Gorgon Group (G0078): Hybrid Threat Actor Profile
- Suspected Origin
- Pakistan
- Motivation
- Espionage, Financial Gain
- Aliases
- None documented
- Target Sectors
- Government, Manufacturing, Critical Infrastructure, Unspecified
- Associated Malware
- QuasarRAT, Remcos, NjRAT, NanoCore RAT, RevengeRAT, LokiBot, Agent Tesla, ShiftyBug, Crimson RAT, MasterMana botnet
Overview
The Gorgon Group, tracked by MITRE as G0078, is a sophisticated and persistent threat actor with suspected origins and connections to Pakistan. This group stands out due to its unusual operational model, seamlessly blending nation-state-level cyber espionage with broad, financially motivated cybercrime. Active since at least 2016, with initial campaigns observed in 2017, Gorgon Group has consistently adapted its tactics and tools, posing a significant threat across various sectors globally.
While evidence suggests a Pakistan nexus, with some members purporting to be located there and activity observed from Pakistani IP addresses, definitive state attribution remains challenging due to the group’s operational security practices and the potential for IP address spoofing. Their motivation is dual-pronged: information theft and espionage drive their targeted operations, while financial gain fuels their more widespread criminal activities, often leveraging the same infrastructure for both objectives.
Gorgon Group has targeted a diverse range of entities. Their government targets have included organizations in the United Kingdom, Spain, Russia, and the United States, particularly those operating within Pakistan. Beyond nation-states, they have also focused on the manufacturing sector. In their criminal endeavors, the group casts a wider net, impacting various industries across the globe, including entities in the European Union, Dubai’s main electrical and water utility (DEWA), and, more recently, the Indonesian industry.
Tactics & Techniques
The Gorgon Group primarily relies on social engineering, particularly spear phishing, for initial access. Their phishing emails often feature malicious Microsoft Office documents, including RTF, Word, Excel, and PowerPoint files, which contain embedded macros or exploit known vulnerabilities. They have notably exploited vulnerabilities such as CVE-2012-0158 and CVE-2017-0199 to achieve initial compromise. These emails are crafted to appear legitimate, sometimes impersonating individuals like a prominent Pakistani military officer, and use enticing subject lines related to political or military topics to encourage victims to open attachments. Beyond email attachments, they’ve also engaged in more elaborate social engineering, such as typo-squatted hotel websites and spoofed reservation confirmations to trap Spanish/Portuguese speakers.
Upon successful exploitation, the group employs various execution methods. This includes the use of PowerShell commands and VBScripts to download and execute additional payloads. They are also known to use cmd.exe for command execution and leverage the Windows API call CreateProcessA(). For defense evasion, Gorgon Group attempts to disable security features in Microsoft Office and Windows Defender by editing registry keys or using commands like taskkill. They also hide PowerShell windows using the -W Hidden parameter. The group has been observed using process hollowing to inject their trojans into legitimate processes, providing an additional layer of stealth.
Persistence is commonly achieved by creating .lnk files and adding Registry Run keys or modifying startup folders. For command and control (C2), Gorgon Group utilizes both traditional domains and common URL shortening services like Bitly, which also provides them with click statistics. In some campaigns, they’ve also leveraged public platforms like Blogspot and Pastebin as part of their C2 infrastructure.
Interestingly, Unit 42 researchers have noted instances of operational security (OPSEC) failures by the group, which have inadvertently provided insights into their shared infrastructure and diverse malware usage across their criminal and targeted operations.
Notable Campaigns
Gorgon Group’s activities can be traced back to 2016, with their first documented campaign occurring in July 2017. This initial wave of phishing emails targeted a U.S.-based government organization, delivering the QuasarRAT malware by exploiting CVE-2012-0158.
A significant surge in activity was observed in February 2018, when Palo Alto Networks’ Unit 42 identified extensive campaigns targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. These attacks frequently focused on agencies operating within Pakistan. During this period, the group notably blurred the lines between cybercrime and nation-state activity, often utilizing the same infrastructure for both types of attacks. For instance, the domain stevemike-fireforce[.]info was used concurrently for a large cybercrime campaign involving thousands of emails and targeted attacks against nation-state agencies between April and May 2018.
In early 2019, a campaign dubbed “Aggah” (after a Pastebin account name) was linked to the Gorgon Group. This operation targeted organizations across the U.S., Middle East, Europe, and Asia, relying on malicious macro-enabled documents that utilized Blogspot, Pastebin, and Bit.ly for C2, ultimately dropping variants of RevengeRAT.
By February 2020, research indicated a notable increase in the Gorgon Group’s sophistication. They were observed targeting the European Union and Dubai’s DEWA with convincing fake login pages, employing typo-squatted hotel websites and spoofed reservation confirmations. This period saw them developing and customizing commodity tools, introducing a custom office.dll for privilege escalation and Windows Defender disabling, and using a trojanized PowerPoint file.
The group’s activity continued into late 2021 with a campaign that leveraged an in-memory infection chain. This operation used legitimate online services like Blogspot and usrfiles.com to host JS/PowerShell commands and a process hollowing tool, ultimately deploying a customized Agent Tesla v3 payload. A significant portion of the victims in this campaign were linked to Indonesia or the Indonesian industry.
Associated Malware & Tools
Gorgon Group is known for its reliance on a variety of readily available remote access Trojans (RATs) and information stealers, often adapting and customizing them for their campaigns. Their toolkit includes:
- Remote Access Trojans (RATs): QuasarRAT, Remcos (RemcosRAT), NjRAT, NanoCore RAT, RevengeRAT, Crimson RAT, and ShiftyBug.
- Information Stealers: LokiBot (also known as Loki Password Stealer) and Agent Tesla.
- Botnets: The group has been linked to the cryptocurrency-stealing MasterMana botnet.
- Custom Tools: In their more sophisticated attacks, they have developed and used custom components, such as a specialized
office.dlldesigned to elevate privileges and disable Windows Defender. - Commodity Tools/Living off the Land: They also make use of various “living off the land” techniques and publicly available tools as part of their operations. This includes using PowerShell and
cmd.exefor execution and obfuscation techniques like Base64 encoding.
Current Status
The Gorgon Group has maintained an active presence in the threat landscape over several years, consistently demonstrating a dual capacity for both targeted cyber espionage and widespread criminal activity. While the latest public reports detailing specific new campaigns largely stem from late 2021, showing their use of Agent Tesla against Indonesian targets, the group was observed enhancing its sophistication and customizing tools as recently as early 2020. Their continued listing and most recent modification date on the MITRE ATT&CK knowledge base (May 2026) indicates that security professionals still consider them a relevant and active threat actor. The group’s opportunistic nature and willingness to adapt, coupled with their blend of motivations, suggest they remain a persistent concern.
Related content
Nigerian BEC Syndicate: SilverTerrier (G0083) Threat Profile
Adversary ProfileAPT-C-36 (Blind Eagle): A Persistent Threat to Latin America
Adversary ProfileLazyScripter Threat Profile: Targeting Airlines and Global Workforce
Adversary ProfileMolerats (G0021): Persistent Cyber Espionage in the Middle East
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call