Skip to content

G0049 OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.125246168

Item Value
ID G0049
Associated Names COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Version 5.0
Created 14 December 2017
Last Modified 16 January 2025
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
COBALT GYPSY 13
IRN2 9
APT34 This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.8121
Helix Kitten 89
Evasive Serpens 16
Hazel Sandstorm 10
EUROPIUM 10
ITG13 7
Earth Simnavaz 3
Crambus 14
TA452 11

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.4
enterprise T1087.002 Domain Account OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.4
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains OilRig has set up fake VPN portals, conference sign ups, and job application websites to target victims.2
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OilRig has used HTTP for C2.161817
enterprise T1071.004 DNS OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.1618171
enterprise T1119 Automated Collection OilRig has used automated collection.16
enterprise T1217 Browser Information Discovery During Outer Space, OilRig used a Chrome data dumper named MKG.31
enterprise T1110 Brute Force OilRig has used brute force techniques to obtain credentials.187
enterprise T1115 Clipboard Data OilRig has used infostealer tools to copy clipboard data.14
enterprise T1059 Command and Scripting Interpreter OilRig has used various types of scripting for execution.122021822
enterprise T1059.001 PowerShell OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.122693
enterprise T1059.003 Windows Command Shell OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.122021822 OilRig has used batch scripts.122021822
enterprise T1059.005 Visual Basic OilRig has used VBScript macros for execution on compromised hosts.1
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts OilRig has compromised email accounts to send phishing emails.2
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.31
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service OilRig has used a compromised Domain Controller to create a service on a remote host.14
enterprise T1555 Credentials from Password Stores OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917
enterprise T1555.003 Credentials from Web Browsers OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917 OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.17
enterprise T1555.004 Windows Credential Manager OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.17
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding During Juicy Mix, OilRig used a VBS script to send the Base64-encoded name of the compromised computer to C2.31
enterprise T1005 Data from Local System OilRig has used PowerShell to upload files from compromised systems.3
enterprise T1025 Data from Removable Media OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic.14
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging During Juicy Mix, OilRig used browser data and credential stealer tools to stage stolen files named Cupdate, Eupdate, and IUpdate in the %TEMP% directory.31
enterprise T1140 Deobfuscate/Decode Files or Information A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.12262123
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware OilRig actively developed and used a series of downloaders during 2022.24
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers.18
enterprise T1585 Establish Accounts -
enterprise T1585.003 Cloud Accounts During Outer Space, OilRig created M365 email accounts to be used as part of C2.31
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS.63
enterprise T1203 Exploitation for Client Execution OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of SYSTEM.3
enterprise T1068 Exploitation for Privilege Escalation OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088.3
enterprise T1133 External Remote Services OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.18
enterprise T1008 Fallback Channels OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.20
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall OilRig has modified Windows firewall rules to enable remote access.14
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion OilRig has deleted files associated with their payload after execution.1221
enterprise T1105 Ingress Tool Transfer OilRig had downloaded remote files onto victim infrastructure.123
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging OilRig has employed keyloggers including KEYPUNCH and LONGWATCH.181714
enterprise T1036 Masquerading OilRig has used .doc file extensions to mask malicious executables.1
enterprise T1036.005 Match Legitimate Resource Name or Location OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.14
enterprise T1556 Modify Authentication Process -
enterprise T1556.002 Password Filter DLL OilRig has registered a password filter DLL in order to drop malware.3
enterprise T1112 Modify Registry OilRig has used reg.exe to modify system configuration.143
enterprise T1046 Network Service Discovery OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.18
