Threats Feed | OilRig | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 25/07/2018

Adapting and Evolving: A Look at the OilRig's QUADAGENT-Driven Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Dropper, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

The OilRig group continued its espionage activities, primarily within the Middle East. Between May and June 2018, they orchestrated multiple attacks using compromised accounts from a Middle Eastern government agency, targeting a technology services provider and another government entity. The group leveraged a PowerShell backdoor called QUADAGENT and employed spear-phishing tactics, obfuscation using the Invoke-Obfuscation toolkit, and PE files to achieve their objectives. They also used stolen credentials and decoy dialog boxes to reduce suspicion and evade detection.

Detected Targets

Type | Description | Confidence
Sector | Government Agencies and Services | Verified
Sector | Information Technology (the attack targeted a technology services provider and a government entity) | Verified
Region | Middle East Countries | High

Extracted IOCs


Tip: 8 IOCs related to this threat have been found (0 IP, 3 domain, 0 URL, 0 email, 5 file hash).

Overlaps

OilRig | OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

Source: Picus Security - December 2024

Detection (two cases): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c, d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de

APT39 | Tracking APT39 and APT34: Innovations in C2 Server Profiling

Source: Mandiant - July 2020

Detection (one case): rdppath[.]com

OilRig | Analyzing OilRig's Use of DNS Tunneling in Cyber Espionage Campaigns

Source: Palo Alto Networks - April 2019

Detection (two cases): 1f6369b42a76d02f32558912b57ede4f5ff0a90b18d3b96a4fe24120fa2c300c, acrobatverify[.]com

OilRig | Inside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

Source: Palo Alto Networks - October 2017

Detection (one case): 119c64a8b35bd626b3ea5f630d533b2e0e7852a4c59694125ff08f9965b5f9cc

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the OilRig QUADAGENT Attacks

The OilRig group carried out spear phishing attacks to deliver a backdoor tool called QUADAGENT to technology and government targets in the Middle East.

The attacks were conducted by OilRig (also known as APT34 or Helix Kitten), a threat actor known for espionage campaigns mainly focused on the Middle East.

The primary goal was espionage—gaining unauthorized access to sensitive systems and maintaining persistence for information gathering.

A technology services provider and a government agency within the same country were targeted. The attackers used stolen accounts to disguise the source of their attacks.

The attackers used phishing emails with malicious attachments—either executable files or Word documents with embedded macros—to install the QUADAGENT backdoor.

Government agencies and technology providers often handle sensitive data or provide access to critical infrastructure, making them attractive espionage targets.

Organizations should enhance email security, monitor for suspicious PowerShell activity, block known malicious domains, and train staff to recognize phishing attempts.

This was a highly targeted attack focused on specific organizations within one country, though the tactics used could be applied to other targets as well.