Threats Feed

BladedFeline, an Iran-aligned APT group likely linked to OilRig (APT34), has conducted a multi-year cyberespionage campaign targeting Kurdish and Iraqi government officials as well as a telecommunications provider in Uzbekistan. Active since at least 2017, the group deployed various custom tools—including the Shahmaran and Whisper backdoors, the PrimeCache IIS module, reverse tunnels (Laret and Pinar), and several post-compromise implants—to maintain long-term access. Whisper abuses Microsoft Exchange email infrastructure for covert C2, while PrimeCache leverages malicious IIS components. This activity highlights Iran’s strategic interest in regional political and telecommunications sectors.

APT34 (OilRig) has launched a targeted cyber espionage campaign against Iraqi government entities since 2024, using spearphishing emails with forged documents to deploy custom C# malware disguised as PDF files. The malware performs system reconnaissance, anti-VM checks, and sets up persistence via scheduled tasks. It communicates with command-and-control infrastructure through both HTTP and compromised Iraqi government email accounts (SMTP/IMAP). The group also utilizes European-hosted infrastructure with deceptive 404 pages and obfuscated communication protocols. Targeted sectors include government, energy, finance, defense, and telecommunications, indicating a continued focus on intelligence gathering in the Middle East.

OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088. The group relies on obfuscation techniques to evade detection and uses tools such as STEALHOOK for privilege escalation, lateral movement and data exfiltration. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, highlighting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate advanced persistence, stealth and adaptability in line with state-sponsored objectives.

OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088. The group relies on obfuscation techniques to evade detection and uses tools such as STEALHOOK for privilege escalation, lateral movement and data exfiltration. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, highlighting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate advanced persistence, stealth and adaptability in line with state-sponsored objectives.

Earth Simnavaz, also known as APT34 or OilRig, has been targeting governmental entities in the UAE and Gulf region, focusing on the energy sector and critical infrastructure. The group uses sophisticated tactics, including the exploitation of Microsoft Exchange servers for credential theft and privilege escalation via CVE-2024-30088. They employ custom .NET tools, PowerShell scripts, and IIS-based malware to avoid detection. Additionally, the attackers utilize ngrok for persistent access and lateral movement, and manipulate password filters to extract plain-text credentials. These credentials are used for supply chain attacks, with a focus on exfiltrating sensitive data through compromised email servers.

The Iranian state-sponsored threat actor, OilRig, known for targeting global sectors such as Government, Financial Services, Energy, Telecommunications, and Technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack such as Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.

TA452's August 2022 intrusion involved a malicious Word document with a VBA macro that established persistence and C2 communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and exfiltrated data using makecab.exe. They employed sophisticated techniques such as base64 encoding, obfuscation, and scheduled tasks to maintain access and evade detection. The campaign is linked to OilRig group and targeted organizations with custom-tailored malware, hinting at state-sponsored activity. Data was exfiltrated over encrypted channels, with evidence pointing to an organized and targeted approach.

AttackIQ has released attack graphs emulating OilRig’s operations against global sectors, based on reports from Mandiant, Intezer, and Palo Alto Networks. The 2020 social media phishing campaign used LinkedIn to distribute malicious documents, leading to the Tonedeaf backdoor installation, persistence via scheduled tasks, and credential dumping with tools like LaZagne. The 2018 QuadAgent campaign targeted technology service providers and government agencies with PowerShell malware, establishing persistence, and utilizing multi-channel command-and-control communication, including SSL, HTTP, and DNS.

OilRig targeted a telecommunications organization in the Middle East using a variant of their RDAT tool, featuring a novel email-based command and control (C2) channel that employs steganography. This method hides commands and data within bitmap images attached to emails, making detection difficult. The attack involved custom Mimikatz tools for credential dumping, Bitvise for SSH tunneling, and PowerShell downloaders. RDAT has been under development since 2017, evolving to include DNS tunneling and Exchange Web Services (EWS) for C2 communications. The use of steganographic images in emails represents a sophisticated evasion technique.

APT34 has launched a new campaign targeting United States-based research services company Westat, and its customers, employing a modified toolset. The attack was discovered in late January 2020 and initiated with a spear-phishing operation using a disguised employee satisfaction survey file, survey.xls. Once the victim enabled macros, malicious VBA code executed, extracting and installing a more advanced and stealthy variant of the TONEDEAF malware, TONEDEAF 2.0. The attackers also possibly used a VALUEVAULT implant for browser credential theft. The effort demonstrates APT34's substantial investment in upgrading its toolset to evade future detection.

IBM's X-Force team has detailed a new destructive malware, ZeroCleare, targeting the energy sector in the Middle East. The wiper, similar to Shamoon, overwrites data and maliciously uses legitimate tools. Attribution points to Iranian state-sponsored groups, possibly a collaboration between ITG13 and another entity. The report highlights the increase in destructive attacks, particularly in the energy sector, and offers mitigation strategies, including the use of threat intelligence, robust security controls and effective backup systems. Finally, it notes the wider geopolitical implications of such attacks.

This NSFOCUS report details an analysis of a leaked toolkit belonging to the APT34 hacking group, also known for its similarities to OilRig. The report focuses on the toolkit's components, including Trojans such as Glimpse and PoisonFrog, and Webshells used for privilege escalation and data exfiltration, primarily targeting the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.

Mandiant detected a phishing campaign by APT34, an Iranian-nexus threat actor, in late June 2019. The actor, posing as a member of Cambridge University, delivered malicious documents via LinkedIn and introduced three new malware families. The primary industries targeted by this campaign were Energy and Utilities, Government, and Oil and Gas. APT34 is notably active in the Middle East, employing a blend of public and non-public tools to carry out its cyber espionage activities.

The OilRig group has been actively targeting various sectors, including government, media, energy, and technology across 27 countries. The group has stolen nearly 13,000 credentials, deployed over 100 webshells, and maintained backdoor access to compromised hosts. Techniques include credential dumping with Mimikatz, DNS hijacking, and using PowerShell-based tools like Glimpse and Poison Frog. Their operations involve SQL injections, exploiting public-facing applications, and leveraging webshells for persistent access. The group's sophisticated TTPs underline their persistent threat to diverse industry verticals.

The APT34/OILRIG group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed a C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools facilitate file transfer, credential theft and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating a potential target for high-value networks. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.

The report highlights OilRig’s deployment of tools like Helminth, ISMAgent, ALMACommunicator, BONDUPDATER, and QUADAGENT, which utilize DNS queries to communicate stealthily with C2 servers. This covert communication method is favored due to DNS's typical allowance through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding techniques to transmit data and evade detection effectively.

The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

Unit 42 monitored OilRig's testing of the TwoFace webshell, specifically its TwoFace++ variant, to evade detection by security tools. Analysis revealed that OilRig's developers systematically modified the webshell's loader script to reduce detection rates, ultimately achieving zero detection by altering code related to the embedded payload's update functionality. The testing involved decoding and encrypting webshell data and frequent code alterations to pinpoint and circumvent security measures. Additionally, another webshell, named DarkSeaGreenShell, was discovered during these tests.

The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.