Skip to main content
Mallory
Back to threat actors
1 malware family

PittyTiger

Also known asPittyTiger

PittyTiger is a tracked threat actor referenced as G0011. The provided content attributes to PittyTiger the use of publicly available credential access tooling including Mimikatz and gsecdump, and states that the group attempts to obtain legitimate credentials during operations. The content also associates PittyTiger with MITRE ATT&CK techniques T1078 (Valid Accounts), T1588.002 (obtain capabilities/tools), T1621 (Multi-Factor Authentication Request Generation), and T1098 (Account Manipulation). The ATT&CK tactic annotations in the content include Defense Evasion, Delivery, Exploitation, Installation, Persistence, and Privilege Escalation. No additional aliases, sub-groups, targeting details, or attribution beyond the name PittyTiger are directly stated in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics17 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1588
Obtain Capabilities
T1588.002×5
Tool
TA0001
Initial Access
1 technique
T1078×22
Valid Accounts
TA0003
Persistence
3 techniques
T1078×22
Valid Accounts
T1098×3
Account Manipulation
T1136
Create Account
T1136.001
Local Account
TA0004
Privilege Escalation
2 techniques
T1078×22
Valid Accounts
T1098×3
Account Manipulation
TA0005
Stealth
1 technique
T1078×22
Valid Accounts
TA0006
Credential Access
3 techniques
T1003×2
OS Credential Dumping
T1110
Brute Force
T1621
Multi-Factor Authentication Request Generation
TA0008
Lateral Movement
1 technique
T1550
Use Alternate Authentication Material
TA0011
Command and Control
3 techniques
T1090
Proxy
T1219
Remote Access Tools
T1572
Protocol Tunneling
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
MimikatzAPT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.1May 26, 2026
ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 13, 2026
Detection: Windows Azure PowerShell Module Installation Via PowerShell Script | Splunk Security Content

Listed as a threat actor associated with Azure Active Directory account takeover, persistence, privilege escalation, and related cloud-focused post-compromise activity detected via PowerShell module installation.

Read more
splunk researchNews
Feb 25, 2026
Detection: ASL AWS SAML Update identity provider | Splunk Security Content

Listed as a threat actor associated with the Valid Accounts technique in the context of AWS SAML provider update detection and potential federated credential abuse.

Read more
splunk researchNews
Feb 25, 2026
Detection: AWS Bedrock Invoke Model Access Denied | Splunk Security Content

Listed as a threat actor associated with the detection's ATT&CK-style annotations for valid accounts and alternate authentication material activity.

Read more
splunk researchNews
Feb 25, 2026
Detection: AWS SAML Update identity provider | Splunk Security Content

Listed as a threat actor associated with valid accounts activity in the context of AWS SAML provider updates and potential federated credential abuse.

Read more
+32 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping11

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.