ In addition to this Facebook profile, we also identified a LinkedIn profile in which he refers to himself as a ‘crypter,’ and states that he works for the ashiyane digital security team. He also maintains an Instagram profile.\r\nAppendix D: File Hashes\r\nFull Table of Binaries\r\nFile | MD5 | VirusTotal (26-Jul-2016) | First Sub. on VT\r\nDropper Doc 1\r\nassadcrimes.ppsx | 76F8142B4E52C671871B3DF87F10C30C | N/A | N/A\r\nputty.exe [stage 1 downloader] | 366908F6C5C4F4329478D60586ECA5BC | N/A | N/A\r\ndvm.exe [stage 2 payload] | 7D898530D2E77F15F5BADCE8D7DF215E | N/A | N/A\r\nUnpacked dvm.exe | A4F1F4921BB11FF9D22FAD89B19B155D | N/A | N/A\r\nNanoCore RAT payload | DD5BEDD915967C5EFE00733CF7478CB4 | N/A | N/A\r\nDropper Doc 2\r\nassadcrimes1.ppsx | F1F84EA3229DCA0CCACB7381A2F49F99 | N/A | N/A\r\ndvm.exe | 7D898530D2E77F15F5BADCE8D7DF215E | N/A | N/A\r\nDropper Doc 3\r\nassadcrimes.info.ppsx | 30BB678DB3AD0140FC33ACD9803385C3 | N/A | N/A\r\nputty.exe | 5C4EC3D93A664E4BFA1CE6286CCF0249 | N/A | N/A\r\nUnpacked putty.exe | 6161083021B695814434450C1882F9F3 | N/A | N/A\r\nnjRAT payload | B4121C3A1892332402000EF0D587C0EE | N/A | N/A\r\nDecoy Dropper 4\r\nalshohadaa alatfal.exe [decoy app] | 2FC276E1C06C3C78C6D7B66A141213BE | N/A | N/A\r\ndvm.exe [dropped by decoy app] | 494BAB7FD0B42B0B14051ED9ABBD651F | 14 / 55 | 2-Mar-2016\r\nUnpacked dvm.exe | 6161083021B695814434450C1882F9F3 | N/A | N/A\r\nnjRAT payload | B4121C3A1892332402000EF0D587C0EE | N/A | N/A\r\nAndroid Malicious APK (DroidJack)\r\nadobe_flash_player.apk | 8EBEB3F91CDA8E985A9C61BEB8CDDE9D | 23 / 53 | 5-Jul-2016\r\nTable 14\r\nThese hashes are also available via the Citizen Lab Github.\r\nAppendix E: Email Information\r\nDate | Sender | Subject | IP | Binary attached\r\n03 Oct 2015 06:05:41 -0700 (PDT) | office@assadcrimes.info | ايران تقتل الحجاج في مىن | 88.198.222.163 | assadcrimes.ppsx\r\n04 Oct 2015 05:47:00 -0700 (PDT) | office@assadcrimes.info | Re: ايران تقتل الحجاج في مىن | RoundCube (212.7.195.171) | assadcrimes1.ppsx\r\nTable 15\r\nAppendix F: Notification\r\nOn April 12, 2016 we contacted Hetzner via e-mail as well as their abuse form, and informed them that the server was being used to host malware. We also provided network logs as well as a malware sample. We subsequently followed up with two phone calls. On a telephone call, a Hetzner representative refused to investigate, stating that they would take no investigative action before sharing the content of our complaint with the customer, who would then have 24 hours to take action. When we suggested that this might result in the deletion of evidence, and highlighted the special nature of the case, the representative refused any further action.\r\nFootnotes\r\n1 Noura has given her permission for us to disclose her role in this case, and use her photograph.\r\n2 Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0\r\n3 http://ashiyane[.]org/forums\r\n4 This technique has been documented previously.\r\nSource: https://citizenlab.ca/2016/08/group5-syria/\r\nMr. Tekide also maintains an active presence as a moderator on the Ashiyane forums,3 an Iranian security discussion board run by the Ashiyane Digital Security Team (ADST). The ADST is a well-known Iranian security and hacking group which",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2016/08/group5-syria/"
	],
	"report_names": [
		"group5-syria"
	],
	"threat_actors": [
		{
			"id": "9aa9b489-a297-4dbd-8601-8fc0370201a6",
			"created_at": "2022-10-25T16:07:23.696796Z",
			"updated_at": "2026-04-10T02:00:04.71508Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "ETDA:Group5",
			"tools": [
				"Atros2.CKPN",
				"Bladabindi",
				"DroidJack",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf0704ab-99e4-44d7-96d9-3cba91339229",
			"created_at": "2022-10-25T15:50:23.485375Z",
			"updated_at": "2026-04-10T02:00:05.332806Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"Group5"
			],
			"source_name": "MITRE:Group5",
			"tools": [
				"njRAT",
				"NanoCore"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "094d8210-4c64-4457-ad97-a94fc7af7630",
			"created_at": "2023-01-06T13:46:38.98103Z",
			"updated_at": "2026-04-10T02:00:03.170376Z",
			"deleted_at": null,
			"main_name": "Group5",
			"aliases": [
				"G0043"
			],
			"source_name": "MISPGALAXY:Group5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441551,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cd158310f71226c89ea045ca677732c00778c87.pdf",
		"text": "https://archive.orkl.eu/4cd158310f71226c89ea045ca677732c00778c87.txt",
		"img": "https://archive.orkl.eu/4cd158310f71226c89ea045ca677732c00778c87.jpg"
	}
}