Threat Intelligence Tarot
cups · 13
Pakistan (suspected)
G0078 · ★★★★★
risk 2/5
✦ The Petty Face ✦
Gorgon Group
Subaat operators
Targets: Western government agencies · Financial sector · Pakistan regional targets · Global criminal campaigns
Active since ~2018 · Commodity cybercrime, Government targeting (secondary), RAT deployment for hire
The Petty Face does not choose between espionage and crime - it does both, sloppily. It targets governments with the same commodity RATs it sells to other criminals. Its operational security is poor, its ambitions exceed its discipline, and its name was earned: it wears the face of something dangerous while being mainly noise.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- UK, US, Russian government entity targeting (2018)
- NjRAT and QuasarRAT deployment at scale
- Criminal marketplace activity alongside government targeting
- Open-source RAT distribution and resale operations
Defenses
- Block commodity RAT C2 traffic via threat intelligence feeds (CIS Control 9)
- VBA macro controls for Office documents from email (CIS Control 2)
- Email sandboxing for government and financial sector (CIS Control 9)
- Endpoint behavioral detection for NjRAT and QuasarRAT families (NIST CSF: DE.CM)
Reversed: Their Weakness
Gorgon Group's poor operational security (publicly documented social media, reused infrastructure, and commodity tooling) made it one of the easiest APT groups to expose and attribute, demonstrating that nation-state proxies operating in the cybercriminal underground face a much higher attribution risk.
Data sourced from MITRE ATT&CK. For educational purposes.