
Threat Actor Characterization

Whitefly

ID: 288162a252c6cc8c6b3cafc2895ec2cc98093
Categories: Cybercrime; State-Sponsored
Threat types: Espionage, Data Theft, Intrusion
Origin/attribution: Unknown · Country: SGP (Singapore)
Updated: 2026-01-13
Created: 2025-10-22
Progress: 51% · Completeness: 52% · Freshness: 50%
Operation zone: Singapore
Aliases: none registered.
MITRE ATT&CK®

Whitefly (MITRE G0107) is a long-dwell espionage group active since at least 2017 and publicly linked to the 2018 SingHealth breach in Singapore. Its tradecraft includes malicious executables disguised as documents or images, DLL search order hijacking to run the Vcrodat and Nibatad loaders, credential theft with Mimikatz, and an encrypted payload that, once decrypted, contacts its C2 server and pulls down further tools.


Technique   Technique name                      Tactics                 Evidence
T1204.002   User Execution: Malicious File      TA0002
  • 2019-03-06 — Initial access via malicious .exe/.dll lures disguised as documents or images, likely delivered via spear-phishing.
T1574.001   DLL Search Order Hijacking          TA0003 TA0004 TA0005
  • 2019-03-06 — Execution via DLL search order hijacking to run the Vcrodat loader, with DLL names chosen to match security vendor libraries.
T1105       Ingress Tool Transfer               TA0011
  • 2019-03-06 — The loader decrypts and runs an encrypted payload that contacts C2; additional tools are downloaded per target.
T1003.001   OS Credential Dumping: LSASS Memory TA0006
  • 2019-03-06 — Use of Mimikatz to dump credentials from LSASS memory for lateral movement.
T1068       Exploitation for Privilege Escalation TA0004
  • 2019-03-06 — Privilege escalation by exploiting CVE-2016-0051 on unpatched systems with an open-source tool.
T1059       Command and Scripting Interpreter   TA0002
  • 2019-03-06 — Use of a simple remote shell and malicious PowerShell for post-compromise operations.
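The table above describes tradecraft but no detection logic. The following Python script is an added example written for this page; it is not part of the profile, of MITRE's G0107 entry, or of any vendor report. It runs three hunting heuristics derived from the table over constructed Sysmon-style events: a watchlisted DLL loaded from an unexpected or user-writable path (T1574.001), a non-allowlisted process opening lsass.exe with PROCESS_VM_READ (T1003.001), and an executable whose name carries a decoy document extension (T1204.002). The watchlist entry `secvendor.dll`, the expected vendor directory, the LSASS allowlist names and all file paths are placeholders, not observed indicators.

```python
"""Hunting heuristics for the Whitefly tradecraft in the technique table.

Added example: the events, the DLL watchlist and the LSASS allowlist are
constructed placeholders, not real telemetry or published indicators.
Field names follow Sysmon's schema (EventID 1 = ProcessCreate,
7 = ImageLoad, 10 = ProcessAccess).
"""
from typing import List, Optional

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system DLL loaded from System32 by a signed binary.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Suspicious: a DLL named like a security product's library is loaded
    # from a user-writable path by an unsigned executable (hijack pattern).
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\report.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\secvendor.dll",
     "Signed": "false"},
    # Benign: an AV engine (assumed allowlisted) reading lsass.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # Suspicious: Mimikatz-style LSASS read (0x1010 = QUERY_LIMITED_INFORMATION | VM_READ).
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Suspicious: executable disguised as a document via a double extension.
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\invoice_2018.pdf.exe",
     "ParentImage": r"C:\Program Files\Outlook\OUTLOOK.EXE"},
    # Benign process creation.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Placeholder watchlist: DLL name -> directory it is expected to load from.
HIJACK_WATCHLIST = {"secvendor.dll": "c:\\program files\\vendor\\"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Placeholder allowlist of processes that legitimately read LSASS memory.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "txt"}
EXEC_EXT = {"exe", "dll", "scr", "com"}


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_dll_hijack(ev: dict) -> Optional[str]:
    """T1574.001: watchlisted DLL from the wrong directory, or unsigned DLL from a user path."""
    loaded = ev["ImageLoaded"]
    lower = loaded.lower()
    name = basename(loaded)
    expected = HIJACK_WATCHLIST.get(name)
    if expected is not None and not lower.startswith(expected):
        return f"T1574.001: watchlisted DLL {name} loaded from unexpected path {loaded}"
    if ev.get("Signed", "").lower() == "false" and lower.startswith(USER_WRITABLE_PREFIXES):
        return f"T1574.001: unsigned DLL loaded from user-writable path {loaded}"
    return None


def check_lsass_access(ev: dict) -> Optional[str]:
    """T1003.001: PROCESS_VM_READ on lsass.exe from a process not on the allowlist."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    src = basename(ev["SourceImage"])
    if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
        return (f"T1003.001: {src} opened lsass.exe with PROCESS_VM_READ "
                f"(GrantedAccess={ev['GrantedAccess']})")
    return None


def check_masquerade(ev: dict) -> Optional[str]:
    """T1204.002: executable whose name ends in <decoy document ext>.<executable ext>."""
    name = basename(ev["Image"])
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT:
        return f"T1204.002: executable with decoy document extension: {name}"
    return None


def hunt(events: List[dict]) -> List[str]:
    """Dispatch each event to the heuristic for its Sysmon event type; return findings."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7:
            alert = check_dll_hijack(ev)
        elif eid == 10:
            alert = check_lsass_access(ev)
        elif eid == 1:
            alert = check_masquerade(ev)
        else:
            alert = None
        if alert:
            findings.append(alert)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample set the script raises three findings (the hijack-style DLL load, the LSASS read from the Temp binary, and the double-extension executable) and stays silent on the three benign events. In production the watchlist would be populated from the security products actually deployed, the LSASS allowlist from baselined telemetry, and the `GrantedAccess` threshold tuned, since legitimate tooling also reads LSASS.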
Strategic Intelligence
Last updated: 2025-10-23T14:41:09+00:00
WHITEFLY — Long-dwell espionage targeting Singaporean networks

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Whitefly (MITRE G0107) is a cyber-espionage group active since at least 2017 that targets organizations mostly in Singapore across multiple sectors. Public reporting links Whitefly to the 2018 SingHealth breach, in which records of about 1.5 million patients were taken, and describes consistent use of custom loaders (Vcrodat, Nibatad), DLL search order hijacking, malicious executables disguised as documents or images, and post-compromise credential theft with Mimikatz. The group mixes custom malware with open-source tools and living-off-the-land tradecraft to maintain long dwell times and exfiltrate large volumes of data. Overall confidence in the core profile is high, based on MITRE and vendor primary reporting.


  • Industries/Sectors: Healthcare; Media; Telecommunications; Engineering; (multinationals with Singapore presence also observed).
  • Geography (Region): Primarily Southeast Asia.
  • Countries (if available): Singapore (multiple incidents including the SingHealth breach).
  • Timeframe: 2017–2019 (public reporting); MITRE page maintained through 2024.
Executive Analyst Brief for CISO: no content yet.
Hunting Playbook: no content yet.
IOC Appendix: no content yet.
OSINT Library: no content yet.
Social Media & Communication: no social links registered for this profile.
Reference Images / Associated Evidence: no images found for this threat.