Skip to content

G0084 Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.1

Item Value
ID G0084
Associated Names
Version 1.1
Created 30 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Gallmaker has used WinZip, likely to archive data prior to exfiltration.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Gallmaker used PowerShell to download additional payloads and for execution.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.1
enterprise T1027 Obfuscated Files or Information Gallmaker obfuscated shellcode used during execution.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Gallmaker sent emails with malicious Microsoft Office documents attached.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Gallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution.1


Back to top