The Gorgon Group is a threat actor known for its cybercriminal activities, with a particular focus on financial fraud and cybercrime. It also conducts targeted attacks against government organizations, including entities in Russia, Spain, the UK, and the US. The group uses Bitly to shorten and distribute its C2 (Command and Control) domains, the same approach it uses in its targeted attacks. Despite its lack of sophistication, the Gorgon Group has proven relatively successful, particularly against individuals without adequate protections. This success is evidenced by the group netting 132,840 Bitly clicks from mid-February to the present during its current campaign.
There are striking similarities between the tactics, techniques, and procedures (TTPs) of Aggah, another cyber threat actor, and the Gorgon Group. While there's no clear evidence of any state-sponsorship or national identity for Aggah, these similarities suggest a possible link to the Gorgon Group, which is believed to be a state-sponsored group under the Pakistani government. Furthermore, an analysis of the group's activity led to the conclusion that several of its members have a nexus in Pakistan.
Cybersecurity firms such as 360 and Tuisec have already identified some Gorgon Group members. AutoFocus customers can track these samples with the Gorgon Group actor tag. Additionally, Traps blocks all of the files currently associated with the Gorgon Group, adding a layer of protection against this threat actor. Throughout April, an increase in the Gorgon Group's activity volume was observed, as measured by the Bitly click counts for the campaign. Continuous monitoring and proactive cybersecurity measures are therefore necessary to mitigate the risks posed by the Gorgon Group.
Description last updated: 2024-05-05T04:01:02.743Z