MITRE ATT&CK® Group

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Enterprise | G0049 | Group | Object v5.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

OilRig is a suspected Iranian group in ATT&CK associated with long-running targeting of Middle Eastern and international organizations, including financial, government, energy, chemical, and telecommunications sectors. The business issue is not just the group name; it is the pattern of trusted-relationship and supply-chain abuse plus use of common administrative utilities, credential tools, PowerShell backdoors, web shells, and downloader/backdoor campaigns. Leaders should treat this as a test of whether the organization can recognize suspicious use of legitimate tools, investigate identity compromise, and validate third-party trust paths before an incident becomes a broader operational problem.

Executive priority

Prioritize OilRig-relevant readiness where the organization has exposure in the cited sectors, operates in or with the Middle East/Israel, depends on trusted partner connectivity, or runs critical Windows and web server infrastructure. Executive questions should focus on: whether supplier and partner access is logged and reviewable, whether credential theft and lateral movement evidence can be produced quickly, whether incident response can distinguish normal administration from adversary use of tools such as PsExec, Net, Reg, certutil, ftp, and PowerShell, and whether audit/compliance evidence exists for monitoring privileged access and remote administration.

Technical view

ATT&CK provides no official detection text, tactics, or platform list for the group object, so defensive validation should be driven by the relationship context. OilRig is linked to campaigns Outer Space and Juicy Mix, and to tools including Mimikatz, PsExec, Net, Tasklist, Reg, ftp, Systeminfo, ipconfig, netstat, certutil, Helminth, POWRUNER, SEASHARPEE, ISMInjector, RGDoor, OopsIE, QUADAGENT, LaZagne, BONDUPDATER, and RDAT. Many related tools are Windows utilities or Windows malware, while ftp and LaZagne have broader platform references. SOC teams should validate visibility for command-line execution, PowerShell activity, credential access indicators, remote execution, IIS/web shell activity, file transfer, and outbound command-and-control-like communications, while avoiding assumptions that every instance of these tools is malicious.

Likely telemetry

  • Endpoint process creation and command-line logs for Windows utilities such as Net, Reg, Tasklist, Systeminfo, ipconfig, netstat, certutil, ftp, and PsExec
  • PowerShell execution logs, script block/module logging where available, and encoded or remote command execution evidence
  • Credential access telemetry related to tools such as Mimikatz and LaZagne, including LSASS access or suspicious credential store access where locally collected
  • Windows authentication, privileged account use, service creation, administrative share access, and remote execution logs
  • Web server and IIS logs, file integrity evidence, and web shell indicators relevant to SEASHARPEE and RGDoor relationship context

Detection direction

  • Build detections around suspicious combinations rather than single tool names: for example, discovery commands followed by credential access tooling, PsExec-style remote execution, file transfer, or PowerShell backdoor behavior.
  • Tune heavily for administrative false positives. PsExec, Net, Reg, certutil, ftp, ipconfig, netstat, systeminfo, and tasklist are legitimate tools; useful detections require baselines for admin accounts, management servers, change windows, and expected command arguments.
  • Validate PowerShell coverage for related backdoors such as POWRUNER, QUADAGENT, BONDUPDATER, and Helminth, but do not rely only on malware names; focus on suspicious script execution, network callbacks, and file staging patterns.
  • Review web-facing Windows/IIS servers for logging depth and investigation readiness because related software includes IIS/web shell backdoors such as RGDoor and SEASHARPEE.
  • Use the campaign relationships as threat-intelligence context, especially Outer Space and Juicy Mix targeting Israeli organizations, but require local telemetry before escalating to attribution.
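One way to implement the combination-based detection described in this list, as an added example that is not Glexia's or MITRE's code: it classifies constructed Windows process-creation events using the commands named in the procedure table below, suppresses a constructed admin/management-server baseline, and alerts only when discovery precedes credential access, PsExec-style execution or file staging within a window. Host names, accounts, timestamps and the baseline set are all constructed for the demo.

```python
"""Sequence detection: OilRig-style discovery commands followed by credential
access, PsExec-style remote execution or file staging by the same account on
the same host. Added example; hosts, accounts and timestamps are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour categories. The patterns mirror procedures listed on this page:
# net user/group/accounts ... /domain, whoami, hostname, systeminfo, netstat -an,
# sc query, Mimikatz, LaZagne, PsExec-style execution, certutil decoding, ftp.
PATTERNS = {
    "discovery": [r"\bnet1?(\.exe)?\s+(user|group|accounts)\b.*/domain",
                  r"\bwhoami\b", r"\bhostname\b", r"\bsysteminfo\b",
                  r"\bnetstat\s+-an\b", r"\bsc(\.exe)?\s+query\b"],
    "credential_access": [r"mimikatz", r"sekurlsa::", r"lazagne"],
    "remote_execution": [r"\bpsexec(\.exe)?\s+\\\\\S+"],
    "staging": [r"\bcertutil(\.exe)?\s+-(urlcache|decode)\b", r"\bftp(\.exe)?\s+-s:"],
}
ESCALATION = {"credential_access", "remote_execution", "staging"}
WINDOW = timedelta(minutes=30)   # discovery must precede escalation within this
MIN_DISCOVERY = 2                # distinct discovery commands required

# Constructed baseline: (host, account) pairs expected to run discovery and
# PsExec from management servers. Credential dumping is never baselined.
BASELINE = {("MGMT-01", "CORP\\svc_admin")}


def classify(cmd):
    """Map a process command line to a behaviour category, or None."""
    low = cmd.lower()
    for category, regexes in PATTERNS.items():
        if any(re.search(rx, low) for rx in regexes):
            return category
    return None


def correlate(events):
    """One alert per (host, user) whose first escalation command is preceded,
    within WINDOW, by at least MIN_DISCOVERY distinct discovery commands."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev["cmd"])
        if cat is None:
            continue
        if (ev["host"], ev["user"]) in BASELINE and cat != "credential_access":
            continue  # expected admin activity from a management server
        by_actor[(ev["host"], ev["user"])].append((ev["ts"], cat, ev["cmd"]))

    alerts = []
    for (host, user), seq in by_actor.items():
        for i, (ts, cat, cmd) in enumerate(seq):
            if cat not in ESCALATION:
                continue
            recent = {c for t, k, c in seq[:i] if k == "discovery" and ts - t <= WINDOW}
            if len(recent) >= MIN_DISCOVERY:
                alerts.append({"host": host, "user": user, "category": cat,
                               "trigger": cmd, "discovery": sorted(recent)})
                break  # one alert per actor is enough for triage
    return alerts


def _ev(hhmm, host, user, cmd):
    """Constructed event on a single constructed day."""
    return {"ts": datetime(2024, 10, 11, *map(int, hhmm.split(":"))),
            "host": host, "user": user, "cmd": cmd}


SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    # A: discovery burst on a workstation, then certutil decoding and Mimikatz.
    _ev("09:02", "WS-FIN-07", "CORP\\j.doe", "whoami"),
    _ev("09:03", "WS-FIN-07", "CORP\\j.doe", 'net group "domain admins" /domain'),
    _ev("09:04", "WS-FIN-07", "CORP\\j.doe", "netstat -an"),
    _ev("09:06", "WS-FIN-07", "CORP\\j.doe", "certutil -decode C:\\Users\\Public\\a.txt a.exe"),
    _ev("09:15", "WS-FIN-07", "CORP\\j.doe", "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    # B: the same discovery plus PsExec from a baselined admin on a management server.
    _ev("10:00", "MGMT-01", "CORP\\svc_admin", "systeminfo"),
    _ev("10:01", "MGMT-01", "CORP\\svc_admin", "net user /domain"),
    _ev("10:05", "MGMT-01", "CORP\\svc_admin", "psexec.exe \\\\WS-HR-02 cmd.exe"),
    # C: a lone discovery command with no escalation.
    _ev("11:00", "WS-HR-02", "CORP\\a.lee", "systeminfo"),
    # D: discovery and credential access on one host, but hours apart.
    _ev("08:00", "SRV-WEB-01", "CORP\\web_svc", "sc query"),
    _ev("08:01", "SRV-WEB-01", "CORP\\web_svc", "hostname"),
    _ev("12:30", "SRV-WEB-01", "CORP\\web_svc", "lazagne.exe all"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)  # only scenario A produces an alert
```

Scenario D shows the trade-off the list warns about: a fixed window drops slow, patient tradecraft, so the window and MIN_DISCOVERY thresholds should be tuned against your own admin baseline rather than copied.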

Mitigation priorities

  • First, reduce identity blast radius: enforce least privilege for administrator accounts, review privileged group membership, and protect credentials likely to be targeted by credential dumping tools.
  • Second, constrain and monitor remote administration: limit where PsExec-style execution and administrative shares are allowed, and require strong logging for privileged remote activity.
  • Third, harden PowerShell and script execution controls using policy, logging, and review of allowed administrative use cases.
  • Fourth, improve web server hygiene for externally reachable services, including patching, file integrity monitoring, access logging, and rapid web shell triage procedures.
  • Fifth, govern supplier and partner trust paths with named owners, access reviews, logging requirements, and incident contact procedures because the official description notes supply-chain and trust-relationship abuse.

Analyst notes and limits

OilRig has many aliases in the supplied ATT&CK data, including APT34, COBALT GYPSY, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, Earth Simnavaz, Crambus, and TA452. APT34 is shown as revoked into OilRig, including an ICS-domain revoked object, but the supplied OilRig object is enterprise-attack and has no explicit ICS tactics or platforms. Treat alias matching carefully in threat intelligence workflows to avoid duplicate reporting or overconfident attribution.

The supplied object does not include official detection guidance, tactics, labels, or platforms. The technical emphasis on Windows, PowerShell, IIS, credentials, and administrative utilities comes from the listed software relationships, not from an explicit group platform field. Any decision about exposure, detection coverage, or incident attribution requires local logs, asset context, and validated intelligence.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name (58 rows); the relationship / procedure text and its sources follow each row.

Enterprise | T1588.003 | Code Signing Certificates (Sub-technique)
  OilRig has obtained stolen code signing certificates to digitally sign malware. Sources: ClearSky OilRig Jan 2017.

Enterprise | T1555.004 | Windows Credential Manager (Sub-technique)
  OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager. Sources: FireEye APT34 July 2019.

Enterprise | T1082 | System Information Discovery
  OilRig has run hostname and systeminfo on a victim. Sources: Palo Alto OilRig May 2016; Palo Alto OilRig Oct 2016; FireEye APT34 July 2019; Check Point APT34 April 2021; Symantec Crambus OCT 2023.

Enterprise | T1003.001 | LSASS Memory (Sub-technique)
  OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; FireEye APT35 2018; FireEye APT34 July 2019.

Enterprise | T1008 | Fallback Channels
  OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. Sources: OilRig ISMAgent July 2017.

Enterprise | T1071.001 | Web Protocols (Sub-technique)
  OilRig has used HTTP for C2. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; FireEye APT34 July 2019.

Enterprise | T1005 | Data from Local System
  OilRig has used PowerShell to upload files from compromised systems. Sources: Trend Micro Earth Simnavaz October 2024.

Enterprise | T1686.003 | Windows Host Firewall (Sub-technique)
  OilRig has modified Windows firewall rules to enable remote access. Sources: Symantec Crambus OCT 2023.

Enterprise | T1059.003 | Windows Command Shell (Sub-technique)
  OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. OilRig has also used batch scripts. Sources: FireEye APT34 Dec 2017; OilRig ISMAgent July 2017; Unit 42 OopsIE! Feb 2018; Unit 42 QUADAGENT July 2018; Unit42 OilRig Nov 2018.

Enterprise | T1021.001 | Remote Desktop Protocol (Sub-technique)
  OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; Crowdstrike GTR2020 Mar 2020; Symantec Crambus OCT 2023.

Enterprise | T1505.003 | Web Shell (Sub-technique)
  OilRig has used web shells, often to maintain access to a victim network. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; Crowdstrike GTR2020 Mar 2020; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1587.001 | Malware (Sub-technique)
  OilRig actively developed and used a series of downloaders during 2022. Sources: ESET OilRig Downloaders DEC 2023.

Enterprise | T1608.001 | Upload Malware (Sub-technique)
  OilRig has hosted malware on fake websites designed to target specific audiences. Sources: ClearSky OilRig Jan 2017.

Enterprise | T1036 | Masquerading
  OilRig has used .doc file extensions to mask malicious executables. Sources: Check Point APT34 April 2021.

Enterprise | T1219 | Remote Access Tools
  OilRig has incorporated remote monitoring and management (RMM) tools into their operations, including ngrok. Sources: Trend Micro Earth Simnavaz October 2024.

Enterprise | T1218.001 | Compiled HTML File (Sub-technique)
  OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. Sources: Palo Alto OilRig May 2016.

Enterprise | T1046 | Network Service Discovery
  OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. Sources: FireEye APT34 Webinar Dec 2017.

Enterprise | T1087.001 | Local Account (Sub-technique)
  OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim. Sources: Palo Alto OilRig May 2016.

Enterprise | T1137.004 | Outlook Home Page (Sub-technique)
  OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse. Sources: FireEye Outlook Dec 2019.

Enterprise | T1069.002 | Domain Groups (Sub-technique)
  OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings. Sources: Palo Alto OilRig May 2016.

Enterprise | T1113 | Screen Capture
  OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop. Sources: FireEye APT34 Webinar Dec 2017.

Enterprise | T1025 | Data from Removable Media
  OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic. Sources: Symantec Crambus OCT 2023.

Enterprise | T1007 | System Service Discovery
  OilRig has used sc query on a victim to gather information about services. Sources: Palo Alto OilRig May 2016.

Enterprise | T1556.002 | Password Filter DLL (Sub-technique)
  OilRig has registered a password filter DLL in order to drop malware. Sources: Trend Micro Earth Simnavaz October 2024.

Enterprise | T1059.001 | PowerShell (Sub-technique)
  OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. Sources: FireEye APT34 Dec 2017; OilRig New Delivery Oct 2017; Crowdstrike Helix Kitten Nov 2018; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1070.004 | File Deletion (Sub-technique)
  OilRig has deleted files associated with their payload after execution. Sources: FireEye APT34 Dec 2017; Unit 42 OopsIE! Feb 2018.

Enterprise | T1588.002 | Tool (Sub-technique)
  OilRig has made use of publicly available tools including Plink and Mimikatz. Sources: Symantec Crambus OCT 2023; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1204.002 | Malicious File (Sub-technique)
  OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system. Sources: Unit 42 OopsIE! Feb 2018; Unit 42 QUADAGENT July 2018; Crowdstrike Helix Kitten Nov 2018; Check Point APT34 April 2021; ClearSky OilRig Jan 2017.

Enterprise | T1133 | External Remote Services
  OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. Sources: FireEye APT34 Webinar Dec 2017.

Enterprise | T1078.002 | Domain Accounts (Sub-technique)
  OilRig has used an exfiltration tool named STEALHOOK to retrieve valid domain credentials. Sources: Trend Micro Earth Simnavaz October 2024.

Enterprise | T1201 | Password Policy Discovery
  OilRig has used net.exe in a script with net accounts /domain to find the password policy of a domain. Sources: FireEye Targeted Attacks Middle East Banks.

Enterprise | T1586.002 | Email Accounts (Sub-technique)
  OilRig has compromised email accounts to send phishing emails. Sources: ClearSky OilRig Jan 2017.

Enterprise | T1087.002 | Domain Account (Sub-technique)
  OilRig has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim. Sources: Palo Alto OilRig May 2016.

Enterprise | T1003.004 | LSA Secrets (Sub-technique)
  OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; FireEye APT35 2018; FireEye APT34 July 2019.

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. Sources: FireEye APT34 Dec 2017; OilRig New Delivery Oct 2017; Unit 42 OopsIE! Feb 2018; Crowdstrike GTR2020 Mar 2020.

Enterprise | T1553.002 | Code Signing (Sub-technique)
  OilRig has signed its malware with stolen certificates. Sources: ClearSky OilRig Jan 2017.

Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (Sub-technique)
  OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS. Sources: Palo Alto OilRig Oct 2016; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1110 | Brute Force
  OilRig has used brute force techniques to obtain credentials. Sources: FireEye APT34 Webinar Dec 2017; IBM ZeroCleare Wiper December 2019.

Enterprise | T1059.005 | Visual Basic (Sub-technique)
  OilRig has used VBScript macros for execution on compromised hosts. Sources: Check Point APT34 April 2021.

Enterprise | T1566.002 | Spearphishing Link (Sub-technique)
  OilRig has sent spearphishing emails with malicious links to potential victims. Sources: Unit 42 OopsIE! Feb 2018; ClearSky OilRig Jan 2017.

Enterprise | T1112 | Modify Registry
  OilRig has used reg.exe to modify system configuration. Sources: Symantec Crambus OCT 2023; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1120 | Peripheral Device Discovery
  OilRig has used tools to identify if a mouse is connected to a targeted system. Sources: Check Point APT34 April 2021.

Enterprise | T1071.004 | DNS (Sub-technique)
  OilRig has used DNS for C2, including the publicly available requestbin.net tunneling service. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; FireEye APT34 July 2019; Check Point APT34 April 2021.

Enterprise | T1105 | Ingress Tool Transfer
  OilRig has downloaded remote files onto victim infrastructure. Sources: FireEye APT34 Dec 2017; Trend Micro Earth Simnavaz October 2024.

Enterprise | T1049 | System Network Connections Discovery
  OilRig has used netstat -an on a victim to get a listing of network connections. Sources: Palo Alto OilRig May 2016.

Enterprise | T1543.003 | Windows Service (Sub-technique)
  OilRig has used a compromised Domain Controller to create a service on a remote host. Sources: Symantec Crambus OCT 2023.

Enterprise | T1195 | Supply Chain Compromise
  OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities. Sources: Trend Micro Earth Simnavaz October 2024.

Enterprise | T1204.001 | Malicious Link (Sub-technique)
  OilRig has delivered malicious links to achieve execution on the target system. Sources: Unit 42 OopsIE! Feb 2018; Unit 42 QUADAGENT July 2018; Crowdstrike Helix Kitten Nov 2018; ClearSky OilRig Jan 2017.

Enterprise | T1078 | Valid Accounts
  OilRig has used compromised credentials to access other systems on a victim network. Sources: Unit42 OilRig Playbook 2023; FireEye APT34 Webinar Dec 2017; Crowdstrike GTR2020 Mar 2020; IBM ZeroCleare Wiper December 2019.

Enterprise | T1573.002 | Asymmetric Cryptography (Sub-technique)
  OilRig used the PowerExchange utility and other tools to create tunnels to C2 servers. Sources: FireEye APT34 Webinar Dec 2017.

Enterprise | T1566.001 | Spearphishing Attachment (Sub-technique)
  OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. Sources: Unit 42 OopsIE! Feb 2018; Unit 42 QUADAGENT July 2018; Crowdstrike Helix Kitten Nov 2018; ClearSky OilRig Jan 2017.

Enterprise | T1053.005 | Scheduled Task (Sub-technique)
  OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines. Sources: Unit 42 OopsIE! Feb 2018; Unit 42 QUADAGENT July 2018; FireEye APT34 July 2019; Check Point APT34 April 2021.

Enterprise | T1119 | Automated Collection
  OilRig has used automated collection. Sources: Unit42 OilRig Playbook 2023.

Enterprise | T1583.001 | Domains (Sub-technique)
  OilRig has set up fake VPN portals, conference sign-ups, and job application websites to target victims. Sources: ClearSky OilRig Jan 2017.

Enterprise | T1056.001 | Keylogging (Sub-technique)
  OilRig has employed keyloggers including KEYPUNCH and LONGWATCH. Sources: FireEye APT34 Webinar Dec 2017; FireEye APT34 July 2019; Symantec Crambus OCT 2023.

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (Sub-technique)
  OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe. Sources: Symantec Crambus OCT 2023.

Enterprise | T1033 | System Owner/User Discovery
  OilRig has run whoami on a victim. Sources: Palo Alto OilRig May 2016; Palo Alto OilRig Oct 2016; Check Point APT34 April 2021.

Enterprise | T1566.003 | Spearphishing via Service (Sub-technique)
  OilRig has used LinkedIn to send spearphishing links. Sources: FireEye APT34 July 2019.

Associated objects

Groups, software, and campaigns

Group (Enterprise) | G0057: APT34 | Revoked/deprecated
  Official MITRE ATT&CK object mirrored from source data.

Malware (Enterprise, Windows) | S1170: ODAgent
  ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022, including against target organizations in Israel, to download and execute payloads and to exfiltrate staged files.[1]

Malware (Enterprise, Windows) | S0495: RDAT
  RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[1]

Tool (Enterprise, Windows) | S0508: ngrok
  ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns, including use for lateral movement and data exfiltration.[1][2][3][4]

Tool (Enterprise) | S0057: Tasklist
  The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[1]

Tool (Enterprise, Windows) | S0039: Net
  The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]
  Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Tool (Enterprise, Windows) | S0160: certutil
  certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[1]

Malware (Enterprise, Windows) | S1151: ZeroCleare
  ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors, including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.[1][2][3][4]

Tool (Enterprise, Windows) | S0075: Reg
  Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.[1]
  Utilities such as Reg are known to be used by persistent threats.[2]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 5.0
Created:
Modified:
Raw hash: 74d7f9e30c9d8e47...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 5.0 | | Current bundle | 74d7f9e30c9d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. FireEye APT34 Dec 2017: Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  2. Palo Alto OilRig April 2017: Falcone, R. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.
  3. ClearSky OilRig Jan 2017: ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  4. Palo Alto OilRig May 2016: Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  5. Palo Alto OilRig Oct 2016: Grunzweig, J. and Falcone, R. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  6. Unit42 OilRig Playbook 2023: Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  7. Unit 42 QUADAGENT July 2018: Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  8. APT34 (alias record): This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017) (Citation: Check Point APT34 April 2021)
  9. COBALT GYPSY (alias record): (Citation: Secureworks COBALT GYPSY Threat Profile)
  10. Check Point APT34 April 2021: Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  11. Crambus (alias record): (Citation: Symantec Crambus OCT 2023)
  12. Crowdstrike Helix Kitten Nov 2018: Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  13. EUROPIUM (alias record): (Citation: Microsoft Threat Actor Naming July 2023)
  14. Earth Simnavaz (alias record): (Citation: Trend Micro Earth Simnavaz October 2024)
  15. Evasive Serpens (alias record): (Citation: Unit42 OilRig Playbook 2023)
  16. Hazel Sandstorm (alias record): (Citation: Microsoft Threat Actor Naming July 2023)
  17. Helix Kitten (alias record): (Citation: Unit 42 QUADAGENT July 2018) (Citation: Crowdstrike Helix Kitten Nov 2018)
  18. IBM ZeroCleare Wiper December 2019: Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
  19. IRN2 (alias record): (Citation: Crowdstrike Helix Kitten Nov 2018)
  20. ITG13 (alias record): (Citation: IBM ZeroCleare Wiper December 2019)
  21. Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  22. OilRig (alias record): (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)
  23. Proofpoint Iranian Aligned Attacks JAN 2020: Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.
  24. Secureworks COBALT GYPSY Threat Profile: Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.
  25. Symantec Crambus OCT 2023: Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  26. TA452 (alias record): (Citation: Proofpoint Iranian Aligned Attacks JAN 2020)
  27. Trend Micro Earth Simnavaz October 2024: Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  28. Unit 42 Playbook Dec 2017: Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  29. mitre-attack G0049: MITRE ATT&CK source object.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.