>samit_hota
Back to adversary profiles
G0084HighUnknown

Gallmaker (G0084): A Profile of Persistent Cyberespionage

Samit Hota·
Suspected Origin
Unknown
Motivation
Espionage
Aliases
None documented
Target Sectors
Government, Military, Defense
Associated Malware
Metasploit, WindowsRoamingToolsTask, WinZip, Rex PowerShell, PowerShell
#threat-actor#g0084

Overview

Gallmaker, tracked as G0084 in the MITRE ATT&CK framework, is a sophisticated cyberespionage group that has primarily focused its operations on the Middle East since at least December 2017. This highly targeted group is believed to be sponsored by a nation-state, though public reporting has not definitively attributed them to a specific country. Their core motivation is cyberespionage, seeking to acquire sensitive information from critical government, military, and defense entities.

The group stands out for its “living off the land” approach, predominantly relying on readily available system tools and legitimate software rather than developing and deploying custom, persistent malware. This tactic allows Gallmaker to blend in with normal network traffic, making their activities more challenging to detect and attribute definitively. Initial observations of their campaigns indicate a high degree of precision in targeting, suggesting a focused collection requirement against specific organizations and individuals within their chosen sectors.

Tactics & Techniques

Gallmaker’s operational methodology demonstrates a clear preference for evasion and stealth, leveraging common system utilities to minimize their footprint on compromised networks. Their initial access often begins with spearphishing attacks, delivering malicious Microsoft Office documents to their targets. These documents are crafted to exploit vulnerabilities, specifically attempting to leverage the Dynamic Data Exchange (DDE) protocol to execute commands directly in memory. This in-memory execution is a key aspect of their “malware-less” strategy, designed to avoid leaving forensic artifacts on disk that could lead to detection. Victims are typically lured into enabling content within these documents, inadvertently triggering the malicious execution.

Once a foothold is established, Gallmaker extensively utilizes PowerShell for various objectives, including downloading additional payloads and executing commands. They have also been observed obfuscating shellcode during execution to further evade security controls. For data collection and exfiltration, the group uses common archiving utilities like WinZip, likely to compress and prepare stolen data before it leaves the compromised network. This reliance on native operating system features and legitimate tools highlights a tactical choice to leverage existing infrastructure, making it difficult for defenders to differentiate between legitimate system activity and malicious actions.

Notable Campaigns

Gallmaker has been consistently active since at least December 2017, with public reporting detailing a surge in their activity during April 2018. The most recent publicly reported attacks by Gallmaker were observed in June 2018. Their targeting has been highly specific, focusing on government, military, and defense organizations within the Middle East. In addition to these regional targets, Symantec also reported that Gallmaker launched attacks against several overseas embassies belonging to an unspecified Eastern European country. While the details of specific victim organizations or the exact nature of the intelligence sought remain largely undisclosed in public reports, the consistent targeting of high-value sectors underscores their cyberespionage objectives. The campaigns often start with highly crafted spearphishing emails, indicating a significant level of reconnaissance and planning prior to engagement.

Associated Malware & Tools

In line with their “living off the land” philosophy, Gallmaker primarily employs publicly available and legitimate tools rather than custom-developed malware. Their arsenal includes:

  • Metasploit’s reverse_tcp shell: This well-known reverse shell is used to establish covert communication channels back to the attacker’s command and control (C2) infrastructure.
  • WindowsRoamingToolsTask: This PowerShell scheduler is utilized for persistence and potentially for executing further stages of their operations.
  • WinZip: A legitimate archiving tool, employed by Gallmaker for compressing collected data, likely before exfiltration from target systems.
  • Rex PowerShell: An open-source library that assists in creating PowerShell scripts for Metasploit exploits, further demonstrating their integration of publicly available penetration testing tools.
  • PowerShell: This native Windows scripting language is a cornerstone of Gallmaker’s operations for execution, downloading payloads, and various other post-compromise activities.

The absence of unique, custom malware in public reporting makes Gallmaker’s operations particularly challenging to track and attribute using traditional signature-based detection methods. Their reliance on these ubiquitous tools necessitates a strong focus on behavioral analysis and anomaly detection to identify their presence.

Current Status

While Gallmaker was actively reported on between late 2017 and mid-2018, with a significant spike in activity during April 2018, publicly available information regarding their campaigns largely tapered off after June 2018. The MITRE ATT&CK framework page for Gallmaker (G0084) was last modified on April 25, 2025, indicating that the group remains a recognized and tracked entity within the cybersecurity community. However, this last modification date primarily reflects updates to the MITRE entry itself rather than new public reporting on the group’s ongoing operations. Despite the lack of recent public incident reports, the nature of nation-state cyberespionage and Gallmaker’s “living off the land” tactics mean they could still be active, operating under the radar without leaving easily identifiable traces for public disclosure. Without further public reporting from security vendors or government agencies, their current operational status remains unknown.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call