A hacking toolset used by an Iranian-linked group, APT34, was leaked online. Among the tools is a DNS hijacking framework named "Webmask," which redirects and monitors internet traffic for spying and credential theft.

Who is behind this tools?

The tools were created and used by APT34, also known as OilRig. This group is widely believed to operate on behalf of the Iranian government and has targeted various industries in the Middle East and beyond.

What was the goal of the tools?

The purpose was to intercept sensitive data like usernames, passwords, and browsing activity by hijacking DNS traffic and injecting monitoring scripts into websites visited by the victims.

Which regions or industries were targeted?

Examples in the leaked tools point to potential targets in the Arab Emirates and possibly Spanish or Portuguese-speaking entities. APT34 has historically targeted government, financial, energy, and telecom sectors.

How was the attack carried out?

By setting up rogue DNS servers and proxies, attackers redirected users’ web traffic through systems they controlled. These systems could log credentials, cookies, and even alter the pages users saw.

Why are these organizations targeted?

Industries like government, energy, and finance are often of strategic interest to state actors. In this case, the targeting aligns with Iran’s geopolitical priorities.

Threats Feed|APT34|Last Updated 14/04/2025|AuthorCertfa Radar|Publish Date23/04/2019

APT34’s Webmask Project: DNS Hijacking and Targeted Cyber Attacks

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Malware
Attack Complexity: Unknown
Threat Risk: Unknown

Threat Overview

APT34 has been leveraging DNS tunneling for command and control since May 2016. The leaked source code, revealed via a Telegram channel, includes projects like webmask which primarily focus on DNS hijacking and redirection attacks. The attacks target sectors such as technology firms, telecom companies, and gaming companies across the Middle East and Asia, with a particular focus on UAE. The setup involves using NodeJS and Python for DNS servers, an ICAP proxy server to intercept and modify connections, and Haproxy for high availability.

Reference and Credit: Marco Ramilli - April 2019

APT34: webmask project

Detected Targets

Type	Description	Confidence
Sector	Financial	High
Sector	Government Agencies and Services	High
Sector	Energy	High
Sector	Telecommunication	High
Region	Portugal	Medium
Region	Spain	Medium
Region	United Arab Emirates	Medium
Region	Middle East Countries	Verified

FAQs

Understanding the Webmask Project and APT34

: A hacking toolset used by an Iranian-linked group, APT34, was leaked online. Among the tools is a DNS hijacking framework named "Webmask," which redirects and monitors internet traffic for spying and credential theft.
: The tools were created and used by APT34, also known as OilRig. This group is widely believed to operate on behalf of the Iranian government and has targeted various industries in the Middle East and beyond.
: The purpose was to intercept sensitive data like usernames, passwords, and browsing activity by hijacking DNS traffic and injecting monitoring scripts into websites visited by the victims.
: Examples in the leaked tools point to potential targets in the Arab Emirates and possibly Spanish or Portuguese-speaking entities. APT34 has historically targeted government, financial, energy, and telecom sectors.
: By setting up rogue DNS servers and proxies, attackers redirected users’ web traffic through systems they controlled. These systems could log credentials, cookies, and even alter the pages users saw.
: Industries like government, energy, and finance are often of strategic interest to state actors. In this case, the targeting aligns with Iran’s geopolitical priorities.

About Affiliation

APT34

Associate threats