G0043: Group5
Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [1]
Analyst context for executives and security teams
Group5 matters less as a fixed “profile” and more as a reminder that targeted social engineering against politically or mission-connected individuals can lead to commodity remote access tool activity. The ATT&CK record describes suspected, not definite, Iranian nexus activity targeting people connected to the Syrian opposition through spearphishing and watering holes, using Syrian and Iranian themes. For defenders, the practical issue is whether the organization can recognize phishing-led RAT compromise, credential capture through keylogging, screen capture, obfuscated files, and cleanup attempts before they become an incident response blind spot.
Executive priority
Treat this as a targeted-threat readiness check rather than an attribution problem. Leaders should ask whether high-risk users and mission-exposed communities receive extra phishing resilience, endpoint monitoring, and incident response support. The business value is in validating coverage for commonly available RATs such as NanoCore and njRAT, evidence of credential collection, and post-compromise cleanup activity. This also supports audit and compliance conversations around endpoint visibility, user protection, logging retention, and documented response procedures for targeted intrusion scenarios.
Technical view
ATT&CK provides no group-specific detection text and no group-level platforms or tactics, so SOC validation should be driven by the relationships: NanoCore and njRAT are Windows RATs, while the associated techniques include encrypted or encoded files, keylogging, file deletion, and screen capture across common endpoint platforms. Detection engineers should confirm whether controls can connect initial user-facing lures or watering-hole exposure to later host evidence such as suspicious RAT execution, .NET-based tooling where relevant to NanoCore, unauthorized screen capture behavior, keystroke logging indicators, encoded payload artifacts, and deletion of intrusion-related files. IR teams should preserve volatile endpoint and credential evidence early because file deletion and keylogging can reduce visibility and increase account-compromise risk.
Likely telemetry
- Email security and user-reporting evidence for spearphishing themes when available locally
- Web proxy, DNS, browser, and network security logs that could support watering-hole investigation
- Endpoint process, command-line, module, and file creation telemetry
- EDR or host telemetry for RAT-like remote access behavior on Windows endpoints
- File metadata and content inspection results for encrypted or encoded artifacts
Detection direction
- Do not rely on the Group5 name or suspected attribution as a detection strategy; validate behavior-based coverage for RAT execution, collection, credential access, obfuscation, and cleanup.
- Prioritize correlation between user-targeting evidence and endpoint activity consistent with NanoCore, njRAT, keylogging, screen capture, encoded files, and file deletion.
- Tune detections to reduce false positives from legitimate remote administration, screenshot tools, software packaging, and normal file cleanup by requiring suspicious parent processes, unusual paths, unsigned or unexpected binaries, or user-risk context.
- Check whether Windows endpoint visibility is strong enough for the related RATs, while recognizing that the related techniques themselves are not limited to one platform.
- Validate retention and triage workflows: file deletion and encoded artifacts can make late investigation harder if endpoint telemetry is short-lived or not centrally searchable.
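The correlation and tuning points made in the Technical view and Detection direction sections above, as an added worked example that is not part of the ATT&CK object or of Glexia's analysis. It scores endpoint process-creation events by the factors named above (user-facing parent process, user-writable path, unsigned binary, a recent phish report from the same user, membership in a high-risk user population) and only raises a finding when several factors coincide, so that legitimate remote administration or a signed installer launched from a browser stays below the bar. All events, user names, paths, application lists, and the threshold are constructed assumptions, not data from the page.

```python
"""Correlate user-targeting evidence with endpoint process telemetry.

Added example (not from the ATT&CK page or Glexia). Every event, user, path
and list below is constructed sample data; the field names are assumptions
about what an EDR export and an email-gateway/user-report feed would carry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed: user-facing parents from which a lure-delivered payload would start.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe",
                       "firefox.exe", "msedge.exe", "7zfm.exe", "winrar.exe"}
# Constructed: user-writable locations where dropped binaries commonly land.
USER_WRITABLE_PATHS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                       "\\downloads\\", "\\users\\public\\")
# Constructed: users the organization has flagged as mission-exposed / high-risk.
HIGH_RISK_USERS = {"alice"}
PHISH_WINDOW = timedelta(hours=24)
ALERT_THRESHOLD = 3  # tuning knob: require three independent suspicious factors


@dataclass
class ProcessEvent:          # one process-creation record from endpoint telemetry
    ts: datetime
    host: str
    user: str
    image: str
    parent_image: str
    signed: bool


@dataclass
class PhishReport:           # one user-reported or gateway-flagged lure
    ts: datetime
    user: str
    subject: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: List[str] = field(default_factory=list)
    linked_report: Optional[PhishReport] = None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent, reports: List[PhishReport]) -> Finding:
    """Count the independent suspicious factors present on one process event."""
    reasons = []
    if _basename(ev.parent_image) in USER_FACING_PARENTS:
        reasons.append("spawned by user-facing application")
    if any(p in ev.image.lower() for p in USER_WRITABLE_PATHS):
        reasons.append("binary in user-writable path")
    if not ev.signed:
        reasons.append("unsigned binary")
    linked = None
    for r in reports:  # user-targeting evidence shortly before the execution
        if r.user == ev.user and timedelta(0) <= ev.ts - r.ts <= PHISH_WINDOW:
            linked = r
            reasons.append("phish report from same user within 24h")
            break
    if ev.user in HIGH_RISK_USERS:
        reasons.append("high-risk user population")
    return Finding(ev, len(reasons), reasons, linked)


def triage(events: List[ProcessEvent], reports: List[PhishReport]) -> List[Finding]:
    """Return only the events that clear the multi-factor threshold."""
    return [f for f in (score_event(e, reports) for e in events)
            if f.score >= ALERT_THRESHOLD]


# Constructed sample input: one phish report and four process events.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_REPORTS = [PhishReport(T0, "alice", "Opposition conference agenda (sample lure)")]
SAMPLE_EVENTS = [
    # Lure-delivered, unsigned dropper from Word into Temp, 12 minutes after the report.
    ProcessEvent(T0 + timedelta(minutes=12), "ws01", "alice",
                 "C:\\Users\\alice\\AppData\\Local\\Temp\\agenda_viewer.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", False),
    # Legitimate, signed remote-administration agent started by the service manager.
    ProcessEvent(T0 + timedelta(hours=1), "ws02", "bob",
                 "C:\\Program Files\\RemoteAdminVendor\\agent.exe",
                 "C:\\Windows\\System32\\services.exe", True),
    # Signed screenshot utility launched by the user from the shell.
    ProcessEvent(T0 + timedelta(hours=2), "ws03", "carol",
                 "C:\\Program Files\\ScreenTool\\snip.exe",
                 "C:\\Windows\\explorer.exe", True),
    # Signed installer from a browser download: two factors, stays below threshold.
    ProcessEvent(T0 + timedelta(hours=3), "ws04", "dave",
                 "C:\\Users\\dave\\Downloads\\setup.exe",
                 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_REPORTS):
        print(f"{f.event.host} {f.event.user} score={f.score}: {', '.join(f.reasons)}")
```

The threshold and the parent/path lists are where local tuning happens: with the constructed data only the alice event fires (five factors, including a linked phish report), while the remote-administration agent and screenshot tool score zero and the signed browser download scores two. Lowering the threshold to two would surface the download at the cost of more review volume; the right setting depends on the telemetry retention and triage capacity the Detection direction list asks teams to validate.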
Mitigation priorities
- Start with user-risk reduction for exposed populations: phishing awareness, reporting paths, and heightened review for politically or mission-themed lures where relevant.
- Strengthen endpoint prevention and monitoring for unauthorized remote access tools, suspicious .NET tooling, keylogging, and screen capture behavior.
- Apply least privilege and credential protections so keystroke capture of one user does not easily become broader access.
- Harden web and email controls to reduce exposure to spearphishing and watering-hole delivery paths, while preserving logs for investigation.
- Ensure incident response playbooks include rapid endpoint isolation, credential reset decisions, and evidence preservation when RAT, keylogging, or file deletion activity is suspected.
Analyst notes and limits
The ATT&CK object identifies Group5 as a threat group with suspected but not definite Iranian nexus and cites Citizen Lab reporting. The most actionable content in the supplied data is the relationship set: use of NanoCore, njRAT, encrypted or encoded files, keylogging, file deletion, and screen capture. Glexia would use this object to drive readiness questions around targeted-user protection, Windows RAT visibility, credential-compromise response, and endpoint evidence retention rather than to make attribution claims.
No official detection guidance, group-level platforms, or group-level tactics were provided. DroidJack is mentioned in the description but no relationship object was supplied, so detailed platform or detection guidance for it is not included. Local telemetry, asset criticality, user population, and control configuration are required to determine actual exposure or coverage.
Group5
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging (sub-technique) | Malware used by Group5 is capable of capturing keystrokes. [1] |
| Enterprise | T1113 | Screen Capture | Malware used by Group5 is capable of watching the victim's screen. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Malware used by Group5 is capable of remotely deleting files from victims. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files. [1] |
Groups, software, and campaigns
- S0385: njRAT
- S0336: NanoCore
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | ab26429f8291… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Citizen Lab Group5: Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
[2] Group5 (Citation: Citizen Lab Group5).
[3] mitre-attack G0043.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.