Latest Update 07/07/2025

Threats Feed

  1. Public

    Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

    The report highlights OilRig’s deployment of tools like Helminth, ISMAgent, ALMA Communicator, BONDUPDATER, and QUADAGENT, which use DNS queries to communicate stealthily with C2 servers. This covert channel is favored because DNS traffic is typically allowed through security devices. The group has evolved its DNS tunneling protocols over time, using customized subdomains and encoding techniques to transmit data and evade detection.

  2. Public

    HELIX KITTEN: Expanding Cyber Threat to Telecommunications and Middle Eastern Targets

    The adversary group, HELIX KITTEN, is employing spear-phishing attacks and using custom PowerShell implants (Helminth and ISMDoor) to target entities in the aerospace, energy, financial, government, hospitality, and telecommunications sectors. With a special focus on the Middle East, specifically Bahrain and Kuwait, the group manipulates DNS AAAA records for command and control, and exfiltrates data, captures screenshots, and executes arbitrary commands on victims' machines. Furthermore, HELIX KITTEN has begun targeting the telecommunications industry, possibly for bulk data collection and rerouting communications for future intelligence activities.

  3. Public

    Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

    The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

  4. Public

    OilRig Threat Group Introduces ALMA Communicator in Spear-Phishing Attacks

    The OilRig threat group has been utilizing a refined version of the Clayslide delivery document for spear-phishing attacks since May 2016. Recently, they have developed a new custom Trojan named "ALMA Communicator", and incorporated the use of Mimikatz for credential harvesting in the delivery phase of the attack. The targets included an individual at a public utilities company in the Middle East. ALMA Communicator uses DNS tunneling for C2 communication and has some data transfer limitations, which may have prompted the early deployment of Mimikatz.

  5. Public

    Potential Cyber Targets Revealed in Greenbug's Domain Registrations: Israeli and Saudi Firms in Focus

    The Iranian threat actor Greenbug registered domains resembling those of Israeli high-tech and cybersecurity companies, as well as a Saudi Arabian electrical equipment firm. A sample of the ISMdoor malware was submitted from Iraq on October 15, 2017, indicating ongoing activity by the actor. Despite these registrations, there is no evidence of direct targeting of or impact on these companies. High-tech, cybersecurity, online advertising, airport security systems, web development, behavioral biometrics, artificial intelligence, data security, and autonomous driving are sectors potentially of interest to the actor.

  6. Public

    Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures Middle Eastern targets

    The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.

  7. Public

    COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign

    SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (aka OilRig). The attackers sent spear-phishing emails containing shortened URLs that redirected to spoofed domains. Victims were presented with a malicious Microsoft Office document which, when opened, executed PowerShell commands that installed PupyRAT, a multi-platform remote access trojan (RAT).

  8. Public

    OilRig Campaign: Malware Updates and Expanded Global Targets

    The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. Using spear-phishing emails with malicious Microsoft Excel documents, the attackers have updated their toolset, including Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers via HTTP and DNS for command and control. Despite its lack of sophistication, the malware successfully operates under the radar in many establishments due to techniques like DNS command and control.
