Threats Feed | APT34 | Last Updated: 29/01/2026 | Author: Certfa Radar | Publish Date: 22/05/2016

APT34 Targets Middle Eastern Banks with Macro Malware

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Downloader, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

APT34 launched targeted attacks against banks in the Middle East in May 2016. The threat actors emailed malicious macro-enabled XLS files to banking sector employees; once enabled, the macros created multiple directories and dropped PowerShell scripts that carried out the malicious activity. After execution the macros also unhid previously hidden worksheet content, giving the document a false sense of legitimacy. The dropped scripts downloaded additional payloads, gathered system information, and exfiltrated data over DNS queries, demonstrating the continued effectiveness of macro malware.

Detected Targets

Type | Description | Confidence
Sector | Financial (the attack targeted banks in the Middle East region) | Verified
Region | Middle East Countries | Verified

Extracted IOCs

  • go0gie[.]com
  • 35[.]35.35.35
  • hxxp://go0gie[.]com

Tip: 3 IOCs related to this threat have been found (1 IP, 1 domain, 1 URL, 0 email, 0 file hash).

Overlaps

OilRig | Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Source: Palo Alto Networks - April 2019

Detection (one case): go0gie[.]com

OilRig | OilRig Campaign: Malware Updates and Expanded Global Targets

Source: Palo Alto Networks - October 2016

Detection (one case): go0gie[.]com

OilRig | OilRig Group Unleashes Coordinated Cyber Campaigns on Saudi Arabian Industries

Source: Palo Alto Networks - May 2016

Detection (three cases): 35[.]35.35.35, hxxp://go0gie[.]com, go0gie[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

APT34’s Banking Sector Espionage in the Middle East

A wave of spear-phishing emails targeting Middle Eastern banks in May 2016 led to the deployment of malware designed to steal sensitive information and credentials using stealthy techniques like DNS tunneling.

The campaign was attributed to APT34, also known as OilRig, a suspected Iranian threat group active since at least 2014, known for targeting critical sectors in the Middle East.

The attackers aimed to gather intelligence, specifically credentials and internal system data from financial institutions, likely for long-term espionage and access.

Attackers used emails with malicious Excel files posing as legitimate IT reports. Once opened, macros in the files launched scripts that downloaded further malware and set up covert data exfiltration.

Banks are often targeted by nation-state actors for financial intelligence, access to internal systems, or to monitor financial activities within a geopolitical region.

Victims opened malicious Excel attachments, which ran scripts that created scheduled tasks and downloaded tools to gather data and send it back using DNS, a protocol rarely blocked in corporate environments.

This was a targeted campaign, but it highlights the risks posed by macro-based phishing and DNS misuse. Similar tactics have been used by other APT groups globally.

Train employees to identify phishing attempts, restrict script execution, monitor DNS activity, and enforce multi-layered authentication. Network-level anomaly detection for DNS and PowerShell use is also essential.
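The DNS monitoring recommended above can start with a simple heuristic: a zone that receives many distinct, long, high-entropy subdomain labels from one client looks like encoded data leaving over DNS rather than normal name resolution. The following is an added example written for this page, not code from Certfa Radar or from any referenced report; the log line format and the tunnel-placeholder.test zone are constructed, and the thresholds are starting points to tune against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the page): "<time> <client> <qname> <qtype>".
# tunnel-placeholder.test is an obviously fake stand-in for an attacker-controlled zone.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.3 www.example.com A
10:00:02 10.1.2.3 mail.example.com A
10:00:03 10.1.2.3 a1b2c3d4e5f6g7h8.tunnel-placeholder.test A
10:00:04 10.1.2.3 j9k0lmn1opq2rst3.tunnel-placeholder.test A
10:00:05 10.1.2.3 uvw4xyz5ab6cd7ef.tunnel-placeholder.test A
10:00:06 10.1.2.3 gh8ij9kl0mn1op2q.tunnel-placeholder.test A
10:00:07 10.1.2.3 rs3tu4vw5xy6za7b.tunnel-placeholder.test A
10:00:08 10.1.2.3 c8de9fg0hi1jk2lm.tunnel-placeholder.test A
10:00:09 10.1.2.3 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-style encoded chunks score high, real words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude zone key (last two labels); a production pipeline would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_tunnel_candidates(log_text, min_unique=5, min_len=8, min_entropy=3.0):
    """Return {zone: stats} for zones whose subdomain labels look like encoded payload chunks."""
    per_zone = defaultdict(set)  # zone -> set of distinct subdomain prefixes seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        qname = m.group(3)
        zone = registered_domain(qname)
        sub = qname[: -len(zone) - 1] if qname.endswith(zone) else ""
        if sub:
            per_zone[zone].add(sub)
    hits = {}
    for zone, subs in per_zone.items():
        longish = [s for s in subs if len(s) >= min_len]
        if len(longish) < min_unique:
            continue  # a few long labels are normal (CDNs, tracking); volume is the signal
        avg_ent = sum(shannon_entropy(s) for s in longish) / len(longish)
        if avg_ent >= min_entropy:
            hits[zone] = {"unique_subdomains": len(subs), "avg_entropy": round(avg_ent, 2)}
    return hits
```

Run it over passive DNS or resolver logs per source host; legitimate zones with many long labels (CDNs, anti-spam lookups) are the main false positives and belong on an allow list once reviewed.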