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.005 Indicator Removal from Tools OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.522
enterprise T1027.013 Encrypted/Encoded File OilRig has encrypted and encoded data in its malware, including by using base64.12816922
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool OilRig has made use of the publicly available tools including Plink and Mimikatz.143
enterprise T1588.003 Code Signing Certificates OilRig has obtained stolen code signing certificates to digitally sign malware.2
enterprise T1137 Office Application Startup -
enterprise T1137.004 Outlook Home Page OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.25
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917
enterprise T1003.004 LSA Secrets OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917
enterprise T1003.005 Cached Domain Credentials OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917
enterprise T1201 Password Policy Discovery OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain.27
enterprise T1120 Peripheral Device Discovery OilRig has used tools to identify if a mouse is connected to a targeted system.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups OilRig has used net localgroup administrators to find local administrators on compromised systems.414
enterprise T1069.002 Domain Groups OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings.4
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.21892
enterprise T1566.002 Spearphishing Link OilRig has sent spearphising emails with malicious links to potential victims.212
enterprise T1566.003 Spearphishing via Service OilRig has used LinkedIn to send spearphishing links.17
enterprise T1057 Process Discovery OilRig has run tasklist on a victim’s machine and used infostealers to capture processes.414
enterprise T1572 Protocol Tunneling OilRig has used the Plink utility and other tools to create tunnels to C2 servers.16181714
enterprise T1012 Query Registry OilRig has used reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” on a victim to query the Registry.4
enterprise T1219 Remote Access Tools OilRig has incorporated remote monitoring and management (RMM) tools into their operations including ngrok.3
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.1618231414
enterprise T1021.004 SSH OilRig has used Putty to access compromised systems.16
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.218171
enterprise T1113 Screen Capture OilRig has a tool called CANDYKING to capture a screenshot of user’s desktop.18
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell OilRig has used web shells, often to maintain access to a victim network.1618233
enterprise T1518 Software Discovery During Juicy Mix, OilRig used browser data dumper tools to create a list of users with Google Chrome installed.31
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware OilRig has hosted malware on fake websites designed to target specific audiences.2
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing OilRig has signed its malware with stolen certificates.2
enterprise T1195 Supply Chain Compromise OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.4
enterprise T1082 System Information Discovery OilRig has run hostname and systeminfo on a victim.4617114
enterprise T1016 System Network Configuration Discovery OilRig has run ipconfig /all on a victim.46
enterprise T1049 System Network Connections Discovery OilRig has used netstat -an on a victim to get a listing of network connections.4
enterprise T1033 System Owner/User Discovery OilRig has run whoami on a victim.461
enterprise T1007 System Service Discovery OilRig has used sc query on a victim to gather information about services.4
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16181917
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link OilRig has delivered malicious links to achieve execution on the target system.21892
enterprise T1204.002 Malicious File OilRig has delivered macro-enabled documents that required targets to click the “enable content” button to execute the payload on the system.218912
enterprise T1078 Valid Accounts OilRig has used compromised credentials to access other systems on a victim network.1618237
enterprise T1078.002 Domain Accounts
OilRig has used an exfiltration tool named STEALHOOK to retreive valid domain credentials.3
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks OilRig has used macros to verify if a mouse is connected to a compromised machine.1
enterprise T1047 Windows Management Instrumentation OilRig has used WMI for execution.1814
ics T0817 Drive-by Compromise OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. 30
ics T0853 Scripting OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.28
ics T0865 Spearphishing Attachment OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 28
ics T0869 Standard Application Layer Protocol OilRig communicated with its command and control using HTTP requests. 28
ics T0859 Valid Accounts OilRig utilized stolen credentials to gain access to victim machines.29

