>samit_hota
Back to adversary profiles
G0078HighActive

Gorgon Group (G0078): Hybrid Threat Actor Profile

Samit Hota·
Suspected Origin
Pakistan
Motivation
Espionage, Financial Gain
Aliases
None documented
Target Sectors
Government, Manufacturing, Critical Infrastructure, Unspecified
Associated Malware
QuasarRAT, Remcos, NjRAT, NanoCore RAT, RevengeRAT, LokiBot, Agent Tesla, ShiftyBug, Crimson RAT, MasterMana botnet
#threat-actor#g0078

Overview

The Gorgon Group, tracked by MITRE as G0078, is a sophisticated and persistent threat actor with suspected origins and connections to Pakistan. This group stands out due to its unusual operational model, seamlessly blending nation-state-level cyber espionage with broad, financially motivated cybercrime. Active since at least 2016, with initial campaigns observed in 2017, Gorgon Group has consistently adapted its tactics and tools, posing a significant threat across various sectors globally.

While evidence suggests a Pakistan nexus, with some members purporting to be located there and activity observed from Pakistani IP addresses, definitive state attribution remains challenging due to the group’s operational security practices and the potential for IP address spoofing. Their motivation is dual-pronged: information theft and espionage drive their targeted operations, while financial gain fuels their more widespread criminal activities, often leveraging the same infrastructure for both objectives.

Gorgon Group has targeted a diverse range of entities. Their government targets have included organizations in the United Kingdom, Spain, Russia, and the United States, particularly those operating within Pakistan. Beyond nation-states, they have also focused on the manufacturing sector. In their criminal endeavors, the group casts a wider net, impacting various industries across the globe, including entities in the European Union, Dubai’s main electrical and water utility (DEWA), and, more recently, the Indonesian industry.

Tactics & Techniques

The Gorgon Group primarily relies on social engineering, particularly spear phishing, for initial access. Their phishing emails often feature malicious Microsoft Office documents, including RTF, Word, Excel, and PowerPoint files, which contain embedded macros or exploit known vulnerabilities. They have notably exploited vulnerabilities such as CVE-2012-0158 and CVE-2017-0199 to achieve initial compromise. These emails are crafted to appear legitimate, sometimes impersonating individuals like a prominent Pakistani military officer, and use enticing subject lines related to political or military topics to encourage victims to open attachments. Beyond email attachments, they’ve also engaged in more elaborate social engineering, such as typo-squatted hotel websites and spoofed reservation confirmations to trap Spanish/Portuguese speakers.

Upon successful exploitation, the group employs various execution methods. This includes the use of PowerShell commands and VBScripts to download and execute additional payloads. They are also known to use cmd.exe for command execution and leverage the Windows API call CreateProcessA(). For defense evasion, Gorgon Group attempts to disable security features in Microsoft Office and Windows Defender by editing registry keys or using commands like taskkill. They also hide PowerShell windows using the -W Hidden parameter. The group has been observed using process hollowing to inject their trojans into legitimate processes, providing an additional layer of stealth.

Persistence is commonly achieved by creating .lnk files and adding Registry Run keys or modifying startup folders. For command and control (C2), Gorgon Group utilizes both traditional domains and common URL shortening services like Bitly, which also provides them with click statistics. In some campaigns, they’ve also leveraged public platforms like Blogspot and Pastebin as part of their C2 infrastructure.

Interestingly, Unit 42 researchers have noted instances of operational security (OPSEC) failures by the group, which have inadvertently provided insights into their shared infrastructure and diverse malware usage across their criminal and targeted operations.

Notable Campaigns

Gorgon Group’s activities can be traced back to 2016, with their first documented campaign occurring in July 2017. This initial wave of phishing emails targeted a U.S.-based government organization, delivering the QuasarRAT malware by exploiting CVE-2012-0158.

A significant surge in activity was observed in February 2018, when Palo Alto Networks’ Unit 42 identified extensive campaigns targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. These attacks frequently focused on agencies operating within Pakistan. During this period, the group notably blurred the lines between cybercrime and nation-state activity, often utilizing the same infrastructure for both types of attacks. For instance, the domain stevemike-fireforce[.]info was used concurrently for a large cybercrime campaign involving thousands of emails and targeted attacks against nation-state agencies between April and May 2018.

In early 2019, a campaign dubbed “Aggah” (after a Pastebin account name) was linked to the Gorgon Group. This operation targeted organizations across the U.S., Middle East, Europe, and Asia, relying on malicious macro-enabled documents that utilized Blogspot, Pastebin, and Bit.ly for C2, ultimately dropping variants of RevengeRAT.

By February 2020, research indicated a notable increase in the Gorgon Group’s sophistication. They were observed targeting the European Union and Dubai’s DEWA with convincing fake login pages, employing typo-squatted hotel websites and spoofed reservation confirmations. This period saw them developing and customizing commodity tools, introducing a custom office.dll for privilege escalation and Windows Defender disabling, and using a trojanized PowerPoint file.

The group’s activity continued into late 2021 with a campaign that leveraged an in-memory infection chain. This operation used legitimate online services like Blogspot and usrfiles.com to host JS/PowerShell commands and a process hollowing tool, ultimately deploying a customized Agent Tesla v3 payload. A significant portion of the victims in this campaign were linked to Indonesia or the Indonesian industry.

Associated Malware & Tools

Gorgon Group is known for its reliance on a variety of readily available remote access Trojans (RATs) and information stealers, often adapting and customizing them for their campaigns. Their toolkit includes:

  • Remote Access Trojans (RATs): QuasarRAT, Remcos (RemcosRAT), NjRAT, NanoCore RAT, RevengeRAT, Crimson RAT, and ShiftyBug.
  • Information Stealers: LokiBot (also known as Loki Password Stealer) and Agent Tesla.
  • Botnets: The group has been linked to the cryptocurrency-stealing MasterMana botnet.
  • Custom Tools: In their more sophisticated attacks, they have developed and used custom components, such as a specialized office.dll designed to elevate privileges and disable Windows Defender.
  • Commodity Tools/Living off the Land: They also make use of various “living off the land” techniques and publicly available tools as part of their operations. This includes using PowerShell and cmd.exe for execution and obfuscation techniques like Base64 encoding.

Current Status

The Gorgon Group has maintained an active presence in the threat landscape over several years, consistently demonstrating a dual capacity for both targeted cyber espionage and widespread criminal activity. While the latest public reports detailing specific new campaigns largely stem from late 2021, showing their use of Agent Tesla against Indonesian targets, the group was observed enhancing its sophistication and customizing tools as recently as early 2020. Their continued listing and most recent modification date on the MITRE ATT&CK knowledge base (May 2026) indicates that security professionals still consider them a relevant and active threat actor. The group’s opportunistic nature and willingness to adapt, coupled with their blend of motivations, suggest they remain a persistent concern.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call