Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 04/10/2016

OilRig Campaign: Malware Updates and Expanded Global Targets

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Downloader, Dropper, Malicious Macro, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The OilRig cyberattack campaign, first analyzed in May 2016, continues to evolve, targeting government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States. The attackers deliver malicious Microsoft Excel documents through spear-phishing emails and have updated their toolset, including the Clayslide delivery documents and the Helminth backdoor. The malware communicates with remote servers over HTTP and DNS for command and control. Despite its lack of sophistication, the malware has gone undetected in many organizations because of techniques such as DNS-based command and control.

Detected Targets

Type   | Description                                                                                                                  | Confidence
Sector | Government Agencies and Services                                                                                             | Verified
Region | Israel                                                                                                                       | Verified
Region | Qatar                                                                                                                        | Verified
Region | Saudi Arabia (the countries targeted by the attack include Saudi Arabia, Qatar, Turkey, Israel, and the United States)        | Verified
Region | Turkey                                                                                                                       | Verified
Region | United States                                                                                                                | Verified

Extracted IOCs

  • go0gie[.]com
  • googleupdate[.]download
  • shalaghlagh[.]tk
  • update-kernal[.]net
  • upgradesystems[.]info
  • winodwsupdates[.]me
  • yahoooooomail[.]com

Tip: 48 IOCs related to this threat have been found (0 IP, 7 domain, 0 URL, 0 email, 41 file hash).

Overlaps

[OilRig] OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (one case): 903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996

[OilRig] Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Source: Palo Alto Networks - April 2019

Detection (nine cases): 089bf971e8839db818ac462f53f82daed523c413bfc2e01fb76dd70b37162afe, 0ec288ac8c4aa045a45526c2939dbd843391c9c75fa4a3bcc0a6d7dc692fdcd1, 1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1, 3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4, 4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281, 662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f, d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34, f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e, go0gie[.]com

[OilRig] OilRig's Developmental Tactics: Evading Antivirus Through Rigorous Testing

Source: Palo Alto Networks - April 2017

Detection (one case): update-kernal[.]net

[OilRig] Stolen Code Signatures Fuel OilRig's Multi-Nation Cyber Attacks

Source: ClearSky - January 2017

Detection (five cases): googleupdate[.]download, shalaghlagh[.]tk, update-kernal[.]net, upgradesystems[.]info, winodwsupdates[.]me

[OilRig] OilRig Group Unleashes Coordinated Cyber Campaigns on Saudi Arabian Industries

Source: Palo Alto Networks - May 2016

Detection (one case): go0gie[.]com

[APT34] APT34 Targets Middle Eastern Banks with Macro Malware

Source: Mandiant - May 2016

Detection (one case): go0gie[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the OilRig Malware Campaign

A threat group known as OilRig has been actively updating its malware toolset and expanding its attacks against various government and corporate targets across multiple countries.

The group is believed to be linked to Iranian-based threat actors, known for cyber-espionage operations against Middle Eastern and Western organizations.

The campaign aims to conduct espionage by compromising target systems, maintaining access, and exfiltrating sensitive data through stealthy methods like DNS-based command and control.

Targets include government organizations and companies in Saudi Arabia, Qatar, Turkey, Israel, and the United States, indicating a focus on high-value geopolitical and strategic interests.

Attackers used spear-phishing emails with malicious Excel documents containing embedded macros. Once executed, these documents deployed malware that communicates with remote servers via HTTP and DNS.

The targeted entities likely possess sensitive political, economic, or military information valuable for strategic intelligence gathering.

Organizations should enhance email security, monitor network traffic for suspicious activity, enforce macro restrictions, and keep security tools updated to detect known malware variants.

This campaign is highly targeted, focusing on specific organizations of strategic interest, rather than being a broad, opportunistic attack.