Threat Actor Profile
Description
Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (4)
Indicators of Compromise
STIX Data
{
  "aliases": ["Group5"],
  "created": "2017-05-31T21:32:08.304Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
  "external_references": [
    {
      "external_id": "G0043",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0043"
    },
    {
      "description": "(Citation: Citizen Lab Group5)",
      "source_name": "Group5"
    },
    {
      "description": "Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.",
      "source_name": "Citizen Lab Group5",
      "url": "https://citizenlab.ca/2016/08/group5-syria/"
    }
  ],
  "id": "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40",
  "modified": "2024-04-11T02:23:59.598Z",
  "name": "Group5",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.3"
}