Group5 (G0043): Persistent Iranian-Linked Espionage Targeting Syrian Opposition
- Suspected Origin
- Iran
- Motivation
- Espionage, Geopolitical Interests
- Aliases
- None documented
- Target Sectors
- Human Rights, Political Opposition, Activism
- Associated Malware
- njRAT, NanoCore, DroidJack
Overview
Group5, tracked by MITRE ATT&CK as G0043, is a sophisticated and persistent threat actor with a strong suspected nexus to Iran. Active since at least late 2015, this group’s operations consistently align with Iranian geopolitical interests, focusing on cyber espionage against the Syrian opposition. While early attribution was described as “circumstantial” by some researchers, subsequent analysis indicates a high degree of confidence in the Iranian connection, with evidence pointing to the use of Iranian infrastructure, language tools, and domestic hosting services.
The primary motivation behind Group5’s activities appears to be information gathering and surveillance, directly supporting Iranian foreign policy objectives in the Middle East. They achieve this by compromising the digital assets of key individuals within the Syrian opposition, collecting sensitive information, and maintaining persistent access to their systems. This makes Group5 a critical concern for anyone involved in or connected to Syrian opposition movements, as well as broader human rights and political activism in the region.
Tactics & Techniques
Group5 employs a range of social engineering and technical tactics to achieve its objectives. Their primary initial access vectors are spearphishing and watering hole attacks. These attacks are meticulously crafted, often incorporating Syrian and Iranian themes and borrowing opposition-related text and slogans to enhance their legitimacy and lure targets into clicking malicious links or opening infected attachments. The goal is to deceive well-connected individuals within the Syrian opposition into compromising their Windows or Android devices.
Once initial access is gained, Group5 demonstrates a clear focus on stealth and persistence. Their malware often includes multiple layers of obfuscation and encryption, making it challenging for traditional security tools to detect and analyze. This allows their malicious payloads to operate under the radar, gathering intelligence without immediate detection. Beyond deployment, their operational techniques include capabilities such as remotely deleting files to cover their tracks, capturing keystrokes for credential harvesting and monitoring communications, and taking screenshots or recording screen activity to gain visual intelligence on victim activities.
The group’s infrastructure acquisition and compromise tactics, as mapped to MITRE ATT&CK, also highlight their methodical approach. They are known to acquire and compromise various forms of infrastructure, including domains (T1583.001, T1584.001), virtual private servers (T1583.003, T1584.003), and other server resources (T1583.004, T1584.004) to support their operations. This preparation demonstrates a deliberate effort to establish robust command-and-control (C2) channels and maintain operational secrecy.
Notable Campaigns
Group5’s activities became publicly known through detailed reporting, most notably from Citizen Lab, which highlighted their focus on the Syrian opposition. A significant incident that brought the group into focus was an investigation triggered by a suspicious email received in early October 2015. This email, sent to Noura Al-Ameer, a prominent Syrian opposition political figure, was traced back to an IP address hosting the command-and-control server for the embedded malware.
Further investigation into Group5’s early operations revealed that during the initial development of a malicious site in October 2015, it was accessed hourly from an Iranian IP block. This pattern of activity, along with operators accessing the site from the malware’s C&C server, provided the initial circumstantial evidence linking the group to Iran. While the group appeared to abandon this particular site after a flurry of activity in late 2015, their overall operational tempo and focus on Syrian opposition figures have remained consistent since then. These campaigns underscore the group’s specific targeting profile and their dedication to espionage objectives.
Associated Malware & Tools
Group5 primarily relies on readily available and commodity remote access tools (RATs) rather than developing highly sophisticated custom malware. Their arsenal includes several well-established RATs that enable surveillance, data theft, and persistent access across different operating systems.
Key malware and tools associated with Group5 include:
- njRAT: This is a widely available Windows-based RAT known for its comprehensive capabilities, including file management, remote desktop control, keylogging, and webcam access. Its prevalence and ease of acquisition make it a favored tool for various threat actors.
- NanoCore: Another common Windows RAT, NanoCore offers similar functionalities to njRAT, such as remote access, file transfer, and surveillance capabilities.
- DroidJack: To target mobile platforms, specifically Android devices, Group5 utilizes DroidJack. This Android RAT allows the group to extend their espionage capabilities to mobile users, reflecting the widespread use of smartphones among their targets.
The consistent use of these commodity RATs suggests an operational model that prioritizes leveraging existing, proven tools for efficiency and effectiveness in their campaigns. Their ability to deploy these tools across both Windows and Android systems indicates a flexible approach to targeting.
Current Status
Group5 remains an active threat. The MITRE ATT&CK entry for G0043 was last modified in April 2024, indicating ongoing monitoring and relevance within the cybersecurity community. Recent analyses from August 2025 continue to describe Group5 as an active, state-linked threat actor with ties to Iran, consistently focusing on the Syrian opposition. Their continued operational activity, coupled with the persistent geopolitical interests driving their espionage, suggests that Group5 will likely remain a significant concern for their target demographic for the foreseeable future. Security professionals should maintain vigilance against their established tactics, particularly spearphishing and watering hole attacks, and monitor for the deployment of njRAT, NanoCore, and DroidJack.
Related content
Molerats (G0021): Persistent Cyber Espionage in the Middle East
Adversary ProfileGorgon Group (G0078): Hybrid Threat Actor Profile
Adversary ProfileNigerian BEC Syndicate: SilverTerrier (G0083) Threat Profile
Adversary ProfileAPT-C-36 (Blind Eagle): A Persistent Threat to Latin America
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call