Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 05/01/2017

Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spyware, Trojan, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact / High Probability

Threat Overview

The Iranian threat actor OilRig, active since the end of 2015, has been implicated in a wave of cyber attacks against Israel, Turkey, Qatar, Kuwait, the UAE, Saudi Arabia, and Lebanon. In its most recent campaigns the group has set up fake VPN portals and counterfeit websites, and has signed its malware with a stolen code signing certificate so that the files appear to come from a legitimate vendor. A signature made with a stolen key passes an ordinary "is it signed?" check; only comparing the signer's identity against the publisher you expect, or a revocation check, catches it. This illustrates both the group's technical capability and the effectiveness of its operations. The attacks have largely targeted IT and financial institutions, along with postal and logistics services, causing significant concern in these sectors.

Detected Targets

Type | Description | Confidence
--- | --- | ---
Case | AI Squared, a legitimate software company whose code signing certificate was stolen and used by the attackers to sign their malware, giving it an extra layer of apparent legitimacy. OilRig targeted AI Squared in order to abuse its certificate. | Verified
Sector | Financial | Verified
Sector | Information Technology. Based on the listed targets, the sectors hit were IT, finance and the postal service. | Verified
Sector | Logistics | Verified
Region | Israel. The countries targeted were Israel, Turkey, Qatar, Kuwait, the United Arab Emirates, Saudi Arabia and Lebanon. | Verified
Region | Kuwait | Verified
Region | Lebanon | Verified
Region | Qatar | Verified
Region | Saudi Arabia | Verified
Region | Turkey | Verified
Region | United Arab Emirates | Verified

Extracted IOCs

  • accountsupportteam[.]com
  • acount-google[.]ml
  • admin-supporter[.]com
  • applicationframehost[.]in
  • check-system[.]org
  • check-updater[.]org
  • dns-bind9[.]com
  • dnsrecordsolver[.]tk
  • dnsupdateservers[.]net
  • dockerjsbin[.]com
  • egoogle[.]org
  • gaccountservices[.]com
  • googleaccountsservices[.]com
  • googlednsupdate[.]tk
  • googleupdate[.]download
  • hell-tec[.]in
  • it-service[.]in
  • kernel-update[.]com
  • kernel[.]ws
  • liuedu-lb[.]in
  • main-google-resolver[.]com
  • malamvpn[.]com
  • microsoft-kernels-pdate[.]net
  • microsoftupdate[.]mom
  • net-support[.]info
  • outlookteam[.]live
  • oxford-careers[.]com
  • oxford-employee[.]com
  • oxford[.]in
  • oxford-symposia[.]com
  • shalaghlagh[.]tk
  • shellexperiencehost[.]in
  • supportvpn[.]net
  • sys-update[.]com
  • taldor[.]org
  • technical-google[.]com
  • tecsupport[.]in
  • update-kernal[.]net
  • updateorg[.]com
  • updater[.]li
  • upgradesystems[.]info
  • vodafoneco[.]com
  • windows-dns-resolver[.]org
  • winodwsupdates[.]me
  • 138iklspool-arp.googleaccountsservices[.]com
  • 87pqxz159.dockerjsbin[.]com
  • 9660d0a.winodwsupdates[.]me
  • app.microsoftupdate[.]mom
  • f83zx-138iklspool-arp.googleaccountsservices[.]com
  • ns11.windows-dns-resolver[.]org
  • ns1.applicationframehost[.]in
  • ns1.dnsrecordsolver[.]tk
  • ns1.egoogle[.]org
  • ns1.microsoftupdate[.]mom
  • ns1.shalaghlagh[.]tk
  • ns1.windows-dns-resolver[.]org
  • ns1.winodwsupdates[.]me
  • ns2.applicationframehost[.]in
  • ns2.dnsrecordsolver[.]tk
  • ns2.egoogle[.]org
  • ns2.microsoftupdate[.]mom
  • ns2.shalaghlagh[.]tk
  • ns2.sys-update[.]com
  • ns2.windows-dns-resolver[.]org
  • ns2.winodwsupdates[.]me
  • nsn1.winodwsupdates[.]me
  • www.googleaccountsservices[.]com
  • www.microsoftupdate[.]mom
  • www.windows-dns-resolver[.]org
  • www.winodwsupdates[.]me
  • zzs00000tdy30.egoogle[.]org
  • jason.hasaki@hotmail[.]com
  • javamaker@inbox[.]ru
  • masha.sharon@inbox[.]ru
  • megandoherty@teleworm[.]us
  • nism2020@yandex[.]com
  • ranjan1984rajiv@gmail[.]com
  • salim.ahmed.alqahtani@mail[.]ru
  • sara.patrik@chmail[.]ir
  • zack.patrik@mail[.]com
  • zak.s.whittaker@gmail[.]com
  • 0235605e4795208724409e1626c6117c
  • 0302e72fafd6fa8143943fdf2efc592d
  • 0bf3cf83ac7d83d6943afd02c28d286a
  • 1792cdd0c5397ff5df445d73276d1a50
  • 197c018922237828683783654d3c632a
  • 1c23b3f11f933d98febfd5a92eb5c715
  • 20b8dc0f4f5758afdaf442bad3552bf5
  • 262bc259682cb48ce66a80dcc9a5d587
  • 3a5fcba80c1fd685c4b5085d9d474118
  • 456a45b59a7588294cf25a5cab4a9821
  • 5713c3c01067c91771ac70e193ef5419
  • 6a65d762fb548d2dc56cfde4842a4d3c
  • 72e046753f0496140b4aa389aee2e300
  • 7528c387f853d96420cf7e20f2ad1d32
  • adb1e854b0a713f6ffd3eace6431c81d
  • bd7d2efdb2a0f352c4b74f2b82e3c7bc
  • bdafd1fb08d5ed0073b3c0605e1e4581
  • cd46960e865dc06596a1b68be427ac7a
  • d50ab63f4034c6f5eb356e3326320e66
  • f76443385fef159e6b73ad6bf7f086d6
  • f77ee804de304f7c3ea6b87824684b33
  • f8ce7e356e09de6a48dca9e51421b6f6
  • 136[.]243.203.141
  • 136[.]243.203.174
  • 136[.]243.214.247
  • 138[.]201.7.140
  • 149[.]202.230.140
  • 151[.]80.211.156
  • 158[.]69.57.61
  • 178[.]33.94.47
  • 192[.]99.102.35
  • 31[.]3.225.55
  • 83[.]142.230.138
  • 85[.]117.204.18

Tip: 115 IOCs related to this threat have been found (12 IPs, 71 domains, 0 URLs, 10 emails, 22 file hashes).
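The defanged list above is meant to be consumed by tooling rather than read by hand. The following is an added example, not part of the Certfa feed, that parses indicators written in this `[.]` style, classifies them by type, and sweeps a DNS query log for lookups of any listed domain or a subdomain of it. The sample indicators are a subset copied from the list above (with the stray "download" widget text a copy-paste carries along, to show it being skipped); the log lines and their key=value layout are constructed for the example and are not any resolver's native format; the hash pattern also accepts SHA-1 and SHA-256 lengths, a generalization beyond the MD5-length digests the page lists.

```python
"""Parse defanged IOCs, classify them, and sweep a DNS query log for hits."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the page's IOCs plus the "download" residue.
SAMPLE_IOCS = """\
  • accountsupportteam[.]com
  • googleaccountsservices[.]com
  • microsoftupdate[.]mom
  • ns1.egoogle[.]org
  • jason.hasaki@hotmail[.]com
  • 0235605e4795208724409e1626c6117c
  • 136[.]243.203.141
  • 31[.]3.225.55
download
"""

# Constructed DNS query log in an assumed key=value layout.
SAMPLE_DNS_LOG = [
    "2017-01-05T10:12:03Z client=10.0.0.12 query=f83zx-138iklspool-arp.googleaccountsservices.com type=A",
    "2017-01-05T10:12:04Z client=10.0.0.12 query=www.google.com type=A",
    "2017-01-05T10:12:05Z client=10.0.0.33 query=notmicrosoftupdate.mom type=A",
    "2017-01-05T10:12:06Z client=10.0.0.33 query=app.microsoftupdate.mom type=A",
    "2017-01-05T10:12:07Z client=10.0.0.41 query=egoogle.org type=A",
]

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests; the page lists MD5-length ones.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# One or more letter-digit-hyphen labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def refang(value):
    """Undo the usual defanging substitutions so the value can be matched."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def classify(value):
    """Return 'hash', 'ip', 'email' or 'domain'; None for non-indicators."""
    if HASH_RE.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "@" in value:
        local, _, host = value.rpartition("@")
        return "email" if local and DOMAIN_RE.match(host) else None
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def parse_iocs(text):
    """Return (kind, refanged_value) pairs; bullets and page residue are dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        value = refang(line)
        kind = classify(value)
        if kind is None:            # e.g. the "download" widget text
            continue
        if kind != "email":         # hostnames and hex digests are case-insensitive
            value = value.lower()
        records.append((kind, value))
    return records


def summarize(records):
    """Counts per indicator kind, the same breakdown as the page's 'Tip' line."""
    return dict(Counter(kind for kind, _ in records))


def matching_indicator(qname, domains):
    """Walk the name label by label: a.b.evil.tld matches the indicator evil.tld,
    notevil.tld does not, and an indicator that is itself a subdomain (ns1.x.org)
    does not match its parent (x.org)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(records, log_lines):
    """Return (client, queried_name, matched_indicator) for every hit."""
    domains = {value for kind, value in records if kind == "domain"}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        indicator = matching_indicator(m["qname"], domains)
        if indicator:
            hits.append((m["client"], m["qname"], indicator))
    return hits


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_IOCS)
    print(summarize(recs))
    for hit in scan_dns_log(recs, SAMPLE_DNS_LOG):
        print("HIT client=%s query=%s indicator=%s" % hit)
```

Suffix matching on label boundaries is the point of `matching_indicator`: the feed lists odd-looking subdomains such as f83zx-138iklspool-arp.googleaccountsservices[.]com, and a resolver log will show whatever label the implant generated next, so matching the registered domain catches them while a substring match would also fire on an unrelated notmicrosoftupdate.mom.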

Overlaps

APT34 | Cyber-Espionage in the Middle East: A Deep Dive into APT34's Operations

Source: Cyware - August 2019

Detection (three cases): oxford-careers[.]com, oxford-employee[.]com, oxford[.]in

OilRig | OilRig's Developmental Tactics: Evading Antivirus Through Rigorous Testing

Source: Palo Alto Networks - April 2017

Detection (two cases): update-kernal[.]net, updateorg[.]com

OilRig | OilRig Campaign: Malware Updates and Expanded Global Targets

Source: Palo Alto Networks - October 2016

Detection (five cases): googleupdate[.]download, shalaghlagh[.]tk, update-kernal[.]net, upgradesystems[.]info, winodwsupdates[.]me

OilRig | OilRig Group Unleashes Coordinated Cyber Campaigns on Saudi Arabian Industries

Source: Palo Alto Networks - May 2016

Detection (one case): kernel[.]ws

Chafer | Chafer and Cadelle: Unveiling Iran's Persistent Cyber Surveillance on Middle Eastern Targets

Source: Symantec - December 2015

Detection (one case): 87pqxz159.dockerjsbin[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

OilRig’s Digitally Signed Malware and Oxford Impersonation

What happened?

An Iranian-linked hacking group, OilRig, used fake websites impersonating the University of Oxford and counterfeit copies of legitimate software (such as a VPN client) to distribute malware. The malicious files were signed with a stolen but still trusted code signing certificate, so a plain signature check would not have flagged them.

Who was behind the campaign?

The campaign was orchestrated by OilRig, a known Iranian cyber-espionage group active since at least 2015.

What were the attackers after?

The attackers aimed to infiltrate sensitive networks, steal data, and maintain persistent access to target organizations by using trusted-looking malware and deceptive portals.

Who was targeted?

Victims included IT vendors, financial organizations, government-linked services in Israel, and other entities across the Middle East, including Turkey, the UAE, and Lebanon.

How were victims compromised?

Victims received phishing emails or visited fake Oxford-related websites, where they were tricked into downloading and installing malware disguised as job application tools or VPN software.

Why impersonate Oxford?

Using a prestigious and trusted institution such as Oxford increases the chance that targets will engage with the fake websites and download the malware.

How can organizations defend against this?

Install software only from verified sources; monitor DNS and proxy logs for the listed domains and for look-alikes of vendor and update hostnames; and validate digital signatures beyond "signed or not": confirm that the signer is the publisher you expect and check the certificate's revocation status, because a stolen certificate produces a signature that otherwise verifies cleanly. Train staff to recognize phishing lures.

Does this campaign overlap with other Iranian activity?

Yes. The infrastructure and malware used show overlap with other Iranian-linked groups such as Chafer and with campaigns using tools such as Backdoor.Remexi, indicating broader regional cyber-espionage activity.