Group5 is a threat group with suspected Iranian connections. This threat group has targeted individuals connected to the Syrian opposition through spear phishing and watering hole attacks, primarily using Syrian and Iranian themes. Group5 has used two commonly available Remote Access Tools (RATs), njRAT and NanoCore, and an Android RAT, DroidJack.

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.