virus logo Threat Actor

OilRig

Description

OilRig, also known as APT34, Helix Kitten, and IRN2, is an Iranian threat actor that has been active since at least 2015, with a particular interest in the Middle East region for espionage and sabotage operations. The group is known to have targeted organizations in various industries such as government, energy, and defense sectors.

This threat actor has been highly active, launching multiple campaigns in late 2024 and early 2025. In late 2024, the group targeted Gulf-state government entities, particularly in the UAE, using a new backdoor called StealHook to exfiltrate sensitive credentials from on-premises Microsoft Exchange servers. They also exploited the CVE-2024-30088 Windows privilege escalation vulnerability to gain elevated access.

By early 2025, the group began leveraging AI technologies, including platforms like Google's Gemini chatbot, to enhance their cyber attack capabilities. These tools have been used for writing malicious code, identifying vulnerabilities, and gathering intelligence on potential targets, significantly increasing the efficiency and scale of their operations. These developments highlight APT34’s continuous evolution in tactics and its expanding reach in the region.

On March 2 2026, Operation Epic Fury a joint coordinated strike on Iran conducted by the United States and Israel commenced. We are monitoring for developments and will update the Threat Actor profile with rolling updates.

Added to Known Tools Used Section:

PowerExchange — (PowerShell backdoor)

Custom C# Backdoor — (Unnamed/unclassified)

Aliases

  • Evasive Serpens
  • EUROPIUM
  • Hazel Sandstorm
  • Helix Kitten
  • IRN2
  • ITG13
  • COBALT GYPSY
  • APT34
  • Earth Simnavaz

Common Vulnerabilities and Exposures

Targeted Industries

  • Aerospace & Defense
  • Finance
  • Chemicals
  • Education
  • Energy & Oil
  • Government
  • Hospitality
  • IT
  • Technology
  • Telecommunications

Objectives

  • Cyber Espionage & Intelligence Gathering

  • Surveillance of Dissidents & Opposition Groups

  • Credential Theft & Network Persistence

  • Supporting Iranian Cyber Warfare & Influence Operations

Known Tools Used

  • Alma Communicator
  • BONDUPDATER
  • certutil
  • Clayslide
  • DistTrack
  • DNSExfiltrator
  • DNSpionage
  • Fox Pane
  • GoogleDrive RAT
  • Helminth
  • HyperShell
  • ipconfig
  • ISMAgent
  • ISMInjector
  • Karkoff
  • KEYPUNCH
  • LaZagne
  • LONGWATCH
  • Mimikatz
  • Net
  • netstat
  • ODAgent
  • OilBooster
  • OilCheck
  • OopsIE
  • Ops Tempo
  • Plink
  • PoisonFrog
  • POWRUNER
  • PsExec
  • QUADAGENT
  • RDAT
  • Reg
  • RGDoor
  • Saitama
  • SampleCheck5000
  • SEASHARPEE
  • SideTwist
  • StealHook
  • systeminfo
  • tasklist
  • ThreeDollars
  • TONEDEAF
  • TwoFace
  • VALUEVAULT
  • Webmask
  • ZeroCleare
  • ftp
  • PowerExchange
  • Custom C# Backdoor

Known Infection Vectors

  • Spearphishing
  • Watering Hole
  • Exploitation of VPN & Network Appliance Vulnerabilities
  • Supply Chain Attacks
  • CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)
  • CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability)
  • CVE-2024-30088 (Microsoft Windows Kernel Elevation of Privilege Vulnerability)
  • CVE-2020-0688 (Microsoft Exchange Memory Corruption Vulnerability)
  • CVE-2018-15982 (Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability)

References

Please Confirm You Received Our APT (Fortinet)
https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt

OilRig (MITRE)
https://attack.mitre.org/groups/G0049/

OilRig

ID

5528

Published

Apr 03, 2026

Threat Actor Type

Nation-State

Tags

Iran-linked Cyber Attacks Agent Tesla Malware Attack UNC1549 Espionage Attack Threat Signal

Attacker Origins

  • Iran

Target Systems

  • Windows

Regions Targeted

  • Middle East
  • North America
  • Europe
  • Asia
  • Africa

Active CVEs