C0042: Outer Space
Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]
Analyst context for executives and security teams
Outer Space is a 2021 OilRig-attributed campaign targeting Israeli organizations, notable because ATT&CK links it to custom Windows malware: the SampleCheck5000 downloader and Solar C#/.NET backdoor. For leaders, the value is not just the campaign name; it is a reminder to validate whether the organization can see downloader-to-backdoor activity, web-based command-and-control, file transfer, browser information discovery, and obfuscated files before an incident becomes a business disruption.
Executive priority
Treat this as a readiness benchmark for targeted intrusion response rather than evidence of current exposure. Security leaders should ask whether SOC, IR, and threat intelligence teams can connect endpoint execution, network web-protocol traffic, and file movement into one incident picture. The campaign also supports prioritizing controls around Windows endpoint telemetry, suspicious downloader behavior, C2 over common web protocols, and audit evidence that cloud/resource-development abuse is monitored where relevant.
Technical view
ATT&CK provides no campaign-specific detection text and no campaign-level platforms or tactics, but relationships identify Solar and SampleCheck5000 as Windows software used in Outer Space, plus techniques for obfuscation, Visual Basic execution, web-protocol C2, ingress tool transfer, browser information discovery, and adversary resource development using servers, cloud accounts, and malware. SOC teams should validate behavioral detections around unexpected VB/.NET execution, downloader behavior that retrieves and executes additional payloads, unusual file download/execution chains, encoded or encrypted artifacts, browser data enumeration, and outbound HTTP/S-like traffic that does not match normal application behavior.
Likely telemetry
- Windows endpoint process creation, command-line, parent/child process, and module/runtime evidence for VB and .NET activity
- Endpoint file creation, modification, download, and execution events for new payloads or encoded/encrypted artifacts
- Network proxy, DNS, firewall, TLS, and HTTP/S metadata for outbound web-protocol command-and-control patterns
- EDR telemetry showing downloader-to-backdoor execution chains and file exfiltration or staging behavior
- Browser-related file and profile access events where endpoint logging supports it
Detection direction
- Do not rely on campaign name matching; ATT&CK provides no official detection guidance for C0042, so coverage should be behavior-led and mapped to the related software and techniques.
- Correlate endpoint execution with network egress: downloader execution followed by outbound web traffic and additional payload creation is higher signal than any single event.
- Tune for legitimate administrative and developer activity involving Visual Basic, .NET, scripts, and web downloads to reduce false positives.
- Review blind spots in encrypted web traffic, proxy bypass paths, unmanaged Windows hosts, and limited endpoint logging, since these can obscure downloader and C2 behavior.
- Use the OilRig, Solar, SampleCheck5000, and related ATT&CK technique relationships as threat-intelligence context for hunts, not as proof of local compromise.
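The correlation called for in the second bullet, written out as an added example that is not part of this page or of ATT&CK: a pass over constructed endpoint and network events that raises a finding only when a Visual Basic script host writes an executable and that process lineage then produces outbound web-protocol traffic within a window, so neither behaviour alone fires. Hostnames, pids, paths, destinations, event field names and the 10-minute window are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                  # assumed correlation window
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Visual Basic script hosts
EXEC_SUFFIXES = (".exe", ".dll")
WEB_PROTOS = {"http", "https"}

# Constructed sample telemetry (hostnames, pids, paths, destinations are made up).
# WS01 shows the full chain; WS02 shows a script host that only talks HTTP.
EVENTS = [
    {"host": "WS01", "ts": "2021-06-01T09:00:05", "type": "process", "pid": 410, "ppid": 400, "image": "wscript.exe"},
    {"host": "WS01", "ts": "2021-06-01T09:00:30", "type": "file", "pid": 410, "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"host": "WS01", "ts": "2021-06-01T09:00:40", "type": "process", "pid": 420, "ppid": 410, "image": "upd.exe"},
    {"host": "WS01", "ts": "2021-06-01T09:01:00", "type": "network", "pid": 420, "proto": "https", "dest": "c2.example.invalid"},
    {"host": "WS02", "ts": "2021-06-01T10:00:00", "type": "process", "pid": 500, "ppid": 120, "image": "wscript.exe"},
    {"host": "WS02", "ts": "2021-06-01T10:00:10", "type": "network", "pid": 500, "proto": "http", "dest": "intranet.example.invalid"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_downloader_chains(events, window=WINDOW):
    """One finding per script-host process that, within `window`, both wrote an
    executable and produced outbound web-protocol traffic (itself or via a child).
    Either behaviour alone yields nothing: the chain, not the single event, is the signal."""
    events = sorted(events, key=_t)
    findings = []
    for i, root in enumerate(events):
        if root["type"] != "process" or root["image"].lower() not in SCRIPT_HOSTS:
            continue
        lineage = {root["pid"]}          # root process plus its descendants
        dropped, egress = [], []
        for e in events[i + 1:]:
            if _t(e) - _t(root) > window:
                break                    # sorted by time, so nothing later qualifies
            if e["host"] != root["host"]:
                continue
            if e["type"] == "process" and e["ppid"] in lineage:
                lineage.add(e["pid"])
            elif e["type"] == "file" and e["pid"] in lineage \
                    and e["path"].lower().endswith(EXEC_SUFFIXES):
                dropped.append(e["path"])
            elif e["type"] == "network" and e["pid"] in lineage \
                    and e["proto"].lower() in WEB_PROTOS:
                egress.append(e["dest"])
        if dropped and egress:
            findings.append({"host": root["host"], "root_pid": root["pid"],
                             "dropped": dropped, "egress": egress})
    return findings
```

Tune `SCRIPT_HOSTS`, `EXEC_SUFFIXES` and the window against local developer and administrative baselines; the WS02 case shows why a script host with only web egress should feed a hunt, not an alert.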
Mitigation priorities
- Prioritize resilient endpoint visibility and response controls on Windows systems that can capture execution, file creation, and suspicious download chains.
- Restrict and monitor script and legacy language execution where business use is limited, including Visual Basic-related activity.
- Enforce egress monitoring and policy for outbound web protocols, with attention to unusual destinations, new infrastructure, and abnormal client behavior.
- Harden browser data access and credential exposure paths; browser discovery can reveal internal resources and user context.
- Maintain incident response playbooks that link downloader detection, backdoor containment, network blocking, evidence preservation, and threat-intelligence enrichment.
Analyst notes and limits
Outer Space is described by MITRE as a 2021 campaign conducted by OilRig using SampleCheck5000 and Solar against Israeli organizations. The most actionable defensive value comes from the relationships to software and techniques rather than the campaign object alone.
The supplied ATT&CK object has no official detection text, no campaign-level platforms, and no campaign-level tactics. Local exposure, targeting relevance, control effectiveness, and detection coverage require environment-specific validation. This summary does not assert current activity or guaranteed detection.
Outer Space
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | During Outer Space, OilRig downloaded additional tools to compromised infrastructure.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[1] |
| Enterprise | T1217 | Browser Information Discovery | During Outer Space, OilRig used a Chrome data dumper named MKG.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Outer Space, OilRig used HTTP to communicate between installed backdoors and compromised servers, including via the Microsoft Exchange Web Services API.[1] |
| Enterprise | T1585.003 | Establish Accounts: Cloud Accounts | During Outer Space, OilRig created M365 email accounts to be used as part of C2.[1] |
| Enterprise | T1027.013 | Obfuscated Files and Information: Encrypted/Encoded File | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For Outer Space, OilRig created new implants including the Solar backdoor.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Outer Space, OilRig used VBS droppers to deploy malware.[1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
S1166: Solar
Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.[1]
S1168: SampleCheck5000
SampleCheck5000 is a downloader with multiple variants that OilRig used, including during the Outer Space campaign, to download and execute additional payloads.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 037285ae8a88… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET OilRig Campaigns Sep 2023: Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
[2] mitre-attack C0042.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.