Software

ID Name References Techniques
S0360 BONDUPDATER 12 33 DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Domain Generation Algorithms:Dynamic Resolution Hidden Window:Hide Artifacts Ingress Tool Transfer Scheduled Task:Scheduled Task/Job
S0160 certutil 1214 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0095 ftp 6 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0170 Helminth 4189 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Clipboard Data PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Local Data Staging:Data Staged Data Transfer Size Limits Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Encrypted/Encoded File:Obfuscated Files or Information Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls
S0100 ipconfig 4 System Network Configuration Discovery
S0189 ISMInjector 26 Deobfuscate/Decode Files or Information Obfuscated Files or Information Process Hollowing:Process Injection Scheduled Task:Scheduled Task/Job
S0349 LaZagne 19 Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Keychain:Credentials from Password Stores LSA Secrets:OS Credential Dumping /etc/passwd and /etc/shadow:OS Credential Dumping LSASS Memory:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Proc Filesystem:OS Credential Dumping Credentials In Files:Unsecured Credentials
S1169 Mango 31 Web Protocols:Application Layer Protocol Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify Tools:Impair Defenses Native API Encrypted/Encoded File:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job System Information Discovery System Owner/User Discovery Malicious File:User Execution
S0002 Mimikatz 16181914 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0039 Net 41214
Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat 41214 System Network Connections Discovery
S0508 ngrok 3 Domain Generation Algorithms:Dynamic Resolution Exfiltration Over Web Service Protocol Tunneling Proxy Web Service
S1170 ODAgent 24 Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Native API Bidirectional Communication:Web Service
S1172 OilBooster 24 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Fallback Channels Hidden Window:Hide Artifacts Ingress Tool Transfer Inter-Process Communication Native API System Information Discovery System Owner/User Discovery Bidirectional Communication:Web Service
S1171 OilCheck 24 Exfiltration Over Web Service Ingress Tool Transfer Bidirectional Communication:Web Service
S0264 OopsIE 21 Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Archive via Utility:Archive Collected Data Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Standard Encoding:Data Encoding Local Data Staging:Data Staged Data Transfer Size Limits Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File Deletion:Indicator Removal Ingress Tool Transfer Software Packing:Obfuscated Files or Information Obfuscated Files or Information Scheduled Task:Scheduled Task/Job System Information Discovery System Time Discovery System Checks:Virtualization/Sandbox Evasion Windows Management Instrumentation
S1173 PowerExchange 14 Mail Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Ingress Tool Transfer
S0184 POWRUNER 12 Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding File and Directory Discovery Ingress Tool Transfer Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Windows Management Instrumentation
S0029 PsExec 18 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0269 QUADAGENT 8 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fallback Channels File Deletion:Indicator Removal Match Legitimate Resource Name or Location:Masquerading Modify Registry Command Obfuscation:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Query Registry Scheduled Task:Scheduled Task/Job System Network Configuration Discovery System Owner/User Discovery
S0495 RDAT 32 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Mail Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Non-Standard Encoding:Data Encoding Steganography:Data Obfuscation Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File Deletion:Indicator Removal Ingress Tool Transfer Masquerade Task or Service:Masquerading Match Legitimate Resource Name or Location:Masquerading Steganography:Obfuscated Files or Information Screen Capture
S0075 Reg 412 Modify Registry Query Registry Credentials in Registry:Unsecured Credentials
S0258 RGDoor 34 Web Protocols:Application Layer Protocol Archive via Custom Method:Archive Collected Data Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Ingress Tool Transfer IIS Components:Server Software Component System Owner/User Discovery
S1168 SampleCheck5000 31 Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Windows Command Shell:Command and Scripting Interpreter Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Exfiltration Over Web Service Ingress Tool Transfer Local Storage Discovery System Information Discovery Bidirectional Communication:Web Service
S0185 SEASHARPEE 18 Windows Command Shell:Command and Scripting Interpreter Timestomp:Indicator Removal Ingress Tool Transfer Web Shell:Server Software Component
S0610 SideTwist 1 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Data Obfuscation Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Fallback Channels File and Directory Discovery Ingress Tool Transfer Native API System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S1166 Solar 31 Automated Exfiltration Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File Deletion:Indicator Removal Ingress Tool Transfer Scheduled Task:Scheduled Task/Job System Information Discovery
S0096 Systeminfo 12 System Information Discovery
S0057 Tasklist 412 Process Discovery Security Software Discovery:Software Discovery System Service Discovery
S1151 ZeroCleare OilRig collaborated on the destructive portion of the ZeroCleare attack.7 Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Disk Structure Wipe:Disk Wipe Exploitation for Privilege Escalation File Deletion:Indicator Removal Local Storage Discovery Native API Code Signing:Subvert Trust Controls

References

  1. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 

  2. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. 

  3. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024. 

  4. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  5. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. 

  6. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. 

  7. Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024. 

  8. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  9. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. 

  10. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  11. Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025. 

  12. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  13. Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021. 

  14. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024. 

  15. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  16. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. 

  17. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

  18. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  19. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024. 

  20. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018. 

  21. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  22. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  23. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  24. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024. 

  25. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. 

  26. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. 

  27. Singh, S., Yin, H. (2016, May 22). https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html. Retrieved November 17, 2024. 

  28. Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19  

  29. Dragos Chrysene Retrieved. 2019/10/27  

  30. Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved September 12, 2024. 

  31. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  32. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  33. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. 

  34. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.