MITRE ATT&CK® Group

G0089: The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

Domain: Enterprise | ID: G0089 | Type: Group | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

The White Company matters because MITRE describes it as a likely state-sponsored actor with advanced capabilities tied to an espionage campaign against government and military organizations in Pakistan during 2017–2018. For defenders, the decision value is less about assuming current targeting and more about validating readiness against the behaviors ATT&CK links to the group: spearphishing attachments, malicious files, client-side exploitation, remote access tools, packing/obfuscation, discovery of security software, system time discovery, and file deletion.

Executive priority

Treat this as a planning reference for espionage-style intrusion readiness. Leaders should ask whether email security, endpoint visibility, vulnerability management for client applications, and incident response evidence preservation can withstand targeted phishing followed by RAT deployment and anti-detection behavior. Because ATT&CK provides no official detection text and no platforms directly on the group object, coverage claims should be evidence-based and mapped to the related techniques and software rather than to the group name alone.

Technical view

SOC and IR teams should validate controls around the related ATT&CK relationships: NETWIRE, Revenge RAT, Software Packing, File Deletion, System Time Discovery, Exploitation for Client Execution, Malicious File, Security Software Discovery, and Spearphishing Attachment. Detection engineering should focus on behavior chains: targeted email with attachment, user execution or client exploit, suspicious child processes or dropped files, packed executable characteristics, RAT-like persistence or command-and-control indicators where locally available, host discovery of security tools, and deletion of intrusion artifacts. The group object itself has no official detection guidance, so detections should be built from the related software and technique objects plus local telemetry.

Likely telemetry

  • Email gateway and mailbox logs for attachments and targeted phishing delivery
  • Endpoint process creation and command-line telemetry
  • File creation, modification, quarantine, and deletion events
  • EDR/antivirus detections and security-tool tamper or discovery signals
  • Application and document reader crash/exploit telemetry for client-side execution attempts

Detection direction

  • Validate that spearphishing attachment and malicious-file detections cover both delivery and post-open execution, not only known hashes.
  • Tune for suspicious document or attachment-driven process trees, while accounting for legitimate business document workflows.
  • Assess whether packed or obfuscated executables are logged and triaged, since packing can weaken signature-only detection.
  • Look for discovery of installed security tools or monitoring agents as a possible prelude to evasion, but baseline legitimate admin and inventory activity to reduce false positives.
  • Confirm file deletion telemetry is retained long enough for IR, because cleanup behavior can remove obvious artifacts.
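As an added illustration, not code from the Glexia page or from MITRE, the Python below correlates the behavior chain described above over constructed Sysmon-style process-creation and file-deletion events: a document reader spawning a non-routine child, a descendant whose command line enumerates installed security products, and deletion of the binary that the document launched. The event field names, the Office allow-list of routine children and the discovery markers are assumptions to be adapted to local telemetry.

```python
"""Correlate document-spawned execution, security-software discovery and cleanup (illustrative)."""
from collections import defaultdict
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}  # children Office launches routinely (assumed)
DISCOVERY_MARKERS = ("antivirusproduct", "securitycenter2", "tasklist")  # heuristic markers

def doc_spawned(procs, host, pid):
    """True if the process descends from an Office parent through a non-routine child."""
    seen = set()
    while (host, pid) in procs and pid not in seen:  # stop at the logged root or a pid cycle
        seen.add(pid)
        e = procs[(host, pid)]
        if e["parent_image"].rsplit("\\", 1)[-1].lower() in OFFICE:
            return e["image"].rsplit("\\", 1)[-1].lower() not in BENIGN_CHILDREN
        pid = e["ppid"]
    return False

def correlate(events):
    """Return {host: [findings]} for process chains that warrant triage."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "ProcessCreate"}
    findings, dropped = defaultdict(list), defaultdict(set)
    for (host, pid), e in procs.items():
        if not doc_spawned(procs, host, pid):
            continue
        dropped[host].add(e["image"].lower())
        findings[host].append(f"document-spawned process {e['image']} (pid {pid})")
        if any(m in e["cmdline"].lower() for m in DISCOVERY_MARKERS):
            findings[host].append(f"security-software discovery by pid {pid}: {e['cmdline']}")
    for e in events:  # cleanup: a binary that was launched from a document gets deleted
        if e["type"] == "FileDelete" and e["target"].lower() in dropped[e["host"]]:
            findings[e["host"]].append(f"deletion of {e['target']} by pid {e['pid']}")
    return dict(findings)

def proc(host, pid, ppid, image, parent_image, cmdline):
    return {"type": "ProcessCreate", "host": host, "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image, "cmdline": cmdline}

WORD, EXPLORER = r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe"
DROP = r"C:\Users\u\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    proc("ws01", 100, 1, WORD, EXPLORER, "WINWORD.EXE lure.doc"),
    proc("ws01", 200, 100, DROP, WORD, "update.exe"),
    proc("ws01", 300, 200, r"C:\Windows\System32\cmd.exe", DROP, "cmd /c tasklist"),
    {"type": "FileDelete", "host": "ws01", "pid": 300, "target": DROP},
    proc("ws02", 400, 1, WORD, EXPLORER, "WINWORD.EXE report.docx"),
    proc("ws02", 401, 400, r"C:\Windows\splwow64.exe", WORD, "splwow64.exe 12288"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Host ws02, where Word only spawned the routine print helper, produces no finding, which is the false-positive control the baseline step above calls for.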

Mitigation priorities

  • Prioritize phishing-resistant user and email controls for attachment handling, including sandboxing or detonation where available.
  • Maintain timely patching for client applications commonly exposed to document or file-based exploitation.
  • Ensure endpoint logging and EDR policies capture process, file, and security-tool discovery activity across relevant operating systems in the environment.
  • Harden incident response evidence retention so file deletion does not eliminate investigative visibility.
  • Map detections and response playbooks to the related ATT&CK techniques rather than relying on the intrusion-set label as the control objective.

Analyst notes and limits

The supplied ATT&CK object is an intrusion-set entry with sparse direct fields: no platforms, tactics, or official detection text are provided for the group itself. The most useful defensive context comes from the listed relationships to software and techniques. The public report citation is Operation Shaheen, and MITRE’s description limits the campaign context to 2017–2018 targeting government and military organizations in Pakistan.

This take does not assert current activity, customer exposure, or confirmed targeting beyond the official ATT&CK description. Platform references are derived from related software and technique objects, not from the group object itself. Local telemetry, asset exposure, mail flow, endpoint coverage, and vulnerability data are required to determine actual organizational risk and detection coverage.

Official MITRE ATT&CK definition

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1027.002 | Software Packing (sub-technique)
The White Company has obfuscated their payloads through packing. [1]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET. [1]

Enterprise | T1203 | Exploitation for Client Execution
The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code. [1]

Enterprise | T1070.004 | File Deletion (sub-technique)
The White Company has the ability to delete its malware entirely from the target system. [1]

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
The White Company has sent phishing emails with malicious Microsoft Word attachments to victims. [1]

Enterprise | T1204.002 | Malicious File (sub-technique)
The White Company has used phishing lure documents that trick users into opening them and infecting their computers. [1]

Enterprise | T1124 | System Time Discovery
The White Company has checked the current date on the victim system. [1]

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0198: NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[1][2][3]

Platforms: Windows, Linux, macOS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 9524988a842ac127...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 9524988a842a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cylance Shaheen Nov 2018: Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  2. [2] mitre-attack G0089

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.