An Iran-based hacking group known as HELIX KITTEN has been conducting targeted attacks against a range of industries using sophisticated phishing and custom malware implants.

Who is behind the attack?

HELIX KITTEN, also called OilRig or APT34, is a threat actor assessed to operate from Iran. They are known for state-aligned cyber-espionage campaigns.

What was the goal of the attack?

The attackers aimed to steal sensitive information and gain long-term access to victims’ systems, with possible objectives including espionage and data collection.

Organizations in aerospace, energy, finance, government, hospitality, and most recently telecommunications were targeted.

How did the attackers get in?

They used convincing phishing emails containing malicious Office documents that installed malware when opened by recipients.

Why target telecommunications companies?

Controlling telecommunications infrastructure can give attackers access to large volumes of communication data and enable rerouting or monitoring of traffic.

What should organizations do to protect themselves?

Organizations should strengthen email defenses, disable risky macro functionality, monitor for suspicious network activity (especially DNS anomalies), and train employees to spot phishing attempts.

Is this a widespread problem or targeted?

This campaign is highly targeted, focusing on organizations with strategic value, rather than broad indiscriminate attacks.

Threats Feed|Helix Kitten|Last Updated 04/07/2025|AuthorCertfa Radar|Publish Date27/11/2018

HELIX KITTEN: Expanding Cyber Threat to Telecommunications and Middle Eastern Targets

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Malicious Macro,RAT,Trojan,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

The adversary group, HELIX KITTEN, is employing spear-phishing attacks and using custom PowerShell implants (Helminth and ISMDoor) to target entities in the aerospace, energy, financial, government, hospitality, and telecommunications sectors. With a special focus on the Middle East, specifically Bahrain and Kuwait, the group manipulates DNS AAAA records for command and control, and exfiltrates data, captures screenshots, and executes arbitrary commands on victims' machines. Furthermore, HELIX KITTEN has begun targeting the telecommunications industry, possibly for bulk data collection and rerouting communications for future intelligence activities.

Reference and Credit: CrowdStrike - November 2018

Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN

Detected Targets

Type	Description	Confidence
Sector	Information Technology	Verified
Sector	Telecommunication	Verified
Region	Bahrain The countries targeted by the attack include Bahrain and Kuwait.	Verified
Region	Kuwait	Verified

FAQs

Understanding the HELIX KITTEN Campaign

: An Iran-based hacking group known as HELIX KITTEN has been conducting targeted attacks against a range of industries using sophisticated phishing and custom malware implants.
: HELIX KITTEN, also called OilRig or APT34, is a threat actor assessed to operate from Iran. They are known for state-aligned cyber-espionage campaigns.
: The attackers aimed to steal sensitive information and gain long-term access to victims’ systems, with possible objectives including espionage and data collection.
: Organizations in aerospace, energy, finance, government, hospitality, and most recently telecommunications were targeted.
: They used convincing phishing emails containing malicious Office documents that installed malware when opened by recipients.
: Controlling telecommunications infrastructure can give attackers access to large volumes of communication data and enable rerouting or monitoring of traffic.
: Organizations should strengthen email defenses, disable risky macro functionality, monitor for suspicious network activity (especially DNS anomalies), and train employees to spot phishing attempts.
: This campaign is highly targeted, focusing on organizations with strategic value, rather than broad indiscriminate attacks.

About Affiliation

Helix Kitten