G0107: Whitefly
Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]
Analyst context for executives and security teams
Whitefly matters because MITRE describes it as a cyber espionage group focused on stealing large amounts of sensitive information, with reporting centered mostly on organizations in Singapore and a link to the SingHealth incident. For leaders, the decision value is less about the name and more about whether the organization can prevent, detect, and investigate credential theft, malicious file execution, tool transfer, DLL abuse, obfuscated files, and privilege escalation behaviors that ATT&CK associates with this group.
Executive priority
Prioritize this as an information-theft and resilience scenario: validate protection of sensitive data, identity infrastructure, privileged access, endpoint visibility, and incident response readiness. The relationship to LSASS credential access and Mimikatz makes identity compromise a key business risk area. Because MITRE provides no official detection text for the group itself, executives should ask for evidence-based control coverage mapped to the associated techniques rather than relying on group-name alerts.
Technical view
SOC and IR teams should validate detections and investigation playbooks around the supplied relationships: Mimikatz use, LSASS memory access on Windows, command and scripting interpreter activity, malicious file execution, ingress tool transfer, encrypted or encoded files, resource-name masquerading, exploitation for privilege escalation, and DLL abuse. Treat the group page as a threat-intelligence pivot, then test whether telemetry can connect initial user-driven execution to tool staging, credential access, privilege escalation, and stealth behaviors.
Likely telemetry
- Endpoint process creation and command-line telemetry
- Windows security and authentication events, especially privileged logons and abnormal account use
- Endpoint detection telemetry for LSASS access and credential dumping indicators
- File creation, modification, rename, and path/location telemetry for suspicious naming or trusted-location abuse
- DLL load events and application execution context on Windows
Detection direction
- Do not depend on the group name; build coverage around the associated ATT&CK techniques and software relationship.
- Validate LSASS and Mimikatz detections with attention to administrative-tool false positives and legitimate security testing activity.
- Tune command and scripting interpreter analytics against known administrative baselines to reduce noise while preserving visibility into unusual execution chains.
- Review whether file obfuscation, encoded content, DLL abuse, and legitimate-name/location masquerading are visible in endpoint telemetry, not only blocked by prevention controls.
- Correlate malicious file execution with follow-on tool transfer, privilege escalation attempts, and credential access to improve incident confidence.
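As an added illustration of the detection direction above (not code from the page, MITRE, or Glexia), the following Python runs three checks over constructed Sysmon-style endpoint events: a DLL with an expected vendor name loading from outside trusted directories (T1574.001 / T1036.005), a non-allowlisted process opening LSASS with read access (T1003.001), and execution of a file disguised as a document (T1204.002) correlated with a follow-on script interpreter (T1059). The event schema, directory allowlists, DLL names, the LSASS reader allowlist and the sample events are all assumptions built for the example; the correlation window generalises the last bullet beyond what the page states.

```python
"""Added example: technique-mapped detections over constructed endpoint telemetry.
Field names mimic Sysmon-style events but are assumptions, not a product schema."""
from dataclasses import dataclass
from os.path import splitext


@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch (constructed)
    host: str
    kind: str         # "process_create" | "image_load" | "process_access"
    pid: int
    image: str        # full path of the acting process
    parent: str = ""  # parent image (process_create)
    target: str = ""  # loaded DLL path (image_load) or target image (process_access)
    access: int = 0   # granted access mask (process_access)


# Tunables: every value below is an assumption for the example, not vendor data.
TRUSTED_DLL_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/",
                    "c:/program files/", "c:/program files (x86)/")
# Constructed names standing in for "DLLs belonging to legitimate software";
# a real deployment would build this set from its own software inventory.
EXPECTED_DLL_NAMES = {"vendorcore.dll", "scanengine.dll", "updatehelper.dll"}
# Processes that legitimately open LSASS with read access (constructed allowlist).
LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}
PROCESS_VM_READ = 0x0010
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def _name(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def masquerading_dll_loads(events):
    """T1574.001 / T1036.005: expected DLL name loaded from an untrusted location."""
    hits = []
    for e in events:
        if e.kind != "image_load":
            continue
        path = _norm(e.target)
        if _name(path) in EXPECTED_DLL_NAMES and not path.startswith(TRUSTED_DLL_DIRS):
            hits.append(("T1574.001/T1036.005", e.host, e.pid, e.target))
    return hits


def lsass_read_access(events):
    """T1003.001: non-allowlisted process granted VM_READ on lsass.exe."""
    return [("T1003.001", e.host, e.pid, e.image) for e in events
            if e.kind == "process_access" and _name(e.target) == "lsass.exe"
            and e.access & PROCESS_VM_READ and _name(e.image) not in LSASS_READERS]


def disguised_file_execution(events, window: int = 300):
    """T1204.002: executable named like a document; confidence rises to 'high'
    when it spawns a script interpreter (T1059) within `window` seconds."""
    creates = [e for e in events if e.kind == "process_create"]
    hits = []
    for e in creates:
        stem, ext = splitext(_name(e.image))
        if ext not in EXEC_EXTENSIONS or splitext(stem)[1] not in DOC_EXTENSIONS:
            continue
        follow_on = [c for c in creates
                     if c.host == e.host and _norm(c.parent) == _norm(e.image)
                     and _name(c.image) in INTERPRETERS and 0 <= c.ts - e.ts <= window]
        hits.append(("T1204.002", e.host, e.pid, e.image, "high" if follow_on else "medium"))
    return hits


# Constructed sample telemetry: one suspicious chain on ws01, benign noise on both hosts.
SAMPLE_EVENTS = [
    Event(1000, "ws01", "process_create", 4100, r"C:\Users\alice\Downloads\Invoice_March.pdf.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event(1012, "ws01", "process_create", 4188, r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Users\alice\Downloads\Invoice_March.pdf.exe"),
    Event(1030, "ws01", "image_load", 4100, r"C:\Users\alice\Downloads\Invoice_March.pdf.exe",
          target=r"C:\Users\alice\Downloads\vendorcore.dll"),
    Event(1040, "ws01", "image_load", 2200, r"C:\Program Files\VendorAV\agent.exe",
          target=r"C:\Program Files\VendorAV\vendorcore.dll"),
    Event(1055, "ws01", "process_access", 4300, r"C:\Users\alice\AppData\Local\Temp\svc.exe",
          target=r"C:\Windows\System32\lsass.exe", access=0x1010),
    Event(1060, "ws01", "process_access", 600, r"C:\Windows\System32\csrss.exe",
          target=r"C:\Windows\System32\lsass.exe", access=0x1FFFFF),
    Event(1100, "ws02", "process_create", 3000, r"C:\Users\bob\Documents\report.docx",
          parent=r"C:\Windows\explorer.exe"),
]


def run_all(events):
    return {"dll": masquerading_dll_loads(events), "lsass": lsass_read_access(events),
            "malicious_file": disguised_file_execution(events)}


if __name__ == "__main__":
    for technique, findings in run_all(SAMPLE_EVENTS).items():
        print(technique, findings)
```

Each check returns tuples keyed by technique ID so findings can be joined back to the table of associated techniques; the `LSASS_READERS` and `TRUSTED_DLL_DIRS` allowlists are where the administrative-tool and security-testing false positives mentioned above get tuned.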
Mitigation priorities
- Harden identity and privileged access first: reduce unnecessary admin rights, protect credential material, and monitor high-value accounts.
- Improve endpoint visibility and prevention for credential dumping, suspicious DLL loading, malicious file execution, and script abuse.
- Maintain timely vulnerability management for systems where privilege escalation would materially increase impact.
- Restrict and monitor inbound tool transfer paths, including web, proxy, and endpoint-controlled file acquisition.
- Strengthen user-facing controls and response processes for malicious files, including training, attachment handling, and rapid triage.
Analyst notes and limits
The supplied ATT&CK object identifies Whitefly as an espionage group operating since at least 2017, mostly targeting Singapore-based organizations across varied sectors, and interested in large-scale sensitive information theft. The most actionable details come from relationships to techniques and Mimikatz rather than from group-specific detection guidance.
Platforms and tactics are not specified on the Whitefly group object, and official detection is not provided. Related techniques include platform information, but that should not be treated as a complete Whitefly platform profile. Local telemetry, asset context, geography, sector relevance, and incident evidence are required before assessing exposure or coverage.
Whitefly
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Whitefly has the ability to download additional tools from the C2.[1] |
| Enterprise | T1574.001 | DLL | Whitefly has used search order hijacking to run the loader Vcrodat.[1] |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1] |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1059 | Command and Scripting Interpreter | Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Whitefly has encrypted the payload used for C2.[1] |
| Enterprise | T1204.002 | Malicious File | Whitefly has used malicious .exe or .dll files disguised as documents or images.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1] |
Groups, software, and campaigns
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1940aa925701… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Whitefly March 2019: Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
[2] mitre-attack G0107: MITRE ATT&CK, G0107 (Whitefly).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.