Gallmaker

Threat Actor Profile Updated 25 days ago
Download STIX
Preview STIX
Gallmaker, a threat actor group we have been monitoring since its inception in December 2017, has exhibited consistent activity up until June 2018. The group's operations are characterized by a unique approach of not using custom malware but instead leveraging "living off the land" (LotL) tactics and publicly available hacking tools. This strategy makes Gallmaker's activities particularly challenging to detect, as they blend with legitimate processes and use widely accessible tools, thereby leaving minimal traces of intrusion. The group's activity points strongly towards cyber espionage, likely sponsored by a state entity, given the nature of their targets. Gallmaker's victims are primarily associated with government, military, or defense sectors, indicating a highly targeted approach. The group uses three primary IP addresses for its command-and-control (C&C) infrastructure to communicate with infected devices. Notably, the victims observed lacked a specific patch, rendering them vulnerable to exploits via the DDE protocol. Despite the stealthy nature of Gallmaker's activities, Symantec's Targeted Attack Analytics (TAA) technology was instrumental in detecting this threat actor. Gallmaker's reliance on LotL tactics and public hack tools, combined with their focus on high-value governmental and defense targets, underscores the evolving sophistication of threat actors and the need for advanced detection capabilities. It also emphasizes the importance of regular system updates and patches in maintaining a strong security posture.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Gallmaker Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Gallmaker: New Attack Group Eschews Malware to Live off the Land