Threat Actor Profile
Mirage Tiger
Mirage Tiger, formerly tracked as the “WiseGuy” cluster, is a targeted intrusion group linked to India. Active since approximately 2017, this advanced persistent threat (APT) actor primarily targets Pakistani government and military organizations. Their operations rely on password-protected Microsoft Office documents with malicious macros as an initial access vector. Public intelligence on this group remains limited, with detailed telemetry gated behind vendor reports.
Country of Origin
Mirage Tiger is attributed to a nexus in India, as reported by multiple cybersecurity vendors, including CrowdStrike. While public details are sparse, the consistent targeting of Pakistani entities supports this attribution.
Members
The exact size and composition of Mirage Tiger remain unknown. Public sources do not provide details on individual members or organizational structure.
Leadership
No specific names or aliases of Mirage Tiger’s leadership have been publicly disclosed. The group is tracked under the alias “WiseGuy” in earlier vendor reports.
Mirage Tiger TTPs
Tactics
Mirage Tiger’s primary goal appears to be strategic intelligence collection, focusing on government and military-related organizations in Pakistan. Their operations suggest a targeted intrusion approach rather than hacktivism or commodified cybercrime.
Techniques
The group employs phishing campaigns using password-protected Microsoft Office documents containing malicious macros. These documents are often hosted remotely and delivered via email lures.
Procedures
Initial Access: Remotely hosted, password-protected Office documents with embedded macros.
Execution: Macros trigger malicious scripts, often spawning processes like PowerShell, mshta, or wscript.
Persistence: Attempts to write to persistence locations, such as Startup folders, Scheduled Tasks, or Run keys.
Delivery Vector: Email phishing campaigns with links to remote Office document downloads.
Notable Cyberattacks
While no specific operations have been publicly detailed, Mirage Tiger’s campaigns align with regional political and military events, suggesting a strategic focus on intelligence collection.
Law Enforcement & Arrests
No arrests or law enforcement actions against Mirage Tiger have been publicly reported.
How to Defend Against Mirage Tiger
Block Malicious Attachments: Quarantine inbound password-protected Office documents from untrusted senders.
Enforce Macro Policies: Disable macros by default and require signed macros for execution.
Monitor Endpoint Activity: Detect unusual process chains (e.g., Office spawning PowerShell).
Harden Email Gateways: Use static and dynamic analysis for attachments and sandbox URL detonation.
Leverage EDR Solutions: Ensure endpoint detection and response (EDR) tools are configured to block script-based attacks.
Huntress tools can help detect and mitigate these threats by providing endpoint visibility, script-blocking policies, and proactive threat hunting.
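The Procedures section above describes the chain this profile is built around (Office document, macro, script host, persistence write), and the defensive guidance asks for detection of unusual process chains and persistence attempts. The following is an added example, not Huntress code and not any vendor's detection logic: a small analyzer that walks constructed process-creation and write events, flags Office spawning PowerShell, mshta or wscript, tracks which processes descend from an Office parent, and raises the severity of a Startup folder, Run key or Scheduled Tasks write when it comes from that chain. The event schema, field names and sample paths are assumptions made for the example.

```python
"""Detection sketch over constructed endpoint telemetry (added example,
not Huntress code). Flags the behaviours named in the profile: Office
spawning a script host, and writes to persistence locations (Startup
folder, Run keys, Scheduled Tasks). Event schema is an assumption."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Persistence locations listed in the profile, matched case-insensitively
# against the written file path or registry key.
PERSISTENCE_LOCATIONS = (
    ("startup_folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("run_key", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("scheduled_task", re.compile(r"\\System32\\Tasks\\", re.I)),
)


@dataclass
class Event:
    """One telemetry record (constructed schema). kind is 'process' for a
    process creation or 'write' for a file/registry value written."""
    kind: str
    pid: int
    ppid: int = 0
    image: str = ""    # process: image path of the new process
    parent: str = ""   # process: image path of the parent process
    target: str = ""   # write: file path or registry key written


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (severity, rule, detail) tuples for suspicious events.

    PIDs that descend from an Office process are remembered so that a later
    persistence write can be tied back to the macro chain and rated higher
    than the same write from an unrelated process (e.g. an installer).
    """
    office_descendants = set()
    findings = []
    for ev in events:
        if ev.kind == "process":
            parent, child = _name(ev.parent), _name(ev.image)
            if parent in OFFICE_APPS or ev.ppid in office_descendants:
                office_descendants.add(ev.pid)
            if child in SCRIPT_HOSTS:
                if parent in OFFICE_APPS:
                    findings.append(("medium", "office_spawns_script_host",
                                     f"{parent} -> {child} (pid {ev.pid})"))
                elif ev.ppid in office_descendants:
                    findings.append(("medium", "script_host_in_office_chain",
                                     f"{parent} -> {child} (pid {ev.pid})"))
        elif ev.kind == "write":
            for rule, pattern in PERSISTENCE_LOCATIONS:
                if pattern.search(ev.target):
                    severity = "high" if ev.pid in office_descendants else "low"
                    findings.append((severity, rule, f"pid {ev.pid} wrote {ev.target}"))
    return findings


# Constructed sample telemetry: one macro chain plus a benign task registration.
SAMPLE_EVENTS = [
    Event("process", pid=1000, ppid=500, parent=r"C:\Windows\explorer.exe",
          image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("process", pid=1100, ppid=1000,
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", pid=1200, ppid=1100,
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          image=r"C:\Windows\System32\wscript.exe"),
    Event("write", pid=1200,
          target=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    Event("write", pid=1200,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Benign: an installer with no Office ancestry registering a scheduled task.
    Event("write", pid=2000, target=r"C:\Windows\System32\Tasks\VendorUpdate"),
]

if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {detail}")
```

Run against the constructed events, the analyzer produces two medium findings for the process chain, two high findings for the Startup folder and Run key writes made by the Office-descended wscript process, and one low finding for the unrelated scheduled task write. In a real pipeline the same logic would be fed from process-creation and file/registry telemetry rather than an inline list, and the parent-tracking step is what turns a noisy persistence rule into one that prioritizes the macro chain this group relies on.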