Hackers sent infected Word documents via email to Israeli organizations. When opened, the documents installed malware without needing any clicks from the user.

Who was behind the attack?

The attack was carried out by a group known as OilRig, believed to be linked to the Iranian government and previously active across the Middle East.

Why did they launch this attack?

This was a politically motivated cyber-espionage campaign, likely aimed at stealing sensitive information from Israel’s key sectors.

Targets included Israeli universities, tech companies, and medical institutions. Ben-Gurion University, a major cyber research hub, was exploited to spread the malware.

How did the attack work?

Hackers took advantage of a software vulnerability in Microsoft Word to silently install malware using a method that leaves no traditional files behind, making detection harder.

Why were Israeli institutions attractive targets?

They likely held sensitive intellectual property and strategic data, especially from high-tech and medical sectors.

What should organizations do to stay safe?

Keep systems updated, monitor for unusual behavior (like scheduled tasks), and use advanced security tools that can detect hidden threats.

Is this a widespread threat?

This was a targeted campaign, but it used publicly known techniques. Any organization delaying security updates is potentially at risk.

Threats Feed|OilRig|Last Updated 30/01/2026|AuthorCertfa Radar|Publish Date27/04/2017

OilRig Campaign Resurfaces: Iranian Hackers Target Israel with Helminth Trojan

Actor Motivations: Espionage
Attack Vectors: Zero-Day Attack,Backdoor,Fileless malware,RAT,Spyware,Trojan,Spear Phishing
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

Between April 19-24, 2017, several Israeli organizations, including high-tech development companies, medical entities, and educational institutions were targeted by a politically motivated campaign attributed to the Iranian hacker group responsible for the OilRig malware campaigns. The fileless attack was delivered through compromised email accounts at Ben-Gurion University using Microsoft Word documents exploiting the CVE-2017-0199 vulnerability. The Helminth Trojan was installed as a result, bearing a striking similarity to the OilRig campaign conducted against Middle Eastern financial institutions the previous year. The threat actors exploited the gap between patch release and rollout, with active C&C servers still operational at the time of report publication.

Reference and Credit: Morphisec - April 2017

Iranian Fileless Attack Infiltrates Israeli Organizations

Detected Targets

Type	Description	Confidence
Case	Ben-Gurion University This is an academic institution in Israel that houses the country's Cyber Security Research Center, and its email accounts were compromised by the attackers to deliver the fileless attack to multiple targets across Israel. Ben-Gurion University of the Negev is a public research university in Beersheba, Israel. Ben-Gurion University of the Negev has five campuses: the Marcus Family Campus, Beer Sheva; the David Bergmann Campus, Beer Sheva; the David Tuviyahu Campus, Beer Sheva; the Sede Boqer Campus, and Eilat Campus. Ben-Gurion University has been targeted by OilRig as the main target.	Verified
Sector	High-Tech	Verified
Sector	Information Technology	Medium
Sector	Education Specific targets included Israeli high-tech development companies, medical organizations, education organizations, and notably, Ben-Gurion University.	Verified
Sector	Healthcare	Verified
Sector	University	Verified
Region	Israel The attack targeted numerous Israeli organizations.	Verified

Exploited Vulnerabilities

NIST NVD: CVE-2017-0199

Extracted IOCs

alenupdate[.]info
comonscar[.]in
maralen[.]tk
vpsupdate[.]tk
042f60714e9347db422e1a3a471dc0301d205ffbd053a4015d2b509db92029d1
2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84
5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43
832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8
a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab
be7f1d411cc4160bb221c7181da4370972b6c867af110c12850cad77981976ed
d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48
80[.]82.67.42
82[.]145.40.46
hxxp://comonscar[.]in

download

Tip: 14 related IOCs (2 IP, 4 domain, 1 URL, 0 email, 7 file hash) to this threat have been found.

FAQs

Oilrig Targets Israeli Institutions with Fileless Malware

: Hackers sent infected Word documents via email to Israeli organizations. When opened, the documents installed malware without needing any clicks from the user.
: The attack was carried out by a group known as OilRig, believed to be linked to the Iranian government and previously active across the Middle East.
: This was a politically motivated cyber-espionage campaign, likely aimed at stealing sensitive information from Israel’s key sectors.
: Targets included Israeli universities, tech companies, and medical institutions. Ben-Gurion University, a major cyber research hub, was exploited to spread the malware.
: Hackers took advantage of a software vulnerability in Microsoft Word to silently install malware using a method that leaves no traditional files behind, making detection harder.
: They likely held sensitive intellectual property and strategic data, especially from high-tech and medical sectors.
: Keep systems updated, monitor for unusual behavior (like scheduled tasks), and use advanced security tools that can detect hidden threats.
: This was a targeted campaign, but it used publicly known techniques. Any organization delaying security updates is potentially at risk.

About Affiliation

OilRig

Associate threats