G0063: BlackOasis
BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. [1] [2] A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [3]
Analyst context for executives and security teams
BlackOasis matters because ATT&CK describes it as a Middle Eastern threat group with reported interest in high-profile political, media, activist, UN, and think tank targets. For leaders, the practical takeaway is not to assume this group profile maps to every organization, but to use it as a prompt to validate readiness for targeted espionage-style activity, especially where executive, policy, advocacy, media, or regional exposure creates sensitive intelligence value.
Executive priority
Prioritize this as a threat-intelligence and readiness item when the organization has people, missions, partners, or geographies resembling the ATT&CK-described target set. The key executive questions are: do we know which users and functions would be high-value intelligence targets, can the SOC recognize stealthy or obfuscated payload behavior, and can incident response preserve evidence quickly enough to support legal, regulatory, or executive decisions? Because ATT&CK provides no official detection text for this group, assurance should come from validated telemetry and control testing rather than name-based coverage claims.
Technical view
ATT&CK does not specify platforms, tactics, or official detections for BlackOasis in the supplied object. The one mirrored relationship is to T1027 Obfuscated Files or Information, a stealth technique covering encrypted, encoded, compressed, archived, or otherwise hard-to-analyze content on a system or in transit. The procedure text behind that relationship is narrow: the group's first-stage shellcode contained a NOP sled built from alternative instructions, likely intended to bypass antivirus tools [1], which is a signature-evasion trick rather than a file-packaging one. SOC and detection teams should therefore validate that their controls can surface suspicious obfuscation patterns, file analysis failures, unusual archives or encoded payloads, and the surrounding delivery and execution context without relying solely on static byte signatures. Treat the reported association with NEODYMIUM as contextual intelligence only; the supplied description states that evidence the group names are aliases has not been identified.
Likely telemetry
- Endpoint file creation, modification, quarantine, and execution events involving compressed, archived, encoded, encrypted, or otherwise suspicious files
- Security tool alerts or analysis logs showing packed, obfuscated, or analysis-resistant content
- Network telemetry for unusual encoded, encrypted, or compressed payload transfer patterns where inspection is permitted
- Email, web, or content-security logs that record attachment and download metadata
- Malware sandbox or detonation results, including failures, evasive behavior indicators, and unpacking observations
Detection direction
- Validate coverage for T1027-style obfuscation, because it is the only supplied technique relationship for this group.
- Tune detections to combine obfuscation indicators with delivery, execution, user, and asset context to reduce false positives from legitimate compressed, encrypted, or encoded business files.
- Check blind spots where content inspection is limited by encryption, privacy constraints, unsupported platforms, or missing endpoint telemetry.
- Avoid treating NEODYMIUM and BlackOasis as interchangeable labels unless internal intelligence has separate supporting evidence.
- Use the group profile to drive watchlists for high-risk personas or business functions only where local risk context supports it.
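The mirrored procedure for T1027 says only that BlackOasis's first-stage shellcode used a NOP sled made of alternative instructions to evade antivirus. The following Python is an added example, not code from the ATT&CK page or from the Kaspersky report, showing why a signature for literal 0x90 runs misses such a sled and how a scanner that treats NOP-equivalent single-byte x86 instructions as sled filler still finds it. The byte set, the 32-bit decoding assumption, the 16-byte threshold and the sample buffer are all constructed for illustration; the report does not state which instructions the group actually used.

```python
"""Constructed example: spotting x86 NOP sleds built from NOP-equivalent
single-byte instructions rather than literal 0x90 bytes.

Assumptions (not from the ATT&CK page): 32-bit x86 decoding, the filler set
below, and a sled of 16 or more bytes being worth flagging.
"""
import random

# Single-byte x86-32 opcodes that are harmless as sled filler when the payload
# does not depend on register or flag state at entry. In 64-bit mode 0x40-0x4F
# are REX prefixes, so this table is only valid for 32-bit shellcode.
NOP_EQUIVALENTS = frozenset(
    [0x90]                                  # nop
    + list(range(0x40, 0x50))               # inc/dec r32
    + list(range(0x91, 0x98))               # xchg eax, r32
    + [0x98, 0x99]                          # cwde, cdq
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]        # cmc, clc, stc, cld, std
    + [0x9E, 0x9F]                          # sahf, lahf
    + [0x27, 0x2F, 0x37, 0x3F]              # daa, das, aaa, aas (x86-32 only)
)


def plain_nop_sled_signature(buf: bytes, min_len: int = 16) -> bool:
    """The naive static check: a run of at least min_len literal 0x90 bytes."""
    return (b"\x90" * min_len) in buf


def find_sleds(buf: bytes, min_len: int = 16) -> list[tuple[int, int]]:
    """Return (offset, length) for every maximal run of NOP-equivalent bytes
    that is at least min_len long."""
    sleds, start = [], None
    # 0xFF is not in the filler set, so it terminates a trailing run cleanly.
    for i, b in enumerate(buf + b"\xff"):
        if b in NOP_EQUIVALENTS:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                sleds.append((start, i - start))
            start = None
    return sleds


def build_alternative_sled(length: int, seed: int = 7) -> bytes:
    """Constructed sled that mixes NOP-equivalents and contains no 0x90 at all."""
    rng = random.Random(seed)
    pool = sorted(NOP_EQUIVALENTS - {0x90})
    return bytes(rng.choice(pool) for _ in range(length))


# Constructed stand-in first stage: a 32-byte alternative sled followed by a
# tiny placeholder payload (xor eax,eax ; ret) whose bytes are outside the set.
STANDIN_PAYLOAD = b"\x31\xc0\xc3"
SAMPLE = build_alternative_sled(32) + STANDIN_PAYLOAD


def analyze(buf: bytes = SAMPLE, min_len: int = 16) -> dict:
    """Compare the literal-0x90 signature with the NOP-equivalent scan."""
    return {
        "plain_0x90_signature_hits": plain_nop_sled_signature(buf, min_len),
        "nop_equivalent_sleds": find_sleds(buf, min_len),
    }


if __name__ == "__main__":
    print(analyze())
```

Against the constructed sample the literal 0x90 signature returns False while the equivalence scan reports one 32-byte sled at offset 0. In production this kind of check belongs on memory or sandbox output rather than on raw files, and it needs context (delivery path, parent process, user) to keep benign inc/dec-heavy code from tripping it.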
Mitigation priorities
- Identify high-value users, roles, and business units whose public profile or mission resembles the ATT&CK-described target set, then align monitoring and response playbooks around them.
- Ensure endpoint, email, web, and network controls retain enough metadata to investigate obfuscated files or payload transfer attempts.
- Harden processes for handling suspicious attachments, downloads, archives, and encrypted files, especially for exposed executives, researchers, communications staff, and policy-facing personnel where applicable.
- Test incident response procedures for preserving suspicious files, sandbox results, user context, and chain-of-custody evidence.
- Use ATT&CK technique T1027 as the control-validation anchor; do not rely on a group name alone for prevention or audit evidence.
Analyst notes and limits
The supplied ATT&CK object is a group entry with sparse operational detail. Its strongest decision value is threat-intelligence scoping: BlackOasis is described as interested in prominent UN figures, opposition bloggers, activists, regional news correspondents, and think tanks, and it has a supplied relationship to obfuscation behavior. The CyberScoop/Securelist references provide provenance, while ATT&CK explicitly cautions that NEODYMIUM is closely associated but not proven to be an alias.
No official detection guidance, platforms, or tactics are provided for the BlackOasis group object. The only supplied technique relationship is T1027, so recommendations are limited to conservative readiness and detection-validation themes around obfuscated files or information. Local telemetry, business exposure, and intelligence requirements are necessary to determine relevance or priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ce31ac0e7f84… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Securelist. Retrieved February 15, 2018.
- [2] Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Securelist. Retrieved February 15, 2018.
- [3] Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. CyberScoop. Retrieved February 15, 2018.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.