Threat Actor Profile
High APT
Description

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)

Confidence Score
90%
Known Aliases
WIRTE
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (11)
T1071.001 - Web Protocols
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1571 - Non-Standard Port
Command and Control
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1218.010 - Regsvr32
Defense Evasion
T1059.001 - PowerShell
Execution
T1059.005 - Visual Basic
Execution
T1204.002 - Malicious File
Execution
T1566.001 - Spearphishing Attachment
Initial Access
T1588.002 - Tool
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['WIRTE'],
 'created': '2019-05-24T17:02:44.226Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[WIRTE](https://attack.mitre.org/groups/G0090) is a threat '
                'group that has been active since at least August 2018. '
                '[WIRTE](https://attack.mitre.org/groups/G0090) has targeted '
                'government, diplomatic, financial, military, legal, and '
                'technology organizations in the Middle East and '
                'Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky '
                'WIRTE November 2021)',
 'external_references': [{'external_id': 'G0090',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0090'},
                         {'description': '(Citation: Lab52 WIRTE Apr 2019)',
                          'source_name': 'WIRTE'},
                         {'description': 'S2 Grupo. (2019, April 2). WIRTE '
                                         'Group attacking the Middle East. '
                                         'Retrieved May 24, 2019.',
                          'source_name': 'Lab52 WIRTE Apr 2019',
                          'url': 'https://lab52.io/blog/wirte-group-attacking-the-middle-east/'},
                         {'description': 'Yamout, M. (2021, November 29). '
                                         'WIRTE’s campaign in the Middle East '
                                         '‘living off the land’ since at least '
                                         '2019. Retrieved February 1, 2022.',
                          'source_name': 'Kaspersky WIRTE November 2021',
                          'url': 'https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044'}],
 'id': 'intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1',
 'modified': '2025-04-16T20:37:32.959Z',
 'name': 'WIRTE',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Lab52 by S2 Grupo'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}
Quick Actions
Related TTPs (11)
Web Protocols
Command and Control
Ingress Tool Transfer
Command and Control
Non-Standard Port
Command and Control
Match Legitimate Resource Nam…
Defense Evasion
Deobfuscate/Decode Files or I…
Defense Evasion
View All 11 TTPs
Back to Threat Actors
Dashboard Home